Ransomware response and recovery can broken down into four steps:<\/p>\n\n\n\n
1. Isolate, Assess, Call for Help:<\/p>\n\n\n\n
2. Recover what can be recovered, replace what cannot be recovered.<\/p>\n\n\n\n
3. Apply lessons-learned and block future attacks.<\/p>\n\n\n\n
4. Revise (or create) the ransomware incident response plan.<\/p>\n\n\n\n
The initial incident response requires the team to perform several tasks nearly simultaneously. Not only must the attack be contained and assessed, the team might also need to let stakeholders, executives, authorities, and insurance companies know about the attack.<\/p>\n\n\n\n
Organizations with insurance policies need to first consider if they will involve their insurance company. Insurers often will require specific steps to be followed to fulfill the claims process.<\/p>\n\n\n\n
If lucky, the attack may be small enough that no cyber insurance claim may need to be filed. For example, an attack on a single machine or a simple ransomware attack involving a limited number of users. An attack of such minor impact may not even need to involve executives or other stakeholders because of the limited damage to the organization.<\/p>\n\n\n\n
However, in the case of a broad, sophisticated or Advanced Persistent Threat (APT)<\/a> attack, damages will be significant. Cybersecurity insurers often strictly outline the steps permitted in order to qualify for reimbursement and in larger attacks, the insurance company should be one of the first calls.<\/p>\n\n\n\n Few internal IT and security teams maintain expertise in incident response and forensics. Internal teams can usually handle recovery from limited attacks, but sophisticated attacks require professional help. Engineers from incident response, forensic, managed IT security services<\/a>, and managed detection and response<\/a> specialists can determine the full extent of the attack, stop the attack, and aid in recovery.. <\/p>\n\n\n\n Assuming no instructions to the contrary from insurers, the first step is to contain the damage. Whether using internal specialists or professional assistance, the incident response team will cut off network and internet access for the affected devices (computer, server, etc.), network segment, or office. If necessary, the organization can shut down all networks for the organization to stop the spread.<\/p>\n\n\n\n Shutting down all networks is an extreme step and should not be taken lightly. Not only will normal operations suffer, but full shutdown can lead to other consequences such as:<\/p>\n\n\n\n Also keep in mind that isolating either specific devices or the organization as a whole will prevent remote access so responding IT teams will need to go onsite \u2013 which will increase time and money required for the recovery.<\/p>\n\n\n\n Next, assess the direct damage from the ransomware and evaluate the potential reach of the attack. Some ransomware attacks automatically launch when someone clicks a phishing<\/a> link and will be more simple to remediate because the source of the attack can be quickly identified and the extent of the damage rapidly assessed.<\/p>\n\n\n\n Other attacks only launch after attackers have significantly penetrated the environment, accessed many different systems, downloaded company information, and deleted backups. In the latter case, the advanced persistent threat<\/a> (APT) nature of the attack will not be stopped by isolating affected devices and more advanced methods will be required to eliminate the threat.<\/p>\n\n\n\n Also see: Best Backup Solutions for Ransomware Protection<\/strong><\/a><\/p>\n\n\n\n Once the active attacks are contained, the team can then turn to recovery of the systems and the data. Some simple ransomware cases can be handled by in-house teams because of their limited scope and damage.<\/p>\n\n\n\n Larger attacks involve exponentially more complexity and variance, and unwinding an APT attack will require deep forensic investigation of the systems, logs, and possibly even the backups. Most organizations need to reach out to service providers to obtain suitable experts for this type of recovery.<\/p>\n\n\n\n The high variance of ransomware attacks and response easily exceeds what we can cover in an article, so we will limit the rest of this article\u2019s focus to a limited, manageable scope involving automated ransomware striking only a handful of endpoint computers. This example will still provide an overview of the basic steps of ransomware recovery at a high level without going into the more technical details involved in broader threat hunting processes necessary for sophisticated attacks.<\/p>\n\n\n\n Also read:<\/strong> How One Company Survived a Ransomware Attack Without Paying the Ransom<\/a><\/p>\n\n\n\n Short answer: It depends. The high variance of the types of attacks and the characteristics of the environment prevent easy estimation of ransomware recovery time.<\/p>\n\n\n\n However, the variables that affect recovery time consist of:<\/p>\n\n\n\n Ransomware typically announces its presence by locking the victim\u2019s computer with a message screen with the ransom instructions. This will provide information regarding the type of ransomware infecting the computer and provide some guidance regarding the next steps.<\/p>\n\n\n\n If we are lucky, a google search for the specific ransomware on the screen may yield free decryption tools<\/a>, but beware of or through anti-ransomware tools<\/a> that remove the ransomware and fully restore the system and files. Unfortunately, as covered in How to Decrypt Ransomware Files<\/strong><\/a>, the recovery of ransomware encrypted files has a low success rate. <\/p>\n\n\n\n The decryption difficulty stems from:<\/p>\n\n\n\n Some organizations may be tempted to pay a ransom. Organizations that depend on uptime such as hospitals, law enforcement, or emergency services have mandates to be available and responsive that go beyond simple financial considerations. Deaths associated with ransomware are rare, but at least one death<\/a> is directly associated with a ransomware attack and roughly 25% of healthcare providers noted an increase in mortality rates<\/a> following ransomware attacks.<\/p>\n\n\n\n Unfortunately, there are three big reasons not to pay a ransom<\/strong>.<\/p>\n\n\n\n Full recovery of our systems will test the quality and thoroughness of our backup processes. We will need to go back far enough to locate data and OS system backups free of malware, but the further back we need to go, the more work product that could be lost. Our preparation prior to the attack will be critical to our data recovery success.<\/p>\n\n\n\n Hopefully, backups can be accessed through System Restore. If we know the date of the infection, we can roll back the computer to a system restore point prior to the infection, which should automatically remove the ransomware, clean the registry, and restore the operating system.<\/p>\n\n\n\n If we are unlucky, a sophisticated ransomware attack encrypted or deleted any backup files and system restore points. In this case, we may need to completely wipe the system and reinstall all software.<\/p>\n\n\n\n While it is possible to manually restore systems instead of wiping them, this time-consuming process requires a deep understanding of Windows Registry to carefully examine it to remove any lingering infections. Generally, this option consumes too much time to be practical and will be much more expensive than wiping the computers.<\/p>\n\n\n\n Once the system has been cleaned, we still have to restore the data itself from backup. Keep in mind that some backups may be of corrupted data so incident response teams may need to go through multiple backups until they find clean data. Any changes made since the last clean backup will probably be lost.<\/p>\n\n\n\n Further reading on ransomware protection and recovery<\/em>:<\/p>\n\n\n\n Whether we can restore our systems ourselves or we must hire incident response specialists, fully recovering our systems from an attack only marks the start of the process. We will also need to:<\/p>\n\n\n\n Many ransomware gangs have adopted the tactic of exporting sensitive data prior to triggering the ransomware attack and extorting the victim company with the threat of publicly releasing their data. If exfiltration has occurred, what types of data was stolen?<\/p>\n\n\n\n Depending upon the type of data affected, a full forensic investigation<\/a> of the attack may need to be performed to gather evidence for criminal prosecution or to defend the organization from civil and regulatory action. Complex attacks involving more than one ransomware attacker or more than one exfiltration will increase the time and headaches involved in resolving the issues.<\/p>\n\n\n\n The theft of regulated data protected by law<\/a> will trigger reporting requirements regarding the full extent of personal information, credit card data, healthcare information, or other protected data accessed, breached, or publicly released. Once the type of breached data is known, legal counsel will determine what types of internal and external reports may be required.<\/p>\n\n\n\n IT teams also need to work with legal counsel and executives to determine the required internal reports and the timing and content of information released to authorities, affected parties, or the public. Even if not required by law, breached customer data may trigger contractual and moral obligations to report the extent of the breach to the affected parties.<\/p>\n\n\n\n Once the recovery is complete and required reports are delivered, our incident response teams need to perform a post mortem analysis. The method of attack must be reviewed to determine how to prevent such attacks in the future.<\/p>\n\n\n\n Often this will be referred to as a Lessons Learned report and it should cover:<\/p>\n\n\n\n Some organizations may not have the budget or time to immediately address all issues, so unaddressed issues will also need to be evaluated for risk to the organization. For example, it may not be practical to prevent phishing attacks<\/a> from leading to future ransomware attacks, but the organization may decide to encrypt<\/a> more data or block email access from critical systems to limit the future risk to the organization.<\/p>\n\n\n\n Additionally, the team will want to analyze their response to the attack to determine if improvements need to be made to the incident response plan (or to create an incident response plan). Common issues encountered in this process are incorrect phone numbers, obsolete IP addresses, or broken recovery processes.<\/p>\n\n\n\n Preparation remains the key to successful ransomware recovery. An organization must:<\/p>\n\n\n\n Some IT professionals dismiss policies as words on paper that protect nothing. The validity of that complaint depends upon the organization. Organizations that use the policies to enact procedures and to set the tone of the organization will enjoy more benefits from policies than organizations that just go through the motions for compliance check boxes.<\/p>\n\n\n\n Backup policies should include the type of backup (full data, changed data, full system), frequency (daily, monthly, quarterly), retention period (60 days, six months, etc.), and the location of the backup (on the device, in connected network repositories, offline, etc.). Best practices recommend three backups with at least one backup offsite and offline to prevent an attacker\u2019s access.<\/p>\n\n\n\n For an incident response plan<\/a> or policy, we must be honest about our valuable assets, our security capabilities, and our team\u2019s ability to respond to an incident. The key is functionality. A robust plan that cannot be executed by our team is worthless.<\/p>\n\n\n\n The plan does not require sophistication or even technical ability. It could simply be a list of different types of incidents (power outage, ransomware attack, etc.) and important numbers to call for each type of incident such as incident response experts, an attorney, key executives, insurance contacts, and so on.<\/p>\n\n\n\n Some attorneys will recommend specific processes that require their involvement. These recommendations hope to extend the protection of privilege to the work product and communication of the process so that it cannot be introduced as evidence in future lawsuits.<\/p>\n\n\n\n The incident response plan may also need to involve the CFO. Purchasing limitations that may normally require extended processes with multiple signatures may need to be bypassed with pre-approved budgets and vendors that would be triggered in the event of an attack.<\/p>\n\n\n\n Ideally, any cybersecurity insurance policy requirements should also be determined and added to the incident response plan. The more accurate the information, the smoother the process will be executed and the less risk of mistakes during an incident.<\/p>\n\n\n\n All policies should be reviewed periodically as well as after an event to revise or update the policies as needed.<\/p>\n\n\n\n When installing layered security we need to focus on the most likely target and the most likely attack paths.<\/p>\n\n\n\n We must cover the basics. A zero-trust architecture<\/a> with continuous authorization might be the preferred option for some, but a traditional security framework can provide adequate security for many.<\/p>\n\n\n\n The classic approach of a modern firewall<\/a>, robust network security<\/a>, and advanced endpoint security<\/a> would be reasonable. We should encrypt<\/a> data at rest. We should use multi-factor authentication<\/a>.<\/p>\n\n\n\n Budgets and IT capabilities may limit how much security we can afford to deploy, but not all security costs a fortune. Many of us ignore the embedded options and features of our current operating systems and software that can significantly reduce the effectiveness of attacks.<\/p>\n\n\n\n This is particularly true of server protection, where, as Symantec Endpoint Security VP and General Manager Adam Bromwich notes, \u201ctraditionally IT has not turned on all the protection technologies available to them. They have become a weak point that attackers are exploiting.\u201d<\/p>\n\n\n\n \u201cLay of the land\u201d attacks that exploit legitimate tools, such as PowerShell<\/a>, WMI and PsExec, add to that insecurity. Symantec has added behavioral blocking<\/a> around such tools and sandboxing<\/a>, and the Broadcom company\u2019s new Adaptive Protection tool shuts down processes that aren\u2019t in use, further hardening systems and disrupting the attack chain.<\/p>\n\n\n\n \u201cBy the time you can react to an EDR alert, it is too late,\u201d Bromwich told eSecurity Planet<\/em>.<\/p>\n\n\n\n Testing involves periodic checks of our security, processes, and procedures.<\/p>\n\n\n\n First, we must verify that our security has been correctly installed and is functioning. Internal assessments are okay, but can miss critical issues our team did not consider.<\/p>\n\n\n\n Paying for third-party assessments and penetration tests<\/a> can provide fresh thinking and a level of assurance for stakeholders such as customers, the board of directors, and the cybersecurity insurance company. Penetration tests and vulnerability scans may also be required to comply with various regulations (PCI DSS, etc.).<\/p>\n\n\n\n Our processes and procedures will often be planned in advance, but may overlook critical data or steps. Tabletop exercises and drills to go through the processes and procedures ensure our staff confidently can smoothly execute them should a ransomware attack or other incident occur.<\/p>\n\n\n\n It can also be wise to ensure that all employees in the company receive and understand the incident response policy. Intermedia surveyed employees and estimated that 59% personally paid<\/a> to recover from ransomware rather than admit to becoming a victim. However, our IT teams need to make sure that the malware has been removed from the system and we can only do that if we are informed about the attack.<\/p>\n\n\n\n The best way to recover from a ransomware<\/a> attack is to execute a carefully practiced incident response plan<\/a>. However, many organizations have no plan at all. Instead, they not only have to conduct recovery steps with no planning or preparation, they also need to figure out those steps under immense pressure.<\/p>\n\n\n\n While the recovery steps are the same, a written plan enables a security team to be much better prepared. A security team that practices a plan gains even more benefits because they can respond to attacks faster, with fewer mistakes, and with better results.<\/p>\n\n\n\n All organizations should take steps to prepare for future ransomware attacks so that when an attack arrives, they will be prepared and react quickly, effectively, and comprehensively to limit damage.<\/p>\n\n\n\n Read next:<\/strong> Ransomware Prevention: How to Protect Against Ransomware<\/a><\/p>\n\n\nProfessional Assistance<\/h3>\n\n\n\n
Isolate the Attack<\/h3>\n\n\n\n
\n
\n
Ransomware Assessment<\/h4>\n\n\n\n
2. Recover What Can Be Recovered<\/strong><\/h2>\n\n\n\n
How Long Does it Take to Recover from Ransomware?<\/strong><\/h3>\n\n\n\n
\n
\n
Simple Ransomware Recovery<\/strong><\/h3>\n\n\n\n
Ransomware Decryption<\/h4>\n\n\n\n
\n
Ransom Payment (Not Recommended)<\/h4>\n\n\n\n
\n
\n
Restoration from Backups<\/h4>\n\n\n\n
\n
3. Conduct Post-Attack Tasks<\/strong><\/h2>\n\n\n\n
\n
Deal With Other Ransomware Attack Issues<\/strong><\/h3>\n\n\n\n
Report to Regulators and Stakeholders<\/strong><\/h3>\n\n\n\n
Apply Lessons Learned<\/strong><\/h3>\n\n\n\n
\n
4. Create or Revise the Ransomware Incident Response Plan<\/strong><\/h2>\n\n\n\n
\n
Prepare Policies to Protect Against Ransomware<\/strong><\/h3>\n\n\n\n
Install Layered Ransomware Security<\/strong><\/h3>\n\n\n\n
Planning and Testing<\/strong><\/h3>\n\n\n\n
Bottom Line<\/h2>\n\n\n\n