By Christoper Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise company. Zerto won the ‘Best Cloud DR / Business Continuity Solution’ category at the 2023/24 Cloud Awards.
When it comes to physical theft, an alarm system is a handy deterrent. Any would-be thief knows that if they try to break into a store at night, the alarm will go off.
Ransomware gangs have it easier. According to Mandiant Inc., a Google Cloud firm, it takes most organizations seven full days to detect a ransomware attack. Encrypting a typical data set, by contrast, takes the attacker as little as an hour.
Which is to say that by the time most organizations notice they’ve been breached, the damage has already been done.
The result is that organizations are perpetually operating a step behind their attackers, and that has serious consequences when critical applications have to be rebuilt from backups, assuming those backups were not themselves compromised during the attack.
It is for this reason that a consensus has formed around the need to detect encryption as it happens, rather than days after the fact. The need for solutions that shrink both the recovery point objective (RPO, how much data an organization can afford to lose) and the recovery time objective (RTO, how long it can afford to be down) has never been clearer.
The scale of the threat
It is difficult to overstate just how dire the ransomware problem has become in recent years. Ransomware has always been a concern, but since the pandemic especially it has metastasized into the single biggest cybersecurity threat facing businesses today. Virtually no one has been untouched by this scourge: according to Statista, over 72% of businesses were affected by ransomware in 2023.
Just a few minutes of downtime can negatively impact a business's functioning, and a ransomware attack can cripple an organization for hours, days, or even weeks, with the average time to get back up and running totaling 22 days. This is unacceptable for any business, and particularly so for businesses in heavily regulated industries, which risk serious fines or worse for non-compliance.
Worse yet, the threat keeps evolving, so no operating system or hypervisor can be assumed safe. In 2022, Black Basta and Cheerscrypt both targeted virtual machines, with the former specifically aiming for Linux hosts.

Why the old approach no longer works
The traditional approach to this problem has been to run advanced detection tools against a secondary copy of data taken from the production environment. This method has distinct disadvantages, starting with lengthy detection delays. Because the copy is a point-in-time snapshot, it also cannot show precisely when an attack began modifying critical files, only that they had been modified by the time the copy was taken, which delays detection further.
Further complicating matters, backup copies may be taken only once or twice a day, and scanning the volumes of data involved can take hours. In the event of a ransomware attack, this laborious scanning inevitably takes place while the malicious code is still spreading through the environment.
From there, IT teams face the unenviable, resource-intensive task of pinpointing the last known-clean recovery point from which to clean and restore the environment, and of accepting whatever RPO and RTO that point delivers. Tally up each step of this lengthy process and organizations are looking at a recovery time that can stretch to days or weeks.
Only if encryption is detected early, that is, in real time while it is happening, can organizations hope to avoid these headaches and meaningfully reduce RTO and RPO.

Real-time detection changes the game
Luckily, defensive capabilities have caught up with the ransomware threat in recent years. Today's agentless, real-time ransomware detection solutions watch data as it is written and automatically flag encryption activity that crosses a behavioral threshold, alerting organizations within seconds instead of long after the fact.
What this allows organizations to do is, in effect, turn back time. Tagged recovery checkpoints let them identify and verify the moment an attack began and roll their systems back to a checkpoint taken seconds before it.
The benefits of this approach are manifold. The sooner encryption is detected, the smaller the blast radius of an attack, which minimizes data loss and everything that follows from it (from loss of customer trust to regulatory action). At the same time, the granular reporting these solutions provide lets organizations get their systems up and running again in minutes instead of days.
What we are discussing here is the difference between proactive and retroactive detection: catching a burglar in the act rather than wading through the wreckage days later. Deploying detection on periodic backups is retroactive. Real-time, continuous detection at the point at which data is written is proactive. And only proactive solutions will suffice in today's cybersecurity environment.
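To make the contrast between the two sections above concrete, here is an added example (not Zerto's code, nor any vendor's) that simulates both approaches on a constructed write stream: scanning periodic backup copies after the fact versus watching the write path in real time, flagging a burst of high-entropy writes once it crosses a behavioral threshold, and tagging the last clean checkpoint to roll back to. All constants are illustrative assumptions: a 7 bits/byte entropy threshold, a 20-write window with an 80% trigger, checkpoints every 5 seconds, an hourly backup copy and a 30-minute scan.

```python
"""Toy comparison of after-the-fact backup scanning versus real-time write-path detection."""
import math
import random
from collections import Counter, deque

HIGH_ENTROPY_BITS = 7.0       # assumed: encrypted or compressed data approaches 8 bits/byte
WINDOW = 20                   # assumed: recent writes the real-time detector keeps in view
ALERT_FRACTION = 0.8          # assumed: share of high-entropy writes in WINDOW that alerts
CHECKPOINT_EVERY_S = 5        # assumed checkpoint granularity of a continuous journal
SNAPSHOT_EVERY_S = 3600       # assumed (generous) interval between backup copies
SCAN_DURATION_S = 1800        # assumed time to scan one backup copy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution in `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_workload(seed=1, benign_writes=300, attack_start_s=5400, attack_writes=200):
    """Constructed write stream of (time_s, file_id, payload) over 50 files.
    Benign text records are spread evenly over [0, attack_start_s); every 30th one is a
    user's own encrypted blob, so a lone high-entropy write must not trip the detector.
    From attack_start_s the attacker overwrites one file per second with random bytes."""
    rng = random.Random(seed)
    step = attack_start_s / benign_writes
    events = []
    for i in range(benign_writes):
        if i % 30 == 0:
            payload = rng.randbytes(4096)
        else:
            payload = (f"order={rng.randint(1, 99999)};status={rng.choice(['new', 'paid'])};"
                       .encode() + b"lorem ipsum dolor sit amet " * 150)
        events.append((i * step, i % 50, payload))
    for j in range(attack_writes):
        events.append((attack_start_s + j, j % 50, rng.randbytes(4096)))
    return events


class RealTimeDetector:
    """Alerts on a burst of high-entropy writes and tags the checkpoint to roll back to."""

    def __init__(self):
        self.window = deque(maxlen=WINDOW)

    def observe(self, t, payload):
        self.window.append((t, shannon_entropy(payload) >= HIGH_ENTROPY_BITS))
        if len(self.window) < WINDOW:
            return None
        if sum(high for _, high in self.window) / WINDOW < ALERT_FRACTION:
            return None
        first_bad = next(ts for ts, high in self.window if high)   # earliest suspicious write in view
        # A checkpoint at time T captures writes with t < T; choose the last one before first_bad.
        rollback_to = (math.ceil(first_bad / CHECKPOINT_EVERY_S) - 1) * CHECKPOINT_EVERY_S
        return {"detected_at": t, "rollback_to": rollback_to}


def run_realtime(events):
    det = RealTimeDetector()
    for t, _, payload in events:
        alert = det.observe(t, payload)
        if alert:
            return alert
    return None


def run_periodic(events):
    """Old approach: copy the volume every SNAPSHOT_EVERY_S, then scan the copy."""
    volume, snapshots, next_snap = {}, [], 0.0
    for t, file_id, payload in events:
        while next_snap <= t:                       # a copy at time T sees writes with t < T
            snapshots.append((next_snap, dict(volume)))
            next_snap += SNAPSHOT_EVERY_S
        volume[file_id] = payload
    snapshots.append((next_snap, dict(volume)))     # first copy taken after the last write
    prev = None
    for snap_t, files in snapshots:
        if files:
            frac = sum(shannon_entropy(p) >= HIGH_ENTROPY_BITS for p in files.values()) / len(files)
            if frac >= ALERT_FRACTION:
                return {"detected_at": snap_t + SCAN_DURATION_S, "rollback_to": prev}
        prev = snap_t
    return None


def benign_writes_lost(events, rollback_to, attack_start_s):
    """Benign writes made at or after the rollback point, i.e. data the recovery discards."""
    return sum(1 for t, _, _ in events if rollback_to <= t < attack_start_s)


def compare(seed=1, attack_start_s=5400):
    events = make_workload(seed=seed, attack_start_s=attack_start_s)
    report = {}
    for name, result in (("realtime", run_realtime(events)), ("periodic", run_periodic(events))):
        report[name] = {
            "detection_latency_s": result["detected_at"] - attack_start_s,
            "rollback_to": result["rollback_to"],
            "benign_writes_lost": benign_writes_lost(events, result["rollback_to"], attack_start_s),
        }
    return report


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, r)
```

On this workload the write-path detector fires 15 seconds into the attack and tags a checkpoint 5 seconds before the first malicious write, losing no benign data, while the backup-scanning path only notices at the next hourly copy plus scan time and has to fall back to the previous copy, discarding an hour's worth of legitimate writes. The caveat a practitioner should keep in mind is that entropy alone cannot tell ransomware from a user's legitimately encrypted or compressed files; that is why the trigger is a sustained fraction of high-entropy writes over a window rather than a single write, and why thresholds need tuning against the workload's normal baseline.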
