{"id":112,"date":"2024-09-02T07:00:00","date_gmt":"2024-09-02T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=112"},"modified":"2024-09-02T07:00:00","modified_gmt":"2024-09-02T07:00:00","slug":"ransomware-recovery-8-steps-to-successfully-restore-from-backup","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=112","title":{"rendered":"Ransomware recovery: 8 steps to successfully restore from backup"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>According to a <a href=\"https:\/\/www.sophos.com\/en-us\/press\/press-releases\/2024\/04\/ransomware-payments-increase-500-last-year-finds-sophos-state\">Sophos survey<\/a> of 5,000 IT and cybersecurity leaders released in April, 59% of organizations have been hit by a ransomware attack in 2023, from which 56% paid a ransom to get their data back.<\/p>\n<p>And the amounts paid were not trivial. In 63% of cases the ransom demand was for $1 million or more \u2014 $4.3 million, on average. Of the 1,097 respondents who shared their payment details, the average payment was $4 million \u2014 up from $1.5 million in 2023.<\/p>\n<h2 class=\"wp-block-heading\">What is ransomware?<\/h2>\n<p>Ransomware is a type of\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/565999\/what-is-malware-viruses-worms-trojans-and-beyond.html\">malware<\/a>\u00a0that encrypts a victim\u2019s files. 
The attacker then demands a ransom from the victim to restore access to the encrypted data.<\/p>\n<h2 class=\"wp-block-heading\">Many organizations are paying ransom<\/h2>\n<p>According to a <a href=\"https:\/\/www.semperis.com\/ransomware-risk-report\/\">report released in July by Semperis<\/a>, based on a survey of 900 IT and security leaders, ransomware attacks disrupted business operations for 87% of companies.<\/p>\n<p>But paying ransomware is a losing game. Of those who were hit, 74% were hit multiple times, sometimes within the span of the same week. And of those who paid up, 72% paid more than once. In fact, 32% of victims paid ransoms four or more times last year.<\/p>\n<p>And, to rub salt into the wound, 35% of organizations who paid up didn\u2019t receive decryption keys or had other problems with recovering files and assets.<\/p>\n<p>Ransomware has been around for a long time. Why are we still paying for it? Part of the reason is the lack of backups \u2014 specifically, the lack of usable backups. Backups must be safe from malware, quick and easy to recover, and include not just important files and databases but also key applications, configurations, and all the technology needed to support an entire business process. Most importantly, backups should be well-tested.<\/p>\n<p>Here are eight steps to ensure a successful recovery from backup after a ransomware attack.<\/p>\n<h2 class=\"wp-block-heading\">1. Keep the backups isolated<\/h2>\n<p>According to the <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/26\/the-impact-of-compromised-backups-on-ransomware-outcomes\/\">Sophos survey<\/a>, in 94% of cases ransomware actors attempted to compromise the backups. And 57% of those attempts were successful. 
When attackers were able to successfully compromise the backups, the average ransom payment was $2.3 million \u2014 compared to $1 million for companies whose backups weren\u2019t compromised.<\/p>\n<p>In addition, companies whose backups were compromised were twice as likely to pay the ransoms \u2014 67% versus 36%. Those with compromised backups also had eight times higher recovery costs, separate from the ransom payments \u2014 $3 million versus $375,000.<\/p>\n<p>\u201cWe do see some of our clients that have on-prem backups that they run themselves, as well as cloud-based ones,\u201d says Jeff Palatt, former vice president for technical advisory services at MoxFive, a technical advisory services company. \u201cBut ideally, if someone has both, they don\u2019t cascade. If the encrypted files get written to the local backup solution and then get replicated to the cloud, that doesn\u2019t do you any good.\u201d<\/p>\n<p>Some cloud-based platforms include versioning as part of the product for no additional cost. For example, Office 365, Google Docs, and online backup systems like iDrive keep all previous versions of files without overwriting them. Even if ransomware strikes, and the encrypted files are backed up, the backup process just adds a new, corrupted version of the file\u2014it doesn\u2019t overwrite the older backups that are already there.<\/p>\n<p>Technology that saves continuous incremental backups of files also means that there\u2019s no loss of data when ransomware hits. You just go back to the last good version of the file before the attack.<\/p>\n<h2 class=\"wp-block-heading\">2. Use write-once storage techniques<\/h2>\n<p>Another way to protect backups is to use storage that can\u2019t be written over. Use either physical write-once-read-many (WORM) technology or virtual equivalents that allow data to be written but not changed. This does increase the cost of backups since it requires substantially more storage. 
Some backup technologies only save changed and updated files or use other deduplication technology to keep from having multiple copies of the same thing in the archive.<\/p>\n<p>According to a report released in June by <a href=\"https:\/\/go.veeam.com\/ransomware-trends-executive-summary-2024-us\">Veeam<\/a>, many companies are already using immutable storage. According to the survey, 70% of companies use hardened disks on-premises and 89% use immutable clouds. However, of the overall backup storage used by companies, only 54% is immutable. That means that the rest is at high risk from ransomware.<\/p>\n<h2 class=\"wp-block-heading\">3. Keep multiple types of backups<\/h2>\n<p>\u201cIn many cases, enterprises don\u2019t have the storage space or capabilities to keep backups for a lengthy period of time,\u201d says Palatt. \u201cIn one case, our client had three days of backups. Two were overwritten, but the third day was still viable.\u201d If the ransomware had hit over, say, a long holiday weekend, then all three days of backups could have been destroyed. \u201cAll of a sudden you come in and all your iterations have been overwritten because we only have three, or four, or five days.\u201d<\/p>\n<p>Palatt suggests that companies keep different types of backups, such as full backups on one schedule combined with incremental backups on a more frequent schedule.<\/p>\n<h2 class=\"wp-block-heading\">4. Protect the backup catalog<\/h2>\n<p>In addition to keeping the backup files themselves safe from attackers, companies should also ensure that their data catalogs are safe. \u201cMost of the sophisticated ransomware attacks target the backup catalog and not the actual backup media, the backup tapes or disks, as most people think,\u201d says Amr Ahmed, EY America\u2019s infrastructure and service resiliency leader.<\/p>\n<p>This catalog contains all the metadata for the backups, the index, the bar codes of the tapes, the full paths to data content on disks, and so on. 
\u201cYour backup media will be unusable without the catalog,\u201d Ahmed says. Restoring without one would be extremely hard or impractical. Enterprises need to ensure that they have in place a backup solution that includes protections for the backup catalog, such as an air gap.<\/p>\n<h2 class=\"wp-block-heading\">5. Back up everything that needs to be backed up<\/h2>\n<p>When Alaska\u2019s Kodiak Island Borough was hit by ransomware in 2016, the municipality had about three dozen servers and 45 employee PCs. All were backed up, says the company\u2019s former IT supervisor Paul VanDyke, who ran the recovery effort. All servers were backed up, that is, except one. \u201cI missed one server that had assessed property values,\u201d he says.<\/p>\n<p>The ransom demand was small by today\u2019s standards, just half a Bitcoin, which was then worth $259. He paid the ransom, but only used the decryption key on that one server, since he didn\u2019t trust the integrity of the systems restored with the attackers\u2019 help. \u201cI assumed everything was dirty,\u201d he says. Today, everything is covered by backup technology.<\/p>\n<p>Larger organizations also have a problem ensuring that everything that needs to be backed up is actually backed up. According to the Veritas survey, IT professionals estimate that, on average, they wouldn\u2019t be able to recover 20% of their data in the event of a complete data loss. It doesn\u2019t help that many companies, if not all companies, have a problem with shadow IT.<\/p>\n<p>\u201cPeople are trying to do their jobs in the most convenient and efficient way possible,\u201d says Randy Watkins, CTO at Critical Start. \u201cOftentimes, that means running under the radar and doing things yourself.\u201d<\/p>\n<p>There\u2019s only so much companies can do to prevent loss when critical data is sitting on a server in a back closet somewhere, especially if the data is used for internal processes. 
\u201cWhen it comes to production, it usually hits the company\u2019s radar somewhere,\u201d says Watkins. \u201cThere\u2019s a new application or a new revenue-generating service.\u201d<\/p>\n<p>Not all systems can be easily found by IT so that they can be backed up. Ransomware hits, and then suddenly things are no longer working. Watkins recommends that companies do a thorough survey of all their systems and assets. This will usually involve leaders from every function, so that they can ask their people for lists of all critical systems and data that needs to be protected.<\/p>\n<p>Often, companies will discover that things are stored where they shouldn\u2019t be stored, like payment data being stored on employee laptops. As a result, the backup project will often run concurrent with a data loss prevention project, Watkins says.<\/p>\n<h2 class=\"wp-block-heading\">6. Back up entire business processes<\/h2>\n<p>Ransomware doesn\u2019t just affect data files. Attackers know that the more business functions they can shut down, the more likely a company is to pay a ransom. Natural disasters, hardware failures, and network outages don\u2019t discriminate either.<\/p>\n<p>After they were hit by ransomware, Kodiak Island\u2019s VanDyke had to rebuild all the servers and PCs, which sometimes included downloading and re-installing software and redoing all the configurations. As a result, it took a week to restore the servers and another week to restore the PCs. In addition, he only had three spare servers to do the recovery with, so there was a lot of swapping back and forth, he says. With more servers, the process could have gone faster.<\/p>\n<p>A business process works like an orchestra, says Dave Burg, cybersecurity leader at EY Americas. 
\u201cYou have different parts of the orchestra making different sounds, and if they\u2019re not in sequence with each other, what you hear is noise.\u201d<\/p>\n<p>Backing up just the data without backing up all the software, components, dependencies, configurations, networking settings, monitoring and security tools, and everything else that is required for a business process to work can make recovery extremely challenging. Companies too often underestimate this challenge.<\/p>\n<p>\u201cThere\u2019s a lack of understanding of the technology infrastructure and the interconnections,\u201d says Burg. \u201cAn insufficient understanding of how the technology really works to enable the business.\u201d<\/p>\n<p>The biggest infrastructure recovery challenges after a ransomware attack typically involve rebuilding Active Directory and rebuilding configuration management database capability, Burg says. It used to be that if a company wanted a full backup of its systems, not just data, that it would build a working duplicate of its entire infrastructure, a disaster recovery site. Of course, doing so doubled the infrastructure costs, making it cost prohibitive for many businesses.<\/p>\n<p>Today, cloud infrastructure can be used to create virtual backup data centers, one that only costs money while it is being used. And if a company is already in the cloud, setting up a backup in a different availability zone\u2014or a different cloud\u2014is an even simpler process. \u201cThese cloud-based hot-swap architectures are available, are cost effective, and are secure, and have a great deal of promise,\u201d says Burg.<\/p>\n<h2 class=\"wp-block-heading\">7. Use hot disaster recovery sites and automation to speed recovery<\/h2>\n<p>According to Sophos, only 35% of ransomware victims are fully recovered within a week \u2014 down from 47% in 2023 and 52% in 2022. And a third takes a month or longer to recover. 
\u201cI know companies who are spending a lot of money on tapes and sending them off to Iron Mountain,\u201d says Watkins. \u201cThey don\u2019t have the time to wait an hour to get the tapes back and 17 days to restore them.\u201d<\/p>\n<p>A hot site, one that\u2019s available at the switch of a key, would solve the recovery time problem. With today\u2019s cloud-based infrastructure, there\u2019s no reason not to have one.<\/p>\n<p>\u201cIt\u2019s a no-brainer,\u201d says Watkins. \u201cYou can have a script that copies your infrastructure and stands it up in another availability zone or another provider altogether. Then have the automation ready to go so that you hit play. There\u2019s no restore time, just 10 or 15 minutes to turn it on. Maybe a full day if you go through testing.\u201d<\/p>\n<p>Why aren\u2019t more companies doing this? First, there\u2019s a substantial cost to the initial setup, Watkins says. \u201cThen you need that expertise in house, that automation expertise and cloud expertise in general,\u201d he says. \u201cThen there are things like security controls that you need to set up ahead of time.\u201d<\/p>\n<p>There are also legacy systems that don\u2019t transfer to the cloud. Watkins points to oil and gas controllers as an example of something that can\u2019t be replicated in the cloud.<\/p>\n<p>For the most part, the initial cost of setting up the backup infrastructure should be a moot point, Watkins says. \u201cYour cost to set up the infrastructure is much less than paying the ransomware and dealing with the reputation damage.\u201d<\/p>\n<p>For companies struggling with this, one approach could be to focus on the most critical business processes first, suggests Tanner Johnson, principal analyst for data security at Omdia. \u201cYou don\u2019t want to buy a million-dollar lock to protect a thousand-dollar asset,\u201d he says. \u201cDefine what your crown jewels are. 
Establish a hierarchy and priority for your security team.\u201d<\/p>\n<p>There\u2019s a cultural barrier to investing proactively in cybersecurity, Johnson admits. \u201cWe are a reactionary society, but cybersecurity is finally being seen for what it is: an investment. An ounce of prevention is worth a pound of cure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">8. Test, test, and test again<\/h2>\n<p>\u201cA lot of people are approaching backups from a backup point of view, not a recovery point of view,\u201d says Mike Golden, senior delivery manager for cloud infrastructure services at Capgemini. \u201cYou can back up all day long, but if you don\u2019t test your restore, you don\u2019t test your disaster recovery, you\u2019re just opening yourself to problems.\u201d<\/p>\n<p>This is where a lot of companies go wrong, Golden says. \u201cThey back it up and go away and are not testing it.\u201d They don\u2019t know how long the backups will take to download, for example, because they haven\u2019t tested it. \u201cYou don\u2019t know all the little things that can go wrong until it happens,\u201d he says.<\/p>\n<p>It\u2019s not just the technology that needs to be tested, but the human element as well. \u201cPeople don\u2019t know what they don\u2019t know,\u201d Golden says. 
\u201cOr there\u2019s not a regular audit of their processes to make sure that people are adhering to policies.\u201d<\/p>\n<p>When it comes to people following required backup processes and knowing what they need to do in a disaster recovery situation, the mantra, Golden says, should be \u201ctrust but verify.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What steps should companies take if they\u2019ve experienced a ransomware attack?<\/h2>\n<p>The US Cybersecurity and Infrastructure Security Agency <a href=\"https:\/\/www.cisa.gov\/stopransomware\/ive-been-hit-ransomware\">(CISA) has a framework<\/a> for companies to follow that covers the main steps that need to be taken after a ransomware attack.<\/p>\n<p><strong>Evaluate the scope of damage<\/strong>: The first step is to identify all affected systems and devices. That can include on-premises hardware as well as cloud infrastructure. CISA recommends using out-of-band communications during this stage, such as phone calls, to avoid letting the attackers know that they have been discovered and what actions you are planning to take.<\/p>\n<p><strong>Isolate systems: <\/strong>Remove affected devices from the network or turn off their power. If there are several affected systems or subnets, take them offline at the network level, or power down switches or disconnect cables. However, powering down devices might destroy evidence stored in volatile memory, so this should be a last resort. In addition, protectively isolate the most mission-critical systems that are still untouched from the rest of the network.<\/p>\n<p><strong>Triage affected systems for recovery: <\/strong>Prioritize systems critical for health or safety, revenue generation, and other critical business services, as well as the systems that they depend on. 
Restore from offline, encrypted backups and golden images that have been tested to be free of infection.<\/p>\n<p><strong>Execute your notification plan:<\/strong> Depending on your cyber incident response and communications plan, notify internal and external teams and stakeholders. These can include the IT department, managed security service providers, the cyber insurance company, corporate leaders, customers, and the public, as well as government agencies in your country. If the incident involved a data breach, follow legal notification requirements.<\/p>\n<p><strong>Containment and eradication: <\/strong>Collect system images and memory captures of all affected devices, as well as relevant logs and samples of related malware and early indicators of compromise. Identify the ransomware variant and follow the recommended remediation steps for that variant. If data has been encrypted, consult federal law enforcement for possible decryptors that may be available. Secure networks and accounts against further compromise, since the attackers may still have their original access credentials or may have obtained more during the breach. In addition, extended analysis should be conducted to find persistent infection mechanisms and keep them from reactivating.<\/p>\n<h2 class=\"wp-block-heading\">How long does it take to recover from ransomware?<\/h2>\n<p>According to Sophos, only a minority of ransomware victims recover in a week or less. Overall, 35% took less than a week. About a third took between a week and a month. And the final third, 34%, took a month or more to recover. Only 7% of victims recovered in less than a day \u2014 and 8% of victims took three months or longer.<\/p>\n<p>Recovery times are significantly reduced, however, if a company has good backups.<\/p>\n<p>If a company\u2019s backups were also compromised, only 25% of companies recovered in less than a week. 
But if the backups were not compromised, 46% of companies took less than a week to get back on their feet.<\/p>\n<h2 class=\"wp-block-heading\">Ransomware best practices for prevention<\/h2>\n<p>CISA has a <a href=\"https:\/\/www.cisa.gov\/stopransomware\/ransomware-guide\">detailed list of best practices for preventing ransomware<\/a>.<\/p>\n<p><strong>Backups: <\/strong>CISA recommends maintaining offline, encrypted backups of critical data and testing these backups and recovery procedures on a regular basis. Enterprises should also have golden images of critical systems, as well as configuration files for operating systems and key applications that can be quickly deployed to rebuild systems. Companies may also consider investing in backup hardware or backup cloud infrastructure to ensure business continuity.<\/p>\n<p><strong>Incident response plan<\/strong>: Enterprises should create, maintain, and regularly exercise a cyber incident response plan and associated communication plan. This plan should include all legally required notifications, organizational communications procedures, and make sure that all key players have hard copies or offline versions of this plan.<\/p>\n<p><strong>Prevention: <\/strong>CISA recommends that companies move to a zero-trust architecture to prevent unauthorized access. Other key preventative measures include minimizing the number of services exposed to the public, especially frequently targeted services like remote desktop protocol. 
You should conduct regular vulnerability scanning, regularly patch and update software, implement phishing-resistant multi-factor authentication, implement <a href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">identity and access management<\/a> systems, change all default admin usernames and passwords, use role-based access instead of root access accounts, and check the security configurations of all company devices and cloud services, including personal devices used for work. CISA also has specific recommendations for protecting against the most common initial access vectors, such as <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a>, malware, <a href=\"https:\/\/www.csoonline.com\/article\/571993\/social-engineering-definition-examples-and-techniques.html\">social engineering<\/a>, and compromised third parties.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>According to a Sophos survey of 5,000 IT and cybersecurity leaders released in April, 59% of organizations have been hit by a ransomware attack in 2023, from which 56% paid a ransom to get their data back. And the amounts paid were not trivial. 
In 63% of cases the ransom demand was for $1 million [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":113,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/112"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=112"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/112\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/113"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}