Part 2 - When You Aren't Sufficiently Protected
In part 1 we discussed being sufficiently protected and what it takes to get there. Here we will talk about what to do in the event of a ransomware attack, and I'm operating under the assumption that not all of the best protections are in place. If you have a serious, high-performance backup system and a plan of action, you can act on that plan, limit downtime, and avoid risking substantial data loss or paying the ransom. That being said, here we go...
What To Do Immediately?
Ransomware takes substantial time to encrypt files on a network, and the amount of data affected depends directly on how much data you have, the performance of your systems, and how long the ransomware is allowed to run. In fact, ransomware often lives dormant in the network for days or longer until the attacker decides to execute the attack. Attackers often trigger it during evenings or weekends to maximize the damage before they are found out. The moment anyone in your organization suspects ransomware is present, notify your IT staff or IT service company immediately. A professional can usually stop the spread fairly quickly.
If you don't have an IT professional on staff or an IT service company under contract, consider disconnecting all of your systems from the local area network and the Internet, and shutting down affected systems and servers until someone can analyze them. Remember that time is of the essence with ransomware. Take this threat seriously and make it your top priority to give the recovery the best chance of success.
Ok, we stopped the bleeding, now what? Once you've stopped the spread of the ransomware, you need to determine which systems were affected and how much damage was done. Did it hit critical data on servers, or just a few workstations? Did it get an entire server before it was stopped, or just a handful of folders on the file server? Determining how severely your organization was affected is the critical next step. Most networks hold a lot of data that doesn't change regularly and likely already resides in existing backups. If you can continue to function as a company and restore 95% of the needed data without downtime and without major business impact, that's great news.
If you find that recently changed personal or business-critical data might not be on a current backup, your situation gets more challenging. Is rolling data back 24 hours sufficient? Or maybe you do have a backup that's only an hour old, but your backup system's performance and your IT team will need a full day to restore that server from the ground up. Can you handle a full business day of downtime to do a restore?
Many current backup systems can also "spin up" virtual copies of systems from a previous state. However, there's a lot of complexity to this when it comes to ransomware: when you do this you might also be turning on the ransomware from that previous state. As discussed above, because ransomware is often in the environment well before the impact is noticed, going back to a backup from a few hours ago won't be sufficient. This means piecing together backups in a much more time-consuming way. We often find the best practice is to build brand new virtual machines and restore only the data to them, to reduce the risk of a recurrence. That's where high-performance systems can really reduce the downtime and risk for organizations.
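Scoping the damage described above is easier with a read-only scan of the file share than by opening folders by hand. The following is an added example (my own defender-side triage script, not code from the original article): it walks a directory tree, flags ransom-note-like files and files whose content looks encrypted (an unexpected trailing extension plus high Shannon entropy), lists the affected folders, and reports the time window in which those files were last written, which helps pick a backup point that predates the encryption. The note-name keywords, the `.locked` extension and the sample tree it builds are constructed values for the demonstration, not indicators of any particular ransomware family.

```python
"""Read-only triage of a suspected ransomware hit on a file share.

Added example, not code from the original article. All name patterns,
extensions and sample files below are constructed for the demonstration.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed heuristics: words that commonly appear in ransom-note file
# names, and extensions an ordinary office share is expected to contain.
NOTE_KEYWORDS = ("readme", "decrypt", "how_to", "recover", "restore")
NOTE_SUFFIXES = (".txt", ".html", ".hta")
KNOWN_SUFFIXES = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".html", ".hta"}
ENTROPY_THRESHOLD = 7.2   # bits/byte; plain text is ~4-5, encrypted data ~7.9
MIN_SIZE = 256            # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: str) -> bool:
    """File name matches the note keyword/suffix heuristics."""
    name = os.path.basename(path).lower()
    return name.endswith(NOTE_SUFFIXES) and any(k in name for k in NOTE_KEYWORDS)


def looks_encrypted(path: str) -> bool:
    """Unexpected trailing extension AND high-entropy content."""
    _, ext = os.path.splitext(path)
    if ext.lower() in KNOWN_SUFFIXES:
        return False
    try:
        if os.path.getsize(path) < MIN_SIZE:
            return False
        with open(path, "rb") as fh:
            head = fh.read(65536)   # the first 64 KiB is enough to judge
    except OSError:
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


@dataclass
class TriageReport:
    ransom_notes: list = field(default_factory=list)
    encrypted_files: list = field(default_factory=list)
    affected_dirs: set = field(default_factory=set)
    first_write: Optional[float] = None   # earliest mtime of an encrypted file
    last_write: Optional[float] = None    # latest mtime of an encrypted file


def triage_share(root: str) -> TriageReport:
    """Walk `root` without modifying anything and summarise what was touched."""
    report = TriageReport()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if looks_like_ransom_note(path):
                report.ransom_notes.append(path)
                report.affected_dirs.add(dirpath)
            elif looks_encrypted(path):
                report.encrypted_files.append(path)
                report.affected_dirs.add(dirpath)
                mtime = os.path.getmtime(path)
                report.first_write = mtime if report.first_write is None else min(report.first_write, mtime)
                report.last_write = mtime if report.last_write is None else max(report.last_write, mtime)
    return report


def build_sample_share() -> str:
    """Constructed sample tree: one untouched folder, one folder that was hit."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "policy.txt"), "w") as fh:
        fh.write("Annual leave policy. " * 100)            # untouched text file
    for i in range(3):                                        # "encrypted" spreadsheets
        with open(os.path.join(root, "finance", f"q{i}.xlsx.locked"), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(root, "finance", "README_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact: [constructed placeholder]\n")
    return root


if __name__ == "__main__":
    r = triage_share(build_sample_share())
    print(f"ransom notes:    {len(r.ransom_notes)}")
    print(f"encrypted files: {len(r.encrypted_files)}")
    print(f"affected dirs:   {sorted(r.affected_dirs)}")
    print(f"write window:    {r.first_write} .. {r.last_write}")
```

Run it against the real share root instead of `build_sample_share()` once the share has been isolated; the list of affected directories answers the "whole server or a handful of folders" question, and `first_write` gives a lower bound on when encryption started, so any backup taken after that point should be treated as suspect. The entropy check by itself is not proof of encryption (compressed archives and images score high too), which is why the script also requires an extension the share is not expected to contain.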
What Are My Options?
So you're in a tight spot. You either don't have sufficient backups, or your business losses will be greater than you can sustain due to downtime during restores. What do we do now?
Before you pay that ransom you still have some options:
- Often clients can limit the number of machines they need to pay to decrypt, because only 1-2 of them are actually mission critical. The rest of the data can wait a day or two. Determine what you absolutely must have right away.
- If you have a good IT service company or law firm at hand, they should have access to security professionals that work on ransomware regularly. Some of these packages have been reverse engineered and the data is decrypted without paying the ransom. Better to pay a security expert than a criminal.
- There are also some public websites that can help you find out whether decryption keys are available for your particular ransomware. One of several such sites you can find by searching online is The No More Ransom Project. But remember, even once you have the keys, decrypting your files still takes time.
How to Negotiate with Data Terrorists
So, you're in a really, really bad spot... you can't get your much needed data back. You need to negotiate with the ransom person. Here's what to do:
- First, as mentioned above, figure out the absolute smallest amount of data you will need to get the ransomer to recover for you. Get anything you can from alternate sources.
- Once you have your short list, look for a file in the folder of encrypted files with contact information for the ransomer.
- Create a "burner" email account for this transaction. Don't use your business email, real name, or any identifiable information. I would also recommend connecting to the email service from a VPN service to make sure you are as anonymous as possible.
- Contact the ransomer and let them know you intend to pay the ransom to get your data back. Act as though you are a home user with a single computer affected at first. I'm sure this will be difficult, but don't get upset, curse, etc. at this person. At this point it's an illegal and unfortunate business transaction, but you want this person on your side... and you might need them to be.
- Tell them you want to do a test recovery before sending funds. They should honor this. You might be able to get some of your most valuable data back in the process too.
- Once your test and validation are done, negotiate with them. They normally want to charge per computer. If you only have one computer affected, you're in a good spot to negotiate the price down. If you have multiple, they will likely assume you're a business. How much they are willing to negotiate will vary, but they are always willing to negotiate in order to get paid.
- Finally, once you've struck a deal, you have to pay them.
Considerations When Paying the Ransom
- If you haven't used cryptocurrency before, you might be in a difficult spot. Most exchanges limit how much cryptocurrency a new customer can quickly buy and send, and you likely won't be able to get enough. Ask your law firm or IT service provider if they can help.
- If you're reading this and haven't been hit yet, consider getting an account with a cryptocurrency exchange and buying some cryptocurrency. Over time you'll have the ability to purchase and send more in case you ever do get hit.
- It may be difficult if your IT firm and law firm can't help you and you don't have an account with an exchange. Your last-ditch effort is to buy bitcoin or another cryptocurrency locally from someone you know or via a site like LocalBitcoins, transfer it to a software wallet on your computer or phone, then send it to the ransomer.
- Once you send the cryptocurrency reach back out to the ransomer. They should give you a recovery tool which will kick off the decryption process. Remember this will take time.
- If you have problems with the process, you might need them to help you further. This is where not being a jerk to them earlier could help you. Have them regenerate the restore package or open a support ticket with their ransomware-as-a-service operator to get help.
Now That You're Restored - Implement Those Safeguards!
I hope both parts of this guide have helped you prepare or deal with a ransomware attack if you've been unlucky enough to get hit. Now that you have your data back and are running your business once again, revisit part 1 and work with your IT service provider to get those backup systems up to snuff. If you're not confident in your systems and want a second opinion, feel free to give us a call as well!