Key Ransomware Strategies: Prevent, Recover, Repair and Resume

Ransomware is a hot topic for a good reason. In 2019, there were around 61M ransomware cases. Recently, Gartner reported that the average ransom cost to recover their data rose to $84K without accounting for the 5-10x cost for downtime and recovery efforts. A sneak attack that grinds your business and operations to a halt would be costly on multiple levels.

OFAC Advisory Update as of October, 2020

The Office of Foreign Assets Control’s recent advisory indicates that risks associated with ransomware are shifting toward posing some regulatory risks, as well as technological ones.

  • The FBI and other regulatory agencies have consistently voiced their concern and disapproval of paying ransoms, as it rewards and perpetuates a disruptive and criminally lucrative activity.
  • Unfortunately, a ZDNet article referenced a Crowdstrike report that found about 39 percent of ransomware victims opted to pay the ransom simply to resume business.
  • As regulatory advisories have consistently stated, paying the ransom does not guarantee the safe and functional return of access to your files. Moreover, free resources (including ID Ransomware and Crypto Sheriff, below) are available to decrypt your files.
  • Generally, approaching ransomware with mitigation methods, such as regular data backups and strict email filtering, will avoid regulatory risk in addition to data loss or compromise. Detecting and preventing these attacks will always involve less strain and risk than recovering from them afterward or transferring the risk by taking advantage of an insurance policy.

In the event that you fall victim to ransomware, it is generally best to contact law enforcement no matter what course of action you take. Doing so is, as OFAC has stated, a critical component in deciding what regulatory actions they take.


Strategies to Avoid Ransomware Attack & What to Do if You Fall Victim

But there are simple steps to take to prevent ransomware and definitive measures to minimize damage and cost in the event of a successful ransomware attack. We lay out those strategies here to support avoiding ransomware and staying strong and whole if you become a victim.

The Cost of Being Unprepared

First, we need to understand a scenario that’s playing out more often — the cost of being unprepared. In March 2018, the City of Atlanta refused to pay the initial ransom demand of $51K in Bitcoin. Because they were not prepared for a ransom attack, they had to commit to a yearlong repair effort that cost them over $2.6M.

In addition to the cost, the city missed out on revenue while systems were down, including processing online or phone payments for traffic or parking tickets, court fees, as well as utility and sewage bills.

Preventing Phishing – Ransomware’s Primary Delivery Mechanism

The classic method of phishing is the most important delivery mechanism for transmitting ransomware. Increasingly, phishing campaigns take advantage of open source information – what we post and talk about in our digital lives – to pinpoint victims. For example, a social media post requesting referrals for or reviewing a plumber can provide some information a potential hacker can exploit to gain credibility for phishing. In this context, if you are looking for a plumber and talk about it online, you will likely be more willing to open an email from someone claiming to be one.

Phishing Emails Have Common Traits

  • Create urgency with wording that requires you to “act quickly” or impose an artificial time limit
  • Address account security, such as password resets or unauthorized logins
  • Link to support services rather than specifying where you can find them on your own, funneling users into clicking malicious links
  • Distract with a lot of detail, including company addresses, phone numbers, and logos, to lend credibility
  • Ask for sensitive information (e.g., human resource, payroll, or account details)

Why Backups Are Critical and How to Properly Implement Them

The logic is compelling — if you do not need to access data within an infected system, you have effectively denied a ransomware attacker their bargaining chip.

If there’s one piece of advice you take from this article, it’s this. Your data backups must be conducted regularly, be easily accessible, and comply with your recovery plan. Backups are critical to recovering from a ransomware attack with minimal downtime and cost.

Backup Best Practices

  • It may seem obvious, but it can be overlooked. Ensure that you are accessing backups or activating recoveries from a separate system and have contained any risk of ransomware spread.
  • However, backups require consideration and planning based on objectives, risk tolerance, and resource commitment. Cloud services have likely already entered the conversation in your organization. While they represent the industry standard for flexibility and competitive pricing, bear in mind you are sharing cloud space with other clients. Depending on your services agreement, you will likely have some security obligations with your provider. Likewise, your cloud provider should offer at least some network and security configuration upfront.
  • By extension, keep backups segregated and separated based on the data they contain. Data regarding account preferences or recent shows watched, for example, would be kept separate from passwords or other identifying information. Likewise, passwords should ideally be backed up separately from dates of birth or other equally vital credentials.
  • Of course, keeping backups means little if they fail for technical or operational reasons. Based on the importance and data size, test your backup tools to make sure they are working as needed.
  • Likewise, you may have to activate backups at an inconvenient time. Testing should consider not only technical capabilities but recovery scenarios and emergency planning as well.

Create a Recovery Plan

  • Based on your company’s size and complexity, determine if your recovery plan is sufficient. Good security practice requires segregating higher-risk data. This will complicate the migration to, and recovery from, your backup process, reinforcing why backup tests are critical. Proper segregation could be difficult initially, but it could make the difference in getting backups running in a timely manner.
  • Set recovery objectives based on the impact specific systems and processes will have on your organization. This requires an in-depth knowledge of how different operations are interconnected. A computer in your billing department, suffering a ransomware compromise, will likely have a much more significant impact than a single-use hotel laptop.
  • Each operation should have its own recovery objective: how quickly recovery should occur before organizational losses become critical. Conversely, if a system is down for too long, its services may become irrelevant. Ultimately, every application has a time limit to come back online to preserve business function, which should be calculated based on the type and volume of data, users, and computing resources.
  • Run simulations with the same dedication that you conduct back-ups. Run a hypothetical situation, like a ransomware compromise, where users are instructed how to respond and how IT and administrators must isolate connected systems.
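The backup testing and per-system recovery objectives described in the two lists above, as an added example that is not the article's own code: the script hashes a backup set into a manifest, then checks a copy of that set for integrity (every file present and unaltered) and for recency against a recovery objective. The file names, file contents and the four-hour billing objective are constructed for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so large backup images are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(backup_dir, taken_at):
    """Record a hash for every file in the backup set and when the set was taken."""
    files = {p.name: sha256_file(p) for p in sorted(Path(backup_dir).iterdir()) if p.is_file()}
    return {"taken_at": taken_at.isoformat(), "files": files}

def verify_backup(backup_dir, manifest, objective, now):
    """Integrity: every listed file present with a matching hash.
    Recency: the set is no older than this system's recovery objective."""
    missing, corrupt = [], []
    for name, expected in manifest["files"].items():
        path = Path(backup_dir, name)
        if not path.is_file():
            missing.append(name)
        elif sha256_file(path) != expected:
            corrupt.append(name)
    stale = now - datetime.fromisoformat(manifest["taken_at"]) > objective
    return {"missing": missing, "corrupt": corrupt, "stale": stale,
            "ok": not (missing or corrupt or stale)}

def demo():
    """Check a constructed backup set in three states: intact and fresh,
    past its recovery objective, and damaged (one file altered, one lost)."""
    # Hypothetical objective for a billing system; a single-use laptop could tolerate days.
    billing_objective = timedelta(hours=4)
    taken = datetime(2020, 10, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "invoices.csv").write_text("id,amount\n1,84000\n")
        (backup / "customers.csv").write_text("id,name\n1,example\n")
        manifest = build_manifest(backup, taken)
        intact = verify_backup(backup, manifest, billing_objective, taken + timedelta(hours=1))
        stale = verify_backup(backup, manifest, billing_objective, taken + timedelta(hours=6))
        (backup / "invoices.csv").write_text("id,amount\n1,0\n")  # altered after the backup
        (backup / "customers.csv").unlink()                       # lost after the backup
        damaged = verify_backup(backup, manifest, billing_objective, taken + timedelta(hours=1))
    return {"intact": intact, "stale": stale, "damaged": damaged}
```

A real deployment would store the manifest apart from the backup it describes and run the check from the separate recovery system the article recommends, so that a compromised host cannot rewrite both the data and its hashes.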

Ransomware Recovery Strategies

What will it take to recover, repair, and resume day-to-day operations? The time to plan is not when you’re looking at a ransomware screen that alerts you that your data is stolen and encrypted.

Here are two strategies we believe are often overlooked but the key to a quick and successful recovery.

Open Decryption Keys

  • Several resources, such as Crypto Sheriff or ID Ransomware, are freely available to help you determine if you can or cannot decrypt files.
  • Some research firms have published their decryption tools for the public with other online publications aggregating them and providing links. Kaspersky, Avast, and the FBI have publicly available decryption tools to provide relief for certain ransomware types.

Lock vs. Encryption

  • Typically, ransomware relies on encryption technology to lock users out of files or directories, demanding payment as the only recovery. While you can navigate your computer’s directories or applications, accessing data on the hard drive will be blocked, routing you to an encryption screen or warning. The files are now under encryption, even if you have other computer functionality.
  • To recover your files, take caution. Immediately using an antivirus program to remove the ransomware will likely destroy the very encryption keys needed to unlock your files. There’s also the possibility that the ransomware copied your files, encrypted those, and deleted the original files. It’s key to try clean-up software before attempting the anti-virus program route.
  • Alternative forms of ransomware impose a lock screen to prevent a user from navigating their entire computer rather than individual files or directories. As these do not encrypt files, the required decryption keys are not at risk if proper antivirus or antimalware software is used, making them more easily removed.

Steps to Take After a Ransomware Attack

  1. Keep the security mindset alive, in both your conduct with technology, as well as on a broader, organizational scale.
  2. If you do experience a ransomware attack, avoid panic. Perpetrators will want you in a distressed mindset to impair your judgment and hasten reckless action.
  3. Do everything you can to disconnect the system from the Internet, record your actions, and identify the type of ransomware, if possible.
  4. When facing any type of ransomware, be sure to immediately disconnect the computer from the network and document what you see on screen, including what precautions you took.
  5. Then, after running clean-up tools – like anti-malware or open-source software – and only after containing an infected system – begin activating backups.
  6. As a last resort, Windows 10 is designed with a “factory reset” button, allowing a full reinstallation of the operating system.
  7. Although law enforcement may not provide immediate relief, contacting them is a crucial step in contributing to the collective knowledge of how ransomware works.

Ransomware Prevention Connected to Cybersecurity Maturity

While ransomware recovery and repair are typically achievable, prevention should remain your top priority. We believe that, as a cybersecurity program matures, it becomes more robust and resilient to ransomware. They go hand-in-hand.

If you’re looking for ways to test your prevention measures and program maturity, consider our tabletop planning and simulation services. We can help you have the confidence to prevent and deal with ransomware threats.

Ransomware Resources:


Insight Contributor:

Will Defeo, Consultant

Will DeFeo is a CyLumena consultant with experience in code release governance and risk management, having previously worked for PwC in anti-money laundering and as an AmeriCorps VISTA. He is a 2015 graduate of Mercyhurst University’s Ridge College.