There is more to ransomware recovery than decrypting the systems

INSIGHT ARTICLE  | 

Authored by RSM US LLP


You’re a well-rounded CIO, your staff is competent, you’ve invested as much as possible in security (but of course, the budget is never enough). You’ve done the research and you know the essentials for reducing the risk of ransomware:

  1. Train the employees to recognize malicious emails and websites—DONE!
  2. Apply security updates and patches quickly and thoroughly—DONE!
  3. Tier your administrator accounts to limit access to devices as needed—IN PROGRESS (that turned out to be a bigger work effort than expected)
  4. Implement Multi-factor Authentication (MFA) for remote access and SaaS applications—STALLED (the user community simply does not understand the risk and is convinced it will inhibit their ability to work)
  5. Build a firewall between your backups and the rest of your systems—BUDGETED FOR NEXT YEAR

You know there are holes, but there’s a roadmap and budget. And, unlike most, you actually have a plan.

It’s Friday night. You’re just sitting down to dinner and finally relaxing; life is good. Meanwhile, your system administrator starts getting alerts that a server is going offline. It’s not a critical issue; they’ll address it after dinner. Another alert comes in, then another…now there’s a problem. Your sysadmin tries to connect remotely: “Authentication failed!” Panic sets in as he or she jumps in the car and heads to the data center. It’s too late. The message on all the screens reads, “All your files are encrypted.”

Your phone rings and you hear the words, “They got everything: servers, workstations, backups…and, for good measure, they extracted 2TB of data from our system and say they’ll post it on the web.” The whirlwind begins. There’s insurance, lawyers, consultants, investigators, negotiators. You pay the ransom, get the decryption keys and the process runs anew, albeit painfully slower than you would have thought.

A bad actor’s goal is to inflict maximum damage in order to extort as much as possible. He or she can start with a user’s PC and carefully navigate laterally until privileges are elevated to the level needed to stage and execute the attack. The bad actor uses malware like Emotet and TrickBot and tools such as Mimikatz, Cobalt Strike and Metasploit, spreading them to as many machines as possible and replacing files you might have never known were changed. The bad actor continues until—BINGO: he or she has your domain administrator credentials: the golden ticket for forging Kerberos tickets. It’s not even hacking anymore when the bad actor can just log in to whatever he or she wants. Game over.

Attempting to reuse any part of your environment is a huge risk: The systems are still compromised, and the exploits used for the infiltration are still there. Consequently, you need a plan and resources to rebuild everything as quickly as possible. This includes sterile networks, fresh installs and data restoration as well as significant monitoring to ensure security holes are not left open.

The recovery will be a dynamic situation in regard to priorities, resources and roadblocks to navigate. However, the following can facilitate a faster recovery:

  1. Have up-to-date documentation in an offline location, including a password vault. Often, the system that contains your documentation is encrypted. The inability to access documentation slows down the recovery process, as resources become dependent on the one staff member who has the information memorized.
  2. Shut down systems immediately upon recognizing that they’re being encrypted. The number of machines encrypted can be minimized with simple monitoring tools that recognize services going offline and responsive administrators who recognize the threat and make quick decisions to take them offline. This prevents the encryption process from propagating, which greatly decreases the time to recover business systems.
  3. Have local copies of your backups. One of the most time-consuming components of recovery is moving a large volume of data. Cloud backups are great as a last resort, but the amount of time required to download and then restore is prohibitive. In many cases, this is a primary reason companies decide to pay the ransom, as restoring from cloud backups simply takes too long.
  4. Have your contacts and critical information printed and accessible. Insurance contacts, policy numbers, lawyers, vendors and support contract information readily available minimizes chaos at the most critical times.