Using Azure Site Recovery to Reduce Monetary and Time Loss in a Ransomware Compromise

Mar 3, 2020 | Infrastructure

Organizations utilize Azure Site Recovery (ASR) as part of an overall Disaster Recovery Plan and/or Business Continuity Plan (DRP/BCP). These plans typically cover outages such as the loss of a server, a business application, or a full datacenter (power, weather, etc.). ASR helps ensure business continuity by keeping business applications and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to the secondary location and access applications from there. After the primary location is running again, you can fail back to it. Note that failback takes time and preparation; a more detailed discussion of this topic will be posted in an upcoming blog.

But what happens when a business is compromised by ransomware? Most ransomware incidents spread across the network to multiple sites, disrupting many applications and even destroying disk-based backups. Replication technologies such as availability groups and clustering make this worse rather than better: they faithfully copy the encrypted data to the secondary copy, so the DR site ends up in the same state as the primary. So how do you protect your disaster recovery site?

ASR can be configured to keep multiple recovery points covering up to the past 72 hours, so you can recover a server to a point in time before the machine was encrypted or infected.

By default, Site Recovery keeps recovery points for 24 hours; you can configure any value between 1 and 72 hours. The app-consistent snapshot frequency can also be modified. By default, Site Recovery takes an app-consistent snapshot every 4 hours; you can configure any value between 1 and 12 hours.


An app-consistent snapshot is a point-in-time snapshot of the application data inside the VM. Volume Shadow Copy Service (VSS) ensures that the applications on the VM are in a consistent state when the snapshot is taken. Note that longer retention and more frequent snapshots mean more stored data, so you may incur additional storage costs.
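The retention and snapshot settings above, and the recovery to a pre-encryption point that they make possible, can be driven from PowerShell with the Az.RecoveryServices module. The script below is an added example written for this post, not Peters & Associates' own tooling: the vault, fabric, protection container, VM and virtual network names, and the compromise timestamp, are placeholders you must replace with values from your own environment, and the RecoveryPointType string is matched loosely because the exact label depends on the replication scenario.

```powershell
# Added example (not part of the original post). Requires the Az.Accounts and
# Az.RecoveryServices modules. All resource names below are assumptions.

Connect-AzAccount   # interactive sign-in; use a managed identity or service principal in automation

$vault = Get-AzRecoveryServicesVault -ResourceGroupName "rg-dr" -Name "rsv-dr"
Set-AzRecoveryServicesAsrVaultContext -Vault $vault

# 1. Replication policy: maximum retention (72 h) and hourly app-consistent
#    snapshots, i.e. the most restore points the settings allow (more storage).
$policyName = "ransomware-72h"
New-AzRecoveryServicesAsrPolicy -AzureToAzure -Name $policyName `
    -RecoveryPointRetentionInHours 72 `
    -ApplicationConsistentSnapshotFrequencyInHours 1 | Out-Null

# Check what was actually stored (retention and frequency are reported in minutes).
$policy = Get-AzRecoveryServicesAsrPolicy -Name $policyName
$policy.ReplicationProviderSettings | Format-List

# 2. Locate the replicated VM in the vault.
$fabric    = Get-AzRecoveryServicesAsrFabric -Name "fabric-primary"
$container = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric -Name "container-primary"
$rpi       = Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container -FriendlyName "app-srv-01"

# 3. Pick the newest app-consistent point taken BEFORE the encryption started.
#    The timestamp comes from your investigation (event logs, ransom-note creation
#    time, first encrypted file); the value here is an assumption for the example.
$compromiseTime = [datetime]::Parse("2020-03-02T09:15:00Z").ToUniversalTime()

$cleanPoint = Get-AzRecoveryServicesAsrRecoveryPoint -ReplicationProtectedItem $rpi |
    Where-Object { $_.RecoveryPointType -like "App*" -and $_.RecoveryPointTime.ToUniversalTime() -lt $compromiseTime } |
    Sort-Object RecoveryPointTime -Descending |
    Select-Object -First 1

if (-not $cleanPoint) {
    # Every retained point is newer than the compromise: the infection outlasted
    # the retention window and ASR alone cannot give you a clean copy.
    throw "No app-consistent recovery point older than $compromiseTime exists for $($rpi.FriendlyName)."
}
Write-Host "Candidate clean point: $($cleanPoint.RecoveryPointTime) ($($cleanPoint.RecoveryPointType))"

function Wait-AsrJob($job) {
    # Poll until the ASR job leaves its running states, then return it.
    do {
        Start-Sleep -Seconds 30
        $job = Get-AzRecoveryServicesAsrJob -Job $job
    } while ($job.State -in @("NotStarted", "InProgress"))
    return $job
}

# 4. Test failover into an isolated network first, so the chosen point can be
#    inspected for encrypted files or persistence without touching production.
$isolatedVnet = "/subscriptions/<sub-id>/resourceGroups/rg-dr/providers/Microsoft.Network/virtualNetworks/vnet-isolated"
$job = Start-AzRecoveryServicesAsrTestFailover -ReplicationProtectedItem $rpi `
    -Direction PrimaryToRecovery -RecoveryPoint $cleanPoint -AzureVMNetworkId $isolatedVnet
$job = Wait-AsrJob $job
if ($job.State -ne "Succeeded") { throw "Test failover did not succeed: $($job.State)" }

$verdict = Read-Host "Inspect the test VM. Is the recovery point clean? (yes/no)"
Start-AzRecoveryServicesAsrTestFailoverCleanup -ReplicationProtectedItem $rpi -Comment "verdict: $verdict" | Out-Null

# 5. Only after the test copy has been checked: real failover to the same point.
if ($verdict -eq "yes") {
    $job = Start-AzRecoveryServicesAsrUnplannedFailover -ReplicationProtectedItem $rpi `
        -Direction PrimaryToRecovery -RecoveryPoint $cleanPoint
    $job = Wait-AsrJob $job
    if ($job.State -ne "Succeeded") { throw "Failover did not succeed: $($job.State)" }
    Start-AzRecoveryServicesAsrCommitFailoverJob -ReplicationProtectedItem $rpi | Out-Null
}
```

The test failover step is the check that matters: a recovery point that predates the first observed encryption is not automatically clean, because the attacker was usually present before the files were touched, so look at the isolated copy for persistence and credentials as well as for encrypted data before committing the failover.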

These settings give you a clean point to recover to; they do not stop the malware from spreading, and they only help if the compromise is noticed within the retention window (at most 72 hours), because older recovery points are purged. Your organization should also develop an Incident Response Plan, much like your DRP, which may include items such as:

  • Proactive measures to alert on malicious behavior before it becomes widespread
    • Logging of user activities and login locations
    • Correlation between user activities and system/data access
    • Minimizing elevated accounts and auditing changes to them
  • Communication plans: internal employees, clients, insurance, police, FBI, etc.
  • Isolation of compromised systems while preserving forensic details
  • Confirmation that the bad actors are no longer within the environment
  • Action items for system recovery

Peters & Associates has assisted many organizations in configuring ASR, building an incident response plan, and recovering after ransomware. If you would like more information on how we can help you plan for the unexpected, please contact us at info@peters.com.