Attacked by ransomware? Five steps to recovery

Ransomware has been noted by many as the most threatening cybersecurity risk for organizations, and it’s easy to see why: in 2019, more than 50 percent of all businesses were hit by a ransomware attack – costing an estimated $11.5 billion. In the last month alone, major consumer corporations, including Canon, Garmin, Konica Minolta and Carnival, have fallen victim to major ransomware attacks, resulting in the payment of millions of dollars in exchange for file access.


While there is a lot of discussion about preventing ransomware from affecting your business, the best practices for recovering from an attack are a little harder to pin down.

While the monetary amounts may be smaller for your organization, the importance of regaining access to the information is just as high. What steps should you take for effective ransomware recovery? A few of our best tips are below.

1. Infection detection

Arguably the most challenging step for recovering from a ransomware attack is the initial awareness that something is wrong. It’s also one of the most crucial. The sooner you can detect the ransomware attack, the less data may be affected. This directly impacts how much time it will take to recover your environment.

Ransomware is designed to be very hard to detect. When you see the ransom note, it may have already inflicted damage across the entire environment. Having a cybersecurity solution that can identify unusual behavior, such as abnormal file sharing, can help quickly isolate a ransomware infection and stop it before it spreads further.

Abnormal file behavior detection is one of the most effective means of detecting a ransomware attack and produces the fewest false positives when compared to signature-based or network traffic-based detection.

One additional method to detect a ransomware attack is to use a “signature-based” approach. The issue with this method is that it requires the ransomware to be known: if the code is available, software can be trained to look for that code. This is not recommended on its own, however, because sophisticated attacks use new, previously unknown forms of ransomware. Thus, an AI/ML-based approach is recommended, which looks for behaviors such as rapid, successive encryption of files and determines that an attack is happening.
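A minimal illustration of the behavior-based approach just described, written for this article as an added example (not the logic of any vendor's product): it scans constructed file-server audit lines and flags a user who renames many files to a new extension within a few seconds, the “rapid, successive encryption” pattern, without knowing any ransomware signature. The log format, the 10-second window and the threshold of five files are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample of file-server audit lines: timestamp, user, action, old path, new path.
# Normal renames by bob and carol are mixed with a burst of rename-to-new-extension activity by alice.
SAMPLE_LOG = """\
2020-09-01T02:14:00 bob RENAME /share/hr/draft.docx /share/hr/policy.docx
2020-09-01T02:14:01 alice RENAME /share/finance/q3.xlsx /share/finance/q3.xlsx.k3a
2020-09-01T02:14:01 alice RENAME /share/finance/q2.xlsx /share/finance/q2.xlsx.k3a
2020-09-01T02:14:02 alice RENAME /share/finance/budget.pptx /share/finance/budget.pptx.k3a
2020-09-01T02:14:02 alice RENAME /share/finance/notes.txt /share/finance/notes.txt.k3a
2020-09-01T02:14:03 alice RENAME /share/finance/plan.docx /share/finance/plan.docx.k3a
2020-09-01T02:14:03 alice RENAME /share/finance/readme.txt /share/finance/readme.txt.k3a
2020-09-01T02:14:05 carol RENAME /share/docs/notes.txt /share/docs/notes.md
2020-09-01T02:15:30 bob RENAME /share/hr/old.pdf /share/hr/archive/old.pdf
"""

WINDOW = timedelta(seconds=10)   # assumption: sliding window for "rapid, successive" activity
THRESHOLD = 5                    # assumption: distinct files renamed to a new extension inside WINDOW


def parse(line):
    ts, user, action, old, new = line.split()
    return datetime.fromisoformat(ts), user, action, old, new


def extension_changed(old, new):
    # A rename that keeps its extension (draft.docx -> policy.docx) is ordinary work;
    # one that gains an unfamiliar extension is what an encryptor typically does.
    return PurePosixPath(old).suffix != PurePosixPath(new).suffix


def detect_encryption_bursts(log_text):
    """Return {user: time_of_first_alert} for users whose rename-with-new-extension
    events cover at least THRESHOLD distinct files inside a WINDOW sliding window."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, old_path) within WINDOW
    alerts = {}
    for line in log_text.splitlines():
        ts, user, action, old, new = parse(line)
        if action != "RENAME" or not extension_changed(old, new):
            continue
        q = recent[user]
        q.append((ts, old))
        while q and ts - q[0][0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        if user not in alerts and len({p for _, p in q}) >= THRESHOLD:
            alerts[user] = ts
    return alerts


if __name__ == "__main__":
    for user, when in detect_encryption_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when}: {user} renamed {THRESHOLD}+ files to a new extension; isolate account/host")
```

The alert carries the user and the moment the threshold was crossed, which is exactly what an automated containment rule (step 2 below) needs in order to suspend the account or block the host.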

Effective cybersecurity also includes good defensive mechanisms that protect business-critical systems like email. Often ransomware affects organizations by means of a phishing email attack or an email that has a dangerous file attached or hyperlinked.

If organizations are ill-equipped to handle dangerous emails, this can be an easy way for ransomware to make its way inside the walls of your organization’s on-premises environment or into the cloud SaaS environment. With cloud SaaS environments in particular, controlling third-party applications that have access to your cloud environment is extremely important.

2. Contain the damage

After you have detected an active infection, the ransomware process can be isolated and stopped from spreading further. If this is a cloud environment, these attacks often stem from a remote file sync or other process driven by a third-party application or browser plug-in running the ransomware encryption process. Digging in and isolating the source of the ransomware attack can contain the infection so that the damage to data is mitigated. To be effective, this process must be automated.

Many attacks happen after hours when admins are not monitoring the environment, and the reaction must be rapid to stop the spread of the virus. Security policy rules and scripts must be put in place as part of proactive protection. Thus, when an infection is identified, the automation kicks in to stop the attack by removing the executable file or extension and isolating the infected files from the rest of the environment.

Another way organizations can help protect themselves and contain the damage should an attack occur is by purchasing cyber liability insurance. Cyber liability insurance is a specialty insurance line intended to protect businesses (and the individuals providing services from those businesses) from internet-based risks (like ransomware attacks) and risks related to information technology infrastructure, information privacy, information governance liability, and other related activities. In this type of attack situation, cyber liability insurance can help relieve some of the financial burden of restoring your data.

3. Restore affected data

In most cases, even if the ransomware attack is detected and contained quickly, there will still be a subset of data that needs to be restored. This requires having good backups of your data to pull back to production. Following the 3-2-1 backup best practice, it’s imperative to have your backup data in a separate environment from production.

The 3-2-1 backup rule consists of the following guidelines:

  • Keep 3 copies of any important file, one primary and two backups
  • Keep the file on 2 different media types
  • Maintain 1 copy offsite

If your backups are of cloud SaaS environments, storing these “offsite” using a cloud-to-cloud backup vendor aligns with this best practice. This will significantly minimize the chance that your backup data is affected along with your production data.

The tried and true way to recover from a ransomware attack involves having good backups of your business-critical data. The importance of backups cannot be stressed enough when it comes to ransomware. Recovering from backup allows you to be in control of getting your business data back and not the attacker.

All too often, businesses may assume incorrectly that the cloud service provider has “magically protected” their data. While there are a few mechanisms in place from the cloud service provider side, ultimately, the data is your responsibility as part of the shared responsibility model of most CSPs. You can take a look at Microsoft’s stance on shared responsibility here.

4. Notify the authorities

Many of the major compliance regulations that most organizations fall under today, such as PCI-DSS, HIPAA, GDPR, and others, require that organizations notify regulatory agencies of the breach. Notification of the breach should be immediate and the FBI’s Internet Crime Complaint Center should be the first organization alerted. Local law enforcement should be informed next. If your organization is in a governed industry, there may be strict guidelines regarding who to inform and when.

5. Test your access

Once data has been restored, test access to the data and any affected business-critical systems to ensure the recovery of the data and services have been successful. This will allow any remaining issues to be remedied before turning the entire system back over to production.

If you’re experiencing slower than usual response times in the IT environment or larger-than-normal file sizes, it may be a sign that something sinister is still looming in the database or storage.

Ransomware prevention v. recovery

Sometimes the best offense is a good defense. When it comes to ransomware and regaining access to critical files, there are only two options. You either restore your data from backup if you were forward-thinking enough to have such a system in place, or you have to pay the ransom. Beyond the obvious financial implications of acquiescing to the hacker’s demands, paying is risky because there is no way to ensure they will actually provide access to your files after the money is transferred.

There is no code of conduct or contract when negotiating with a criminal. A recent report found that some 42 percent of organizations who paid a ransom did not get their files decrypted.

Given the rising number of ransomware attacks targeting businesses, the consequences of not having a secure backup and detection system in place could be catastrophic to your business. Investing in a solution now helps ensure you won’t make a large donation to a nefarious organization later. Learning from the mistakes of other organizations can help protect yours from a similar fate.

Remote work and web conferencing: Security and privacy considerations

As more and more people remain at home and work from home due to the COVID-19 pandemic, most of them have been forced to use one or many video and audio conferencing applications out of necessity.


For the same reason, many companies have had to quickly introduce these new tools to their employees, all the while hoping the benefits will outweigh the risks until they have had the chance to introduce protections, policies and more comprehensive training.

Enterprise risks

Organizations’ IT and IT security departments must decide which teleconferencing solutions can be used to enable continued secure work while maintaining regulatory compliance (though some regulations have been altered to meet indispensable needs in this time of crisis).

One of the risks employees could end up being exposed to is phishing emails ostensibly coming from the IT department, asking them to download a teleconferencing application that is actually a piece of malware.

Fake invitations to scheduled meetings could also point them to malicious sites.

Also, as many people work from home on their own devices, it has to be expected that the line between business and private use will soon blur and employees will forget that they should not engage in risky online activities that increase the chance of the devices getting compromised.

Private use of teleconferencing apps

One particular remote conferencing solution is quickly becoming the solution of choice for many users worldwide: Zoom.

The popularity is due to how easy it is to use, to the quality of the video and audio connection, and to the fact that a free account gives you unlimited one-to-one meetings and 40 minutes for a group meeting per day, which is more than enough for most people’s private use needs.

Unfortunately, many users will sign up without reading the service’s Privacy Policy or Terms of Use or familiarizing themselves with security and privacy settings before starting to schedule meetings.

Zoombombing

Though private meetings are much less likely to be interrupted or spied on by malicious individuals, individuals and organizations that use it for bigger online meetings – either for work or after-work socializing and unwinding – must be aware that they could be “zoombombed.”

Zoombombing, a practice performed by online “trolls”, can result in harmless interruptions but also in total and very harmful chaos and, potentially, allow for economic espionage.

The company developing Zoom has offered advice on how to “keep the party crashers from crashing your Zoom event”, but trolls have been able to bypass some of those protection measures (as this Twitter thread shows):

Others have warned about things like private chats during Zoom meetings ending up in meeting minutes, as well as attention and user tracking.