Respond to ransomware in three steps: secure, assess, recover
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Your help desk email and phones start lighting up. Your CIO is in your office looking stressed and staring at you. Quickly, you learn your company is the latest target of a ransomware attack.
Logically, you shouldn’t be in this position. The latest detection software and data protection tactics are commonplace at your organization, intending to keep you out of this mess. Also, you have followed all best practices to ensure maximum data availability, so it’s likely your backups and disaster recovery sites were impacted as well. At this point, all that matters is that your data has been kidnapped, and you need to restore operations as soon as possible.
It’s tempting to consider paying the ransom and moving on. You likely don’t want to reward the criminals who put you in this position, but you want to get back to normal. However, when ransomware strikes, it puts your data through a blender – files will be moved, deleted and renamed, or outfitted with new ransom notes in pop-up windows. Paying to unlock that information will still leave collateral damage throughout your environment, and paying also doesn’t guarantee that you’ll even get the data back.
Although there are plenty of solutions to help your team discover and stop ransomware, as you just experienced, none of them are fail-proof and none of them help you recover the data. An easy explanation is that this is a backup/recovery problem, but you know it’s more complex. Putting things back together will be like assembling a puzzle when you don’t have the picture on the box showing what things should look like at the end. However, the most complex restore scenario is recovering your production data that likely is living in virtual machines (VMs). The recovery plan for other types data is similar but likely less complex.
The below recovery plan assembles the recovery puzzle, framed by three phases nearly every organization goes through as they address malware and ransomware attacks:
Phase No. 1: Secure the crime scene
Following a ransomware attack, the crime scene is your data. Begin by taking a read-only snapshot of your VMs – a VMware or storage snapshot backup – to protect what’s left of your data in the wake of your attack. This way, if your recovery plans go badly, you can get back to where you started and try again.
Your temptation will be rollback to an older snapshot or backup. For the record, rolling back to a snapshot is, in ways, sanctioning data loss. You also don’t know if these are infected as well. Depending how advanced your planning was, you may have no other option than to roll the dice and pick a recovery point and move forward.
If you implemented a solution that will automatically shut down a user if ransomware occurs, you are ahead of the game as you should know who caused the issue and have automatically stopped them. If you have found a few of the files that have been encrypted by ransomware, see who the last modifier was. You could find this from audit logs if you don’t have other solutions in place. The goal is to make sure you stop additional damage from occurring.
Phase No. 2: Make an assessment of what happened
Often, facing news of a malware attack, an organization’s first impulse is to jump into action. However, give your team the time necessary to assess the damage and build an optimal repair plan. Learning the “who, what, where, and when” about a ransomware issue will expedite recovery in the long run, especially if site-specific needs and use cases are concerned.
This may seem like a simple assessment but, unfortunately, it does not always get considered and it should. Some questions that can help guide your investigative process include:
1. Was damage confined to a single user, directory, or area?
2. If it was widespread, how extensive was the reach?
3. Were any system changes that took place during the attack unrelated to the malware?
4. If files were renamed, deleted or created, what’s our process for cleaning them up and piecing information back together?
Phase No. 3: Clean up collateral damage
By the time you’re ready to attempt a full recovery from ransomware, the way you’ve handled the incident thus far will guide your next steps. If you decided to pay the ransom, you’ll still need to assess your system, clean up any remnants of the attack, and make your IT environment seem as if the attack never took place.
You also need to figure out which backups have the ransomware and perhaps purge them, or at least create a backup of the backup with the infected data removed. Additionally, you’ll need to sort through how to make the disaster recovery site whole. But these are likely read-only, so you can’t just use the key you bought to decrypt data.
If paying the ransom didn’t return your data, or you decided to forgo payment, you can understand the extent of the attack’s reach by monitoring user activity and live data between snapshots, and begin there.
If the damage was contained to a single user and set of folders, you can begin deleting the affected files and restoring them from a snapshot or backup. If your damage was widespread and the backup isn’t current enough to restore operations, you can use the different versions of backed-up systems to pinpoint when the issue began, export lists of affected and preserved files, and manually fill in the blanks that your recent snapshot or backup can’t cover.
A way to track both user and file activity can assist in restoring only those files that were impacted. This functionality can detect likely ransomware and create recovery points (backup or snapshot) when they detect it has been triggered. Putting tools like this in place can significantly reduce the impact in terms of data loss and improve the speed at which you can recover. Your stress level will also be reduced as you’ll be in control to make smart choices on the restore.
There’s no easy button for ransomware recovery. That’s one reason it continues to grow in popularity among attackers. However, if you’re prepared in advance with a ransomware response plan, you’ll be ready to spring into action and restore your system’s operations following an attack – without shelling out payment to your data kidnappers.
Long is a 30-year startup veteran and expert on enterprise data management, protection and storage with an undisputed track record shaking up an entire industry. She is co-founder and CEO of DataGravity, a leader in data security focused on data protection in virtual environments.