US2025061199A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2025061199-A1 |
| Application number | US-202318452231-A |
| Country | US |
| Kind code | A1 |
| Filing date | Aug 18, 2023 |
| Priority date | Aug 18, 2023 |
| Publication date | Feb 20, 2025 |
| Grant date | — |
Official abstract text for this publication.
Aspects of the disclosure accelerate recovery using a combination of local and remote backups. A backup selector identifies a latest unencrypted remote backup (e.g., created prior to an encrypted backup), a latest unencrypted local backup created prior to the latest unencrypted remote backup, and a penultimate unencrypted remote backup created prior to the latest unencrypted local backup. A restoration manager restores a local computing asset to the state of the latest unencrypted local backup. In a disaster recovery (DR) environment, two differences are generated: one between the latest unencrypted remote backup and the penultimate unencrypted remote backup and another between a newly-generated failback backup and the latest unencrypted remote backup. The two differences are sent to the restoration manager to roll the state of the local computing asset forward in two stages. This approach is faster and reduces egress charges in cloud-based DR environments.
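The selection order in the abstract can be sketched as follows. This is an added example, not code from the patent or its applicant. The names `Backup`, `select_backups` and `restore_plan` are hypothetical. It assumes each backup already carries a sequence number and an `encrypted` flag from some upstream detector, and it reads "prior to an encrypted backup" as prior to the earliest encrypted backup.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Backup:
    seq: int         # sequencing identification (here: a sequence number)
    location: str    # "local" or "remote"
    encrypted: bool  # assumed to be set by an upstream detector

def _latest_clean(backups, location, before_seq):
    """Newest unencrypted backup at `location` with seq < before_seq."""
    hits = [b for b in backups
            if b.location == location and not b.encrypted and b.seq < before_seq]
    if not hits:
        raise LookupError(f"no unencrypted {location} backup before seq {before_seq}")
    return max(hits, key=lambda b: b.seq)

def select_backups(backups):
    """Return (latest_remote, latest_local, penultimate_remote)."""
    bad = [b.seq for b in backups if b.encrypted]
    if not bad:
        raise ValueError("no encrypted backup in the sequence")
    # Anything at or after the earliest encrypted backup is untrusted, even if
    # a later backup is not flagged as encrypted.
    latest_remote = _latest_clean(backups, "remote", min(bad))
    latest_local = _latest_clean(backups, "local", latest_remote.seq)
    penultimate_remote = _latest_clean(backups, "remote", latest_local.seq)
    return latest_remote, latest_local, penultimate_remote

def restore_plan(backups):
    """Ordered steps: one local restore, then two differences over the network."""
    remote, local, penultimate = select_backups(backups)
    return [
        ("restore_local", local.seq),
        ("apply_diff", penultimate.seq, remote.seq),   # first difference
        ("apply_diff", remote.seq, "failback"),        # second difference
    ]

# Constructed sample sequence: the attack encrypts backups from seq 6 onward.
SAMPLE = [
    Backup(1, "remote", False), Backup(2, "local", False),
    Backup(3, "remote", False), Backup(4, "local", False),
    Backup(5, "remote", False), Backup(6, "local", True),
    Backup(7, "remote", True),  Backup(8, "local", False),
]

if __name__ == "__main__":
    for step in restore_plan(SAMPLE):
        print(step)
```

The local backup at seq 8 is skipped even though it is not flagged, because it follows the first encrypted backup in the sequence.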
Opening claim text (preview).
What is claimed is:

1. A computerized method comprising: identifying a latest unencrypted remote backup, the latest unencrypted remote backup being a remote backup appearing prior to an encrypted backup in a sequence of backups; identifying a latest unencrypted local backup, the latest unencrypted local backup being a local backup having been created prior to the latest unencrypted remote backup; identifying a penultimate unencrypted remote backup, the penultimate unencrypted remote backup being a remote backup having been created prior to the latest unencrypted local backup; restoring, in a first computing environment, a local computing asset to a state of the latest unencrypted local backup, wherein the latest unencrypted local backup is stored locally to the first computing environment, and wherein the latest unencrypted remote backup and the penultimate unencrypted remote backup are stored in a second computing environment across an external computer network from the first computing environment; receiving a first difference between the latest unencrypted remote backup and the penultimate unencrypted remote backup; further restoring the local computing asset with the first difference; receiving a second difference between a failback backup and the latest unencrypted remote backup; and further restoring the local computing asset with the second difference.

2. The computerized method of claim 1, further comprising: generating the first difference; transmitting the first difference to the first computing environment; generating the failback backup; generating the second difference; and transmitting the second difference.

3. The computerized method of claim 2, wherein generating the failback backup comprises removing malicious logic.

4. The computerized method of claim 1, wherein the local computing asset comprises a virtual machine (VM).

5. The computerized method of claim 1, wherein identifying the latest unencrypted remote backup, identifying the latest unencrypted local backup, or identifying the penultimate unencrypted remote backup comprises using at least one sequencing identification selected from the list consisting of: a timestamp, a sequence number, and an annotation identifying a prior backup.

6. The computerized method of claim 1, further comprising: detecting a cyber attack, wherein identifying the latest unencrypted remote backup comprises identifying the latest unencrypted remote backup based on at least detecting the cyber attack, and wherein the encrypted backup manifests effects of the cyber attack; based on at least detecting the cyber attack, ceasing operations of the local computing asset; and after restoring the local computing asset with the second difference, resuming operations of the local computing asset.

7. The computerized method of claim 6, wherein the cyber attack comprises a ransomware attack, wherein the cyber attack encrypts at least a portion of the local computing asset, and wherein the encrypted backup is encrypted by ransomware.

8. A system comprising: a backup selector identifying a latest unencrypted remote backup, the latest unencrypted remote backup being a remote backup appearing prior to an encrypted backup in a sequence of backups; the backup selector identifying a latest unencrypted local backup, the latest unencrypted local backup being a local backup having been created prior to the latest unencrypted remote backup; the backup selector identifying a penultimate unencrypted remote backup, the penultimate unencrypted remote backup being a remote backup having been created prior to the latest unencrypted local backup; a restoration manager restoring, in a first computing environment, a local computing asset to a state of the latest unencrypted local backup, wherein the latest unencrypted local backup is stored locally to the first computing environment, and wherein the latest unencrypted remote backup and the penultimate unencrypted remote backup are stored in a second computing environment across an external computer network from the first computing environment; the restoration manager receiving a first difference between the latest unencrypted remote backup and the penultimate unencrypted remote backup; the restoration manager further restoring the local computing asset with the first difference; the restoration manager receiving a second difference between a failback backup and the latest unencrypted remote backup; and the restoration manager further restoring the local computing asset with the second difference.

9. The system of claim 8, further comprising: a differencer generating the first difference; a recovery environment transmitting the first difference to the first computing environment; the differencer generating the second; and the recovery environment transmitting the second difference to the first computing environment.

10. The system of claim 9, wherein the recovery environment removes malicious logic.

11. The system of claim 8, wherein the local computing asset comprises a virtual machine (VM).

12. The system of claim 8, wherein the backup selector identifies the latest unencrypted remote backup, identifies the latest unencrypted local backup, or identifies the penultimate unencrypted remote backup using at least one sequencing identification selected from the list consisting of: a timestamp, a sequence number, and an annotation identifying a prior backup.

13. The system of claim 8, further comprising: a security manager detecting a cyber attack, wherein identifying the latest unencrypted remote backup comprises identifying the latest unencrypted remote backup based on at least detecting the cyber attack, and wherein the encrypted backup manifests effects of the cyber attack; the security manager ceasing operations of the local computing asset based on at least detecting the cyber attack; and the security manager permitting operations of the local computing asset to resume after the local computing asset has been restored with the second difference.

14. The system of claim 13, wherein the cyber attack comprises a ransomware attack, wherein the cyber attack encrypts at least a portion of the local computing asset, and wherein the encrypted backup is encrypted by ransomware.

15. One or more computer storage media having computer-executable instructions that, upon execution by a processor, cause the processor to at least: identify a latest unencrypted remote backup as a remote backup appearing prior to an encrypted backup in a sequence of backups; identify a latest unencrypted local backup as a local backup having been created prior to the latest unencrypted remote backup; identify a penultimate unencrypted remote backup as a remote backup having been created prior to the latest unencrypted local backup; restore, in a first computing environment, a local computing asset to a state of the latest unencrypted local backup, wherein the latest unencrypted local backup is stored locally to the first computing environment, and wherein the latest unencrypted remote backup and the penultimate unencrypted remote backup are stored in a second computing environment across an external computer network from the first computing environment; receive a first difference between the latest unencrypted remote backup and the penultimate unencrypted remote backup; further restore the local computing asset with the first difference; receive a second difference between a failback backup and the latest unencrypted remote backup; and further restore the local computing ass
Using snapshots, i.e. a logical point-in-time copy of the data · CPC title
Virtual · CPC title
Backup restoration techniques · CPC title
for networked environments · CPC title
by selection of backup contents · CPC title