Servers overlaid with email icons

Ransomware Attacks and Tape Backups: Best Practices and Lessons Learned

The rise of ransomware has highlighted the need for air-gapped backups, and data tapes have become the most popular tools for fighting back.

The United States Cybersecurity and Infrastructure Security Agency (CISA) recommends offsite, offline backups as a ransomware mitigation strategy, noting that most ransomware infections cannot be resolved without restoring from a backup (or paying the ransom, which can exceed $1 million for high-value targets). Modern tape formats are an inexpensive and highly dependable way to create these backups, and many enterprises have quickly adopted current-generation formats like LTO-9 to build their disaster recovery strategies.

However, your enterprise cannot adequately prepare for ransomware infection by simply creating one-off backups. To build a strategy that works — and avoid costly remediation during an attack — it’s important to understand how tape backups address the problem. Here are a few considerations to keep in mind.

“Golden copy" backups are crucial for ransomware recovery.

A golden copy backup contains all of the essential information needed to restore a system following a ransomware attack or other data loss disaster. Data tapes are uniquely useful for creating golden copies; they’re inexpensive, and modern formats can be safely stored for decades without significant data loss.

If a backup is mission critical, it’s a mistake to keep a single copy — many enterprises maintain copies of each golden backup, archived for the express purpose of disaster recovery. Ensure that your enterprise’s strategy is suitable to your needs. If your storage systems change regularly, creating a monthly golden backup on tape can prevent enormous losses during remediation. However, if ransomware targets backup tapes, you may lose data for several months; make sure you’ve set appropriate retention periods for your golden copies.

Active tape archives can improve an enterprise’s ransomware remediation strategy, but it’s not foolproof.

An active tape archive is exactly what it sounds like: A storage architecture that maintains a current copy of mission-critical data from key storage systems. Recent advances in tape technology have improved the viability of active archiving; the LTFS filesystem, for instance, allows access to individual files on a tape or tape set, and modern tape systems are endlessly configurable to fulfill different archiving strategies.

In an active archive, the system moves data to different devices within the storage architecture based on rules; important data is moved to data tapes, which are regularly replaced to maintain a more-or-less “active" offsite backup of the entire system.

While this can be an excellent approach for some enterprises, active archives should be a component of a ransomware defense, not a standalone solution. Some ransomware variants target tapes, and malicious software may lie dormant for months before activation. If the archives aren’t retained for long enough, they may not be useful during disaster recovery. Additionally, if the ransomware is hidden in a backup, it may reactivate when the system is restored. Put simply, active archives are not traditional air-gapped backups — employ them carefully and understand their limitations.

Test your ransomware recovery strategy before you need it.

At Total Data Migration, we often encounter enterprises who followed the best practices of tape backup, with one key exception: They never tested their tape restoration strategy prior to the disaster.

A ransomware attack will draw tremendous time and energy from every member of your team, and even with appropriate backups, you’ll need a straightforward process in place to get key systems back up and running — without risking re-infection.

Test your strategy annually (or more often, if you’re in a high-risk industry). Ask questions like:

  • Who will be responsible for restoring backups from tape?

  • Does my team have experience with the tape format?

  • Do we have sufficient hardware to restore data quickly?

  • How can we mitigate the threat of ransomware re-infection?

  • Do we regularly check backups to ensure that they’re usable?

We strongly recommend working with tape experts who have experience with ransomware remediation. As a leader in data tape migration and restoration services, we offer both onsite and off-site services to help enterprises minimize downtime — and limit the significant costs associated with a ransomware attack. To build your strategy or to discuss tape restoration services following a disaster, contact us today.