Ransomware Recovery
Ransomware is a form of malware designed to hold a victim’s information for ransom. The malware encrypts files on a device so that users cannot access files, databases, or applications. A ransom is demanded in exchange for decrypting the files.
The more virulent ransomware uses asymmetric encryption. With this type of cryptography, an attacker creates a unique public-private pair of keys to encrypt and decrypt a file. The attacker only makes the private key available to the victim after the ransom is paid. Victims are threatened that they will never be able to access the encrypted files if the ransom is not paid in a certain amount of time.
Since ransomware can spread rapidly across a network and target databases and file servers, it is able to quickly paralyze an entire organization. The increase in and cost of ransomware threats has amplified the importance of ransomware recovery (i.e., the process followed to bring IT systems back online after a ransomware attack).
Let’s jump in and learn:
Accelerating Ransomware Recovery
Early detection of suspicious activity is considered to be the best first line of defense against ransomware and can play a material role in accelerating ransomware recovery. Most organizations deploy anti-malware and antivirus software across almost all systems—from enterprise servers to employee laptops—to detect early signs of ransomware and contain it before it spreads.
Forensic analysis conducted as part of the cybersecurity incident response can also accelerate ransomware recovery by identifying where the ransomware entered the environment and what systems it infected. This directs ransomware recovery steps, including:
- Eradicating the ransomware
- Remediating the vulnerabilities that allowed the attackers in
- Restoring impacted systems
- Always scanning snapshots before recovery to prevent reinfection
Additional steps that can be taken to accelerate ransomware recovery include:
- Design backup systems to ensure that no existing data is overwritten to make the underlying log-structured file system inherently immutable.
- Enable the on-demand creation of isolated recovery environments (IREs) that can provision clean operating environments for validation and ransomware recovery.
- Follow a very prescriptive ransomware recovery plan.
- Maintain data and system backups that are operationally air-gapped.
- Retain recovery point histories that are minutes, months, even years old to enable full ransomware recovery, even if malware has been in the environment for a long time.
- Set up file and folder-level recovery capabilities to extract specific files or folders as needed.
Store a deep history of immutable snapshots in an isolated, off-site, and encrypted cloud file system—conducting data integrity checks.
How to Avoid Paying the Ransom
Experts agree that the best way to avoid paying a ransom for ransomware recovery is to keep the malware from infecting systems. However, ransomware incidents can happen even with a highly-effective security posture based on a zero-trust architecture.
Having processes in place to regularly back up important data and rehearsing ransomware recovery procedures on an ongoing basis can significantly minimize damage in the event of a successful attack. It also may help the organization to avoid paying a ransom.
A key part of backup as a ransomware recovery plan is prioritizing data policies rather than protecting everything at the same level. This means:
- Knowing what data and applications are critical
- Devising procedures to maintain siloed copies of that data
- Establishing a restoration plan before ransomware recovery is required
Data Backups and Ransomware Recovery
A solid backup strategy is widely considered to be the best solution for ransomware recovery and is an essential part of a strong cybersecurity strategy. However, even when backups are available, ransomware recovery is not as easy as a simple restore. The functionality and performance of backup systems and the available automation capabilities of the backup system play a critical role in a ransomware recovery process.
In addition, backups should be continually tested to ensure they can be restored if needed. Data backups for ransomware recovery and other disaster recovery testing should simulate recovery to a precise moment to confirm that systems and processes will be effective if required for ransomware recovery. This should include recovering specific files, virtual machines, and an entire application stack.
A good backup strategy should also follow the 3-2-1 Rule, which dictates that there should be at least three copies of important data, on at least two different types of media, with at least one of these copies being off-site. As a corollary to this, experts agree that at least one copy of the backup should be an air-gapped version (i.e., kept offline and inaccessible from a network). This ensures that an immutable copy of backups will be available, even if an attacker gains administrative privileges, to support a ransomware recovery.
| Examples of Air-Gapped Backups -Backups on tape that are either removed from the library or marked as WORM (i.e., write once, read many) -Backups in S3 or S3-compatible object storage -Offline media, such as removable drives -A hardened digital repository |
To effectively support ransomware recovery, data backup systems should provide robust automation—both to back up data as well as for recovery. Part of this automation should include scanning for malicious software. This helps prevent reinfecting systems when there is a gap between malware entering systems and the presentation of ransomware. By automating this testing, data backups can safely be restored, expediting ransomware recovery.
Analyzing the Impact of Ransomware
Ransomware recovery is costly. There are many factors to consider when calculating the cost of ransomware recovery for an organization.
Following are seven key considerations when analyzing the impact of ransomware.
1. Cost of Data Loss
For many organizations, data is lost even when a ransom is paid, or backups are used for restoration. In addition, fully recovered data can also be compromised when attackers sell it on the dark web. The cost of data loss after ransomware recovery varies greatly, but nearly every organization suffers some degree of data loss as a result of a ransomware attack.
2. Cost of Disruption and Downtime
As with data loss, regardless of what ransomware recovery plan is implemented, there will, inevitably, be downtime. According to industry experts, the cost of downtime can be up to 50 times greater than the ransom demand. When analyzing the impact of ransomware, the cost of disruption and downtime caused by a ransomware attack cannot be underestimated.
3. Cost of Forensics and Recovery
Forensics plays a key role in ransomware recovery. The cost of ransomware recovery-related forensics can be very high, even when the bulk of the work is done by internal teams. Regardless of whether backups are used to circumvent the ransomware threat, systems and files must be rigorously tested to identify the root cause and ensure that the malicious software has been eradicated.
4. Costs of Infrastructure before and after Ransomware Attack
When considering the financial impact of ransomware, the calculation should take into account expenses related to ransomware recovery and prevention. This includes defensive software, hardware, staff, and services that must be in place for ransomware prevention, response to, and restoration of operations.
5. Cost of Legal
Often, responding to a ransomware attack requires expensive legal support—even when the organization was not found to be negligent. Compliance and legislated requirements are stringent and legal oversight is often required in the aftermath of a ransomware attack. Organizations must address potential privacy violations, negligence claims, service downtimes that impact service level agreements (SLAs), and loss of business—all of which can lead to expensive lawsuits.
6. Cost of Ransom Payment
For some organizations, the cost-to-benefit ratio of paying ransom tilts in favor of making a payment. In many cases, the initial ransom payment leads to follow-on attempts by the cyber-attacker to extort additional money from the organization, by exploiting additional vulnerabilities.
7. Cost of Reputation Loss
One of the most potent, but also the most difficult to calculate is the cost of reputation loss. Admitting to succumbing to a ransomware attack can tarnish brands and shake the confidence of customers, partners, and investors.
Ransomware Recovery Frameworks
Preparing for Ransomware Recovery
- Implement security measures and training to protect from systems’ ransomware attacks.
- Deploy a solution to back up systems and data in immutable storage.
- Develop processes to recover and clean infected data and systems and test them before restoring them in a new production environment.
- Test backup and ransomware recovery systems and processes to identify issues and ensure expedited resolution in the event of a potential attack.
Critical Steps for Ransomware Recovery
- Isolate the Infection
- Identify the Infection
- Report the attack to appropriate authorities
- Assess options
- Remove the malware
- Decrypt ransomed files and systems
- Restore systems and data from backups
- Pay the ransom
After Ransomware Recovery
- Conduct a full investigation into the cause of the ransomware attack
- Remediate issues and implement additional systems and processes to prevent future attacks
- Evaluate efficacy of the ransomware recovery plan and adjust as needed to optimize it
Ransomware Recovery Products
Early Detection for Ransomware Recovery
During the assessment phase of ransomware recovery, early detection solutions are important. They identify targets of the ransomware, which helps with containment. These tools can be deployed independently or can be integrated into backup systems, including:
- Anomaly detection
- Malware detection
- Malware scanning
Backup for Ransomware Recovery
Experts recommend backup solutions as a core part of ransomware recovery strategies. When considering backup solutions, these capabilities are important.
- Provides immutable file storage
There are a variety of ways to implement immutable file storage, but the end result is that once data has been saved, it cannot be changed and can only be deleted under specified circumstances or according to retention protocols. - Does not use network sharing protocols
Instead of network sharing protocols, more secure approaches are employed, such as using:- More secure methods over the network, typically object storage APIs, such as Amazon S3 compatible APIs, or proprietary protocols
- Data storage platforms with their own data movement APIs, such as virtual tape libraries (VTLs)
- Combined storage and backup where the storage is local to the backup server and does not require network access
- Multi-factor authentication (MFA) or two-factor authentication (2FA)
Especially for administrative accounts, this capability requires users to identify themselves by more than a username and password. This immediately eliminates the risks associated with compromised passwords, because if a password is hacked, guessed, or even phished, that is not enough to give an attacker access without approval at the second factor. - Separation of administrative roles
Eliminating accounts with complete privileges to all backup systems is an effective way to contain ransomware attacks. When privileges are compartmentalized, the impact of breaching a single account is lower, even if an administrator’s account is compromised. Backup systems should support role-based access controls (RBAC) that assign different functions to different user accounts. - Multi-person authorization workflows
Accessing and changing anything with backup systems should require signoff from another account. This makes it more difficult for an attacker to damage the backup system by breaching a single administrative account. - Multiple copies of backup data
Use the 3-2-1 rule (three copies of backup data on two different storage types with one copy isolated off-site) to protect backups. One of these backups should be air-gapped. - Robust audit tools
Investigations and recovery from a ransomware attack are expedited when administrators have ready access to a robust audit trail of compromised users, files, data subjects, and sensitive data. - Granular file restoration
Backup systems should provide the option to restore both specific files, as well as support a full rollback of all files.
Malware Identification and Decryption for Ransomware Recovery
In some cases, decryption kits are available for ransomware recovery. No More Ransom, a non-profit project led by law enforcement agencies and security industry leaders, provides free ransomware identification and decryption tools. These include:
- Crypto Sheriff
Upload one of the encrypted files or information in the ransom note, and it will scan to find a match.
- Decryption keys
Free decryption keys can be found at No More Ransom. These can be used to unlock ransomed data.
Expedite Ransomware Recovery with Immutable Backup
Organizations from every sector must be prepared for ransomware recovery, from travel to healthcare and oil and gas to higher education. Preparing for ransomware recovery requires adopting a mindset that there is a high probability that the organization will be hit with a ransomware attack.
Paying the attackers is not a viable ransomware recovery strategy. In addition to data that shows that paying ransomware does not guarantee a full recovery, hefty civil penalties can be applicable when a ransom is paid. Recovery from ransomware is predicated on the ability to replace what the attackers have stolen or locked. A robust toolset is required to effectively prepare for ransomware recovery, but at the core of the strategy should be data management and backup. Having valuable data backed up and unreachable by ransomware will minimize downtime and data loss, allowing an organization to expedite ransomware recovery. The key to successful ransomware recovery with backup solutions is having a firm grasp on all content, what it is, and where it resides, as well as a bulletproof plan that is regularly tested and based on immutable backup data.
IMPORTANT: Report Ransomware Attacks to Authorities
Always report the ransomware to authorities as soon as the ransomware is contained—for several reasons.
- Ransomware is against the law—and like any other crime, it should be reported to the proper authorities.
- According to the United States Federal Bureau of Investigation (FBI), “Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations.”
- Partnerships with international law enforcement can be leveraged to help find the stolen or encrypted data and prosecute attackers.
The attack may have compliance implications. For instance, under the terms of the European Union’s General Data Protection Regulation (GDPR), if the Information Commissioner’s Office (ICO, the independent regulatory office in charge of upholding information rights in the interest of the public) is not notified within 72 hours of a breach involving a European Union citizen’s data, the organization could incur hefty fines.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 21st March, 2022
