Part 2: Creating your Ransomware Defence
Welcome back to part two in the blog series ‘Breaking the Ransomware Cycle’. In this section, we’ll be exploring how organisations can formulate a plan to limit the impact of Ransomware should it strike.
Part 3: Recovering and evolving from a Ransomware attack, originally led by Kurt Kiefer, CRO of virtualDCS.
There will be many people reading this blog, and they are likely to fall into the following categories. Firstly, those who have seen it all before: they have experienced a Ransomware attack and know it’s only a matter of time before it happens again.
Secondly, there will be those who have only done basic training, with a textbook idea of what’s coming but have thankfully never experienced it themselves… yet.
Then finally, there are the Ransomware gurus - the people who have survived multiple attacks and know all the technology, the jargon, and the models. Hopefully, all will find this blog (and the original webinar) useful.
So, what happens should you receive the dreaded Ransomware alert? Well, it’s easier said than done, but the most important thing when following these steps is to remain calm.
How do you remember the above steps under pressure? The answer is to have your own, unique company playbook to hand, considering all the elements presented above, and in the second blog of the series. This plan needs to be physically printed or stored outside of your system on a device that can’t be compromised.
Areas you also need to document and consider within this plan include:
Communication: Your normal communication methods, such as Microsoft Teams, may be taken offline during the attack, so who are you going to contact, and how?
Chain of command: Along with the above, you also need an agreed chain of command in place – who is leading the Ransomware response team, what roles and responsibilities need undertaking, and who will be on-call to help?
Testing and reviews: The plan needs to be under constant review, with regular rehearsals, and you need to have the confidence that your team can implement it.
Coordination with insurance: When third parties are involved, data recovery becomes more complicated. In some cases, it can take up to 24 hours for a dedicated Cyber insurance team to respond to a request and to understand what an organisation can or cannot do with its equipment. Action taken before that response could potentially void the insurance claim, so it’s important to consider this in your playbook and read the terms and conditions.
Coordination with law enforcement: Similarly, there have been many rumours and reports of law enforcement agencies taking away equipment for analysis and testing. Despite the research, we can’t personally confirm whether this is accurate, but as a Ransomware recovery plan should consider every eventuality, this should also be one of them. In the UK, where appropriate it should be reported to the National Cyber Security Centre (NCSC), Action Fraud, the Information Commissioner’s Office (ICO) and the Office of Financial Sanctions Implementation (OFSI).
Top tip - Case studies often provide invaluable information on how attacks develop, so immerse yourself in the most recent attacks, and in the successes and failures others have experienced.
Recovering data to its original location after a Ransomware attack is not recommended for several reasons:
Forensic Analysis: Before recovery, it’s important to analyse the attack vector and assess the full impact before restoring data.
Integrity: Recovered data might be corrupted or altered by the Ransomware, leading to potential data loss or further system issues.
Security: Restoring data to a compromised system without fully eradicating the threat vector could leave vulnerabilities open for future attacks.
Persistence: The original location may still be infected with Ransomware or other malware, which could immediately re-encrypt or damage the recovered data.
It’s important to consider that you may have synchronously replicated the Ransomware from production to backup, where it now lies in wait. In this case, restoring data from the backup directly to the production environment will also restore the Ransomware, re-infect the system and introduce a ‘Ransomware loop’.
One way around this is to recover your ‘local backup’ to a public cloud, but this will take a lot of time that you may not have. Recovering data to its original location may not be the optimal solution. Our suggestion would be to consider a ‘Clean Room’.
A Clean Room is an isolated environment that’s segmented from the infected network and, when used with a Veeam Cloud Connect Backup solution from virtualDCS, is available as part of the solution. During an incident it can be used in the short to medium term, until the production environment is ready.
It provides a clean environment for you to safely analyse, test and vet data before fully restoring it to the production environment – avoiding the Ransomware recovery loop.
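As an added example (not code from the original post or from virtualDCS), one way to automate part of the vetting step in a Clean Room before anything is restored to production: the script below walks a restored file tree, flags files whose byte entropy looks encrypted and filenames that resemble ransom notes, and refuses to mark the restore point clean if either turns up. The thresholds, the filename hint list and the sample tree are assumptions constructed for the example.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic thresholds (assumed for this example, not from the original post).
ENTROPY_THRESHOLD = 7.5           # bits/byte; encrypted or compressed data sits near 8.0
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
MAX_SUSPECT_RATIO = 0.05          # fail the restore point if >5% of files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: Path) -> bool:
    """Text-like file whose name matches a typical ransom-note naming hint."""
    name = path.name.lower()
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(h in name for h in RANSOM_NOTE_HINTS)


def vet_restore_point(root: str) -> dict:
    """Walk a restored tree in the Clean Room and summarise signs of ransomware before promotion."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    high_entropy = [p.relative_to(root).as_posix() for p in files
                    if shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD]
    notes = [p.relative_to(root).as_posix() for p in files if looks_like_ransom_note(p)]
    ratio = len(high_entropy) / len(files) if files else 0.0
    clean = not notes and ratio <= MAX_SUSPECT_RATIO
    return {"files": len(files), "high_entropy": high_entropy, "ransom_notes": notes,
            "suspect_ratio": round(ratio, 3), "clean": clean}


def build_sample_tree() -> str:
    """Constructed sample restore point: two ordinary documents, one encrypted-looking file, one note."""
    root = tempfile.mkdtemp(prefix="cleanroom-")
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "invoice.txt").write_bytes(b"Invoice 1001: 12 units @ 4.50 GBP\n" * 40)
    (Path(root) / "docs" / "policy.txt").write_bytes(b"Backup policy: nightly, retained 30 days.\n" * 40)
    (Path(root) / "docs" / "report.xlsx.locked").write_bytes(bytes(range(256)) * 8)  # uniform bytes, entropy 8.0
    (Path(root) / "README_TO_DECRYPT.txt").write_bytes(b"Your files are encrypted.\n")
    return root


if __name__ == "__main__":
    print(vet_restore_point(build_sample_tree()))
```

On the sample tree the verdict is not clean, which is the point: the restore point would be held in the Clean Room for analysis rather than promoted straight back to production.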
Everyone has heard of the phrase, “Plan for the worst and hope for the best”, and this phrase, especially in the context of Ransomware is apt, but for me, another notable quote also springs to mind:
“Amateurs [musicians] practice until they can get it right; professionals practice until they can't get it wrong” - Harold Craxton, professor at the Royal Academy of Music.
Service providers like virtualDCS can be an experienced ‘helping hand’ in the event of a Ransomware attack: with access to comprehensive recovery platforms and daily exposure to incidents, they fully understand the nuances of Ransomware.
So, if you have any questions, would like to know more about CloudCover Clean Rooms or would like to leverage our experience handling complex Ransomware attacks then feel free to contact the team at +44 3453 888 327 or email enquiries@virtualdcs.co.uk.
A more in-depth version of this blog is available as part of the on-demand webinar ‘Break the Ransomware Cycle’ here.