Products + Services Data Centers Industries Learn About
At US Signal, we’ve had many customers reporting ransomware. Not surprisingly, no two attacks are alike. As such, there’s no single one-size-fits-all approach to fighting the problem. However, we can break ransomware attacks into “before,” “during” and “after” stages to help identify some of the tactics to take to mitigate data loss and downtime.
Sometimes, the best way to fight ransomware is before it does any damage. For example, we had a customer that was notified by the FBI that a malicious entity was targeting it. This is often known as the recon phase.
Malicious entities find a way into an organization and begin collecting data. They only want to take advantage of organizations that are likely to pay. Like other businesses, they’re not interested in wasting resources for little or no profit. This leads to the first point that needs to be made. Ransomware targets those who are likely to pay.
The customer, with the help of the FBI and a cyber insurance company, began hardening its defenses strategically and slowly enough so as not to raise the attention of the malicious entity. If the entity knew it had been detected, it would detonate the ransomware that was likely already in place. This brings us to the second crucial point. It’s becoming common to see ransomware being placed but not detonated as a strategic move by the malicious entity.
It’s an attempt to outlive a company’s recovery software’s retention and/or compromise recovery points to ensure recovery isn’t possible. It also increases the likelihood that the customer will have to pay. To date, the ransomware in this case hasn’t been detonated or was effectively hardened against, so there was no compromised data or downtime for the customer.
Another US Signal customer had quickly become aware that ransomware had been detonated or made active within its environment. The ransomware was spreading via compromised network accounts. The customer followed best practices and moved to quarantine the infected machines by removing network visibility/connectivity. Ultimately, it disabled networking to its servers and workstations to stop the spread of the ransomware while planning its recovery options.
Here’s a third crucial point to note. Just because an endpoint/node in an environment doesn’t show the symptoms of being encrypted doesn’t mean it isn’t a vector through which the ransomware passes. Luckily, the customer had management items and networking equipment on a diverse subnet and didn’t have to turn down networking entirely.
This enabled the company to perform restores via its backup platform to a unique network segment and partially restore business critical operations. At that point, it was a matter of reviewing restores to find a recovery point in time prior to the ransomware existing on each server — a lengthy process. Never begin the recovery process in the same source environment until you’re sure the ransomware threat has been mitigated. Otherwise, reinfection is likely.
In yet another case, a customer’s entire environment had been encrypted by ransomware, and there was no time to stop the spread. Its backups had been compromised as well. The only option was to pay the ransom to get back to some form of a workable state.
But paying the ransom didn’t solve the issue. Like many companies, this one didn’t have 200% of its resources available to restore its decrypted machines alongside the encrypted ones. It didn’t even have the resources to unpack a machine or two at a time and remove the original encrypted source.
US Signal was able to assist the customer by physically driving hardware to the customer site to augment its existing virtual environment. We gave the customer the resources needed to unpack the decrypted machines alongside the encrypted source machines so it could run in this state until the original encrypted machines could be removed after a return to business as usual.
This leads us to one more important point. For many different reasons, you may determine the ransom should be paid. But be sure you understand how the encryption and decryption mechanisms will work once recovery begins, and recognize the potential operational risks of sanctions involved in paying out a ransom.
One of the recommendations we make to our customers is to detonate popular types of ransomware in a sandbox environment. They helps you be aware of what attacks looks like. There is some great free tooling we use called “any.run.” It lets you run many of the well-known types if malicious software in an internet browser sandbox VM and review the attack vectors.
Another recommendation is to mitigate potential damage from ransomware early on is to implement endpoint protection. There are various options. Among them:
Unlike EPP solutions that focus on prevention at the perimeter, EDR solutions also deal with malicious attacks that have evaded frontline defenses. In addition, they check for threats round the clock, offering more comprehensive security against breaches than antivirus solutions that run only scheduled checks. Many EDR solutions also incorporate machine learning technologies to identify the most current threats, something the signature-based systems used by antivirus solutions can’t do.
Of course, there are many other tactics that can help mitigate ransomware and its effects. What you choose to use will depend on many factors. The important thing is to not wait until ransomware strikes. Be ready — before, during and after any ransomware attack.
For more information on dealing with ransomware, download 10 TIPS TO COMBAT RANSOMWARE.
Or talk to a US Signal solution architect. Contact us today to get started.
To learn more about ransomware, check out these articles below from our blog or visit our resource center for whitepapers, e-books and more!
Back in 2019, Gartner predicted that by 2025, 80% of enterprises would shut down their traditional data centers — and that 10% already had. It’s now 2024. If you’re still running your own data center, is it time to consider an alternative like colocation, the cloud, or a hybrid solution? Reasons to Ditch Your [...]
When a US Signal customer asked about immutability (the inability of a file to be changed) — specifically the immutability of backups in US Signal’s Disaster Recovery as a Service (DRaaS) solution that’s powered by Zerto, here's how one of our US Signal solution architects answered th question.
There are various options for where you can put your workloads. But not every environment is ideal. Learn about some of the factors that can help you decide where they will perform best.