When you’re hit by a ransomware attack, it’s tempting to think that just restoring from backup can make the problem go away — but according to DataGravity CEO Paula Long, it’s not necessarily that simple.
While backups can be key to recovering from ransomware, Long told eSecurity Planet, restoring correctly may be more complex than you expect. “First of all, you have to figure out what it is you have and what’s been damaged — and if you don’t have everything in place, that can be a time-consuming process,” she said.
If the damage is significant enough that you have to do a full restore, you may sidestep the ransomware itself, but be left not knowing what data may have been lost or changed since the last backup. “So now you’ve got sanctioned data loss, and you don’t know what happened,” Long said.
Even more importantly, Long said, there’s a decent chance your backup is infected with ransomware as well.
“You’ve got to understand what your risk exposure is,” she said. “Are your backups infected, so when you restore, are you just causing a different problem? Potentially, depending on how well you’re automated, ransomware could hit your DR site — so you could go from incident to epidemic pretty quickly.”
Setting Up a SWAT Team
A larger company, Long said, should ideally have a kind of multi-function SWAT team ready to determine what to shut off when, who touched what, and what to restore. “The people involved may not be the same people who are involved in most data loss — there may be other people in your organization that have the information you need,” she said.
Because their job is to monitor who has access to what information and what they do with it, Long said, your compliance office may be a good place to start. “So as an IT person, you may go to your compliance officer and say, ‘Olivia had ransomware — what resources did Olivia have access to, and what has she done in the last 24 hours?'”
“I don’t think the IT guys and the compliance people necessarily hang out together, but they might need to start — because the compliance team has a good view of who has access to what,” she added.
Ultimately, Long said, it’s important to treat ransomware like a disaster recovery event — anticipate key issues and plan ahead. “You want to be able to know what changed so you can do a surgical restore, and so you can know what you lost,” she said. “It’s not impossible, but you have to think through it and have a plan.”
For many organizations, though, that’s simply not the case.
No Plan in Place
A recent Varonis survey of 230 people at organizations in the U.S., U.K., Canada and Asia found that while 76 percent of respondents see ransomware as a significant business threat, and 21 percent say ransomware is evolving in menacing new ways, just 56 percent currently have a ransomware response plan in place.
The survey, conducted by the Information Security Media Group (ISMG), also found that just 21 percent of respondents said their anti-malware solution is completely effective against ransomware.
Only 37 percent of respondents who have suffered an attack responded by improving internal access controls, and just 36 percent sought to improve detection and recovery capabilities.
Fully 82 percent of respondents expect ransomware to be a larger threat to organizations globally in 2017.
“A lot of organizations like to think they aren’t vulnerable to insider threats, but oftentimes it’s the loud intrusion of ransomware that alerts an organization to over-exposed, unmonitored permissions and data,” Varonis technical evangelist Brian Vecci said in a statement.