There it is—the ransomware lockscreen staring you down with its arrogant gaze, just begging you to cry, “Uncle!” So much for your pleasant morning cup of coffee.
So, now what? What steps should you and your IT department take to mitigate the damage and restore your data?
The answer is: It depends.
Here are some things you’ll need to consider—ideally well before ransomware comes knocking on your door.
Isolate systems to mitigate ransomware damage—if you can
For some, immediately isolating systems and preventing the spread of ransomware is a crucial first step. If you can, disconnect from the internet and your WAN connection to contain the ransomware to the greatest extent you can.
Of course, not every organization can simply flip the switch and go offline. And, it all depends on what you have in your environment.
Consider a company that hosts its own web servers and receives all of its orders through its website, for example—or a business that serves up digital media and doesn’t have any tolerance for downtime. These organizations can’t just cut off their connection to the internet—at least, not without a lot of pain.
So a decision has to be made: “What’s the damage that’s been done here by the ransomware? And, by maintaining our connection, are we leaving ourselves open to more potential damage?”
Sometimes IT is a guessing game. You’ll have to ask yourself if it’s worth taking your servers offline.
If the answer is no, you’ll simply have to determine the best path forward—how you can clean up the ransomware infection and recover as best you can without disconnecting from your business’s lifeline.
Perform a forensic assessment of your systems
Next, you have to take a look at your systems to determine if the ransomware exists anywhere else in your IT environment.
Ask yourself: is the ransomware resident on any other machines or servers? Does it exist in my environment but hasn’t been activated yet?
Sometimes, ransomware gets activated in a reboot, sometimes it gets activated at a certain time, sometimes it gets activated by something else in the machine. So, it may not be flippantly waving hello—yet.
Once it’s on a machine and you know specifically what you’re looking for, leverage your data security software for alerts on any server anomalies. And, diligently investigate any alerts that might indicate a ransomware infection, like spikes in changed or renamed files.
Clean up the ransomware infection and recover
When it comes to restoring your data, the first thing you need to identify is when you were hit.
Let’s say we’re talking about a really important server—one that hosts a tier one application. You might be backing it up every hour during the day because it’s so critical to your business that you can’t have more than an hour of RTO/RPO.
Typically, systems administrators will jump into their enterprise management console—often Microsoft—and go through system logs to identify the last time that server was live before it was compromised. Then, they can ensure they’re restoring from a clean copy.
If you don’t do this critical investigation first and just start restoring, you could be restoring infected copies of that machine and perpetuating the problem.
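As an added example (not code from the original article), the following script shows the two checks described above: flagging a host whose file-audit log shows a spike in renamed or changed files, and then using the first suspicious timestamp to pick the last backup taken before the compromise. The log format, hostnames, paths, backup times, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample audit log (not real data). One event per line:
# "<ISO timestamp> <host> <event> <path>", event in CREATE/MODIFY/RENAME/DELETE.
NORMAL = [
    "2023-05-01T09:00:01 fs01 MODIFY /share/finance/q1.xlsx",
    "2023-05-01T09:03:10 fs01 CREATE /share/finance/q2.xlsx",
    "2023-05-01T09:09:45 fs01 RENAME /share/finance/old.xlsx",
]
# fs02 renames 25 files in 25 seconds, each gaining an unfamiliar suffix.
BURST = [f"2023-05-01T09:15:{i:02d} fs02 RENAME /share/hr/doc{i}.docx.locked"
         for i in range(25)]
SAMPLE_LOG = NORMAL + BURST
# Constructed hourly backups of fs02 on the same day (06:00 .. 11:00).
BACKUPS = [datetime(2023, 5, 1, h) for h in range(6, 12)]

def parse_line(line):
    ts, host, event, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, path

def detect_spikes(lines, window=timedelta(seconds=60), threshold=20,
                  events=("RENAME", "MODIFY")):
    """Sliding-window count of rename/modify events per host. Returns
    {host: (first timestamp in the window, count)} once a host hits the
    (assumed) threshold; the timestamp is the best estimate of when it began."""
    recent, alerts = defaultdict(deque), {}
    for line in sorted(lines):  # ISO timestamps sort chronologically as text
        ts, host, event, _ = parse_line(line)
        if event not in events:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (q[0], len(q))
    return alerts

def unusual_extension_ratio(lines, host, known=(".docx", ".xlsx", ".pdf")):
    """Share of a host's RENAME events whose new path ends in an extension
    outside the assumed known-good set; encryptors commonly append a suffix."""
    renames = [p for t, h, e, p in map(parse_line, lines)
               if h == host and e == "RENAME"]
    return sum(not p.endswith(known) for p in renames) / len(renames) if renames else 0.0

def last_clean_backup(backups, first_suspicious_ts):
    """Latest backup taken before the first suspicious event; anything newer
    may already contain the infection and must not be the restore source."""
    clean = [b for b in backups if b < first_suspicious_ts]
    return max(clean) if clean else None
```

Running `detect_spikes(SAMPLE_LOG)` flags only fs02, and feeding its first suspicious timestamp to `last_clean_backup` selects the 09:00 snapshot rather than any later one.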
Pay the ransom—maybe
What if you get caught unprepared? Have you thought about whether or not you should pay the ransom?
This is, of course, an individual choice you’ll have to make and it will be based on the type of business you operate, what data was encrypted, how important it is to your operations, and the time it will take you to recover.
If you find yourself in a position where you feel you have no choice, just keep in mind that you’re paying criminals. You might get the decryption keys—you might not. They might just take your bitcoins and say, “Screw you.”
And, these guys—they’re pretty smart.
Look at the size of the ransoms they demand. They’re just big enough that they can make some money off this racket, but small enough that an organization won’t pursue them if they don’t get what was promised, because it’s not worth their time.
This is a conversation you should be having now—not in the heat of the moment.
And, if it gives you a sense of unease, it’s probably an indication that your backup and recovery strategy isn’t as robust as it should be.
Remember—your best offense is a strong defense
Okay, so there it is again. The ransomware lock screen.
Now, if you’re backing up your data every hour, you’ve had great results with your backup solution, and you’ve already determined that one hour or less of data loss is acceptable to your business, you’ve got the upper hand. So, why pay?
If you feel good about the way you’re protecting your data and you’re very confident that it’s restorable because you test your backup and recovery on an automated basis and know you can restore a VM in 20 minutes, you can tell the cybercriminals to buzz off.
And, that’s a very good place to be.