There are very few things that genuinely worry me in cybersecurity. Recovering from ransomware is one of them.
Ransomware is the digital equivalent of someone breaking into your house, while you’re in it, and deliberately destroying everything. No other prevalent class of malware does that. Ransomware is the only one. It is the cruellest, most violent, and most invasive type of malware on the internet. If someone did it in the physical world they would be imprisoned for a long time.
The catch with ransomware is that it offers you a lifeline. An undo button. A chance to reverse all damage. ‘Pay us and we’ll put it all back the way it was.’ Like it never happened. But it did.
Ransomware is Generally Indiscriminate
Ransomware doesn’t care who you are. The threat of ransomware affects both my personal and professional life. The photographs and videos of my daughter’s entire existence are just as vulnerable as the data and systems of FTSE listed companies.
WannaCry, one of the most famous ransomware variants, originally spread from machine to machine through an unpatched SMBv1 file-sharing service, using the EternalBlue exploit. Once a host is infected it encrypts the files it finds and starts scanning for other vulnerable hosts to attack. Whoever owns the host is irrelevant. If you’re on a network connected to a compromised host then you’re going to see infection attempts coming your way. Internet, home network, corporate office, or public Wi-Fi, it makes no difference.
The hosts that let WannaCry spread have since been patched, or were already compromised. Ransomware now tends to spread through user interaction: a phishing email or a drive-by download is the most likely cause of infection. Some variants even prompt the user to run them as an administrator, so that nothing on the machine is out of their reach. The recipient doesn’t matter; the outcome is the same.
But Ransomware Criminals Will Discriminate
The only thing that differs between victims is the size of the ransom demand. If an attacker can identify the system as belonging to a registered company, the price of the decryption key will be scaled to the company’s annual revenue. The victim’s goal is to recover from the attack. The attacker’s goal is to get paid. So ransomware criminals walk a fine line between ‘I can’t afford to do that’ and ‘I can’t afford not to do that’.
While individuals may struggle to pay more than a few hundred dollars, a big corporation can usually afford a lot more. Many cyber insurance providers will willingly negotiate the ransom demand on behalf of their customer. Paying for the decryption key can be cheaper than recovering everything from backups. It isn’t guaranteed, though: criminals are hard to hold to the terms of an agreement. That said, ransomware criminals depend on the widely held belief that they keep their side of the bargain in order to make money. Unless the majority of people who pay for a decryption key actually get what they paid for, people will stop paying.
Criminals are Getting Smarter
In the early days of ransomware, criminals would compromise a system and almost immediately trigger the encryption process. This generated a lot of short-term profit but capped the size of the payouts they could extract from corporations. For many companies, restoring from backups was a painful but acceptable solution to the problem. For a criminal, that isn’t the outcome that makes money.
Now, ransomware attacks against corporations have evolved. Instead of immediately starting the encryption process, criminals are hanging around, observing, exploring, and waiting for the right moment to strike for maximum effect. If you were watching them you’d find them slowly poisoning backups, corrupting stale data, and monitoring backup software until retention periods have expired. In the style of Mr Robot, criminals are going after production systems and their online and offline backups through corruption and expiration.
This evolution makes it much, much harder to recover from ransomware. If you can’t recover from offline backups, your only option is to buy the decryption key. At least that’s the reasoning behind the new approach. Another attack vector is to exfiltrate data before encrypting it locally, then use the threat of GDPR fines to coerce payment. By leaking sensitive information to the press bit by bit until payment is made, the criminals build a stronger case for paying the ransom. Especially if someone is trying to keep the breach a secret. (By the way, don’t ever do that. Transparency and honesty are key.)
So How Will I Recover from Ransomware?
Thankfully I haven’t been hit by ransomware, yet. Unfortunately, it’s only a matter of time. No matter how hard you try, you will get hacked in the end. That’s why we focus on response and recovery as much as on protection and detection. For me, as for everyone else, the best way to recover from ransomware is to have offline backups of everything. Not just the data but full images of servers, installation files, license keys, processes and documentation, your Active Directory database in a tested, recoverable form… literally everything you could need to rebuild from scratch.
As evolved ransomware attacks target offline backups, the answer is longer retention periods. If you only keep backups for 30 days, an attacker only has to sit quietly for longer than 30 days before pulling the trigger, and every backup you still hold was taken after they got in. If you keep a combination of daily, weekly, monthly, and yearly backups, you’ll at least have something to work with. It’ll be less than ideal, but something is better than nothing. Long retention and early detection are your best defences.
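To make the dwell-time argument concrete, here is an added example in Python (mine, not code from the original post) that models a grandfather-father-son retention schedule. The two-year snapshot history, the compromise date and the policy numbers are constructed for the illustration: it compares a 30-day daily-only policy with a 7 daily / 4 weekly / 12 monthly / 3 yearly policy against an attacker who dwells for 60 days before encrypting.

```python
from datetime import date, timedelta

# Added example, not code from the original post. It models a
# grandfather-father-son (GFS) retention policy and shows why a short
# daily-only window leaves nothing clean once an attacker has dwelt in the
# environment longer than that window.


def _latest_per_bucket(snaps, key, n):
    """Keep the latest snapshot in each of the last n buckets defined by key."""
    if n <= 0:
        return []
    latest = {}
    for s in snaps:              # snaps is sorted ascending, so the last write wins
        latest[key(s)] = s
    return [latest[k] for k in sorted(latest)[-n:]]


def gfs_keep(snapshots, today, daily=7, weekly=4, monthly=12, yearly=3):
    """Return the set of snapshot dates a GFS policy retains as of `today`."""
    snaps = sorted(s for s in snapshots if s <= today)
    keep = set()
    keep.update(_latest_per_bucket(snaps, lambda s: s, daily))                      # last N days
    keep.update(_latest_per_bucket(snaps, lambda s: s.isocalendar()[:2], weekly))   # last N ISO weeks
    keep.update(_latest_per_bucket(snaps, lambda s: (s.year, s.month), monthly))    # last N months
    keep.update(_latest_per_bucket(snaps, lambda s: s.year, yearly))                # last N years
    return keep


def clean_restore_points(kept, compromise_day):
    """Snapshots taken before the attacker got in; anything later may be poisoned."""
    return sorted(s for s in kept if s < compromise_day)


def simulate(policy, today=date(2024, 6, 30), compromise_day=date(2024, 5, 1), history_days=730):
    """Constructed scenario: two years of daily snapshots, attacker dwells 60 days."""
    snapshots = [today - timedelta(days=i) for i in range(history_days)]
    kept = gfs_keep(snapshots, today, **policy)
    return clean_restore_points(kept, compromise_day)


if __name__ == "__main__":
    thirty_days = dict(daily=30, weekly=0, monthly=0, yearly=0)
    gfs = dict(daily=7, weekly=4, monthly=12, yearly=3)
    for name, policy in (("30 daily only", thirty_days), ("GFS 7/4/12/3", gfs)):
        clean = simulate(policy)
        newest = clean[-1] if clean else None
        print(f"{name}: {len(clean)} clean restore points, newest {newest}")
```

With the 30-day policy every retained snapshot post-dates the compromise, so there is no clean restore point at all. The GFS policy still holds the month-end snapshots from before May plus the 2022 year-end image: eleven clean restore points, the newest from 30 April, so the loss is two months of changes rather than everything.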
In my personal life, I take the same approach. I use a combination of different online backup solutions with different retention policies. I combine that with offline snapshots of everything important to me on multiple disks. Simply replicating everything to a cloud-based mirror isn’t enough, because the ransomware’s changes to your local files are replicated offsite just like your legitimate edits. Even if you use a backup provider that guarantees immutability of your data for a given period, all an attacker has to do is capture your password and delete your account before encrypting everything. Offline backups are the only safe option. Just don’t plug them back in unless you’re sure your machine is clean.
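Early detection, before the mirror replicates the damage or the rotation prunes the last good copy, is the other half of the defence. The following added example (mine, not the author’s) runs a Shannon-entropy check over a constructed file tree against a manifest recorded at the last known-good snapshot: a file whose hash changed and whose contents now look like ciphertext, or a new high-entropy file that has appeared where a now-missing original was, is flagged. The file names, contents and thresholds are assumptions for the illustration.

```python
import hashlib
import math
from collections import Counter

# Added example, not code from the original post. Thresholds are assumptions:
# text and structured data sit well below 6 bits/byte, ciphertext sits near 8.
HIGH_ENTROPY = 7.5   # bits per byte: looks like ciphertext or compressed data
ENTROPY_JUMP = 1.0   # how far a changed file must climb before we call it suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0 for empty, 8 for uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(tree: dict) -> dict:
    """Record hash and entropy per file at snapshot time; keep this copy off the host."""
    return {
        name: {"sha256": hashlib.sha256(data).hexdigest(), "entropy": shannon_entropy(data)}
        for name, data in tree.items()
    }


def scan(manifest: dict, current: dict) -> list:
    """Compare the live tree with the last good manifest; return (name, reason) alerts."""
    alerts = []
    missing = [name for name in manifest if name not in current]
    for name, data in current.items():
        ent = shannon_entropy(data)
        prev = manifest.get(name)
        if prev is None:
            # A brand-new file that looks like ciphertext and sits where a
            # now-missing original was (e.g. report.docx -> report.docx.locked).
            if ent >= HIGH_ENTROPY and any(name.startswith(old) for old in missing):
                alerts.append((name, "new high-entropy file replacing a missing original"))
            continue
        if hashlib.sha256(data).hexdigest() == prev["sha256"]:
            continue  # unchanged since the snapshot, whatever its entropy (photos, archives)
        if ent >= HIGH_ENTROPY and ent - prev["entropy"] >= ENTROPY_JUMP:
            alerts.append((name, "content rewritten as high-entropy data"))
    return alerts


def _pseudo_random(label: bytes, n: int) -> bytes:
    """Deterministic bytes standing in for ciphertext or compressed image data (constructed)."""
    blocks = (hashlib.sha256(label + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def sample_trees():
    """Constructed before/after trees: two files encrypted, one legitimately edited, one untouched."""
    notes = b"Meeting notes: move the offline backups to the fire safe by Friday.\n" * 40
    budget = b"month,spend\n" + b"".join(b"%d,%d\n" % (m, 900 + 10 * m) for m in range(1, 7))
    photo = _pseudo_random(b"photo", 8192)          # already high entropy, never changes
    report = b"Quarterly report draft.\n" * 100
    before = {"notes.txt": notes, "budget.csv": budget, "photo.jpg": photo, "report.docx": report}
    after = {
        "notes.txt": _pseudo_random(b"ransom-notes", 4096),            # encrypted in place
        "budget.csv": budget + b"7,1200\n",                             # normal edit, low entropy
        "photo.jpg": photo,                                             # untouched
        "report.docx.locked": _pseudo_random(b"ransom-report", 4096),   # renamed and encrypted
    }
    return before, after


if __name__ == "__main__":
    before, after = sample_trees()
    for name, reason in scan(build_manifest(before), after):
        print(f"ALERT {name}: {reason}")
```

The unchanged photo is never flagged despite its high entropy, because its hash still matches, and the edited spreadsheet is not flagged because it stays low-entropy; only the two files the constructed ransomware touched raise alerts. Run a check like this before every rotation that would discard an older snapshot, and keep the manifest somewhere the host cannot rewrite.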
You Can’t Back Up Your Reputation
The only thing you can’t back up is your reputation. No matter how well you respond, if you were the one responsible for protecting against ransomware and you ‘failed’, you will be blamed. Even if only by yourself. Just remember, there’s only so much you can do with the time, money, and people available to you. Make sure you have offline backups that can’t be corrupted and at least you’ll be able to recover something in the end. You might not be able to back up your reputation, but with perseverance, you’ll be able to restore it.