What would you do if you found out your data has been encrypted by Ransomware? Should you consider paying the ransom to the bad guys? Do you have a plan in place?
We have been hit twice by Ransomware (that we know of) and each time were able to identify the infected machine and mitigate the extent of the encrypted files. Both times the attack started with our network file shares, which would have been a bigger issue had we not caught it fairly early on in the encryption process. We have both on- and offsite backups and were able to first locate the machine where the malware was installed, stop the encryption from continuing, and restore the affected folders from backups within an hour or two. We were fortunate in both cases that it was caught early; otherwise recovery could have taken several hours or even a few days to get fully restored.
At a previous company we had a user get hit by Ransomware via their personal email account on a company asset. It encrypted the primary hard drive and a shared mapped network drive. On the server it was stopped via endpoint protection software and we were able to restore the encrypted files from backup; however, this user had important files on their laptop that WERE NOT backed up. For a time, we discussed actually paying the ransom, but ultimately did not, since the work lost was easily recreated with a little extra work by the affected user.
Great answers from the Pack. While Ransomware continues to be a top threat to organizations and consumers, members are reminding everyone of the essential role that a robust data backup process plays in mitigating this and many other risks. Even with current endpoint and other cyber security protections, Ransomware can still find its way into an organization. Your best defense is to continue to educate your organization on the threats and have your data regularly backed up and secured where it cannot be infected. And keep in mind that failure to have these and other best practices in place will reflect negatively on your IT organization and leadership.
When I was an FBI Agent I always told folks not to pay the ransom, for obvious reasons. However, the calls continued every day and there was a recurring trend: none of the companies had a good backup. Had a few examples where the backups didn't work. Think about how long a company can survive without access to their information. The answer is not very long. This is called the pay and prey method. Not a good place.
Sharing horror stories from the outside helps the business understand the need for both security and backup expenses. For the MOST part we make sure folks know that if you lose your local drive the IT response is going to be "who cares, let me re-image / replace for you". If you keep important data on a workstation drive there is positively no sympathy.
In general, we recommend not paying the ransom to avoid becoming a frequent target. It is important to have a good backup & recovery strategy, with backups themselves protected.
First & foremost, our program begins with Education & Phish Testing to drive awareness at the user level. After that, having good detection (SIEM, SOC, etc.), endpoint protection (AV), hardened endpoint devices (remove as many admin rights as possible without hampering productivity), DNS sinkhole configuration, and data center segmentation in place can help with quick identification and/or containment.
If ransomware still gets through all those traps, periodically testing your Security Incident Response & DR Recovery plans for this specific scenario will ensure you can respond rapidly.
I was just in an excellent presentation at the Siouxland IT Symposium by Greg Rosenberg on Today's Threat Landscape in which he mentioned that one of the main drivers of companies opting to pay the ransoms is cyber security insurance! It's actually creating a vicious cycle.
A year ago, my answer would have been yes - pay up, get business going and then ensure that challenge doesn't appear again. Today, my answer is no. We would restore the server from a snapshot stored away in isolation or rebuild the server from the ground up. We'd restore data from a backup stored away in isolation or just face the consequences. In the last year we have put several practices in place to allow us to recover from such an attack.