Is Ransomware a Disaster Recovery?

Many organizations are changing how they approach data resilience by strengthening their disaster recovery (DR) plans, backup systems, and immutable storage solutions. They recognize that the best way to prevent ransomware is with a comprehensive DR strategy.

However, there are still many ways ransomware attacks can thwart the DR plan. One example is when decryption keys don’t work.

How to Prevent a Ransomware Attack

Thankfully, methods exist to prevent ransomware. One of the simplest is to keep security software programs updated regularly. Software providers regularly release updates to fix bugs, improve functionality and address other issues. It’s vital to update all systems and applications as soon as new updates become available.

Another best practice is to isolate devices immediately after a ransomware attack. If a single device becomes infected, disconnecting it from the network, internet and shared drives can reduce the impact and prevent other devices from being affected.

Isolating infected devices can also give cybersecurity professionals more time to clean systems and restore backup data. It can also help to identify the source of the ransomware attack, which is a useful piece of intelligence in improving staff training and security practices.

When an attack occurs, it’s important to not pay the ransom. Security experts and law enforcement agencies warn against paying ransoms, as it encourages attackers to continue their criminal activities. It’s also not guaranteed that even if an organization pays a ransom, it will receive a decryption key that works.

Ransomware attacks are not just a threat to large, lucrative businesses; smaller merchants are frequent targets as well. Small- and medium-sized enterprises (SMEs) often have less robust security systems and are therefore easier to compromise. Ransomware can quickly cripple a business’s operations and lead to loss of revenue.

To avoid a ransomware attack, SMEs should maintain good security practices across all their hardware and applications. This includes keeping security programs up to date, implementing patch management and deploying strong password policies. Additionally, SMEs should back up data on a regular basis and test their recovery capabilities. They should also take a layered approach to security that includes firewalls, anti-virus software, antimalware tools and cloud data loss prevention solutions. Backing up all data to a secure location is critical, as it allows SMEs to recover from an attack with minimal disruption. Backing up to a known clean state also ensures that no files have been permanently corrupted. In a worst-case scenario, if all other measures fail, law enforcement should be contacted to help identify the perpetrators and assist with recovering stolen or compromised data.

What to Do in the Event of a Ransomware Attack

Regardless of how many precautions you take, there is always the possibility that malware could infiltrate your system. If an attack occurs, it’s important to act quickly. One of the first steps is to isolate the infected device or systems from all connections. This includes disabling Wi-Fi, disconnecting any core network connections (including switches) and removing all external devices. This can help contain the infection, limit data loss and prevent the ransomware from spreading to other systems.

Next, it is a good idea to report the incident to authorities. While the downside to this might be lost productivity while an investigation is underway, reporting the attack helps authorities get a better picture of how these attacks happen and what countermeasures can be put in place.

After a business is hit with ransomware, the next step should be to restore any impacted systems from backups. This ensures that the critical applications and systems powering operations are restored and that the ransomware has not gained a foothold in any new files or data.

Make sure to keep your backups up to date and make an offline copy of any known-good backups. This reduces the risk that attackers will target the backup solutions and delete them in order to stop the victim from rebuilding their assets. Keeping backups in air-gapped locations (such as disconnected external drives or the cloud) also helps. Immutable backup options additionally give you the ability to maintain truly air-gapped data that is fixed and unchangeable.

Finally, it is important to remember that even if you pay the ransom and receive a decryption key, you are still funding criminal activity. The attackers are not in the file recovery business; they are in the money-making business. In addition, it is not uncommon for the encryption process to corrupt or damage files beyond repair. This means that even if you pay the ransom, your files may never be fully recovered. Ideally, you should work with Disaster Recovery Ransomware to perform a forensic analysis of the attack and determine what type of data was removed, if any.

What to Do During a Ransomware Attack

Once an attack has occurred, the first step is to isolate the device and take it offline. Doing so will prevent the ransomware from spreading to other devices and potentially encrypting them. It will also give your IT team a chance to remove the malware and recover files.

Once you’ve isolated the device, it’s important to start identifying what kind of ransomware you’re dealing with. This will help you create a more targeted response to the threat, including how much money you should pay for decryption.

It’s a good idea to report the attack, as well. This will help law enforcement understand how widespread the attack is and how attackers are getting in, and it will provide insight into future attacks against your organization.

When the initial infection is under control, you’ll need to restore systems based on a prioritized list of critical services and revenue-generating functions. While doing this, make sure you can determine, with a reasonable degree of confidence, when the initial compromise occurred by examining file dates and messages. Otherwise, you could unintentionally restore the infection during recovery.
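To make the "determine when the initial compromise occurred" step concrete, here is an added example (not code from the original article) that takes a file inventory and a list of backup snapshots, finds the earliest encrypted file or ransom note, and picks the newest snapshot that completed before that point minus a safety margin, so the restore does not reintroduce the infection. The `.locked` extension, the `README_RESTORE.txt` note name, the 24-hour margin and all sample data are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed indicators for the hypothetical variant in this example: the
# extension it appends to encrypted files and the ransom note it drops.
ENCRYPTED_EXT = ".locked"
RANSOM_NOTE = "README_RESTORE.txt"

def earliest_encryption(inventory):
    """inventory: iterable of (path, mtime) pairs, in practice collected
    with os.walk() and os.stat() from a forensic copy of the affected share.
    Returns (earliest_mtime, affected_count), or (None, 0) if no indicators."""
    earliest, hits = None, 0
    for path, mtime in inventory:
        name = path.rsplit("/", 1)[-1]
        if name.endswith(ENCRYPTED_EXT) or name == RANSOM_NOTE:
            hits += 1
            if earliest is None or mtime < earliest:
                earliest = mtime
    return earliest, hits

def choose_restore_point(snapshots, first_encrypted, margin=timedelta(hours=24)):
    """Return the label of the newest snapshot that completed before the
    first encryption minus a safety margin (assumed 24h: attackers usually
    dwell in the network before detonating), or None if no snapshot is clean.
    snapshots: list of (label, completed_at)."""
    if first_encrypted is None:
        return None
    cutoff = first_encrypted - margin
    clean = [(label, t) for label, t in snapshots if t <= cutoff]
    if not clean:
        return None
    return max(clean, key=lambda s: s[1])[0]

# Constructed sample inventory: a handful of files from a finance share.
SAMPLE_INVENTORY = [
    ("finance/q3_report.xlsx.locked", datetime(2024, 5, 14, 2, 17)),
    ("finance/README_RESTORE.txt", datetime(2024, 5, 14, 2, 18)),
    ("finance/archive/2019.pdf.locked", datetime(2024, 5, 14, 1, 52)),
    ("finance/notes.txt", datetime(2024, 5, 10, 9, 30)),  # untouched file
]
# Constructed nightly snapshots: label and completion time.
SAMPLE_SNAPSHOTS = [
    ("nightly-2024-05-11", datetime(2024, 5, 11, 23, 0)),
    ("nightly-2024-05-12", datetime(2024, 5, 12, 23, 0)),
    ("nightly-2024-05-13", datetime(2024, 5, 13, 23, 0)),
]

if __name__ == "__main__":
    first, count = earliest_encryption(SAMPLE_INVENTORY)
    print(f"{count} affected files; first encryption at {first}")
    print("restore from:", choose_restore_point(SAMPLE_SNAPSHOTS, first))
```

With the sample data the most recent snapshot (13 May) is rejected because it falls inside the safety margin, and the 12 May snapshot is chosen instead.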

As you’re restoring and rebuilding your systems, consider reaching out for professional cybersecurity assistance. Having this support on hand will allow you to get back to business as quickly as possible and may even save you from paying the ransom.

Another good practice is to have backups that are isolated from your local and network-connected devices. By storing backups offline and using air-gapped storage, you can ensure these backups are immutable and cannot be accessed by ransomware.

It’s also a good idea to consult with federal law enforcement about any possible decryptors that may be available for the ransomware variant you have in your systems. These can be found through researchers who’ve discovered flaws in the way that particular ransomware works. They may even have free decryption tools that will help you restore your data and avoid the need to pay a ransom.

What to Do After a Ransomware Attack

Having a solid disaster recovery (DR) plan is a critical element of not only responding to ransomware attacks, but also of preventing them. DR planning helps an organization to identify the key assets that may be at risk, understand the impact of an attack and how it can be mitigated, and ensures that business operations aren’t disrupted.

After an attack, the first step is to isolate systems in a coordinated fashion to prevent ransomware from spreading to other devices. This is important because malicious actors want to make as much money as possible and will often invest the time and resources to create new strains that can be pushed out into networks after an initial infection.

Once the affected systems are isolated, it’s a good idea to conduct an incident response (IR) assessment. This should include looking at all of the organizational detection and prevention systems, analyzing logs, and searching for evidence of precursor "dropper" malware that may have been used to spread the ransomware. This will help organizations to better understand the scope of the threat and can reveal how the attack originated, as well as provide clues about how to prevent future attacks.

It’s essential to have a backup solution in place that actually works, particularly one that can back up to, and restore from, offline data sources that aren’t connected to the network. This prevents attackers from using connectivity to the DR environment to reach and encrypt the files on those backups, and immutable backups add a further layer of protection.

Once the infected systems have been restored, it’s a good idea to report the incident to law enforcement or regulatory bodies depending on where your organization is located. This will provide valuable support in pursuing criminal charges against the attackers and can serve as leverage to get the ransom demand reduced or even eliminated.

While it’s not ideal, it’s also a good idea to consider paying the ransom if no other option is available. This can provide a quick fix and reduce the amount of downtime your organization experiences. However, paying a ransom is never an optimal solution, and should only be considered after all other options have been exhausted.
