Most Disaster Recovery plans include ways of dealing with fires, floods or earthquakes, but say nothing about RANSOMWARE attacks – why is that, and what should you do if you want to be protected?
This article includes:
1. Defining RANSOMWARE as a disaster
2. How to avoid getting infected by RANSOMWARE programs
3. How to deal with infection after it happened
4. Structure of backup and fast replication systems
It may come as a real surprise to most of us that many major organizations and companies have high-quality DR/BCP plans that do not include preparedness for RANSOMWARE attacks.
Disaster recovery planning usually gives a sufficient response to events caused by natural disasters (massive floods, fires etc.) and even to events caused by human error or malicious actions. At the same time, the possible damage from a RANSOMWARE attack is frequently left by the wayside, with IT departments not assuming full responsibility for the consequences of such an event.
Is a RANSOMWARE attack a disaster event? In my professional opinion it is, very much so. The definition of a disaster event in the IT environment should be driven by the event's business impact and by the downtime the organization experiences because of it.
I am convinced that RANSOMWARE attacks should be defined as disaster events: they frequently cause a total shutdown of the organization, so there is a need to plan for this kind of attack just as for any other significant disaster.
RANSOMWARE attacks have already caused widespread damage to various organizations, including major hospitals, causing financial loss as well as endangering human lives. This shows once again that RANSOMWARE attacks should be classified as disaster-level events and dealt with accordingly.
Having concluded that dealing with RANSOMWARE attacks should be part of your Disaster Recovery (DR/BC) plan, we need to know how to prepare for it.
How to prevent being infected by RANSOMWARE
This is a theme for a separate essay, but these are the main steps every organization should take:
1. Raising personnel awareness of the dangers of such infection
2. Reducing the number of Admin authorizations to the absolute minimum, and making sure that they are given only to employees who really need them
3. Control over software inside the office – work on a strict WHITELISTING basis, so that only pre-authorized applications can run on your company's IT network (mapping all the software inside the company takes time, but it is worth it)
4. Blocking execution of applications from user-writable locations such as APPDATA and TEMP, where downloaded payloads typically land
5. Blocking all scripts throughout the organization except the whitelisted ones
6. Using anti-virus software with features that protect specifically against RANSOMWARE (behavioural detection of mass file encryption); anti-virus programs without those features cannot be considered worthy of the name
Nowadays there are more steps to be taken, of course; I will describe them at length in a forthcoming article.
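The whitelisting, APPDATA and script steps above, as an added example that is not code from the original article: a PowerShell script that builds and applies an AppLocker allow-list. It assumes Windows 10/11 Enterprise or Windows Server, an elevated session, a hypothetical inventory folder C:\Deploy\Approved holding the approved applications and scripts, and arbitrary rule GUIDs; it starts in AuditOnly mode so the inventory can be completed before enforcement.

```powershell
# Added example, not code from the original article. Builds an AppLocker
# allow-list: executables and scripts may run only from Program Files, the
# Windows folder (minus its user-writable subfolders) and an inventoried
# application folder. Anything else, including %APPDATA% and %TEMP%, is denied,
# because AppLocker blocks whatever no rule allows.
# Assumptions: Windows 10/11 Enterprise or Windows Server, elevated session,
# C:\Deploy\Approved holding the inventoried line-of-business applications and
# approved scripts (hypothetical path). Rule GUIDs are arbitrary.

$Mode = 'AuditOnly'   # review the "Microsoft-Windows-AppLocker" event logs in
                      # audit mode, then change to 'Enabled' to enforce

$basePolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <FilePathRule Id="f1a4c7d1-0c5b-4b2e-9b0e-0a0000000001" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="f1a4c7d1-0c5b-4b2e-9b0e-0a0000000002" Name="Allow Windows folder, minus user-writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="f1a4c7d1-0c5b-4b2e-9b0e-0a0000000003" Name="Allow local Administrators everywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="$Mode">
    <FilePathRule Id="f1a4c7d1-0c5b-4b2e-9b0e-0a0000000004" Name="Allow scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="f1a4c7d1-0c5b-4b2e-9b0e-0a0000000005" Name="Allow scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="f1a4c7d1-0c5b-4b2e-9b0e-0a0000000006" Name="Allow local Administrators to run any script" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$basePath = 'C:\Deploy\applocker-base.xml'
Set-Content -Path $basePath -Value $basePolicy -Encoding UTF8

# The whitelist mapping exercise: publisher rules where binaries are signed,
# hash rules otherwise, for every inventoried application and script.
$approved  = Get-AppLockerFileInformation -Directory 'C:\Deploy\Approved' -Recurse
$lobPolicy = New-AppLockerPolicy -FileInformation $approved -RuleType Publisher,Hash -User Everyone -Optimize

# Base rules first (they carry the enforcement mode), then merge the inventory
# rules into the local policy. In a domain, target a GPO with -Ldap instead.
Set-AppLockerPolicy -XmlPolicy $basePath
Set-AppLockerPolicy -PolicyObject $lobPolicy -Merge

# AppLocker does nothing until the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Sanity check, evaluated as a non-admin (Everyone): the same binary must be
# Denied from %APPDATA% and Allowed from the Windows folder.
Copy-Item "$env:WINDIR\System32\notepad.exe" "$env:APPDATA\notepad-copy.exe" -Force
Test-AppLockerPolicy -XmlPolicy $basePath -User Everyone -Path "$env:APPDATA\notepad-copy.exe", "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The Exceptions on the Windows-folder rules matter: %WINDIR%\Temp and %WINDIR%\Tasks are writable by standard users, so without the exceptions a dropper could copy itself there and inherit the "Allow Windows folder" rule. Keep the DLL collection out of scope until the inventory is mature; enabling it without complete rules breaks applications.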
How to deal with RANSOMWARE infection
This chapter is the most relevant to the issue, as it is only a matter of time until your organization is hit by a RANSOMWARE attack. IT professionals have to be fully ready for the "day after" such an event. The process of dealing with a RANSOMWARE attack should be part and parcel of your DR planning.
In my professional opinion, the best way to deal effectively with such an event is to ensure fast restoration of your data and servers, together with an immediate forensic investigation that helps locate how your organization got infected in the first place.
The decision whether to restore a file, a folder/directory, a server or a whole server cluster has to be taken according to the level of infection and its effect on the company's operations. There is a need for a clear Rule Book that defines when to step up from restoring a single file to restoring the whole server. In such situations there is usually no time to deliberate on the possible consequences for the company; the best way is to operate according to a clearly delineated Rule Book compiled from calculations and projections made well before the emergency occurs.
My professional experience has exposed me to multiple cases in which organizations lost precious hours or even days trying to figure out in real time "what to do" instead of "doing it".
This is when the proven methodology of the Disaster Recovery Plan should kick in and save the besieged organization: employees and managers work through pre-approved, clearly defined and pre-tested process stages. Every employee should know their role in the process, what to do and when – this is what gets the company back to routine full-capacity operation quickly.
Below is a concise template for a Disaster Recovery process for organizations dealing with RANSOMWARE attacks:
- RANSOMWARE identification – the identification can come from a server monitoring system (for example, a burst of file renames to an unknown extension from a single workstation), or from HELPDESK staff receiving complaints from users about files or folders that "do not open/do not work"
- Gathering the information about the infection and performing the initial analysis of the event – which files are affected, in which department, in which directories; this helps identify the computer that was the source of infection (the account and workstation that wrote the encrypted files)
- Isolating or detaching the affected segment of the company's IT network so that further infection is prevented – the source workstation comes off the network first
- Deciding on the crucial question of whether to restore only certain files/directories or the whole server/server cluster – this decision should be taken by the appropriate manager according to the indicators set out in the DR plan
- Usually the trigger indicators are defined as follows:
- If the infection is found in one department/unit and only a few files are infected there – only those files, or the folders containing them, are restored
- If there are indications that the server itself (its system files or databases) has been infected – the whole server is restored
- Every manager and employee of the affected department should understand clearly what their role in the process is, as defined by the DR plan
- All team members should undergo training and simulations of the DR process
- If a full server restore is initiated – good backup and recovery tools, such as VEEAM, offer very fast Instant Recovery, especially when you can define a SNAPSHOT-based backup job with hourly recurrence, so that you never lose more than the latest hour's work
- You will be able to bring the restored server back to operational status while still accessing the infected copy in a SANDBOX (an isolated virtual lab), so that you can manually extract some of the freshest data from it
- After the restoration process is complete – evaluate the situation, making sure that:
- There are no more affected files
- The source of infection has been identified and isolated
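The identification, initial-analysis, isolation and restore-scope steps of the template above, as an added worked example that is not code from the original article. It is PowerShell run over constructed file-server audit records; the record fields, the share layout \\<server>\<share>\<department>\..., the ransom extensions and the thresholds are assumptions for illustration, and the isolation step only prints the action a real playbook would execute.

```powershell
# Added example, not from the original article: identification, analysis and
# rule-book decision run over constructed file-server audit records.
# Assumptions: each record carries Time, Host, User and Path of a write on a
# share; shares are laid out as \\<server>\<share>\<department>\...; the
# extension list, path patterns and thresholds are illustrative only.

$RansomExtensions = @('.locked', '.crypt', '.encrypted')
$ServerLevelPaths = @('\\SQLData\\', '\.mdf$', '\.ldf$', '\\Windows\\', '\\Program Files')

function Get-RansomwareSuspects {
    # Identification: one host renaming many files to a ransom extension
    # inside a short window. Returns one object per suspect host.
    param([object[]]$Events, [int]$MinFiles = 20, [int]$WindowMinutes = 5)
    foreach ($g in ($Events | Group-Object -Property Host)) {
        $hits = @($g.Group |
                  Where-Object { $RansomExtensions -contains [IO.Path]::GetExtension($_.Path) } |
                  Sort-Object Time)
        if ($hits.Count -lt $MinFiles) { continue }
        $span = ($hits[-1].Time - $hits[0].Time).TotalMinutes
        if ($span -le $WindowMinutes) {
            [pscustomobject]@{
                Host  = $g.Name
                User  = $hits[0].User      # the account that wrote the encrypted files
                Files = $hits.Count
                Paths = $hits.Path
            }
        }
    }
}

function Get-RestoreScope {
    # Rule book: system or database paths touched => whole server;
    # several departments or many files => whole share; otherwise the files.
    param([string[]]$Paths, [int]$ShareThreshold = 100)
    foreach ($p in $Paths) {
        foreach ($pattern in $ServerLevelPaths) { if ($p -match $pattern) { return 'Server' } }
    }
    $departments = @($Paths | ForEach-Object {
        if ($_ -match '^\\\\[^\\]+\\[^\\]+\\([^\\]+)\\') { $Matches[1] }
    } | Sort-Object -Unique)
    if ($departments.Count -gt 1 -or $Paths.Count -ge $ShareThreshold) { return 'Share' }
    return 'Files'
}

# Constructed sample: three minutes of audit records from two workstations.
$t0 = Get-Date '2024-03-10 09:00:00'
$events = @(
    1..30 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds(4 * $_); Host = 'WS-FIN-07'; User = 'CORP\jdoe'
                           Path = "\\FS01\Shares\Finance\Q3\report$_.xlsx.locked" }
    }
    1..5 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddMinutes($_); Host = 'WS-HR-02'; User = 'CORP\asmith'
                           Path = "\\FS01\Shares\HR\policies\handbook$_.docx" }
    }
)

foreach ($s in (Get-RansomwareSuspects -Events $events)) {
    $scope = Get-RestoreScope -Paths $s.Paths
    $share = ($s.Paths[0] -split '\\')[2..3] -join '\'     # server\share
    Write-Output ("ALERT  host={0} user={1} files={2} share=\\{3}" -f $s.Host, $s.User, $s.Files, $share)
    # Isolation comes before restore: the source host off the network first,
    # then the account's share access. Replace with your NAC/EDR isolation call.
    Write-Output ("ACTION isolate {0}; disable {1}; restore scope: {2}" -f $s.Host, $s.User, $scope)
}
# Expected: one ALERT for WS-FIN-07 (30 files, Finance only => scope Files); WS-HR-02 is silent.
```

The two functions are deliberately separate: identification should fire on behaviour (rate of renames from one host), while the restore-scope decision is the pre-agreed rule book, so that changing a threshold in the plan does not touch the detection logic.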
Structure of Back-up and Restoration System
As can be seen in the preceding chapter, protecting yourself from RANSOMWARE attacks rests mostly on thorough backup and fast, effective restoration.
Every organization has to make sure that it has the following:
- Full backups at hourly, daily, weekly, monthly and annual levels
- Offline/Offsite backup capability – Offsite backup should include historical versions of your data. A separate backup file created during each backup session counts as an Offline backup only if production systems and their credentials cannot modify or delete it. It can be kept at several sites; my recommendation is to use Cloud services, which are perfect for the purpose
- No, there is no need to return to the era of backup tapes
- Make sure there is no overlap of authorizations: the backup system can read data from the Production system, but not vice versa (so that RANSOMWARE running in Production cannot reach your backup system)
- Nowadays we have numerous solutions for Offline/Offsite backup; I would certainly recommend Cloud solutions such as AWS and Azure
- The organization should implement a high-quality Backup and Replication solution such as VEEAM – experience shows that this product can save IT networks from destruction or massive damage:
- It allows for fast and efficient backup
- It backs up through separate PROXY servers – this increases backup speed and also adds to the level of system segregation
- Backup at the Virtual Machine/Host level is taken outside the guest OS, which greatly reduces the chance that malware running inside the guest reaches the backup itself
- VEEAM follows an Always-On approach, which is essential in the current threat environment
- It is very important to keep VEEAM backup copies at an Offsite location; there is no real DR without that
- There is a need to invest in a separate solution for Offline file backup (below the server/server cluster level) that backs up files with Unlimited Version History – solutions like CrashPlan, while not enabling fast recovery, do allow an unlimited number of versions to be kept
- Enable Volume Shadow Copy; in most cases it ensures quick recovery of affected files. Do not treat it as a backup, though: many RANSOMWARE families delete the shadow copies as one of their first actions, so it is a convenience for small incidents, not a substitute for the offline copies above
- Make sure the backup structure is designed and implemented correctly, and that restores are tested regularly, so that data integrity is guaranteed
- Backup of SQL systems should run at the highest possible resolution (transaction-log backups every 15 minutes) at the data level, and hourly at the VM level – this way you are protected even in cases of deep and widespread infection
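The one-way authorization and Volume Shadow Copy points above, as an added example that is not the article's or Veeam's own code: PowerShell run on a Windows Server backup repository and on the production file server. The repository path D:\Repo, the share Repo$, the service account CORP\svc-backup, the group CORP\Domain Users and the production share Shares at D:\Shares are all assumed names. Veeam's VM-level jobs go through the hypervisor; these permissions cover the repository share and file-level backups.

```powershell
# Added example, not from the original article: one-way trust between
# production and the backup repository, plus hourly shadow copies on the
# production volume. All names below are assumptions for illustration.

$Repo      = 'D:\Repo'              # repository folder on the backup server
$ShareName = 'Repo$'                # hidden share the backup service writes to
$BackupSvc = 'CORP\svc-backup'      # backup service account

# --- Repository side: only the backup account (plus local SYSTEM and
#     Administrators) can touch the backup files. Domain users, production
#     computer accounts and Everyone get nothing, so malware on a production
#     box cannot encrypt or delete backups even with a stolen user credential.
New-Item -ItemType Directory -Path $Repo -Force | Out-Null
icacls.exe $Repo /inheritance:r /grant:r "${BackupSvc}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Repo -FullAccess $BackupSvc -EncryptData $true | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
Block-SmbShareAccess  -Name $ShareName -AccountName 'CORP\Domain Users' -Force | Out-Null   # explicit Deny

# --- Production side (run on the file server): the backup account reads the
#     data it must copy and nothing more, so a compromised backup host cannot
#     alter production either. D:\Shares is the assumed root of share 'Shares'.
Grant-SmbShareAccess -Name 'Shares' -AccountName $BackupSvc -AccessRight Read -Force | Out-Null
icacls.exe 'D:\Shares' /grant:r "${BackupSvc}:(OI)(CI)RX" | Out-Null

# --- Hourly Volume Shadow Copy of the production volume (vssadmin create
#     shadow exists on Windows Server only). Shadow copies make restoring a
#     handful of files quick, but ransomware routinely deletes them, so they
#     do not replace the repository above.
vssadmin.exe add shadowstorage /for=D: /on=D: /maxsize=15% | Out-Null
$action  = New-ScheduledTaskAction -Execute 'vssadmin.exe' -Argument 'create shadow /for=D:'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
               -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
Register-ScheduledTask -TaskName 'Hourly shadow copy D:' -Action $action -Trigger $trigger `
               -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# Verification: the share ACL must show only svc-backup as Full and Domain Users as Deny.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

The check worth repeating after every change is the last line, run together with a write attempt from an ordinary user's session against \\backupserver\Repo$: it must fail. If the backup service account is ever used to log on to production workstations, this separation is gone, so keep it for the backup jobs only.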
If your systems still run in a physical, non-virtual environment – this is the time to change that and move to virtualization, because when a system runs as a VM there are many more possibilities for fast, assured backup and restoration.
Most organizations nowadays have no justification for not working with a virtual system; usually the reason for not advancing is the difficulty and complexity of replacing Legacy systems, which are especially susceptible to RANSOMWARE attacks and other major malfunctions.
In summary:
1. RANSOMWARE attacks should become an integral part of your DR plan
2. Your team has to be trained and ready to deal with those attacks
3. The foundation for an effective and fast response to such attacks is a fast backup and restoration system
4. It is much easier to protect a fully virtual environment – do not hesitate to start moving from physical to virtual
Prepared by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)