Ransomware is unfortunately an IT reality. With the complexity and frequency of attacks, there is a good chance you or someone you know has been impacted. Many victims are tempted to just pay the ransom and be done with it, a strategy that is more widely used than you might think. Even the FBI has admitted that sometimes paying the ransom is the way to go.
This can be a difficult decision: on one hand you know this form of digital extortion won’t stop while it’s profitable, and on the other, you aren’t sure you can afford the downtime to take a stand and try to go it alone. You have some time to decide, which is good because it may take some time to get the ransom together.
I have been asked on more than one occasion if companies should have Bitcoin in reserve in the case of a ransomware strike. That’s for your company to decide. I do recommend that you learn how to purchase Bitcoin so you are ready to do so if necessary.
Hollywood Presbyterian Medical Center in Los Angeles suffered a ransomware attack in early 2016. Patient records, test results, X-rays and most other digital information were not accessible. Media relations said patient care had not been compromised, but you can just imagine the chaos that must have been occurring as none of the normal modes of operating were working.
Medical institutions in particular are being impacted more frequently because they have a large amount of mission-critical data and can afford no downtime, making them the “perfect customer,” if you will. Hospitals train for all forms of emergency response. They need to have a plan for how they will continue to operate if their data becomes unavailable. The plan will be organization-specific and will need to be coordinated with IT.
There also needs to be a plan for how the IT staff will respond when the data the organization relies on is not available. Unlike other forms of IT disasters, there are ways to predict and reduce your data exposure from ransomware attacks. For the current forms of ransomware, the end user likely needs to have access to the data for it to be encrypted. You need to do an audit of what data is user-accessible and whether it needs to be protected. You also need to look at whether that data needs to be writeable or if staff can rely on a read-only copy. It is also time to clean up permissions so the impact a single user can cause is limited.
Then you need to have a plan for how you will protect and recover the data if it is compromised. Backups are a start, but a blind restore can mean you lose some of the data that changed since the last backup. In many cases, it’s difficult to know what was lost, but there are tools that can help with this. Audit tools keep track of what’s changed and can help build the list of files that were impacted so you can do a more planned restore. It starts with identifying patient zero, the user whose account triggered the ransomware. Use the audit logs to determine what files they changed. Once you have this, you can start a smart recovery.
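As an added example (not code from the original article), the following Python sketch shows the audit-log step: given a constructed file-server audit export and the patient-zero user name, it estimates when the burst of changes began and lists the files that user changed from that point on, which becomes the restore list. The log layout, the burst threshold and the account names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of a file-server audit export (timestamp,user,action,path).
# The CSV layout is an assumption; real audit tools export their own schema.
SAMPLE_AUDIT_LOG = """\
2016-02-05T08:12:40,jdoe,WRITE,/shares/records/schedule_feb.xlsx
2016-02-05T09:58:02,jdoe,WRITE,/shares/records/patient_1042.pdf
2016-02-05T09:58:02,jdoe,RENAME,/shares/records/patient_1042.pdf.locked
2016-02-05T09:58:03,jdoe,WRITE,/shares/records/patient_1043.pdf
2016-02-05T09:58:03,jdoe,RENAME,/shares/records/patient_1043.pdf.locked
2016-02-05T09:58:04,jdoe,WRITE,/shares/xray/img_7781.dcm
2016-02-05T09:58:04,jdoe,RENAME,/shares/xray/img_7781.dcm.locked
2016-02-05T09:58:05,asmith,WRITE,/shares/lab/results_331.csv
2016-02-05T09:58:09,jdoe,READ,/shares/xray/img_7782.dcm
"""

# Actions that alter data on disk; reads are irrelevant to a restore.
CHANGE_ACTIONS = {"WRITE", "RENAME", "DELETE", "CREATE"}

def parse_audit(text):
    """Turn the export into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(",", 3)
            events.append((datetime.fromisoformat(ts), user, action, path))
    return events

def find_onset(events, user, window=timedelta(seconds=60), threshold=5):
    """Heuristic (assumed values): onset is the first change by `user` that
    starts a window holding at least `threshold` changes by that user.
    Legitimate edits earlier in the day fall before the onset and are kept."""
    changes = sorted(ts for ts, u, a, _ in events if u == user and a in CHANGE_ACTIONS)
    for i, start in enumerate(changes):
        if sum(1 for t in changes[i:] if t < start + window) >= threshold:
            return start
    return None

def impacted_files(events, user, onset):
    """Paths changed by `user` at or after onset. Renamed targets are kept so
    the encrypted copies can be located and cleaned up before restoring."""
    return sorted({p for ts, u, a, p in events
                   if u == user and a in CHANGE_ACTIONS and ts >= onset})

def restore_plan(text, user):
    """Return (onset, restore list); (None, []) if no burst is found."""
    events = parse_audit(text)
    onset = find_onset(events, user)
    return (onset, impacted_files(events, user, onset)) if onset else (None, [])
```

Other users' files and reads by patient zero are excluded, so the output is the scoped list to restore from backup rather than a blind full restore.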
Even if the backup looks promising, there is no easy button. The people creating ransomware know that backups can stand between them and their payday. There are a lot of cases where Microsoft Volume Shadow Copies have been destroyed by ransomware. If you leave your backups online so you can have quick recovery, you may find that ransomware can actually delete or corrupt your backups. This is not uncommon; read the user groups from various backup companies and you’ll see the sad tales of woe.
If you are not concerned enough, there are other potential dangers to your backups. They need to be airlocked from systems your users have access to. Before you bring your backups online, make sure the affected computers are off the network. You need to be absolutely certain that those systems can’t access the backup. You also need to ensure that the backups are brought online as read-only.
Ransomware is not likely going away anytime soon. You need to change how your organization operates to protect the data that is critical for maintaining operations. The cost of these changes could greatly outweigh the cost of a single ransomware payment. In the long run, it will protect your customers, which is the primary concern.