Recovering From Ransomware

In the event of a ransomware attack, Panzura’s modern approach to unstructured data management ensures you have pristine data available to restore from, in a minimal amount of time and with minimal data loss.

Panzura makes data impervious to ransomware by storing it in an immutable form (Write Once, Read Many) and further protecting it with read-only snapshots.  

If ransomware bypasses your first line of defense, here are the steps you need to take to recover.

1 - Slow the Spread

As soon as possible, disable the CIFS license on every Panzura node, through your Panzura management dashboard.  

This setting is found in Configuration > License Manager > Installed License Modules. Select the CIFS license and click the DEACTIVATE button that appears at lower right.  

This prevents further infected files from being written to Panzura nodes and then synced with your cloud store.

2 - Stop the Attack 

Run your installed antivirus software, or anti-spyware, to find and corral the infection, as well as identify the ransomware variant. If you’re able to identify the source of the attack – an infected laptop, for example – disconnect it from your network.

3 - Use Data Services to Identify Affected Files

Depending on the ransomware variant, this could be as straightforward as searching for a file extension that has been added to files. Use File Audit to review the audit log for affected files and determine the attack timeline, then search for relevant file operations within the attack time frame.

4 - Contact Panzura Global Services

We’re available 24/7/365 to help with your recovery. We’ll confirm the outcomes of the actions you’ve taken to date, and assist with file and timeframe identification if required. It’s vital that we confirm the attack has been stopped before beginning restoration, to prevent restored files from becoming reinfected.

Here's how to contact us.

5 - Begin Restoration 

Once the affected files have been identified, the timeframe has been established, and the snapshot to restore from has been determined, file restoration can begin.

If there are fewer than 50 affected files in total, you’re able to do this yourself by following these steps.

If more than 50 files have been affected, the Panzura support team will perform bulk file restoration for you.

Files restored for you will be restored to a new directory, which we will ask you to create. This allows your team to then finish by restoring files to their original locations, overwriting the infected files with clean ones.

During this restoration, user snapshots will be disabled. This ensures that you retain clean snapshots according to your snapshot retention policy. User snapshots will be re-enabled as soon as restoration completion is confirmed.

The Panzura file restoration process involves moving lightweight metadata, rather than full file data, so it takes a fraction of the time of restoring from a backup.

That means the bulk of the total recovery time is often taken up by identifying affected files and the attack time frame, taking great care to ensure you’re truly restoring uninfected files.
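The triage described in steps 3 and 5 can be scripted once the audit log has been exported. The following is an added example, not Panzura code: it finds files renamed to the ransomware extension, derives the attack window and the time a clean snapshot must predate, lists other operations inside the window, and checks the 50-file self-service threshold. The CSV column layout, the `.lockd` extension and the `triage` function are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. The column layout is an assumption for this example,
# not the product's File Audit format; ".lockd" is a made-up extension.
SAMPLE_AUDIT_CSV = """timestamp,user,operation,path,new_path
2024-03-04T08:55:10,alice,write,/proj/plan.docx,
2024-03-04T09:12:01,bob,rename,/proj/plan.docx,/proj/plan.docx.lockd
2024-03-04T09:12:03,bob,rename,/proj/budget.xlsx,/proj/budget.xlsx.lockd
2024-03-04T09:12:07,bob,write,/proj/READ_ME.txt,
2024-03-04T09:13:40,bob,rename,/hr/roster.csv,/hr/roster.csv.lockd
2024-03-04T10:30:00,carol,write,/hr/notes.txt,
"""

SELF_SERVICE_LIMIT = 50  # page: fewer than 50 files can be self-restored


def triage(audit_csv, bad_ext, margin=timedelta(minutes=5)):
    """Summarise an audit export for restore planning; None if nothing matches."""
    rows = list(csv.DictReader(io.StringIO(audit_csv)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    rows.sort(key=lambda r: r["ts"])

    def is_hit(r):
        return r["operation"] == "rename" and r["new_path"].lower().endswith(bad_ext.lower())

    # Key by original path so a file touched twice is counted once (earliest hit wins).
    affected = {}
    for r in filter(is_hit, rows):
        affected.setdefault(r["path"], r["ts"])
    if not affected:
        return None
    first, last = min(affected.values()), max(affected.values())
    lo, hi = first - margin, last + margin
    # Other operations in the window (ransom notes, extra writes) deserve manual review.
    related = [r for r in rows if lo <= r["ts"] <= hi and not is_hit(r)]
    return {
        "affected": sorted(affected),
        "restore_before": first,  # pick a snapshot taken earlier than this
        "window": (lo, hi),
        "related": [(r["timestamp"], r["user"], r["operation"], r["path"]) for r in related],
        "self_service": len(affected) < SELF_SERVICE_LIMIT,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_AUDIT_CSV, ".lockd"))
```

The page does not say what happens at exactly 50 files, so the example treats that case as needing bulk restoration.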