Part 3: Complete Ransomware Recovery Guide

Ransomware Infection, Encryption, and Activation Events: How Each Impacts RPO and RTO

In Part 2 of our blog series, we discussed why it’s necessary to have a complete backup and retention strategy for successful ransomware recovery. We also talked about a multi-tier retention policy for a low RPO (recovery point objective) and mentioned both infection and encryption events.

Before we discuss replication and data protection options, let’s take a look at infection, encryption, and activation events, and how to rebuild or recover a clean copy of your infected VMs for the lowest possible RPO.

Infection Event

We define an infection event as the point in time when ransomware infects your VM. The infection may have come through an unpatched guest OS that was compromised by a drive-by download, a phishing attack, an infected machine connected to your network, or an employee mistakenly clicking on an email attachment with ransomware.

After an infection event, the infected VM may continue to operate normally for days, weeks, or even months. The ransomware remains hidden until a trigger launches it to start encrypting the data slowly. To restore a clean copy, you must find the timestamp of the infection event and restore your VM from a snapshot taken moments before it. If your infection event and encryption event (defined below) are within your RPO, the snapshot taken before the infection event may be enough for a clean recovery of the application and data.

Encryption Event

An encryption event refers to the point in time when the actual data encryption begins. After infection, ransomware pings its malicious host (usually outside your network) and stores the encryption keys before it begins encrypting the data. Attackers store their encryption keys offsite to make sure that you can’t find them and initiate decryption. To restore a clean copy of the data, you must find the encryption event timestamp and copy data from a snapshot taken moments before it to get the lowest possible RPO.
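
The following Python is an added example, not part of the original post or of any Datrium product. It picks the restore points described above from the infection and encryption timestamps. The snapshot schedule, event times, function names and strategy labels are constructed for illustration, and reading "within your RPO" as the age of the pre-infection snapshot when encryption starts is an assumption.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

# Constructed sample: one snapshot per day at 00:00, 1-14 March 2024.
SAMPLE_SNAPSHOTS = [datetime(2024, 3, d) for d in range(1, 15)]


def latest_before(snapshots, event):
    """Newest snapshot strictly older than `event`, or None if none is retained."""
    i = bisect_left(snapshots, event)
    return snapshots[i - 1] if i else None


def plan_recovery(snapshots, infection, encryption, rpo):
    """Pick restore points from the infection and encryption event timestamps."""
    if encryption < infection:
        raise ValueError("encryption event cannot precede the infection event")
    snaps = sorted(snapshots)
    vm = latest_before(snaps, infection)     # last image without the ransomware
    data = latest_before(snaps, encryption)  # last copy of unencrypted data
    if data is None:
        strategy = "no-usable-snapshot"
    elif vm is None:
        # Retention does not reach back past the infection: rebuild the VM
        # from clean media and copy data from the pre-encryption snapshot.
        strategy = "rebuild-vm-copy-data"
    elif encryption - vm <= rpo:
        # Assumption: "within your RPO" means the pre-infection snapshot is
        # no older than the RPO when encryption starts, so it alone suffices.
        strategy, data = "single-restore", vm
    else:
        strategy = "restore-vm-copy-data"
    loss = encryption - data if data is not None else None
    return {"strategy": strategy, "vm": vm, "data": data, "data_loss": loss}


if __name__ == "__main__":
    plan = plan_recovery(
        SAMPLE_SNAPSHOTS,
        infection=datetime(2024, 3, 3, 9, 30),    # constructed event time
        encryption=datetime(2024, 3, 12, 14, 0),  # constructed event time
        rpo=timedelta(hours=24),
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```
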

Activation Event

The point in time at which the data or system becomes inaccessible and a ransom message appears on the screen is known as the activation event. In our experience, the activation event for most companies is the first indication of a ransomware attack, even if they may have been under attack for days, weeks, or even months.

When it’s critical to restore the data as soon as possible, and within a given RTO (or SLA), Datrium products help customers recover their workloads from pre-activation snapshots, and then reset the time on the recovered VMs to delay the recurrence of the activation event. That allows customers to copy sensitive information or complete urgent tasks before they shut down and initiate a full restore from pre-infection and pre-encryption events.

To read more about using snapshots to restart a clean copy of the VM with your most recent unencrypted data, check out our Complete Ransomware Recovery Guide. It’s absolutely free.

In our next blog post, we’ll cover replication and data protection options to protect all on-premises and cloud workloads, with backup and failover to another physical data center or the public cloud.