Recovering from a Ransomware Attack

Legacy backups are no match for ransomware, leaving your data vulnerable. What happens after you’ve been hit? How do you recover?


    Every 11 seconds, a new organization gets hit by ransomware. Any organization, regardless of size or industry, is at risk. A report by Cybersecurity Ventures found that ransomware attacks surged by 105% in 2021, costing $20 billion worldwide.

    The three most common ways ransomware gets in are phishing emails, exploitation of software vulnerabilities, and attacks on weakly secured, internet-facing servers. Because smaller businesses rarely have adequate protection in place, server exploits are the most common way they are infected; as organizations grow, phishing emails become the dominant entry point.

    Legacy backup architectures are no match for these threats: backups that stay online and writable from the production network with ordinary domain credentials are simply encrypted or deleted along with everything else, leaving your data vulnerable to cybercriminals. So, what happens after you've been hit? How do you recover?

    To Pay or Not to Pay, That is the Question

    Ransomware Comic
    Sourced from https://2u7df44dd82i2tiate1x20js-wpengine.netdna-ssl.com/wp-content/uploads/ransomware-comic-cloudtweaks.jpg

    Many organizations are tempted to pay the ransom to get their data back, but there is no guarantee that paying will recover it. After all, you are dealing with criminals, and even a genuine decryptor may be too slow to matter. In the 2021 Colonial Pipeline attack, the company paid about 75 Bitcoin (roughly $4.4 million at the time) within hours in exchange for a decryption tool, and that tool proved so slow that the company's own business continuity planning tools were more effective at bringing back operational capacity.

    Ransomware hit 66% of mid-sized organizations in 2021, up from 37% in 2020. Average ransom payments reached $812,000 during 2021, compared with $170,000 the prior year.

    Among organizations whose data was encrypted, 46% paid a ransom to the malicious actors. In addition, 26% of organizations that were able to restore their data from backups still decided to pay a ransom.

    A Real-Life Ransomware Scenario

    Velosio has a client whose email server was taken down by ransomware. The clearest red flag that a business is down is when employees start using their personal email accounts, which is bad for an organization's reputation with customers, partners, and vendors. The attack happened while a new IT staff member was coming on board and still getting a handle on the systems. The IT staff attempted to resolve the problem internally and considered paying the malicious actors.

    Velosio's team offered advice and guidance to help the organization come back online. The first question we asked the client, whose data was hosted on-premises, was: do you have a data backup? They did not. We were able to help them bring the mail server back online and recover most of their data, importing it only after scanning it to validate that it was clean. This was a huge lesson for the client: back up your data (and keep a copy that an attacker on your network cannot reach), consider migrating to the cloud, and have a security and disaster recovery plan.

    Comprehensive Business Continuity Plan

    The ransom payment is typically only a small fraction of the total cost an organization bears after a ransomware attack; downtime, recovery effort, and lost business dominate. Business continuity planning can help reduce those recovery costs.

    Comprehensive business continuity and disaster recovery plans, with a strong focus on cybersecurity, can ensure you have the resources required to survive a ransomware attack. At a minimum, you should have a perimeter anti-malware system that filters out malware at the edge of your network, but even that won’t stop everything.

    Broadly speaking, business continuity planning involves four aspects: assessment, planning, capability validation, and communication and coordination. The outline below follows business continuity guidance developed by Microsoft.

    Assessment

    First you must identify the business functions in your organization and the services and processes that support them. This includes completing a business impact analysis, in which each business function is ranked by how critical it is and the processes and services that depend on one another are identified.

    Planning

    Next, you look across business processes to see where any cascading dependency relationships exist. Based on the outcome, you prioritize and form resiliency strategies, and standard operating procedures supporting your strategies.

    You can use Microsoft Service Map to help you with this mapping. Service Map automatically discovers application components on Windows and Linux systems, maps their TCP dependencies, and identifies connections to the remote and third-party systems the application depends on. It also maps dependencies to areas of your network that are traditionally dark, such as Active Directory. (Service Map has since been retired; the same dependency data is available through the Map feature of VM insights in Azure Monitor, which uses the same Dependency agent.)

    In your dependency analysis, you will identify and examine the process dependencies. Make sure you include people, suppliers, customers, partnerships, and facilities. The data from this analysis will be used to identify gaps between the recovery requirements of a process and the recovery capabilities of supporting dependencies.

    Capability Validation

    Once you have inventoried your business processes and mapped out their relationships to other processes and technologies, you need to build validation scenarios for all the processes. Basically, figure out how you are going to validate your business process continuity plans. You will probably find that some are more important than others, and you will want to prioritize those. Don't forget that regular training for employees on incident response and continuity measures is important once the plan is established. Post-incident reviews should be used to enhance your resiliency strategies by incorporating lessons learned from each validation or test.
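    One validation scenario every organization should run is a restore drill: take a backup set, restore it somewhere isolated, and prove that what came back is what went in. The script below is an added example (not Velosio's or Microsoft's code) of the check behind such a drill. At backup time it records a SHA-256 manifest of every file; at restore time it flags files that are missing, files whose digest changed, and among the changed files those whose content now looks like random bytes, which is what ransomware-encrypted files look like. The file names, the 7.5 bits-per-byte entropy threshold and the simulated attack in `demo()` are all constructed for illustration.

```python
"""Backup manifest + restore verification, as used in a restore drill.

Added example, not part of the original article. File contents,
names and the entropy threshold are constructed for illustration.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristic: encrypted or compressed data sits close to 8.0 bits/byte,
# ordinary documents and mail stores well below that.
ENTROPY_THRESHOLD = 7.5


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large mail stores do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given sample (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 digest for every regular file under root.

    Store the result with the backup, ideally on media the production
    network cannot write to, so an attacker cannot rewrite it too.
    """
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against its manifest.

    Returns lists under "ok", "missing", "modified" and "suspect_encrypted";
    the last is the subset of modified files whose content has high entropy.
    """
    report = {"ok": [], "missing": [], "modified": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_of(p) == expected:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        # Only the first 64 KiB is needed to judge whether the file is ciphertext.
        if shannon_entropy(p.read_bytes()[: 1 << 16]) > ENTROPY_THRESHOLD:
            report["suspect_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed drill: build a backup set, then simulate ransomware on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "inbox.pst").write_bytes(b"From: alice@example.com\n" * 2000)
        (root / "mail" / "notes.txt").write_text("quarterly numbers\n" * 500)
        (root / "config.ini").write_text("[server]\nhost=mail01\n")
        manifest = build_manifest(root)

        # Simulated attack: one file overwritten with ciphertext-like random
        # bytes, one file deleted outright.
        (root / "mail" / "inbox.pst").write_bytes(os.urandom(8192))
        (root / "config.ini").unlink()
        return verify_restore(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:18s} {files}")
```

    In a real drill the manifest is produced on the backup host and checked on the isolated restore host; a non-empty `missing` or `suspect_encrypted` list means the backup set is not usable for recovery and the finding goes into the post-incident review.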

    Communication and Coordination

    During a service incident, normal communications channels may be impacted or degraded, so you should pre-arrange alternatives to help your organization stay connected during an incident. It is critical that the communication channels be established, vetted for security and compliance, and users trained on their use prior to a disruption. Failing from a known state to another known state is far preferable to users coming up with ad-hoc, unknown solutions in the middle of a crisis.

    If email is your primary method of keeping your users and stakeholders informed, and your email service is degraded or unavailable, you can use another service such as Microsoft Teams, Yammer, or a third-party service as a backup. The key is to establish these beforehand and train your users on where to go. A Yammer thread is not going to be useful if no one knows it exists or no one has it bookmarked.

    If your internal incident management processes rely on voice communications to coordinate your response, establish an alternative telephony solution for use during a crisis. This solution does not need full parity with your primary service but should provide the minimum level of collaboration needed to coordinate your business continuity and incident management teams. Additionally, asking users to publish their mobile phone numbers in your Global Address List provides an additional layer of backup communication in extreme cases. Separately, Microsoft 365 service health data (formerly exposed through the Office 365 Service Communications API, now through the Microsoft Graph service health and communications API) can be pulled into your own monitoring so that you know quickly whether an outage is on Microsoft's side or yours.

    It is critical that the location of your business continuity plans and standard operating procedures is well known. We recommend maintaining online and offline copies of critical documentation, for example in SharePoint Online or OneDrive for Business configured to sync automatically to local devices. For Service/Network Operations Centers and other teams that will be critical for recovery, you may also want to keep hard copies available for use in the event of an emergency, since a synced copy on a workstation that has itself been encrypted is no help.

    I recommend taking this quick assessment to see where there may be holes in your security operations. Although Velosio is not a security company, it is a trusted advisor on security issues for its clients. Let us know if we can partner with you to look at your current security measures and make recommendations. In the meantime, STAY SAFE out there!
