There is more to ransomware recovery than decrypting the systems
INSIGHT ARTICLE |
Authored by RSM US LLP
You’re a well-rounded CIO, your staff is competent, you’ve invested as much as possible in security (but of course, the budget is never enough). You’ve done the research and you know the essentials for reducing the risk of ransomware:
- Train the employees to recognize malicious emails and websites—DONE!
- Apply security updates and patches quickly and thoroughly—DONE!
- Tier your administrator accounts to limit access to devices as needed—IN PROGRESS (that turned out to be a bigger work effort than expected)
- Implement Multi-factor Authentication (MFA) for remote access and SaaS applications—STALLED (the user community simply does not understand the risk and is convinced it will inhibit their ability to work)
- Build a firewall between your backups and the rest of your systems—BUDGETED FOR NEXT YEAR
You know there are holes, but there’s a roadmap and budget. And, unlike most, you actually have a plan.
It’s Friday night. You’re just sitting down to dinner and finally relaxing; life is good. Meanwhile, your system administrator starts getting alerts that a server is going offline. It’s not a critical issue; they’ll address it after dinner. Another alert comes in, then another…now there’s a problem. Your sysadmin tries to connect remotely: “Authentication failed!” Panic sets in as he or she jumps in the car and heads to the data center. It’s too late. The message on all the screens reads, “All your files are encrypted.”
Your phone rings and you hear the words, “They got everything: servers, workstations, backups…and, for good measure, they extracted 2TB of data from our system and say they’ll post it on the web.” The whirlwind begins. There’s insurance, lawyers, consultants, investigators, negotiators. You pay the ransom, get the decryption keys and the process runs anew, albeit painfully slower than you would have thought.
A bad actor’s goal is to inflict maximum damage in order to extort as much as possible. He or she can start with a user’s PC and carefully navigate laterally until privileges are elevated to the level needed to stage and execute the attack. The bad actor uses malware like Emotet and TrickBot and tools such as Mimikatz, Cobalt Strike and Metasploit, spreading them to as many machines as possible and replacing files you might have never known were changed. The bad actor continues until—BINGO: he or she has your domain administrator credentials: the golden ticket for forging Kerberos tickets. It’s not even hacking anymore when the bad actor can just log in to whatever he or she wants. Game over.
Attempting to reuse any part of your environment is a huge risk: The systems are still compromised, and the exploits used for the infiltration are still there. Consequently, you need a plan and resources to rebuild everything as quickly as possible. This includes sterile networks, fresh installs and data restoration as well as significant monitoring to ensure security holes are not left open.
The recovery will be a dynamic situation in regard to priorities, resources and roadblocks to navigate. However, the following can facilitate a faster recovery:
- Have up-to-date documentation in an offline location, including a password vault. Often, the system that contains your documentation is encrypted. The inability to access documentation slows down the recovery process, as resources become dependent on the one staff member who has the information memorized.
- Shut down systems immediately upon recognizing that they’re being encrypted. The number of machines encrypted can be minimized with simple monitoring tools that recognize services going offline and responsive administrators who recognize the threat and make quick decisions to take them offline. This prevents the encryption process from propagating, which greatly decreases the time to recover business systems.
- Have local copies of your backups. One of the most time-consuming components of recovery is moving a large volume of data. Cloud backups are great as a last resort, but the amount of time required to download and then restore is prohibitive. In many cases, this is a primary reason companies decide to pay the ransom, as restoring from cloud backups simply takes too long.
- Have your contacts and critical information printed and accessible. Insurance contacts, policy numbers, lawyers, vendors and support contract information readily available minimizes chaos at the most critical times.
Call us at +1 213.873.1700, email us at email@example.com or fill out the form below and we'll contact you to discuss your specific situation.
This article was written by Braden Daniels and originally appeared on 2020-10-21.
2020 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
Vasquez & Company LLP is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.
Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.
For more information on how Vasquez & Company LLP can assist you, please call +1 213.873.1700.
Subscribe to receive important updates from our Insights and Resources.