In this article

Rapid increases in ransomware attacks are forcing enterprises to explore immutable data recovery technologies, integrated cross-team response plans and additional isolated architectures. 

In partnership with Rubrik, our experts have designed a recovery range solution that allows companies to practice responding to specific real-world scenarios in a complex and controlled environment. In addition to having the capabilities to evaluate advanced technologies and integrate solutions to aid an effective cyber defense strategy, we can also support the following use cases. 

Determining the scale of the ransomware attack


In the aftermath of a ransomware attack, your insurance company, board, chief risk officer (CRO) and chief information security officer (CISO) will all immediately want to know: What was the scale of the attack, and was sensitive data impacted? 


Gone are the days of comparing thousands of spreadsheets to try and build a view of the blast radius. A critical component of the recovery range design criteria is to optimize artificial intelligence (AI)/machine learning (ML) enriched toolsets so customers can quickly visualize the scale of the attack. Within minutes of backup completion, the recovery range can identify all data encrypted by the attack and correlate it against up to 60 preset regulated data patterns, giving companies an immediate picture of their exfiltration risk posture.

Simplifying building recovery playbooks that integrate with security operations (SecOps) 


During a ransomware attack, your SecOps team and business continuity, disaster recovery and data center teams have very different missions. One is tasked with discovering the root-cause analysis, while the others are responsible for recovering business operations in order to meet compliance-driven service-level agreements (SLAs). 

Once leadership gives the green light to begin data restoration, your application recovery sequence has to be foolproof — reinfection is not an option.


WWT's recovery range was engineered to be API-first in order to optimize cross-team collaboration before, during and after a ransomware event. This integrated approach gives your teams runway to build a recovery playbook that incorporates SecOps security information and event management/security orchestration, automation and response (SIEM/SOAR) tools with data recovery tools. 

More importantly, the recovery range utilizes a YARA-based rules engine that uncovers threats hidden in your backup data, which is then used to calculate the most current non-impacted recovery points (RPO). This additional layer of analysis prevents ransomware reinfection and eliminates the need to repeat time consuming restores that can negatively affect your recovery times (RTOs).

Supporting a recovery plan with data vault after a ransomware attack 


If your company is in one of the 16 critical infrastructure segments, you know a ransomware recovery involves a lot of oversight from law enforcement agencies. 

Meeting your industry regulated RPOs and RTOs may require a physically isolated clean room with firewalls, segmented networks, hosts, storage, and replicated and backup data on standby for recovery in the event of an attack.


The recovery range has both logically and physically isolated architectures that can help your team build muscle memory around multiple recovery vectors. The environment is pre-built with standard ML (SML) SQL, Oracle and unstructured data sets. Additionally, the applications are hosted on a variety of virtualized and physical hosts to approximate production scenarios that replicate a set of complementary clean room assets. This is the only place enterprises can go to practice their Blue Team's ransomware recovery responsibilities in a physically isolated environment.

Strengthen and harden your enterprise's ransomware recovery

Give your enterprise the confidence to test, practice and deploy these new ransomware mitigating capabilities in WWT's Advanced Technology Center (ATC)

Interested in learning more about how to accelerate your RTOs after a ransomware attack?