# Workflows - Ransomware Backup Strategy ## Workflow 1: Initial Backup Architecture Design ``` Start | v [Inventory all systems and data] --> Classify into Tier 1/2/3 by business impact | v [Define RPO/RTO per tier] --> Document in recovery plan | v [Select backup platform] --> Veeam / Rubrik / Commvault / Cohesity | v [Design 3-2-1-1-0 architecture] |-- Copy 1: Local repository (fast restore) |-- Copy 2: Secondary site/cloud (different media) |-- Copy 3: Offsite (geographic separation) |-- +1: Immutable or air-gapped copy |-- +0: Automated restore verification | v [Isolate backup credentials] |-- Remove from production AD |-- Deploy MFA for backup admin access |-- Segment backup network | v [Configure immutable storage] |-- Linux Hardened Repository (XFS immutability) |-- S3 Object Lock / Azure Immutable Blob |-- Tape air-gap rotation | v [Set backup schedules per tier] | v [Configure automated restore testing] |-- SureBackup / SureReplica |-- Verify boot, network, application health | v [Document recovery runbook] | v End ``` ## Workflow 2: Restore Verification Process ``` Start (Scheduled - Weekly for Tier 1, Monthly for Tier 2) | v [SureBackup job triggers VM restore to isolated sandbox] | v [VM boots in isolated network segment] | v [Heartbeat check] -- Fail --> Alert backup team | Pass | v [Network ping check] -- Fail --> Alert backup team | Pass | v [Application-specific check] |-- AD: LDAP query test |-- SQL: Database consistency check |-- Web: HTTP 200 response |-- Email: SMTP handshake | Fail --> Alert backup team with diagnostic details | Pass | v [Log successful restore] --> Update compliance dashboard | v [Clean up sandbox VMs] | v End ``` ## Workflow 3: Emergency Ransomware Recovery ``` Ransomware Incident Declared | v [Isolate affected systems from network] | v [Verify backup integrity] |-- Check immutable copies are unaffected |-- Validate backup timestamps predate infection |-- Scan backup files for ransomware artifacts | v [Determine recovery scope] |-- Full environment rebuild vs. selective restore |-- Prioritize by tier: AD/DNS first, then Tier 1, then Tier 2/3 | v [Rebuild infrastructure in clean environment] |-- Deploy clean OS images |-- Restore AD from immutable backup |-- Validate AD integrity with ADRestore/DSInternals | v [Restore applications in dependency order] |-- Database servers before application servers |-- Internal services before external-facing | v [Validate restored systems] |-- Application functionality testing |-- Data integrity verification |-- Security control validation | v [Reconnect to network in phases] |-- Monitor for re-infection indicators |-- Validate no persistence mechanisms in restored systems | v [Post-recovery documentation and lessons learned] | v End ``` ## Workflow 4: Backup Health Monitoring ``` Daily Automated Check | v [Query backup job status via API/PowerShell] | v [Check for failed or warning jobs] |-- Failed --> Create P1 ticket, alert backup team |-- Warning --> Create P3 ticket, investigate within 24hr |-- Success --> Log and continue | v [Verify backup repository capacity] |-- >85% utilization --> Alert for capacity planning |-- >95% utilization --> Critical alert, backup jobs at risk | v [Check immutable copy synchronization] |-- Verify last immutable copy is within RPO window |-- Alert if immutable copy is stale | v [Generate weekly backup health report] |-- Success rate percentage |-- Data protected volume |-- Restore test results |-- Capacity forecast | v End ```