World Backup Day 2022: Recovering From A Ransomware Attack

In 2022, ransomware is continuing to wreak havoc across the globe. With organisations of all sizes storing increasing volumes of sensitive customer data, there is no place for an ‘it won’t happen to me’ mindset. Leaders need to think about the worst-case scenario and prepare for rapid recovery after an attack. For World Backup Day 2022, Pure Storage shared their insights on how organisations can ensure not just a secure backup strategy, but also prepare for rapid recovery from a ransomware attack.

“Unfortunately, while backup systems have provided an insurance policy against an attack in the past, hackers are now trying to breach these too. Once an attacker is inside an organisation’s systems, they will attempt to find credentials to immobilize backups. This will make it more difficult, time consuming and potentially expensive to restore,” according to Chua Hock Leng, VP of ASEAN and Greater China, Pure Storage.

Cybercriminals are renowned for profiting from uncertainty and change, and the global workplace has undergone significant transformations in recent years, first with the COVID-19 pandemic catalysing a shift to remote work, and now with many organizations welcoming their employees back into the office in a hybrid working format.

These personnel are bringing gadgets that may have been linked to insecure networks, used for private purposes, or shared with partners in the last two years, making them open to malware attacks. If any of those devices become infected, the threat can quickly spread to other systems once they are joined to the corporate network.

So, how can attackers get into your systems in the first place, and what can you do if you get hit by ransomware?

1. How Do Attackers Find Their Way Into Your Systems?

It usually starts with a trojan. A trojan is a sort of malware that masquerades as legitimate software to fool victims into believing it’s safe. According to a warning issued by the CISA, Emotet is a particularly infamous trojan that was initially found in 2014 and has recently reared its ugly head in a series of attacks, making it one of the most prominent ongoing risks that companies are now facing.

Emotet Trojans are primarily spread via spam emails. If the recipient opens the attached file or clicks on the URL, the trojan is unintentionally downloaded, giving it the ability to steal sensitive data. However, it can also be used to transmit other viruses such as TrickBot or Qbot. The second layer of malware then spreads laterally throughout the organization, collecting passwords, installing backdoors, and, most critically, attempting to reach the domain controller. If the attacker gains access to the domain controller, ransomware like Ryuk can be used to encrypt the company’s data and extort a payment.

However, some ransomware does not require user involvement in order to spread. WannaCry is a sort of malware that replicates itself in order to spread like wildfire across a system with no need for someone to continuously pass it on via malicious URLs or files.

2. What Can You Do To Recover From A Ransomware Attack?

Organisations need a two-pronged strategy: advanced, immutable ‘snapshots’ of their data and an ability to not just backup fast but to restore fast and at scale. Immutable snapshots are protected because they can’t be eradicated, modified or encrypted – even if an attacker gains access to sensitive data. They are also relatively easy to restore, but depending upon how much data needs to be restored, snapshots might not be a viable option.  

Traditional tape or disk-based backup can restore roughly one to two terabytes an hour. That’s not going to cut it for most organisations. Some flash-based solutions can offer speeds of up to 270TB an hour, and that kind of throughput is needed to get an organisation up and running with minimal negative impact.

Chua Hock Leng, VP of ASEAN and Greater China, Pure Storage added that, “With a multi-faceted cybersecurity strategy reinforced with snapshots and a rapid restore solution, the restoration phase after a ransomware attack can be reduced from several weeks to just a few hours.”

Such a restorative solution will minimise the impact on users and customers, and the reputational damage suffered from being offline for a prolonged period of time. With that said, here are some things companies can take note of when handling a ransomware attack.

Do Not Pay The Ransom

First and foremost, refuse to pay the ransom, unless you have no copies of your data stored anywhere else, in which case you must weigh the cost of data loss against the demanded payment. There are several reasons for this, and above all you must understand that in a ransomware attack you are dealing with a criminal. Paying the ransom does not ensure that your data will be returned.

If you pay the ransom, you’re demonstrating that the attacker’s method works, which will embolden them to target more businesses, who will then follow your lead and pay – it’s a vicious spiral. The expense of dealing with an attack is doubled if you pay the ransom. Even if you recover your data, the infection will remain on your servers, necessitating further cleaning. On top of the ransom, you will have to pay for downtime, people’s time, device costs, and so on.

Report The Attack

You must report the attack after you have calmed down and decided to place your wallet aside. This will aid authorities in identifying the attacker and how they select their targets, as well as preventing other businesses from being targeted in the future. In most cases, you can call your local police, who will refer you to a Cyber Security Agency. In Singapore, you can report a cyber incident using the SingCERT Cyber Incident Reporting Form.

Cleanse The Systems 

There are various software packages on the market that promise to be able to remove ransomware from your computer, but there are two issues with this. The first is that you can’t be certain that anyone except the attacker will be capable of removing the ransomware entirely. The second issue is that you may not be able to retrieve your data even if your system has been thoroughly cleansed. Tragically, there is not a decryption solution for every type of ransomware, and the newer and more complex the ransomware is, the longer it will take specialists to create a program to unlock your files.

Decryption, on the other hand, means putting the decryption key and the encrypted file through a function together in order to recover the original file. Modern attacks employ a unique key for each target, so even a powerful supercomputer could take years to find the proper key for a single victim. As a result, the best course of action is to wipe all of your storage devices and start over, reinstalling everything from scratch. This will ensure that there are no traces of ransomware lingering in the shadows, and you’ll have a fresh start when it comes to restoring your data.

Restore Your Data

Data backup has long been thought of as an IT compliance issue that must be completed in order to check boxes and pass audits. It is, however, increasingly being considered as a security issue, and with good reason. It’s not always possible to prevent a cyberattack, but reducing the damage is, which is why backups should be regarded as a security problem. When a company is hit by ransomware, it is presented with a choice: pay the ransom, which is never recommended, or move forward without the data. If a solid backup system is in place to protect against cyberattacks, the firm may swiftly recover by retrieving its backed up data and prevent expensive downtime.

Point-in-time recovery, also known as ongoing data security or journaling, is a feature of the best backup and recovery solutions meant to aid enterprises in recovering from ransomware attacks. This version-controlled form of data recovery allows businesses to restore data from as far back as seconds before the ransomware attack. Organizations may ensure that their data is always available and secure by implementing a backup strategy that incorporates continuous data protection (CDP). CDP enables businesses to fully recover their data, with the precision to go back to a specific moment in time prior to the assault, limiting data loss.

The best CDP solutions are adaptable enough to restore exactly what the business needs, whether it’s a few files, virtual machines, or the entire application stack. This ensures a quick restoration to normal operation. Traditional backup systems that rely on periodic snapshots expose an organization to data loss in the interim between the last snapshot and the attack.
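To make the difference between journal-based point-in-time recovery and periodic snapshots concrete, here is an added example (not code from the article or from Pure Storage) that replays a constructed write journal to the second before the first encrypted write appears, and then shows which writes a snapshot-only strategy would lose. The journal entries, timestamps and file names are all constructed; `ATTACK_TS` stands in for the time an incident responder would establish from the investigation.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class JournalEntry:
    ts: int          # write time in seconds (constructed sample values)
    path: str
    content: bytes   # full file content after this write


def restore_point_in_time(journal: List[JournalEntry], ts: int) -> Dict[str, bytes]:
    """Rebuild every file as it stood at time `ts` by replaying the
    (time-sorted) journal and stopping at the first write after `ts`."""
    stamps = [e.ts for e in journal]
    state: Dict[str, bytes] = {}
    for entry in journal[:bisect_right(stamps, ts)]:
        state[entry.path] = entry.content
    return state


def restore_last_snapshot(journal: List[JournalEntry], interval: int, ts: int) -> Dict[str, bytes]:
    """Periodic-snapshot recovery: only the last snapshot taken at or before
    `ts` is usable, so every write made after it is gone."""
    snapshot_ts = (ts // interval) * interval
    return restore_point_in_time(journal, snapshot_ts)


def lost_writes(journal: List[JournalEntry], interval: int, ts: int) -> List[JournalEntry]:
    """Writes between the last periodic snapshot and `ts` that snapshots cannot recover."""
    snapshot_ts = (ts // interval) * interval
    return [e for e in journal if snapshot_ts < e.ts <= ts]


ATTACK_TS = 1000  # first encrypted write, as established by the investigation (constructed)

# Constructed journal: normal business edits, then the ransomware overwrites files.
JOURNAL = sorted([
    JournalEntry(100, "ledger.csv", b"q1,100\n"),
    JournalEntry(400, "ledger.csv", b"q1,100\nq2,120\n"),
    JournalEntry(700, "notes.txt", b"call auditor\n"),
    JournalEntry(999, "ledger.csv", b"q1,100\nq2,120\nq3,135\n"),
    JournalEntry(1000, "ledger.csv", b"<encrypted>"),
    JournalEntry(1000, "notes.txt", b"<encrypted>"),
    JournalEntry(1001, "RESTORE_FILES.txt", b"<ransom note>"),
], key=lambda e: e.ts)

if __name__ == "__main__":
    print("CDP restore:", restore_point_in_time(JOURNAL, ATTACK_TS - 1))
    print("Snapshot (600s) restore:", restore_last_snapshot(JOURNAL, 600, ATTACK_TS - 1))
    print("Lost with snapshots:", [(e.ts, e.path) for e in lost_writes(JOURNAL, 600, ATTACK_TS - 1)])
```

Replaying to `ATTACK_TS - 1` returns the clean state including the 999-second edit, while a 600-second snapshot cadence loses both the `notes.txt` file and the latest ledger row written in the interim.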

There’s a good chance you’ll be hit by ransomware at some point. The key is knowing what to do in the event of a malware attack and being able to safely restore your data once your machine has been cleaned of all traces of the malware.