The following section describes the steps to take when one or more systems are infected by ransomware. The goal is to stop the spread completely: the faster the reaction, the less data there is to recover.
Isolating an infected client
Steps to contain a ransomware spread:
Remove the infected system from the network.
Disable backups on the infected system so that no encrypted or infected files are backed up.
Disable data aging for the infected system so that existing backups are retained and encrypted files can be restored to a previous version.
Stop all suspected services and kill all suspected processes.
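The host-side part of the containment procedure above (isolate the client, preserve volatile evidence, stop the suspect processes), as an added example for a Linux client; this is not Commvault's own tooling or documentation. It assumes a root shell on the infected client with iptables and iproute2 (ss) installed, and that the IR host address, evidence directory and process pattern are supplied by the responder. Disabling backups and data aging for the client is done in the CommCell Console, not on the host, so those two steps are left to the operator.

```shell
#!/bin/sh
# Added example (not Commvault documentation): host-side containment of an infected
# Linux client. Assumes root, iptables and ss are available. Commands only print by
# default; set DRY_RUN=0 to execute them.

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY: $*"
  else
    "$@"
  fi
}

# 1. Isolate: allow loopback and (optionally) one incident-response host, then drop
#    everything else. The ACCEPT rules go in before the policies change so the
#    responder's own session is not cut off in between.
isolate_host() {
  allow_ip="$1"
  run iptables -I INPUT -i lo -j ACCEPT
  run iptables -I OUTPUT -o lo -j ACCEPT
  if [ -n "$allow_ip" ]; then
    run iptables -I INPUT -s "$allow_ip" -j ACCEPT
    run iptables -I OUTPUT -d "$allow_ip" -j ACCEPT
  fi
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT DROP
}

# 2. Preserve volatile state (process tree, sockets) before anything is killed.
capture_volatile() {
  evd="$1"
  run mkdir -p "$evd"
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY: ps -eo pid,ppid,user,lstart,args > $evd/ps.txt"
    echo "DRY: ss -tunap > $evd/net.txt"
  else
    ps -eo pid,ppid,user,lstart,args > "$evd/ps.txt"
    ss -tunap > "$evd/net.txt" 2>&1 || true
  fi
}

# 3a. Select suspects: read "PID ARGS" lines on stdin and print the PIDs whose line
#     matches the responder-supplied regex (e.g. a binary running from /tmp, or the
#     dropper name seen on another host). The second argument is a PID to skip, so
#     the responder's own shell, whose arguments contain the pattern, is not selected.
match_suspects() {
  pattern="$1"
  skip="${2:-}"
  awk -v pat="$pattern" -v skip="$skip" '$0 ~ pat && $1 != skip { print $1 }'
}

# 3b. Freeze each suspect with SIGSTOP first (its memory can still be dumped), then kill.
stop_suspects() {
  while read -r pid; do
    [ -n "$pid" ] || continue
    run kill -STOP "$pid"
    run kill -KILL "$pid"
  done
}

contain() {
  isolate_host "$1"
  capture_volatile "$2"
  # Snapshot the process list first, so the matcher is not in its own listing.
  listing=$(ps -eo pid=,args=)
  printf '%s\n' "$listing" | match_suspects "$3" "$$" | stop_suspects
}

# Usage: DRY_RUN=0 sh contain.sh --contain <ir-host-ip> /root/evidence '/tmp/|/dev/shm/'
if [ "${1:-}" = "--contain" ]; then
  contain "$2" "$3" "$4"
fi
```

The process list is captured before the pattern match runs, and the script's own PID is excluded, because a pattern such as `/tmp/` would otherwise match the responder's own command line and freeze the containment itself. Keep the pattern specific, and do not run the script from a directory the pattern matches.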
Recover from a Ransomware Attack
Once all of the infected systems are clean, it is time to recover the data. The following steps ensure a smooth recovery.
Steps to recover from a ransomware attack:
Sanitize the infected system and delete the ransomware files.
Once the system is clean, put it back on the network.
If one of the infected systems is the CommServe® server and its database is no longer available, recover the database from a clean backup, such as the copy sent to Commvault® Cloud Services.
If one of the infected systems is a MediaAgent and its configured storage was infected, make sure you have access to an unaffected copy of the backup data, such as offsite tapes.
On previously infected systems, restore the data that was deleted during the cleaning process.
Re-enable backups on the systems.
Once the first backup has completed successfully and you are sure the systems are clean, re-enable data aging.
DR Strategy in Prevention of an Attack
To ensure that data can be recovered, the backup system's own data must remain available and unaffected by the attack.
Review the following best practices when architecting your DR solution:
Protect the CommServe® server database and send a copy to a location that cannot be reached from compromised systems, such as Commvault Cloud Services.
Create an offline backup copy, such as tape media.
Replicate backup data using Commvault® DASH copy technology rather than storage-level replication, so that encrypted or deleted data on the primary storage is not mirrored onto the copy.
Lock down CommCell® storage against ransomware attacks by enabling the Ransomware Protection option on MediaAgents.