Identifying and Recovering Files Corrupted by Ransomware Using RestoreManager Posted on Aug 6th, 2020 by Brian Sietsma


You don’t have to be an IT security expert to be aware of the threat of ransomware. Almost every week you hear of another large corporation or government entity being the victim of a targeted ransomware attack. In fact, according to Cybersecurity Ventures, a new organization falls victim to a ransomware attack every 14 seconds. That’s why it’s not surprising to hear that ransomware protection and prevention is the number one concern of IT security teams.

There are plenty of different techniques used to prevent infections or detect suspicious behavior, including email server filters, endpoint protection, advanced file-access auditing, etc. The point of this article is not to tell you which one works best, because the answer is a combination of them. The most important thing is to protect the file shares on your storage volumes, i.e. your CIFS/NFS shares. If you have NetApp storage, CryptoSpike does an outstanding job. You can read more about CryptoSpike in some of my other posts or here.

What most people don’t think about is: what do you do if your ransomware protection is not successful? What if a malicious infection gets access to your file shares and encrypts your data? Most ransomware protection tools are just that: protection tools. Once the ransomware gets through the protection layer, there are very few options for recovering your data. The first is to roll back to an existing backup or storage snapshot. This may sound like the obvious choice, but it has a major downside. Suppose your backup or storage snapshot contains folders or shares that hold millions of files. If the ransomware encrypts a few thousand files before being isolated and contained, rolling back to an old snapshot forces you to discard the recent changes to the thousands of files that were not affected by the attack. In a CIFS or NFS scenario, if a single user gets infected, reverting to an old snapshot causes data loss for every other user with files on that share. This data loss may be detrimental to an organization. Oftentimes, trying to manually recover the data lost during an attack costs the company far more in time and lost data than the actual ransom. Remember that the city of Baltimore, Maryland, lost over $18 million to avoid paying a ransom of approximately $65,000.

I am not telling you that the better option is to pay the ransom. After all, you are dealing with criminals, who are not considered very trustworthy. In fact, although about 40% of ransomware victims decide to pay the ransom, about 5% of those companies never receive the decryption tool, even after paying. Those that do receive the decryption tool recover, on average, only about 90% of their lost data.

So, what is the best choice? I personally believe that it varies with the situation. However, if the infection occurs on file shares hosted on NetApp storage, RestoreManager offers a very effective recovery option.

RestoreManager runs a “crawler” that uses NetApp’s SnapDiff API (which reports the files that changed between two snapshots) to build a central, online file index of every NetApp snapshot, giving you a single catalog-based view of your files. This online file index lets you search across your NetApp snapshots using multiple criteria, and lets you restore files and folders directly from within RestoreManager with a single click.

Now, how can this catalog help you recover from a ransomware attack? Using the file metadata collected during the SnapDiff crawl of the CIFS/NFS shares, RestoreManager scans the index for files that have been renamed to any of roughly 4,000 known ransomware file extensions and naming patterns. Once those files are identified, the same online catalog shows which existing NetApp snapshots still hold each file, so the end user can perform a single-file restore back to a point in time before the infection began. This is similar to the first recovery option mentioned earlier, except that you are not creating additional data loss by reverting an entire volume to an old snapshot. With RestoreManager you isolate the files that were affected during the attack and quickly identify the best snapshot from which to recover each of those individual files.
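To make the catalog-driven workflow concrete, here is an added example (not RestoreManager code, and not the vendor’s algorithm) that runs the same two steps over a toy catalog: flag files whose name ends in a known ransomware extension, then pick, per file, the newest snapshot taken before that renamed file first appeared that still holds the original name. It also counts the collateral a whole-volume rollback would cause. The catalog layout ({path: mtime} per snapshot, ordered oldest to newest), the five-entry extension list and the sample snapshots are all constructed for illustration; a real scanner would load a maintained list of extensions and read the metadata from a SnapDiff crawl.

```python
"""Added example: scan a snapshot file catalog for ransomware-renamed files
and choose a per-file restore point. Constructed data and layout throughout;
this is not RestoreManager code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Small constructed sample of widely reported ransomware extensions. The
# article cites ~4,000 known extensions/patterns; a real scanner loads that list.
KNOWN_RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry", ".locky"}

# One (snapshot_name, {path: mtime}) pair per snapshot, oldest to newest.
# This stands in for the metadata a SnapDiff-style crawl would collect.
Snapshot = Tuple[str, Dict[str, int]]


@dataclass
class Finding:
    encrypted_path: str           # renamed file as it appears after the attack
    first_seen: str               # snapshot in which the renamed file first appears
    original_path: str            # name with the ransomware suffix stripped
    restore_from: Optional[str]   # newest pre-infection snapshot holding the original


def ransom_suffix(path: str) -> Optional[str]:
    """Return the trailing extension (lower-cased) if it is a known ransomware suffix."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    if dot <= 0:
        return None
    ext = name[dot:].lower()
    return ext if ext in KNOWN_RANSOM_EXTENSIONS else None


def find_affected(catalog: List[Snapshot]) -> List[Finding]:
    """Flag renamed files and pick the best snapshot to restore each one from."""
    findings: List[Finding] = []
    seen = set()
    for idx, (snap, files) in enumerate(catalog):
        for path in sorted(files):
            suffix = ransom_suffix(path)
            if suffix is None or path in seen:
                continue
            seen.add(path)  # report each renamed file once, at its first appearance
            original = path[: -len(suffix)]
            # Walk backwards from the snapshot before first_seen; the newest one
            # that still holds the original name is the restore point. None means
            # no pre-infection copy exists (file created after the last snapshot).
            restore_from = None
            for prev_snap, prev_files in reversed(catalog[:idx]):
                if original in prev_files:
                    restore_from = prev_snap
                    break
            findings.append(Finding(path, snap, original, restore_from))
    return findings


def rollback_collateral(catalog: List[Snapshot], restore_from: str) -> List[str]:
    """Unaffected files whose newest version a whole-volume rollback to
    `restore_from` would discard: not flagged, but changed or created since then."""
    newest = catalog[-1][1]
    old = dict(catalog)[restore_from]
    return sorted(p for p, mtime in newest.items()
                  if ransom_suffix(p) is None and old.get(p) != mtime)


# Constructed sample: hourly snapshots; the attack hits between 10:00 and 11:00,
# and a user legitimately edits handbook.docx (mtime 104) shortly before it.
SAMPLE_CATALOG: List[Snapshot] = [
    ("hourly.0900", {"/finance/q2.xlsx": 100, "/finance/notes.txt": 90,
                     "/hr/handbook.docx": 80}),
    ("hourly.1000", {"/finance/q2.xlsx": 100, "/finance/notes.txt": 95,
                     "/hr/handbook.docx": 80}),
    ("hourly.1100", {"/finance/q2.xlsx.locked": 105, "/finance/notes.txt.locked": 105,
                     "/finance/draft.xlsx.locked": 105, "/hr/handbook.docx": 104}),
]

if __name__ == "__main__":
    for f in find_affected(SAMPLE_CATALOG):
        target = f.restore_from or "no pre-infection snapshot copy"
        print(f"{f.encrypted_path} -> restore {f.original_path} from {target}")
    print("lost by full rollback to hourly.1000:",
          rollback_collateral(SAMPLE_CATALOG, "hourly.1000"))
```

On the sample data the scan flags the three `.locked` files, restores two of them from `hourly.1000` (keeping the 09:00 to 10:00 edit to notes.txt), reports `draft.xlsx.locked` as having no snapshot copy to fall back on, and shows that a whole-volume rollback would have discarded the user’s later edit to handbook.docx. Two caveats worth keeping in mind: a name-based check only finds ransomware that renames what it encrypts (a strain that encrypts in place, or one using an extension not yet on the list, would need mtime- or content-based heuristics), and recovery of any kind depends on snapshots from before the infection still being retained.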

What is most impressive is that this recovery option can be put in place even after a ransomware attack occurs. RestoreManager does not have to be installed and running before the attack to help you recover. You can install and run the SnapDiff crawler after suffering an infection, and, as long as snapshots from before the infection still exist, it will index them, identify the affected files and recover those files to a point in time before the attack. In fact, this is exactly what the world’s third-largest financial services software provider chose to do after its file shares were infected by ransomware in late March. After deciding to take its NetApp storage systems offline, it purchased RestoreManager for this exact reason, along with CryptoSpike to protect against future attacks.

If your organization is ever a victim of ransomware, or has been attacked by ransomware in the past, do not let yourself be forced to choose between major data loss, weeks of lost productivity, and paying a ransom to criminals. Let RestoreManager discover the files affected by the attack and give you a simple way to recover those files from your NetApp snapshots.

If you would like to learn more about RestoreManager, or its ransomware protection/prevention counterpart, CryptoSpike, you can request a live demo. We would be happy to help you set things up.