[BreachExchange] Respond to ransomware in three steps: secure, assess, recover

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 28 15:35:07 EDT 2017


http://www.networkworld.com/article/3192175/security/respond-to-ransomware-in-three-steps-secure-assess-recover.html

Your help desk email and phones start lighting up. Your CIO is in your
office looking stressed and staring at you. Quickly, you learn your company
is the latest target of a ransomware attack.

Logically, you shouldn't be in this position. The latest detection software
and data protection tactics are commonplace at your organization, intended
to keep you out of this mess. You have also followed all best practices to
ensure maximum data availability, so the encrypted files have likely been
replicated to your backups and disaster recovery sites as well. At this
point, all that matters is that your data has been kidnapped, and you need
to restore operations as soon as possible.

It’s tempting to consider paying the ransom and moving on. You likely don’t
want to reward the criminals who put you in this position, but you want to
get back to normal. However, when ransomware strikes, it puts your data
through a blender – files will be moved, deleted and renamed, or outfitted
with new ransom notes in pop-up windows. Paying to unlock that information
will still leave collateral damage throughout your environment, and paying
also doesn’t guarantee that you’ll even get the data back.

Although there are plenty of solutions to help your team discover and stop
ransomware, as you just experienced, none of them are fail-proof and none
of them help you recover the data. An easy explanation is that this is a
backup/recovery problem, but you know it’s more complex. Putting things
back together will be like assembling a puzzle when you don’t have the
picture on the box showing what things should look like at the end.
The most complex restore scenario is recovering production data that is
likely living in virtual machines (VMs). The recovery plan for other types
of data is similar but usually less complex.

The recovery plan below assembles that puzzle, framed by three phases
nearly every organization goes through as it addresses malware and
ransomware attacks:

Phase No. 1: Secure the crime scene

Following a ransomware attack, the crime scene is your data. Begin by
taking a read-only snapshot of your VMs – a VMware or storage snapshot
backup – to protect what’s left of your data in the wake of your attack.
This way, if your recovery plans go badly, you can get back to where you
started and try again.

Your temptation will be to roll back to an older snapshot or backup. For
the record, rolling back to a snapshot is, in a sense, sanctioning data
loss. You also don't know whether those snapshots are infected as well.
Depending on how advanced your planning was, you may have no option other
than to roll the dice, pick a recovery point and move forward.

If you have implemented a solution that automatically disables a user's
account when ransomware activity is detected, you are ahead of the game:
you should already know which account caused the issue and have stopped it.
If you have found a few of the files that were encrypted by the ransomware,
check who the last modifier was. You can find this in audit logs if you
don't have other tooling in place. The goal is to make sure you stop
additional damage from occurring.
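
The "find the last modifier from the audit logs" step above, as an added example that is not part of the original article: the script parses a constructed file-server audit excerpt (the `timestamp | user | action | path` format, the `.locked` suffix and the `README_DECRYPT.txt` note name are all assumptions, not any real product's format), reports who last modified each confirmed-encrypted file, and summarizes the blast radius (accounts involved, directories hit, first timestamp), which also answers the first two assessment questions in Phase 2.

```python
import re
from collections import Counter

# Constructed sample audit-log excerpt from a file server (not a real log).
# Format: "timestamp | user | action | path", or "src -> dst" for renames.
# The ".locked" suffix and README_DECRYPT.txt name are constructed markers.
SAMPLE_AUDIT_LOG = """\
2017-04-27T09:02:11Z | alice | WRITE  | /shares/finance/q1_report.xlsx
2017-04-27T09:05:40Z | bob   | READ   | /shares/finance/q1_report.xlsx
2017-04-27T14:12:03Z | bob   | WRITE  | /shares/finance/q1_report.xlsx
2017-04-27T14:12:03Z | bob   | RENAME | /shares/finance/q1_report.xlsx -> /shares/finance/q1_report.xlsx.locked
2017-04-27T14:12:04Z | bob   | CREATE | /shares/finance/README_DECRYPT.txt
2017-04-27T14:12:05Z | bob   | WRITE  | /shares/finance/budget.docx
2017-04-27T14:12:05Z | bob   | RENAME | /shares/finance/budget.docx -> /shares/finance/budget.docx.locked
2017-04-27T14:12:09Z | bob   | WRITE  | /shares/hr/handbook.pdf
2017-04-27T14:12:09Z | bob   | RENAME | /shares/hr/handbook.pdf -> /shares/hr/handbook.pdf.locked
2017-04-27T14:15:00Z | carol | WRITE  | /shares/hr/onboarding.docx
"""

# Files the responders have already confirmed as encrypted (constructed).
KNOWN_ENCRYPTED = [
    "/shares/finance/q1_report.xlsx.locked",
    "/shares/finance/budget.docx.locked",
    "/shares/hr/handbook.pdf.locked",
]

MODIFYING_ACTIONS = {"WRITE", "RENAME", "CREATE", "DELETE"}
LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(.+?)\s*$")


def parse_audit_log(text):
    """Parse the audit format above into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, target = m.groups()
        # A rename touches two names: the original and the new one.
        if action == "RENAME":
            src, _, dst = target.partition(" -> ")
        else:
            src, dst = target, ""
        events.append({"ts": ts, "user": user, "action": action,
                       "src": src, "dst": dst or src})
    return events


def last_modifier(events, path):
    """Who last wrote, renamed, created or deleted `path`, and when (None if never)."""
    hits = [e for e in events
            if e["action"] in MODIFYING_ACTIONS and path in (e["src"], e["dst"])]
    if not hits:
        return None
    latest = max(hits, key=lambda e: e["ts"])  # ISO-8601 UTC strings sort lexically
    return latest["user"], latest["ts"]


def blast_radius(events, encrypted_paths):
    """Summarize scope: which accounts touched the encrypted files, which
    directories were hit, and when the earliest encryption-related write occurred."""
    per_user = Counter()
    first_seen = None
    for path in encrypted_paths:
        for e in events:
            if e["action"] in MODIFYING_ACTIONS and path in (e["src"], e["dst"]):
                per_user[e["user"]] += 1
                if first_seen is None or e["ts"] < first_seen:
                    first_seen = e["ts"]
    directories = sorted({p.rsplit("/", 1)[0] for p in encrypted_paths})
    suspect = per_user.most_common(1)[0][0] if per_user else None
    return {
        "suspect": suspect,                 # account to disable first
        "per_user": dict(per_user),
        "directories": directories,
        "first_seen": first_seen,           # where the timeline starts
        "single_user": len(per_user) == 1,
        "single_directory": len(directories) == 1,
    }


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for p in KNOWN_ENCRYPTED:
        print(p, "last modified by", last_modifier(evts, p))
    print(blast_radius(evts, KNOWN_ENCRYPTED))
```

On the constructed data the suspect is a single account touching two directories, so the damage is confined to one user but not to one area, which is exactly the distinction the assessment phase needs before you decide between a targeted restore and a broader rollback.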

Phase No. 2: Make an assessment of what happened

Often, facing news of a malware attack, an organization’s first impulse is
to jump into action. However, give your team the time necessary to assess
the damage and build an optimal repair plan. Learning the “who, what,
where, and when” about a ransomware issue will expedite recovery in the
long run, especially if site-specific needs and use cases are concerned.

This may seem like a simple assessment, but unfortunately it is often
skipped, and it shouldn't be. Some questions that can help guide your
investigative process include:

1. Was damage confined to a single user, directory, or area?

2. If it was widespread, how extensive was the reach?

3. Were any system changes that took place during the attack unrelated
to the malware?

4. If files were renamed, deleted or created, what's our process for
cleaning them up and piecing information back together?

Phase No. 3: Clean up collateral damage

By the time you’re ready to attempt a full recovery from ransomware, the
way you’ve handled the incident thus far will guide your next steps. If you
decided to pay the ransom, you’ll still need to assess your system, clean
up any remnants of the attack, and make your IT environment seem as if the
attack never took place.

You also need to figure out which backups contain the ransomware and
perhaps purge them, or at least create a copy of the backup with the
infected data removed. Additionally, you'll need to sort through how to
make the disaster recovery site whole. But these copies are likely
read-only, so you can't just use the key you bought to decrypt the data in
place.

If paying the ransom didn’t return your data, or you decided to forgo
payment, you can understand the extent of the attack’s reach by monitoring
user activity and live data between snapshots, and begin there.

If the damage was contained to a single user and set of folders, you can
begin deleting the affected files and restoring them from a snapshot or
backup. If your damage was widespread and the backup isn’t current enough
to restore operations, you can use the different versions of backed-up
systems to pinpoint when the issue began, export lists of affected and
preserved files, and manually fill in the blanks that your recent snapshot
or backup can’t cover.
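
The "use the different versions of backed-up systems to pinpoint when the issue began, export lists of affected and preserved files" step above, as an added example that is not from the article or any backup product: it walks a constructed backup catalog (versions oldest first, each a mapping of path to the content hash the backup software recorded; the `.locked` suffix, the note name and the short placeholder hashes are assumptions), finds the first version carrying ransomware artifacts, and buckets every path into restore / preserved / verify / manual / purge relative to the last clean version. The newest version stands in for the current state of the share.

```python
import csv
import io
import os

RANSOM_SUFFIXES = (".locked",)              # constructed marker in the sample data
RANSOM_NOTE_NAMES = {"README_DECRYPT.txt"}  # constructed

# Constructed backup catalog: versions oldest first, path -> recorded hash.
# The newest version is treated as the current state of the share.
SNAPSHOTS = [
    ("2017-04-26T22:00Z", {
        "/shares/finance/q1_report.xlsx": "h1",
        "/shares/finance/budget.docx": "h2",
        "/shares/hr/handbook.pdf": "h3",
    }),
    ("2017-04-27T10:00Z", {
        "/shares/finance/q1_report.xlsx": "h1b",   # legitimate edit by a user
        "/shares/finance/budget.docx": "h2",
        "/shares/hr/handbook.pdf": "h3",
        "/shares/hr/onboarding.docx": "h4",        # new legitimate file
    }),
    ("2017-04-27T22:00Z", {
        "/shares/finance/q1_report.xlsx.locked": "x1",   # encrypted
        "/shares/finance/budget.docx.locked": "x2",      # encrypted
        "/shares/finance/README_DECRYPT.txt": "n1",      # ransom note
        "/shares/hr/handbook.pdf": "h3",                 # untouched
        "/shares/hr/onboarding.docx": "h4b",             # edited after last clean backup
        "/shares/hr/new_policy.docx": "h5",              # created after last clean backup
    }),
]


def looks_encrypted(path):
    """Ransomware artifact heuristic: known note name or constructed suffix."""
    name = os.path.basename(path)
    return name in RANSOM_NOTE_NAMES or name.endswith(RANSOM_SUFFIXES)


def first_infected_index(snapshots):
    """Index of the first version containing ransomware artifacts, or None."""
    for i, (_, files) in enumerate(snapshots):
        if any(looks_encrypted(p) for p in files):
            return i
    return None


def plan_recovery(snapshots):
    """Compare the last clean version with the current state and bucket every path.

    restore   - present in the clean version, gone now: restore from clean copy
    preserved - unchanged since the clean version: leave alone
    verify    - changed since the clean version but not an artifact: check by hand
    manual    - created after the clean version: no backup exists, fill in by hand
    purge     - ransomware artifacts (encrypted copies, notes): delete
    """
    infected = first_infected_index(snapshots)
    if infected is None:
        return None  # nothing to recover
    current_label, current = snapshots[-1]
    if infected == 0:
        clean_label, clean = None, {}  # no clean version: everything is manual work
    else:
        clean_label, clean = snapshots[infected - 1]
    plan = {"last_clean": clean_label, "current": current_label,
            "restore": [], "preserved": [], "verify": [], "manual": [], "purge": []}
    for path, digest in current.items():
        if looks_encrypted(path):
            plan["purge"].append(path)
        elif path not in clean:
            plan["manual"].append(path)
        elif clean[path] == digest:
            plan["preserved"].append(path)
        else:
            plan["verify"].append(path)
    for path in clean:
        if path not in current:
            plan["restore"].append(path)
    for key in ("restore", "preserved", "verify", "manual", "purge"):
        plan[key].sort()
    return plan


def export_csv(plan):
    """Flat worklist for the responders: one row per path with its disposition."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["disposition", "path"])
    for key in ("restore", "preserved", "verify", "manual", "purge"):
        for path in plan[key]:
            writer.writerow([key, path])
    return out.getvalue()


if __name__ == "__main__":
    print(export_csv(plan_recovery(SNAPSHOTS)))
```

The "verify" and "manual" buckets are the blanks the recent backup cannot cover; separating them from the clean restore list keeps the mechanical part of the recovery mechanical and leaves human judgment for the files that actually need it.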

Tooling that tracks both user and file activity helps you restore only the
files that were impacted. Such tools can detect likely ransomware activity
and create a recovery point (a backup or snapshot) the moment it is
triggered. Putting tools like this in place can significantly reduce data
loss and improve the speed at which you recover. Your stress level will
also be lower, because you'll be in control and able to make smart choices
about the restore.
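
A minimal version of the detect-and-snapshot behaviour described above, as an added example that is not from the article or any commercial product: a per-account sliding-window counter over file events that, when one account produces a burst of suspicious operations, records a containment decision and calls a recovery-point hook before anything else changes. The suspicion heuristics (renames to an unfamiliar extension, creation of a file named like a ransom note), the note names, the benign-extension list, the event stream and the no-op hook are all constructed assumptions.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed heuristics, not a real product's rules.
RANSOM_NOTE_NAMES = {"README_DECRYPT.txt", "HOW_TO_RECOVER.html"}
BENIGN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv"}


def is_suspicious(action, path, new_path=None):
    """A note-like file creation, or a rename whose new extension is unfamiliar
    (including none at all), counts as one suspicious event."""
    if action == "CREATE" and os.path.basename(path) in RANSOM_NOTE_NAMES:
        return True
    if action == "RENAME" and new_path:
        return os.path.splitext(new_path)[1].lower() not in BENIGN_EXTENSIONS
    return False


class ActivityMonitor:
    """Sliding-window burst detector. When one account produces `threshold`
    suspicious file events within `window`, the account is marked for
    containment and a recovery point is requested via the hook."""

    def __init__(self, window=timedelta(seconds=60), threshold=3,
                 create_recovery_point=None):
        self.window = window
        self.threshold = threshold
        # Hook for the real snapshot API; the default does nothing (assumption).
        self.create_recovery_point = create_recovery_point or (lambda ts, reason: None)
        self._recent = defaultdict(deque)  # user -> timestamps of suspicious events
        self.contained = {}                # user -> timestamp containment was decided
        self.recovery_points = []          # (timestamp, reason)

    def observe(self, ts, user, action, path, new_path=None):
        """Feed one file event; returns True if this event triggered containment."""
        if user in self.contained:
            return False  # already contained; nothing more to decide
        if not is_suspicious(action, path, new_path):
            return False
        q = self._recent[user]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        self.contained[user] = ts
        reason = f"{len(q)} suspicious file events by {user} within {self.window}"
        self.recovery_points.append((ts, reason))
        self.create_recovery_point(ts, reason)
        return True


def run_sample():
    """Replay a constructed event stream: one normal edit, then a burst by one account."""
    monitor = ActivityMonitor(window=timedelta(seconds=60), threshold=3)
    base = datetime(2017, 4, 27, 14, 12, 0)
    sample = [  # (seconds after base, user, action, path, new_path)
        (0,   "alice", "WRITE",  "/shares/finance/q1_report.xlsx", None),
        (3,   "bob",   "RENAME", "/shares/finance/q1_report.xlsx", "/shares/finance/q1_report.xlsx.locked"),
        (4,   "bob",   "CREATE", "/shares/finance/README_DECRYPT.txt", None),
        (5,   "bob",   "RENAME", "/shares/finance/budget.docx", "/shares/finance/budget.docx.locked"),
        (9,   "bob",   "RENAME", "/shares/hr/handbook.pdf", "/shares/hr/handbook.pdf.locked"),
        (40,  "carol", "RENAME", "/shares/hr/draft.docx", "/shares/hr/final.docx"),
        (900, "carol", "RENAME", "/shares/hr/old.docx", "/shares/hr/old.docx.bak"),
    ]
    triggers = []
    for offset, user, action, path, new_path in sample:
        if monitor.observe(base + timedelta(seconds=offset), user, action, path, new_path):
            triggers.append((user, offset))
    return monitor, triggers


if __name__ == "__main__":
    mon, trig = run_sample()
    print("containment triggered by:", trig)
    print("recovery points:", mon.recovery_points)
```

The threshold is deliberately low on purpose-built file shares where users rarely rename many files in a minute; a single odd rename by one user (carol's `.bak`) never reaches it, while the burst by the other account is contained at its third event with a recovery point taken right before the remaining damage.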

There’s no easy button for ransomware recovery. That’s one reason it
continues to grow in popularity among attackers. However, if you’re
prepared in advance with a ransomware response plan, you’ll be ready to
spring into action and restore your system’s operations following an attack
– without shelling out payment to your data kidnappers.