There it is—the ransomware lockscreen staring you down with its arrogant gaze, just begging you to cry, “Uncle!” So much for your pleasant morning cup of coffee.
So, now what? What steps should you and your IT department take to mitigate the damage and restore your data?
The answer is: It depends.
Here are some things you’ll need to consider—ideally well before ransomware comes knocking on your door.
Isolate systems to mitigate ransomware damage—if you can
For some, immediately isolating systems and preventing the spread of ransomware is a crucial first step. If you can, disconnect from the internet and your WAN connection to contain the ransomware to the greatest extent you can.
Of course, not every organization can simply flip the switch and go offline. And, it all depends on what you have in your environment.
Consider a company that hosts its own web servers and receives all of its orders through its website, for example—or a business that serves up digital media and doesn’t have any tolerance for downtime. These organizations can’t just cut off their connection to the internet—at least, not without a lot of pain.
So a decision has to be made: “What’s the damage that’s been done here by the ransomware? And, by maintaining our connection, are we leaving ourselves open to more potential damage?”
Sometimes IT is a guessing game. You’ll have to ask yourself if it’s worth taking your servers offline.
If the answer is no, you’ll simply have to determine the best path forward—how you can clean up the ransomware infection and recover as best you can without disconnecting from your business’s lifeline.
Perform a forensic assessment of your systems
Next, you have to take a look at your systems to determine if the ransomware exists anywhere else in your IT environment.
Ask yourself: Is the ransomware resident on any other machines or servers? Does it exist in my environment but hasn’t been activated yet?
Sometimes, ransomware gets activated in a reboot, sometimes it gets activated at a certain time, sometimes it gets activated by something else in the machine. So, it may not be flippantly waving hello—yet.
Once it’s on a machine and you know specifically what you’re looking for, leverage your data security software for alerts on any server anomalies. And, diligently investigate any alerts that might indicate a ransomware infection, like spikes in changed or renamed files.
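Here is an added example of the kind of alert logic the paragraph above describes, written for this article and not taken from any product: it parses a small constructed set of file-activity events (the format and hostnames are invented for the illustration) and flags any host whose count of changed or renamed files in a one-minute window crosses a threshold, which is the sort of spike that warrants investigation.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of file-activity events (not real telemetry). Format:
# "<ISO timestamp> <host> <action> <path> [-> <new path>]", roughly what a
# file-integrity monitor or file-server audit export might produce.
NORMAL_ACTIVITY = """\
2024-03-01T09:00:01Z fs01 MODIFY /shares/finance/q1.xlsx
2024-03-01T09:03:17Z fs01 MODIFY /shares/finance/q2.xlsx
2024-03-01T09:04:40Z fs02 RENAME /shares/hr/draft.docx -> /shares/hr/final.docx
2024-03-01T09:07:02Z fs01 MODIFY /shares/finance/notes.txt
"""

# Constructed burst: 25 renames on fs01 inside a single minute, the kind of
# spike in changed or renamed files the article says to investigate.
BURST_ACTIVITY = "".join(
    f"2024-03-01T09:12:{i:02d}Z fs01 RENAME /shares/finance/doc{i}.docx"
    f" -> /shares/finance/doc{i}.docx.locked\n"
    for i in range(25)
)

SAMPLE_EVENTS = NORMAL_ACTIVITY + BURST_ACTIVITY


def parse_events(text):
    """Parse event lines into dicts with ts (epoch seconds), host, action, path."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, host, action, rest = line.split(maxsplit=3)
        path = rest.split(" -> ")[0]  # for RENAME keep the original path
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": int(ts.timestamp()), "host": host,
                       "action": action, "path": path})
    return events


def detect_spikes(events, window_seconds=60, threshold=20):
    """Count MODIFY/RENAME events per host per fixed time window and return
    the windows whose count reaches the threshold, with a few sample paths."""
    counts = defaultdict(int)
    samples = defaultdict(list)
    for ev in events:
        if ev["action"] not in ("MODIFY", "RENAME"):
            continue
        window_start = ev["ts"] - ev["ts"] % window_seconds
        key = (ev["host"], window_start)
        counts[key] += 1
        if len(samples[key]) < 3:
            samples[key].append(ev["path"])
    alerts = []
    for (host, window_start), count in sorted(counts.items()):
        if count >= threshold:
            alerts.append({
                "host": host,
                "window_start": datetime.fromtimestamp(window_start, timezone.utc).isoformat(),
                "count": count,
                "sample_paths": samples[(host, window_start)],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['host']} {alert['window_start']}: "
              f"{alert['count']} changed/renamed files, e.g. {alert['sample_paths']}")
```

The threshold of 20 events per minute is an assumed starting point; in practice you would tune it per file server against a baseline of normal activity, since a build server or a bulk import can legitimately touch many files in a minute.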
Clean up the ransomware infection and recover
When it comes to restoring your data, the first thing you need to identify is when you were hit.
Let’s say we’re talking about a really important server—one that hosts a tier one application. You might be backing it up every hour during the day because it’s so critical to your business that you can’t have more than an hour of RTO/RPO.
Typically, systems administrators will jump into their enterprise management console—often Microsoft—and go through system logs to identify the last time that server was live before it was compromised. Then, they can ensure they’re restoring from a clean copy.
If you don’t do this critical investigation first and just start restoring, you could be restoring infected copies of that machine and perpetuating the problem.
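As an added illustration of choosing a clean restore point (example code written for this article, not from any backup product), the following takes the time the log review put as the first evidence of the ransomware and a constructed hourly backup catalog for the server, and picks the newest snapshot taken safely before that point. The catalog, the snapshot names and the 15-minute dwell-time margin are assumptions; the margin exists because, as the previous section notes, the ransomware may have been resident before it announced itself.

```python
from datetime import datetime, timedelta, timezone

# Constructed backup catalog for a tier-one server backed up hourly:
# (snapshot id, time taken). Not a real catalog.
SNAPSHOTS = [
    ("srv-app01-0700", "2024-03-01T07:00:00Z"),
    ("srv-app01-0800", "2024-03-01T08:00:00Z"),
    ("srv-app01-0900", "2024-03-01T09:00:00Z"),
    ("srv-app01-1000", "2024-03-01T10:00:00Z"),
    ("srv-app01-1100", "2024-03-01T11:00:00Z"),
]

# Constructed result of the log review: first evidence of the ransomware on
# this server (for instance the first wave of renamed files) at 09:12 UTC.
FIRST_INDICATOR = "2024-03-01T09:12:00Z"

RPO = timedelta(hours=1)  # the one-hour tolerance from the article's scenario


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def choose_restore_point(snapshots, first_indicator,
                         dwell_margin=timedelta(minutes=15)):
    """Return (clean_snapshot_id, data_loss, suspect_ids).

    A snapshot counts as clean only if it was taken before the first indicator
    minus a dwell-time margin (assumed value), since the ransomware may have
    been present but dormant before it showed itself. Every later snapshot is
    listed as suspect: it may contain the infection and must not be restored
    without its own inspection.
    """
    indicator = parse_ts(first_indicator)
    cutoff = indicator - dwell_margin
    dated = [(sid, parse_ts(ts)) for sid, ts in snapshots]
    clean = [(sid, taken) for sid, taken in dated if taken < cutoff]
    suspect = [sid for sid, taken in dated if taken >= cutoff]
    if not clean:
        return None, None, suspect
    sid, taken = max(clean, key=lambda item: item[1])
    return sid, indicator - taken, suspect


def within_rpo(data_loss, rpo=RPO):
    """True when the data-loss window of the chosen restore point fits the RPO."""
    return data_loss is not None and data_loss <= rpo


if __name__ == "__main__":
    sid, loss, suspect = choose_restore_point(SNAPSHOTS, FIRST_INDICATOR)
    print(f"restore from: {sid}, data loss: {loss}, within RPO: {within_rpo(loss)}")
    print(f"do not restore blindly: {suspect}")
```

With the assumed 15-minute margin the 09:00 snapshot is set aside and the 08:00 snapshot is chosen, so the realised data loss is 1 hour 12 minutes, outside the one-hour RPO; with the margin set to zero the 09:00 snapshot qualifies and the loss is 12 minutes. That gap is worth knowing before an incident: a backup interval equal to the RPO leaves no headroom for the investigation.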
Pay the ransom—maybe
What if you get caught unprepared? Have you thought about whether or not you should pay the ransom?
This is, of course, an individual choice you’ll have to make and it will be based on the type of business you operate, what data was encrypted, how important it is to your operations, and the time it will take you to recover.
If you find yourself in a position where you feel you have no choice, just keep in mind that you’re paying criminals. You might get the decryption keys—you might not. They might just take your bitcoins and say, “Screw you.”
And, these guys—they’re pretty smart.
Look at the size of the ransoms they demand. They’re just big enough that they can make some money off this racket, but small enough that an organization won’t pursue them if they don’t get what was promised, because it’s not worth their time.
This is a conversation you should be having now—not in the heat of the moment.
And, if it gives you a sense of unease, it’s probably an indication that your backup and recovery strategy isn’t as robust as it should be.
Remember—your best offense is a strong defense
Okay, so there it is again. The ransomware lock screen.
Now, if you’re backing up your data every hour, you’ve had great results with your backup solution, and you’ve already determined that one hour or less of data loss is acceptable to your business, you’ve got the upper-hand. So, why pay?
If you feel good about the way you’re protecting your data and you’re very confident that it’s restorable because you test your backup and recovery on an automated basis and know you can restore a VM in 20 minutes, you can tell the cybercriminals to buzz off.
And, that’s a very good place to be.
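Here is an added example of what an automated restore test can look like (written for this article; it is not any vendor's tooling). It records a SHA-256 manifest of the data at backup time, times a restore into a scratch directory against a 20-minute target, and compares the restored files with the manifest so that a restore which silently drops or truncates files fails the drill. The backup image and the restore function are stand-ins: a directory copy plays the part of the real product's restore call, which is an assumption you would replace with your own.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

RESTORE_TARGET_SECONDS = 20 * 60  # the 20-minute restore target from the article


def build_manifest(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest captured at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest
                            if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def run_restore_drill(restore_fn, manifest, target_seconds=RESTORE_TARGET_SECONDS):
    """Time restore_fn(dest_dir) into a scratch directory and verify the result.
    restore_fn stands in for whatever your backup product's restore call is."""
    with tempfile.TemporaryDirectory() as dest:
        start = time.monotonic()
        restore_fn(dest)
        elapsed = time.monotonic() - start
        problems = verify_restore(manifest, dest)
    passed = elapsed <= target_seconds and not any(problems.values())
    return {"passed": passed, "elapsed_seconds": elapsed, "problems": problems}


def demo():
    """Run the drill against a constructed backup image: once with a faithful
    restore and once with a restore that drops one file and truncates another."""
    with tempfile.TemporaryDirectory() as backup:
        files = {  # constructed sample content, not real data
            "app/config.ini": b"[db]\nhost=db01\n",
            "data/orders.csv": b"id,total\n1,9.99\n2,15.00\n",
            "data/customers.csv": b"id,name\n1,acme\n",
        }
        for rel, content in files.items():
            p = Path(backup, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        manifest = build_manifest(backup)  # captured at backup time

        def good_restore(dest):
            shutil.copytree(backup, dest, dirs_exist_ok=True)

        def bad_restore(dest):
            shutil.copytree(backup, dest, dirs_exist_ok=True)
            Path(dest, "data/orders.csv").write_bytes(b"id,total\n")  # truncated
            Path(dest, "data/customers.csv").unlink()                 # dropped

        return (run_restore_drill(good_restore, manifest),
                run_restore_drill(bad_restore, manifest))


if __name__ == "__main__":
    good, bad = demo()
    print("faithful restore:", good)
    print("damaged restore:", bad)
```

The manifest is the part worth keeping offline with the backup catalog: a restore that finishes inside the target time but returns the wrong bytes is exactly the case a purely time-based test misses.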