The rise of ransomware shows that hackers have stopped wreaking havoc on data just because they can, and now have figured out how to monetize their efforts. Through a variety of paths, one of the consumers of your company’s data might do something that appears innocent, and suddenly trigger some rogue event that encrypts all the data that user could access: local data, data accessible via network storage and data accessible via the cloud. Prevention software can shut off the user, but it’s likely some damage will have been done before this kicked in. The ransomware can encrypt files very quickly, but it doesn’t need to encrypt the entire file to render it useless by the applications designed to interact with the data.
When ransomware strikes, it not only leaves your data inaccessible, it has likely put your data through a blender. When you look at the resulting crime scene, what you will likely see is files have been renamed, deleted and/or moved. You’ll see new files with ransom notes in a pop-up window.
Basically, you have a mess – think a toxic waste site. Even when you pay to unlock your data, the collateral damage may not get cleaned up. It should also be noted that reports show people who pay the ransom are not guaranteed to get their data back. Some of this is due to bugs in ransomware software, and some to the fact that there is no honor among thieves. It may feel like the end of the world, but with the right plan, you can survive and recover from an attack with as little damage as possible.
Ransomware happened. Now what?
Ok, so ransomware happened. It shouldn’t have. You purchased all the detection software and did the best you could to protect the data. But now, you need to have a plan to restore operations. Worse than a double faulted RAID set since, at least in that case, your only option is to do a full restore. Your options now, and the best path forward, depends on your ability to learn exactly what happened.
The user that triggered the chaos may not even know they did it for awhile. Your first clue it happened could be every form of communication to you to is lit up. People are seeing frightening notes saying the data they are trying to access is being held for ransom. Not to over-dramatize, but some users will be afraid, since they won’t understand how this happened and think someone is in the company causing harm. They are sort of right, but the someone is virtual and the harm is to the business which relies on access to data. Try and explain this to someone outside the technical realm.
For folks in the IT world, think all paths down. For folks in security, it’s an incident and the incident response team kicks into action. It’s once again time for these two teams, if they are separate, to work together.
There are multiple products that can help you recover from ransomware, but many of them only solve a piece of the problem. When I read what many of them do, I feel like I am watching a LifeLock commercial (my favorite is the termite one). Basically, there’s a termite monitor that says you have a problem, but doesn’t help you fix it. LifeLock helps you not just identify the problem, but helps you fix it. What you really want is a massive cleanup service like ServPro for your data – your goal should be to restore operations and access to the data, like the disruption never even happened.
You may decide to pay the ransom to get the data back. Even if you do, there’s downtime until you get the decryption magic working, and no guarantee it will actually work. You’ll want to start working on the recovery yourself just in case. Most companies a have disaster recovery plan, created for physical data outages. It’s time to think about putting together for virtual data outages.
Learn more about recovering from ransomware.