Story of Ransomware Recovery
Background
These days, the story of Ransomware Recovery is more common than most of us would want to admit, and no company in any industry is immune from the risk of having this story play out for them. The reality is that all of us need to prepare not for if, but for when, we will have to deal with a Ransomware attack. This article will guide you to be prepared for this eventuality and, most importantly, to give this story a happy ending rather than a sad one.
Beginning of the Story
The beginning of this story involves understanding your own industry and identifying the short-term and long-term trends and macroeconomics in play. Knowing the trends and macroeconomics is crucial, as that will inform how ready you are to deal with a Ransomware attack. If financial challenges prevent you from investing in Infrastructure Resiliency, you will have gaps that add risk to your environment. Assuming you were not as ready as you were hoping, and knowing that a Ransomware attack is not an ‘if’ but a ‘when’, you are most likely dealing with a disruption to your business after being attacked by a bad actor.
Middle of the Story
Once you find out you are under attack, here’s the blueprint for how you handle it:
- Contain & Investigate
  - Isolate networks, turn off all external interfaces and notify partners
  - Work with Legal and engage an appropriate Managed Disaster Recovery (MDR) vendor approved by Legal Counsel
  - Implement the forensic investigation and threat response steps recommended by the MDR vendor
  - Procure a decrypt key if appropriate
  - Report on investigation results and recommendations
- Recover & Rebuild
  - Reset privileged account passwords (Domain Admin etc.)
  - Create/update the server inventory based on the existing CMDB (Configuration Management Database) or equivalent data sources
  - Rebuild Tier 0 – Underlying Infrastructure servers (Domain Controller, DNS – Domain Name System, Backup System etc.). Note: you need to rebuild instead of recovering, as you need a clean start.
  - Recover Tier 0 – Foundational Application servers (Security, Identity Access Management applications etc.)
  - Recover Tier 1 Application servers
  - Recover remaining servers
  - Decommission servers that are no longer needed after the recovery
  - Reset system and user account passwords and remediate appropriately
  - Have the MDR vendor certify the recovered servers
  - Perform IT/Business test and validation
- Return To Operations
  - Review and update the Business Continuity Plan
  - Identify critical business processes, applications and owners
  - Implement necessary workarounds to enable a faster return to operations
  - Collaborate with vendor integration partners and turn on appropriate external interfaces
  - Repeat the process for additional business processes
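As an added example (not from the original article), a small Python planner that turns a CMDB-style inventory into the tiered order above: Tier 0 infrastructure hosts are marked for rebuild, everything else for recovery, decommissioned hosts are dropped, and the planner refuses an inventory in which a lower tier depends on a higher one or the dependencies form a cycle, since such a plan could never bring the environment up cleanly. The hostnames, tier labels and CSV layout are constructed assumptions.

```python
"""Recovery sequencer for a tiered rebuild/recover blueprint (added example)."""
import csv
import heapq
import io
from collections import defaultdict

# Tier order from the blueprint. Tier 0 infrastructure is rebuilt from clean
# media; everything else is recovered from backup.
TIER_ORDER = ["0-infra", "0-foundational", "1", "other"]

# Constructed sample inventory with hypothetical hostnames; depends_on is ';'-separated.
SAMPLE_CMDB = """\
host,tier,status,depends_on
dc01,0-infra,active,
dns01,0-infra,active,dc01
bkp01,0-infra,active,dc01;dns01
idp01,0-foundational,active,dc01;dns01
siem01,0-foundational,active,dc01
erp-db01,1,active,idp01
erp-app01,1,active,erp-db01;idp01
wiki01,other,active,idp01
legacy-fax01,other,decommission,
"""

def load_inventory(text):
    """Parse the CSV export into rows; depends_on becomes a list of hostnames."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["depends_on"] = [d for d in r["depends_on"].split(";") if d]
    return rows

def plan_recovery(rows):
    """Return ordered (host, action) pairs, action being 'rebuild' or 'recover'.
    Raises ValueError on an unknown dependency, a dependency on a higher tier,
    or a dependency cycle."""
    active = {r["host"]: r for r in rows if r["status"] != "decommission"}
    rank = {t: i for i, t in enumerate(TIER_ORDER)}
    indeg = {h: 0 for h in active}
    children = defaultdict(list)
    for h, r in active.items():
        for dep in r["depends_on"]:
            if dep not in active:
                raise ValueError(f"{h} depends on unknown or decommissioned host {dep}")
            if rank[active[dep]["tier"]] > rank[r["tier"]]:
                raise ValueError(f"{h} (tier {r['tier']}) depends on higher-tier host {dep}")
            indeg[h] += 1
            children[dep].append(h)
    # Kahn's algorithm, always taking the lowest tier that is ready so Tier 0 lands first.
    ready = [(rank[active[h]["tier"]], h) for h, d in indeg.items() if d == 0]
    heapq.heapify(ready)
    plan = []
    while ready:
        _, h = heapq.heappop(ready)
        plan.append((h, "rebuild" if active[h]["tier"] == "0-infra" else "recover"))
        for c in children[h]:
            indeg[c] -= 1
            if indeg[c] == 0:
                heapq.heappush(ready, (rank[active[c]["tier"]], c))
    if len(plan) != len(active):
        raise ValueError("dependency cycle in inventory")
    return plan
```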
Crisis Management is the Need of the Hour
This is the time when your team will be tested, and it will take an emotional toll on all of them. Things to remember include:
- You need a strong Crisis Leader who can quickly build relationships and trust with new players while inspiring existing players to demonstrate swarm leadership and drive recovery activities
- You need to actively manage up and down during recovery; manage and temper executive leadership expectations on the pace of recovery, as there are a lot of second-hand opinions out there, most of which are not contextually relevant to your recovery
- No one-size-fits-all Incident Response (IR) blueprint exists from any IR vendor; be prepared to script your own IR blueprint while recovering from the incident
- While Windows-based systems are the most vulnerable to Ransomware, be prepared to recover non-Windows systems like Dell VxRail etc.
- Remember, as soon as you have recovered, you will walk into a litigious environment, and most of the recovery-related communication is privileged communication
End of the Story
Never Waste a Crisis
There is always a silver lining to a crisis. Use this opportunity to secure persistent funding to keep your infrastructure up to date to defend against future attacks. Also, look to invest in technologies like Rubrik that enable you to stay current with the latest trends without breaking the bank. Some of the valuable features that technologies like Rubrik provide include:
- Enterprise, Cloud and SaaS Data Protection: Cyber-proof your enterprise data with air-gapped, immutable access-controlled backups
- Rubrik Cloud Vault: Secure and archive your most valuable data with a cloud data vault with the next level of immutability
- Ransomware Monitoring & Investigation: Determine the scope of ransomware attacks, using high fidelity machine learning to detect deletion, modifications, and encryptions
- Sensitive Data Monitoring & Remediation: Reduce sensitive data exposure and manage exfiltration risk by discovering what types of sensitive data you have, where it lives, and who has access to it
- Threat Monitoring & Hunting: Prevent malware reinfection by analyzing the time-series history of data for indicators of compromise to identify the initial point, scope, and time of infection
- Mass Recovery: Restore business operations quickly by recovering apps, files or users at scale
- Threat Containment: Ensure safe and quick data recovery by quarantining data infected with malware
- Orchestrated Application Recovery: Recover applications quickly with pre-built workflows and disaster recovery blueprints
You cannot end the story without mentioning AI. AI can prevent, as well as accelerate recovery from, Ransomware. For example, Rubrik uses an AI agent, Ruby, to perform the following:
- Continuous Threat Monitoring, scanning every backup every time for the latest Indicators of Compromise (IOCs). If any are found, it notifies the Admin in the RSC (Rubrik Security Cloud) UI.
- The Admin starts an interactive chat with Ruby to investigate the incident.
- Ruby collates all key details, such as all impacted servers and the IOCs identified, and prompts for where to email incident investigation reports to alert the business.
- Ruby recommends & executes the actions to quarantine the infected backups with Threat Containment.
- Ruby informs Admin of Sensitive Data Discovered in the impacted objects.
- Ruby automatically builds a bulk recovery plan based on the investigation.
Closing Thoughts
Preparing for ransomware has become a ‘way of life’, and we should not underestimate its financial, reputational and emotional impact if you are caught unprepared. There are ways to invest in modern technologies and leverage AI to prepare for Ransomware attacks without breaking the bank. If you cannot prepare for Ransomware attacks internally, you need to find the right partner to build and maintain a blueprint and to perform regular Ransomware Tabletop exercises, so that you are prepared when the real attack happens. Finally, the world would be in a much better place if the ‘bad guys’ used their talent for the good of humanity rather than wasting it on performing ransomware attacks. We will save that discussion for another time. In the meantime, I hope you find this article useful and don’t hesitate to reach out with any questions.