Fighting Ransomware Before, During and After an Attack

September 20, 2019
Backup, Data Protection, Disaster Recovery, IT Services

Written by Daven Winans
Manager of Professional and Managed Services

 
Given the frequency and evolving nature of ransomware attacks, this cyberthreat won’t be going away any time soon. In fact, Cyber Security Ventures, a leading researcher on the global cyber economy, estimated that a new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021.

With those kinds of statistics, it’s no longer a matter of “if” a ransomware attack will occur, but “when.”

At US Signal, many customers have reported ransomware to us. Not surprisingly, no two attacks are alike, so there’s no one-size-fits-all approach to fighting the problem. However, we can break ransomware attacks into “before,” “during” and “after” stages to help identify some of the tactics that mitigate data loss and downtime.

Early awareness

Sometimes the best time to fight ransomware is before it does any damage. For example, we had a customer that was notified by the FBI that a malicious entity was targeting it. This is often known as the recon phase: malicious entities find a way into an organization and begin collecting data. They only want to take advantage of organizations that are likely to pay because, like other businesses, they’re not interested in wasting resources for little or no profit. This leads to the first point that needs to be made: ransomware targets those who are likely to pay.

The customer, with the help of the FBI and a cyber insurance company, began hardening its defenses strategically and slowly enough so as not to attract the attention of the malicious entity. If the entity knew it had been detected, it would detonate the ransomware that was likely already in place. This brings us to the second crucial point: it’s becoming common to see ransomware placed but not detonated, as a strategic move by the malicious entity.

The goal is to outlive the retention period of the company’s recovery software and/or compromise its recovery points so that recovery isn’t possible. It also increases the likelihood that the customer will have to pay. To date, the ransomware in this case hasn’t been detonated, or was effectively hardened against, so the customer suffered no compromised data or downtime.

The detonation and post detonation phase

In another case, the customer quickly became aware that ransomware had been detonated, or made active, within its environment. The ransomware was spreading via compromised network accounts. The customer notified US Signal of the compromise and began quarantining the infected machines by removing their network visibility and connectivity. Ultimately, the customer disabled networking to its servers and workstations to stop the spread of the ransomware while planning its recovery options.

Here’s a third crucial point to note. Just because an endpoint or node in an environment doesn’t show the symptoms of being encrypted doesn’t mean it isn’t a vector through which the ransomware is spreading. Luckily, the customer had its management systems and networking equipment on a separate subnet and didn’t have to take down networking entirely.

This enabled the company to perform restores via its backup platform to an isolated network segment and partially restore business-critical operations. At that point, it was a matter of reviewing restores to find a recovery point in time prior to the ransomware existing on each server — a lengthy process. Never begin the recovery process in the same source environment until you’re absolutely sure the ransomware threat has been mitigated. Otherwise, reinfection is likely.
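To make the retention point from the earlier section and the recovery-point review described here concrete, the following added Python example (not US Signal’s tooling) picks, per server, the newest backup taken before the earliest ransomware indicator on that server and flags servers whose dwell time outlived retention. The catalog, the timestamps and the verified_clean scan result are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class RecoveryPoint:
    server: str
    taken_at: datetime
    verified_clean: bool  # assumed: outcome of scanning the restore in an isolated segment

def latest_clean_point(points: List[RecoveryPoint], server: str,
                       first_seen: datetime) -> Optional[RecoveryPoint]:
    """Newest point for `server` taken strictly before the earliest ransomware indicator
    on it and verified clean. None means every retained point is tainted, i.e. the
    dwell time outlived backup retention and restore-from-backup is off the table."""
    candidates = [p for p in points
                  if p.server == server and p.taken_at < first_seen and p.verified_clean]
    return max(candidates, key=lambda p: p.taken_at, default=None)

def dwell_outlives_retention(points, server, first_seen) -> bool:
    """True when the oldest retained point for `server` is already after the first indicator."""
    oldest = min(p.taken_at for p in points if p.server == server)
    return oldest >= first_seen

def recovery_plan(points, first_seen_by_server):
    """Chosen point per server; servers mapped to None need another recovery path."""
    return {s: latest_clean_point(points, s, first_seen_by_server[s])
            for s in sorted(first_seen_by_server)}

# Constructed sample catalog: 14 daily midnight snapshots per server, newest 19 Sep 2019.
RETENTION_DAYS = 14
NEWEST_SNAPSHOT = datetime(2019, 9, 19)

def build_catalog() -> List[RecoveryPoint]:
    points = []
    for age in range(RETENTION_DAYS):
        taken = NEWEST_SNAPSHOT - timedelta(days=age)
        points.append(RecoveryPoint("web01", taken, True))
        points.append(RecoveryPoint("db01", taken, True))
        # file01 restores from 13 Sep onward failed the scan: the encryptor was already staged
        points.append(RecoveryPoint("file01", taken, taken < datetime(2019, 9, 13)))
    return points

# Constructed earliest-indicator times per server (hypothetical values from log review).
FIRST_SEEN: Dict[str, datetime] = {
    "web01": datetime(2019, 9, 17, 12),  # spread via a compromised account, caught quickly
    "db01": datetime(2019, 9, 1),        # placed weeks earlier: older than every retained point
    "file01": datetime(2019, 9, 15, 12),
}
```

Running recovery_plan(build_catalog(), FIRST_SEEN) yields the 17 Sep point for web01, the 12 Sep point for file01 and None for db01, the server whose staged ransomware outlived the 14-day retention window.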

Post-detonation and cleanup

In yet another case, a customer’s entire environment had been encrypted by ransomware before its eyes, and there was no time to stop the spread. Its backups had been compromised as well. The only option was to pay the ransom to get back to some form of a workable state. 

But paying the ransom didn’t solve the issue. Like many companies, this one didn’t have 200% of its resources available in order to restore its decrypted machines alongside the encrypted ones. It didn’t even have the resources to unpack a machine or two at a time and remove the original encrypted source.

US Signal was able to assist the customer by physically driving hardware to the customer site to augment its existing virtual environment. We gave the customer the resources needed to unpack the decrypted machines alongside the encrypted source machines so it could run in this state until the original encrypted machines could be removed after a return to business as usual.

That leads us to one more important point. For many different reasons, you may determine that the ransom should be paid. But be sure you understand how the encryption and decryption mechanisms will work once recovery begins.

Sandbox detonation

In addition to implementing a multi-layered security strategy to defend against ransomware, one of the recommendations we make to our customers is to detonate popular types of ransomware in a sandbox environment. This helps you see what an attack looks like. There is some great free tooling we use called “any.run.” It lets you run many of the well-known types of malicious software in a browser-based sandbox VM and review the attack vectors.

Of course, there are many other tactics that can help mitigate ransomware and its effects. What you choose to use will depend on many factors. The important thing is to not wait until ransomware strikes. Be ready — before, during and after any ransomware attack.