Recovering From Ransomware Attacks Christophe Bertrand, VP, Product Marketing April 2018

Copyright © 2017 Arcserve. All rights reserved. Arcserve Profile Worldwide Customer Base & Sales Presence Industry Recognition 45,000 customers 7,500 partners Distributed in 150 countries WW HQ – Minneapolis, USA LATAM HQ – São Paulo, Brazil EMEA HQ – Barcelona APAC HQ – Singapore Japan HQ – Tokyo Sales offices in 20+ countries 3 VMworld Gold Awards 2 CRN Channel Chief Awards Channel Company Top Midmarket Executive MSPBJ Titan of Technology 4 Storage Awards Cloud Hosting DR Product of the Year Computer Singapore Readers’ Choice Award for Networked Storage 2 PC Pro Recommendations 3 IT Pro Recommendations DCS Storage Software Product of the Year CRN Woman of the Channel A single, fully-integrated solution portfolio to protect across cloud, virtual and physical environments. SOFTWARE APPLIANCES CLOUD (DRaaS) 2 Copyright © 2017 Arcserve. All rights reserved.

Copyright © 2017 Arcserve. All rights reserved. What is Ransomware? Ransomware is malware for data kidnapping in which the attacker encrypts the victim's data and demands payment for the decryption key. Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware malware program may also be called a cryptovirus, cryptotrojan or cryptoworm. The net result: no data access, sometimes data loss… The Alternative: Pay up or Ignore (but now you need to restore your systems/data) Copyright © 2017 Arcserve. All rights reserved.

Ransomware in Backup and SLA terms Recovery point objectives Recovery time objectives Copyright © 2017 Arcserve. All rights reserved.

Mitigating The Risk of Ransomware: Example 1 Multi-site medical center for senior citizens, with a mental health agency Client initiated incident response at 8:30am Identified culprit remotely and method of attack Phishing email with a Word attachment and a macro By 11:30am: back at steady state Able to identify what data access had been granted and what had been compromised by network shares File-level recovery from Arcserve directly into those folders Removed all infected data Back up-and-running in 3 hours Zero data loss

Mitigating The Risk of Ransomware: Example 2 Mechanical organization (plumbing and HVAC) Infected at 10:30am Identified what data access had been granted Performed file-level recovery right back into those folders Back up at 2pm Recovery time included wiping the PC Very little data loss A couple of files that had not yet been backed up

Mitigating The Risk of Ransomware: Example 3 Mid-sized medical clinic Combination of tampered admin account and cryptolocker Re-populated their backup stores and brought everything back online by restoring those virtual machines Phished by an email which allowed access to the network Seeded that back into the environment in person Maliciously held data for ransom by installing a cryptowall variant Servers were lost: Full BMR Deleted: application, Local backup copy Recovery time: It was a network share….Wasn’t hidden - too exposed!!!! Back up-and-running in 36 hours, Steady state at 48 hours Attack happened early in the morning No data loss Recovered copies from data center to removable storage Loss of time and productivity: 2 business days Brought virtual servers back online in their hypervisor

Arcserve UDP Platform Newest Addition to the UDP portfolio Copyright © 2017 Arcserve. All rights reserved.

Arcserve’s Backup and Recovery Solution: UDP Copyright © 2017 Arcserve. All rights reserved.

Arcserve UDP Cloud Direct ENTERPRISE GRADE AND EASY TO USE BACKUP AS A SERVICE (BAAS) DISASTER RECOVERY AS A SERVICE (DRAAS) Automated backups transfer data safely offsite Easy set up in a few clicks from a single web based console Web-based console recovery data to/from anywhere Easy set up Push-button recovery RTO ~5 minutes Automated DR testing Copyright © 2017 Arcserve. All rights reserved.

Protect the Source Machine Best Practices Protect the Source Machine Take precautions to prevent infection in the first place, such as training users to not click on links within emails, downloading attachments from unknown sources and updating software on a timely basis. Perform regular backups, which may include rethinking your service level agreements to ensure critical business data is backed up more frequently. Follow the 3-2-1 strategy for backup: one of the copies should be offline, and at least one of the copies should be offsite. Make sure your chosen backup solution includes virtual standby for critical systems so that you can get back on your feet very quickly. Copyright © 2017 Arcserve. All rights reserved.

More Examples– A Publishing Business….Somewhere 1 2 3 4 Customer X supports a few hundred users at this publishing business The corruption came in as an attachment titled Photos.zip with a spoofed email address – who doesn’t have “click-happy” end-users? Photos.zip was the infected file sent via email. It was a “bart” type virus Customer X does a 7AM snapshot of his environment and keeps a near line copy of the Recovery Points as a precaution. Best backup practices paid off!! Result Using Arcserve was key to his ability to thwart the attack and recover the affected systems and their data It took him 28 hours to determine the source, repair and reverse the damage but there was no publicly visible indication that an attack had taken place His ability to contain the attack and mitigate the damage earned him a letter of praise from his CEO Copyright © 2017 Arcserve. All rights reserved.

More Examples: Medical/Healthcare…Somewhere Else.. 1 2 3 4 Customer was hit with multiple successive attacks, a common recent occurrence in their industry Avoiding operational impacts (regardless of the interruption cause) is a fundamental SLA which has a direct impact on communities and individuals In addition, avoiding negative publicity is very critical to this line of business In this customer’s case, the 5th Ransomware attack was particularly aggressive and took over local admin accounts on workstations and servers and encrypted files dozens of servers. Having a Bad day? Result Customer was able to recover all the servers with Arcserve UDP  Without Arcserve backups, they would be paying many $1000’s to recover, In this customer’s experience, their attacks seem to be more focused on “traditional” types of flat files – PDFs DOCs XLSs, etc.  Copyright © 2017 Arcserve. All rights reserved.

Protect the Protector: The Backup Data Best Practices Protect the Protector: The Backup Data Replicate data to offsite / cloud If your backup server gets infected or if your backup data is on a shared network share that is accessible from an infected machine, ransomware can encrypt backup data as well. It sounds obvious, but it’s important to remember! Periodically, copy recovery points to offline media, such as USB disks. Consider leveraging tape as a backup medium for critical data (yes tape!). This oldie but goodie comes in handy to send periodic recovery points offline. Copyright © 2017 Arcserve. All rights reserved.