Stefan Folkerts

The last line of defense

We all love our data. Whether it resides on-premises, in the cloud or a combination of both, we can’t do without it. We use our data to provide services to our customers and to run our daily internal operations, and it even helps us determine our strategy moving forward.


At the same time we also know our data is under constant attack and at risk of being held hostage and/or stolen. According to the Gartner report “Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware” [1], by 2025 at least 75% of IT organizations will face one or more ransomware attacks.

What is even more worrisome is that in the same report Gartner states that increasingly sophisticated ransomware attacks are specifically targeting backup data and backup administrator functions. This means that attackers are actively trying to gain access to the very heart of what manages your backups and backup data.

This new and unique threat requires a whole new way of looking at the backup solution, or, as we like to call it, the last line of defense.

Malware protection requires a multi-layered strategy, and at its very core sits a backup and recovery solution that must be able to recover, and do so within the required timeframe.

Where in the past a backup solution was mostly about data integrity and bringing the data offsite for disaster recovery purposes, we now have to add protection of the backup data and of the backup application itself into the mix and bring it to the forefront.

While most restores from the backup solution involve a single user document or mailbox item, ransomware recovery has quickly become the main use for a backup solution at scale. Ransomware recovery pushes the backup environment to its limits while the future of the company hangs in the balance. This is where reliability and performance come into play, and ransomware demands a solution that optimizes your chances for a successful and speedy recovery.

“Ransomware demands a solution that optimizes your chances for a successful and speedy recovery.”

Framing the ransomware risk as “when”, not “if”, an attack will happen helps create the required mindset: think about ransomware recovery just as one already does about ransomware prevention.

When the attack takes place it usually occurs in phases.

  1. Penetration of the network – through stolen credentials and remote access malware.
  2. Stealing of credentials for critical accounts – to gain access to the directory service, DNS and the storage/backup consoles.
  3. Infecting systems with malware (such as ransomware) – but only starting encryption once the blast radius has been maximized.
  4. Attack on the backup administrative console – access to the backup admin console allows attackers to modify or turn off backup schedules, gain insight into where sensitive data is stored, or simply delete backups altogether.
  5. Data theft – why only encrypt if one can also steal the data for future criminal activities?

So how does the right backup solution help you prevent and recover from a ransomware attack?

Detection of malware – Detection of the attack is a vital step in preventing further impact and enabling a swift recovery. It might seem that detecting an attack is easy, but small-scale attacks can go unnoticed for weeks while the attackers look for ways to gain further access to the environment. The backup solution should not be the one and only means of detecting malware, but it can fulfill an important role.

Protecting the backup system – Protection of the backup solution itself, as a whole, has become the #1 priority for all backup solutions.

Ability to recover – When the time comes to recover, the solution needs to be ready and able to recover, and do so within the required timeframe.

Preparing for ransomware recovery with Rubrik 
Rubrik is uniquely equipped to enable organizations to improve the detection of ransomware. It enables organizations to detect dormant ransomware and to recover from ransomware without paying the ransom, within the required timeframe.

Detection of malware 
Backup solutions have a unique perspective on data that may be leveraged in several ways when it comes to the detection of malware.

Delayed-activation ransomware sleeps on your systems, waiting for the signal from the attackers to start encrypting. It may sit idle for only a few short hours, but this can stretch to weeks or even months.

After each backup, Rubrik automatically searches your backup data for the fingerprints of the most active ransomware strains at that point in time. When it finds malware it instantly reports what it found and where, so you can take action and remove the software from your environment.

If the ransomware was not detected before activation, Rubrik’s Ransomware Detection feature uses machine learning on the backup metadata to scan for anomalies. Rubrik has a 98% success rate when it comes to correctly identifying ransomware attacks, because it uses a multitude of factors to calculate the probability of an actual ransomware attack.

Protecting the backup system 
Running a backup solution on the operating system that is known to be the most vulnerable to ransomware attacks, and storing your data on its drives, is not the way forward. A holistic, ground-up approach to the protection of the backup system was needed, and this is where Rubrik stepped in.

On a stripped-down, vault-like Linux layer, Rubrik engineers built an immutable (append-only) clustered filesystem that offers data integrity features such as auto-healing from bit rot and leaves ransomware no way to mutate your valuable backup data.

Rubrik offers multi-factor authentication support, making sure stolen credentials don’t lead to mutations of retention or backup interval settings within the Rubrik environment.

Rubrik’s four-eyes principle requires a second person to approve data-destructive changes on the Rubrik environment, such as lowering retention or removing an object’s backups.

Ability to recover
When the attack comes and encryption takes place within your IT environment, it is time to recover.

With Rubrik this starts with determining the blast radius of the attack through Rubrik’s ransomware recovery wizard, selecting a point in time that Rubrik has determined lies before the ransomware became active, and starting the recovery.

Whether ransomware has impacted a few hundred user files or a number of virtual machines, they can all be recovered from the same recovery wizard.

Depending on the attack, one might still need to remove malware executables that lie dormant within your backups afterwards, but Rubrik’s Radar enables you to quickly go back to a time before the encryption took hold of your data, so you can then work with the appropriate experts and their tools to remove the dormant ransomware from your environment.

For your most mission-critical systems Rubrik can start an instant recovery, which means the virtual machines or databases, regardless of their size, become available from the backup storage within moments. Thanks to Rubrik’s built-in flash storage this provides a fast and usable recovery for most environments. Migration of the virtual machine back to production storage can take place at a later time and does not impact availability.
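The metadata-based anomaly detection described under “Detection of malware” and the point-in-time selection described in this section, as an added Python example that is not Rubrik’s code: it scores each nightly snapshot against the previous one using only catalog metadata (change ratio, never-seen extensions, entropy of changed files), then returns the last clean snapshot and the blast radius. The factors, weights, threshold, field names and the three constructed snapshots are all assumptions for illustration, not Rubrik’s model or its 98% figure.

```python
"""Score consecutive backup snapshots for ransomware-like change patterns using
catalog metadata only, then derive the last clean point-in-time and the blast
radius. Added illustration: the factors, weights, threshold and snapshot data
are constructed and are not Rubrik's model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    size: int
    entropy: float  # Shannon entropy of the content in bits per byte (0.0 .. 8.0)


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: str  # ISO-8601 timestamp of the backup run
    files: dict    # path -> FileMeta, as recorded in the backup catalog


WEIGHTS = {"change_ratio": 0.4, "new_ext_ratio": 0.3, "high_entropy_ratio": 0.3}
ALERT_THRESHOLD = 0.5  # constructed cut-off for raising an alert
HIGH_ENTROPY = 7.5     # encrypted output is close to 8 bits per byte


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def snapshot_features(prev: Snapshot, cur: Snapshot) -> dict:
    """Factors derived from the catalog metadata of two consecutive snapshots."""
    prev_paths, cur_paths = set(prev.files), set(cur.files)
    added = cur_paths - prev_paths
    deleted = prev_paths - cur_paths
    modified = {p for p in prev_paths & cur_paths if prev.files[p] != cur.files[p]}
    changed = added | modified
    touched = len(added) + len(deleted) + len(modified)
    known_ext = {extension(p) for p in prev_paths}
    new_ext = sum(extension(p) not in known_ext for p in added)
    high_entropy = sum(cur.files[p].entropy >= HIGH_ENTROPY for p in changed)
    return {
        # share of the previous snapshot's files that were added, removed or rewritten
        "change_ratio": touched / max(len(prev_paths), 1),
        # share of new files carrying an extension never seen before (e.g. ".locked")
        "new_ext_ratio": new_ext / len(added) if added else 0.0,
        # share of changed files whose content now looks encrypted; untouched
        # high-entropy files such as images do not count
        "high_entropy_ratio": high_entropy / len(changed) if changed else 0.0,
    }


def ransomware_score(features: dict) -> float:
    """Weighted sum of the factors, each capped at 1.0, giving a score in 0.0 .. 1.0."""
    return sum(WEIGHTS[k] * min(v, 1.0) for k, v in features.items())


def find_recovery_point(snapshots: list, threshold: float = ALERT_THRESHOLD) -> tuple:
    """Return (snapshot_id to restore from, sorted blast-radius paths).

    The recovery point is the last snapshot before the first one scoring at or
    above the threshold; the blast radius is every path that differs between
    that clean point and any later snapshot. Without an anomaly the newest
    snapshot is returned with an empty blast radius."""
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    for i in range(1, len(ordered)):
        prev, cur = ordered[i - 1], ordered[i]
        if ransomware_score(snapshot_features(prev, cur)) >= threshold:
            affected = set()
            for later in ordered[i:]:
                affected |= set(prev.files) ^ set(later.files)
                affected |= {p for p in set(prev.files) & set(later.files)
                             if prev.files[p] != later.files[p]}
            return prev.snapshot_id, sorted(affected)
    return ordered[-1].snapshot_id, []


# Constructed catalog entries for one file share over three nightly backups.
BASE = {
    "docs/a.docx": FileMeta(4000, 4.1), "docs/b.docx": FileMeta(5200, 4.3),
    "docs/c.xlsx": FileMeta(8000, 4.8), "img/d.jpg": FileMeta(120000, 7.6),
    "notes/e.txt": FileMeta(900, 4.0), "notes/f.txt": FileMeta(1100, 4.0),
}
EDITED = {**BASE, "docs/a.docx": FileMeta(4100, 4.2)}  # a normal working day
ENCRYPTED = {                                           # the morning after activation
    "img/d.jpg": BASE["img/d.jpg"],
    "docs/a.docx.locked": FileMeta(4016, 7.95), "docs/b.docx.locked": FileMeta(5216, 7.96),
    "docs/c.xlsx.locked": FileMeta(8016, 7.97), "notes/e.txt.locked": FileMeta(912, 7.90),
    "notes/f.txt.locked": FileMeta(1120, 7.92),
}
SNAPSHOTS = [
    Snapshot("snap-001", "2021-03-01T02:00:00Z", BASE),
    Snapshot("snap-002", "2021-03-02T02:00:00Z", EDITED),
    Snapshot("snap-003", "2021-03-03T02:00:00Z", ENCRYPTED),
]

if __name__ == "__main__":
    for prev, cur in zip(SNAPSHOTS, SNAPSHOTS[1:]):
        print(cur.snapshot_id, round(ransomware_score(snapshot_features(prev, cur)), 2))
    print(find_recovery_point(SNAPSHOTS))
```

The edited document on day two scores low because one file changed and nothing looks encrypted, while day three scores at the maximum on all three factors and makes snap-002 the restore point; the unchanged JPEG is deliberately high-entropy to show why only changed files are considered.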

The Gartner checklist

In the aforementioned Gartner report, Gartner lists a set of failings that next-generation backup solutions address. Let’s map these onto Rubrik’s offering.

| Failings of traditional backup solutions | Rubrik |
|---|---|
| Integration of backup storage and backup software | Rubrik offers a “Single Software Fabric” solution built on Rubrik’s scalable appliances |
| Immutable file storage | Rubrik’s unique, in-house developed immutable Atlas filesystem provides immutability |
| Elimination of network sharing protocols | Rubrik does not expose changeable backup data via network sharing protocols |
| Multifactor authentication for admin accounts | Rubrik offers MFA for all accounts that access the Rubrik environment |
| Separation of administrative roles | Rubrik offers RBAC as part of Rubrik’s zero-trust policy |
| Multiperson authorization workflows | Rubrik’s four-eyes system requires a second person to approve data-destructive changes within Rubrik |
| Multiple copies of backup data | Rubrik stores multiple copies of your backup data locally and multiple replicas offsite |
| Additional security measures | |
| Advanced user credentials | Features such as minimum password length, the zxcvbn password-strength library, reuse prevention and temporary lockout after failed attempts increase credential security even further |
| Intelligent Data Lock | If intruders still manage to circumvent all security measures and remove backup data, Rubrik does not actually remove the data but keeps it in the background when it detects suspicious removal patterns |
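The four-eyes principle from the “Protecting the backup system” section and the Intelligent Data Lock row of the table, modelled together as an added Python example that is not Rubrik’s implementation: every data-destructive change is a request that only a different backup admin can approve, and an approved deletion is a soft delete that stays recoverable until a hold period expires. The account names, action names, the 7-day hold and the controllable clock are constructed for the illustration.

```python
"""Two-person (four-eyes) approval for data-destructive backup changes, with
deletions held for a grace period instead of being applied immediately.
Added illustration of the control-plane design, not Rubrik's code; account
names, actions and the 7-day hold are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


class ApprovalError(Exception):
    """Raised when a change is attempted outside the approval rules."""


@dataclass
class ChangeRequest:
    request_id: int
    action: str            # "lower_retention" or "delete_backups"
    target: str            # protected object, e.g. a VM or database name
    value: Optional[int]   # new retention in days (lower_retention only)
    requested_by: str
    approved_by: Optional[str] = None


class FakeClock:
    """Controllable clock so the hold period can be exercised without waiting."""
    def __init__(self, start_iso: str):
        self.now = datetime.fromisoformat(start_iso)
    def advance_days(self, days: int) -> None:
        self.now += timedelta(days=days)
    def __call__(self) -> datetime:
        return self.now


class BackupControlPlane:
    DESTRUCTIVE = {"lower_retention", "delete_backups"}

    def __init__(self, admins, hold_days: int = 7,
                 clock: Optional[Callable[[], datetime]] = None):
        self.admins = set(admins)
        self.hold = timedelta(days=hold_days)
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.retention_days = {}   # target -> retention in days
        self.pending = {}          # request_id -> ChangeRequest awaiting a second person
        self.held = {}             # target -> (retention_days, release time) of soft-deleted data
        self._next_id = 1

    def protect(self, target: str, retention_days: int) -> None:
        self.retention_days[target] = retention_days

    def request(self, actor: str, action: str, target: str, value: Optional[int] = None) -> int:
        """Record a destructive change; nothing is applied until a second admin approves."""
        if actor not in self.admins:
            raise ApprovalError(f"{actor} is not a backup admin")
        if action not in self.DESTRUCTIVE or target not in self.retention_days:
            raise ApprovalError("unknown action or object")
        if action == "lower_retention" and (value is None or value >= self.retention_days[target]):
            raise ApprovalError("lower_retention must reduce the current retention")
        req = ChangeRequest(self._next_id, action, target, value, actor)
        self.pending[req.request_id] = req
        self._next_id += 1
        return req.request_id

    def approve(self, actor: str, request_id: int) -> ChangeRequest:
        req = self.pending.get(request_id)
        if req is None or actor not in self.admins:
            raise ApprovalError("no such pending request, or actor is not a backup admin")
        if actor == req.requested_by:
            raise ApprovalError("four-eyes: the requester cannot approve their own change")
        req.approved_by = actor
        del self.pending[request_id]
        if req.action == "lower_retention":
            self.retention_days[req.target] = req.value
        else:
            # Soft delete: the data stays in the background, recoverable until the hold expires.
            self.held[req.target] = (self.retention_days.pop(req.target), self.clock() + self.hold)
        return req

    def is_recoverable(self, target: str) -> bool:
        return target in self.held and self.clock() < self.held[target][1]

    def undelete(self, target: str) -> None:
        if not self.is_recoverable(target):
            raise ApprovalError(f"{target} is not in the hold window")
        days, _ = self.held.pop(target)
        self.retention_days[target] = days

    def purge_expired(self) -> list:
        """Only now is held data actually gone; returns the purged targets."""
        now = self.clock()
        expired = sorted(t for t, (_, release) in self.held.items() if now >= release)
        for t in expired:
            del self.held[t]
        return expired


def rejected(fn, *args) -> bool:
    """True when the call is refused by the approval rules."""
    try:
        fn(*args)
    except ApprovalError:
        return True
    return False
```

Because the requester and the approver must be two distinct admin accounts, a single stolen credential can raise a destructive request but never complete it, and even a completed deletion leaves the data recoverable until `purge_expired` runs after the hold.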

As you can see, Rubrik ticks all of Gartner’s boxes and then some. This is why Rubrik ensures a very high level of backup data protection against ransomware attacks.

Automate recovery testing

Adding Rubrik’s next-gen backup offering to BPSOLUTIONS’ BART tool was an easy decision and an easy implementation thanks to Rubrik’s API-first design.

BART helps IT organizations with, among other things, ISO and organizational compliance by automating recovery tests and reporting restore results and real-world recovery-SLA compliance. Read more about BART at “Meet BART”.
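What an automated recovery test has to prove, as an added Python example that is not BART’s or Rubrik’s code: restore a snapshot to a scratch directory, verify every restored file on disk against the checksums recorded at backup time, and measure the restore against a recovery time objective. The in-memory backup store, the manifest layout and the sample files are constructed assumptions for the illustration.

```python
"""Automated recovery test: restore a snapshot into a scratch directory, verify
each file against the checksums recorded at backup time, and check the elapsed
time against the recovery time objective (RTO). Added illustration; the backup
store is an in-memory dict and the sample files are constructed."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_backup(files: dict) -> dict:
    """Simulated backup: keep the bytes plus a checksum manifest taken at backup time."""
    return {"objects": dict(files), "manifest": {p: sha256(b) for p, b in files.items()}}


def restore_and_verify(snapshot: dict, rto_seconds: float) -> dict:
    """Restore every object to a temporary directory and verify it from disk."""
    started = time.monotonic()
    target = Path(tempfile.mkdtemp(prefix="recovery-test-"))
    mismatched = []
    try:
        for rel_path, data in snapshot["objects"].items():
            out = target / rel_path
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(data)
        # Verify the restored copy on disk, not the bytes still in memory: a
        # missing or altered file is a failed recovery even if the store has it.
        for rel_path, expected in snapshot["manifest"].items():
            out = target / rel_path
            if not out.exists() or sha256(out.read_bytes()) != expected:
                mismatched.append(rel_path)
    finally:
        shutil.rmtree(target, ignore_errors=True)
    elapsed = time.monotonic() - started
    return {
        "files": len(snapshot["manifest"]),
        "mismatched": mismatched,
        "elapsed_seconds": round(elapsed, 3),
        "rto_seconds": rto_seconds,
        "within_rto": elapsed <= rto_seconds,
        "success": not mismatched and elapsed <= rto_seconds,
    }


# Constructed sample data standing in for a small protected object.
SAMPLE_FILES = {
    "docs/report.docx": b"quarterly numbers " * 50,
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n" * 20,
    "notes/readme.txt": b"constructed sample data for the recovery test\n",
}

if __name__ == "__main__":
    print(restore_and_verify(take_backup(SAMPLE_FILES), rto_seconds=30))
```

The report is what a compliance-oriented tool records per test run: file count, the list of files that did not verify, elapsed time and whether the run met the RTO. A snapshot that verifies but misses the RTO is reported as a failed test, which is the real-world SLA signal the section refers to.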

Interested in a Rubrik demo or a recovery Q&A? Contact me at

[1] Gartner, “Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware”, published at the start of 2021.
