Ransomware response and recovery can broken down into four steps:
1. Isolate, Assess, Call for Help:
- Call professionals and stakeholders:
- Call your cybersecurity insurance provider. They often require specific steps and vendors that supersede any other steps on this list or even the preferences of the victim organization.
- Call expert ransomware response professionals. Most organizations do not have incident response or forensic staff and will need to call in expertise to stop the attack and recover systems and data.
- Call executives, attorneys, and law enforcement that may need to authorize or document the next steps.
- Stop the attack:
- Break the access of the attackers to the device under attack.
- Stop the processes executing the ransomware (if still active).
- Determine the type of attack to determine the options for recovery.
2. Recover what can be recovered, replace what cannot be recovered.
3. Apply lessons-learned and block future attacks.
4. Revise (or create) the ransomware incident response plan.
1. Isolate, Assess, Call for Help
The initial incident response requires the team to perform several tasks nearly simultaneously. Not only must the attack be contained and assessed, the team might also need to let stakeholders, executives, authorities, and insurance companies know about the attack.
Insurance Evaluation and Insurer Notification
Organizations with insurance policies need to first consider if they will involve their insurance company. Insurers often will require specific steps to be followed to fulfill the claims process.
If lucky, the attack may be small enough that no cyber insurance claim may need to be filed. For example, an attack on a single machine or a simple ransomware attack involving a limited number of users. An attack of such minor impact may not even need to involve executives or other stakeholders because of the limited damage to the organization.
However, in the case of a broad, sophisticated or Advanced Persistent Threat (APT) attack, damages will be significant. Cybersecurity insurers often strictly outline the steps permitted in order to qualify for reimbursement and in larger attacks, the insurance company should be one of the first calls.
Few internal IT and security teams maintain expertise in incident response and forensics. Internal teams can usually handle recovery from limited attacks, but sophisticated attacks require professional help. Engineers from incident response, forensic, managed IT security services, and managed detection and response specialists can determine the full extent of the attack, stop the attack, and aid in recovery..
Isolate the Attack
Assuming no instructions to the contrary from insurers, the first step is to contain the damage. Whether using internal specialists or professional assistance, the incident response team will cut off network and internet access for the affected devices (computer, server, etc.), network segment, or office. If necessary, the organization can shut down all networks for the organization to stop the spread.
Shutting down all networks is an extreme step and should not be taken lightly. Not only will normal operations suffer, but full shutdown can lead to other consequences such as:
- Lost Business
- Reputational damage
- Organization-specific risks such as:
- Disabled refrigeration monitoring for a seafood distributor
- Impaired service for a emergency call center
- Impaired health outcomes for a hospital
Also keep in mind that isolating either specific devices or the organization as a whole will prevent remote access so responding IT teams will need to go onsite – which will increase time and money required for the recovery.
Next, assess the direct damage from the ransomware and evaluate the potential reach of the attack. Some ransomware attacks automatically launch when someone clicks a phishing link and will be more simple to remediate because the source of the attack can be quickly identified and the extent of the damage rapidly assessed.
Other attacks only launch after attackers have significantly penetrated the environment, accessed many different systems, downloaded company information, and deleted backups. In the latter case, the advanced persistent threat (APT) nature of the attack will not be stopped by isolating affected devices and more advanced methods will be required to eliminate the threat.
2. Recover What Can Be Recovered
Once the active attacks are contained, the team can then turn to recovery of the systems and the data. Some simple ransomware cases can be handled by in-house teams because of their limited scope and damage.
Larger attacks involve exponentially more complexity and variance, and unwinding an APT attack will require deep forensic investigation of the systems, logs, and possibly even the backups. Most organizations need to reach out to service providers to obtain suitable experts for this type of recovery.
The high variance of ransomware attacks and response easily exceeds what we can cover in an article, so we will limit the rest of this article’s focus to a limited, manageable scope involving automated ransomware striking only a handful of endpoint computers. This example will still provide an overview of the basic steps of ransomware recovery at a high level without going into the more technical details involved in broader threat hunting processes necessary for sophisticated attacks.
How Long Does it Take to Recover from Ransomware?
Short answer: It depends. The high variance of the types of attacks and the characteristics of the environment prevent easy estimation of ransomware recovery time.
However, the variables that affect recovery time consist of:
- Available Backups: The better an organization protects their backups, the faster the recovery of the data can be performed.
- Backup Quality and Scope: The more frequent the backups occur can minimize how much data will be lost from an attack. However, in APT attacks, data corruption might be extensive and long term and require restoration from older recovery dates. System backups (operating systems, installed software, etc.) can also speed up recovery time for instances where APT actors corrupted local settings and software.
- Ransomware Attack Sophistication: Complex, long-term attacks might open persistent back doors on unaffected systems or even in backups. The more sophisticated the attack, the longer it takes to unroot them from the systems.
- Extent of the Damage: The more systems affected, the more time it takes to recover. Additionally, the deeper ransomware attackers penetrate into each system, the faster costs will escalate for investigation and recovery.
- If only data is affected, reloading data can be simple (although time consuming).
- If the ransomware infects the operating system and the registry the system software may need to be entirely reloaded.
- If the ransomware infects memory on the motherboard, recovery may not be possible and the entire system, including hardware, may need to be replaced.
- Incident Response Team: The quality (skill, experience, familiarity with ransomware incident response, etc.) of a team can affect the speed of stopping the attack and the recovery time. The size of the team also matters for extensive attacks involving a high number of devices.
- Recovery Tools: Some ransomware recovery tools can speed up the recovery process, but it depends upon the type of ransomware attack.
- Outside Influence: Recovery can be straightforward, but cybersecurity insurance providers and law enforcement may require evidence to be gathered, which can delay recovery processes. Internal payment and approval procedures can also take time away from recovery if these processes are not approved in advance. Lastly, active attackers can further disrupt recovery if they continue to have access to the network or use Distributed Denial of Service (DDoS) attacks to distract the incident response teams.
Simple Ransomware Recovery
Ransomware typically announces its presence by locking the victim’s computer with a message screen with the ransom instructions. This will provide information regarding the type of ransomware infecting the computer and provide some guidance regarding the next steps.
If we are lucky, a google search for the specific ransomware on the screen may yield free decryption tools, but beware of or through anti-ransomware tools that remove the ransomware and fully restore the system and files. Unfortunately, as covered in How to Decrypt Ransomware Files, the recovery of ransomware encrypted files has a low success rate.
The decryption difficulty stems from:
- poor encryption that garbles files
- unavailable decryption algorithms
- attacks that intentionally corrupt or delete files
Ransom Payment (Not Recommended)
Some organizations may be tempted to pay a ransom. Organizations that depend on uptime such as hospitals, law enforcement, or emergency services have mandates to be available and responsive that go beyond simple financial considerations. Deaths associated with ransomware are rare, but at least one death is directly associated with a ransomware attack and roughly 25% of healthcare providers noted an increase in mortality rates following ransomware attacks.
Unfortunately, there are three big reasons not to pay a ransom.
- The FBI discourages payment. If we need law enforcement cooperation later, it may not help to have gone against their published advice.
- U.S. Treasury sanction violations: The Office of Foreign Assets Control (OFAC) issued an advisory reminding companies that payments to entities under sanction may trigger significant penalties. Some ransomware actors operate within sanctioned countries (Iran, North Korea, etc.) and others have been sanctioned as separate entities (terrorists, organized crime, etc.).
- It doesn’t work. Sophos conducted a survey and found that of victims who paid the ransom:
- 4% paid and received no decryption keys
- 8% paid and were able to fully recover
- 92% of those who paid did not fully recover their systems.
Restoration from Backups
Full recovery of our systems will test the quality and thoroughness of our backup processes. We will need to go back far enough to locate data and OS system backups free of malware, but the further back we need to go, the more work product that could be lost. Our preparation prior to the attack will be critical to our data recovery success.
Hopefully, backups can be accessed through System Restore. If we know the date of the infection, we can roll back the computer to a system restore point prior to the infection, which should automatically remove the ransomware, clean the registry, and restore the operating system.
If we are unlucky, a sophisticated ransomware attack encrypted or deleted any backup files and system restore points. In this case, we may need to completely wipe the system and reinstall all software.
While it is possible to manually restore systems instead of wiping them, this time-consuming process requires a deep understanding of Windows Registry to carefully examine it to remove any lingering infections. Generally, this option consumes too much time to be practical and will be much more expensive than wiping the computers.
Once the system has been cleaned, we still have to restore the data itself from backup. Keep in mind that some backups may be of corrupted data so incident response teams may need to go through multiple backups until they find clean data. Any changes made since the last clean backup will probably be lost.
Further reading on ransomware protection and recovery:
- Best Ransomware Removal and Recovery Services
- Best Ransomware Removal Tools
- Best Backup Solutions for Ransomware Protection
3. Conduct Post-Attack Tasks
Whether we can restore our systems ourselves or we must hire incident response specialists, fully recovering our systems from an attack only marks the start of the process. We will also need to:
- Deal with other ransomware attack issues
- Report to regulators and stakeholders
- Apply lessons learned
Deal With Other Ransomware Attack Issues
Many ransomware gangs have adopted the tactic of exporting sensitive data prior to triggering the ransomware attack and extorting the victim company with the threat of publicly releasing their data. If exfiltration has occurred, what types of data was stolen?
Depending upon the type of data affected, a full forensic investigation of the attack may need to be performed to gather evidence for criminal prosecution or to defend the organization from civil and regulatory action. Complex attacks involving more than one ransomware attacker or more than one exfiltration will increase the time and headaches involved in resolving the issues.
Report to Regulators and Stakeholders
The theft of regulated data protected by law will trigger reporting requirements regarding the full extent of personal information, credit card data, healthcare information, or other protected data accessed, breached, or publicly released. Once the type of breached data is known, legal counsel will determine what types of internal and external reports may be required.
IT teams also need to work with legal counsel and executives to determine the required internal reports and the timing and content of information released to authorities, affected parties, or the public. Even if not required by law, breached customer data may trigger contractual and moral obligations to report the extent of the breach to the affected parties.
Apply Lessons Learned
Once the recovery is complete and required reports are delivered, our incident response teams need to perform a post mortem analysis. The method of attack must be reviewed to determine how to prevent such attacks in the future.
Often this will be referred to as a Lessons Learned report and it should cover:
- What security was bypassed to allow the ransomware attack, such as email screening or firewall security
- What adjustments have been made or could be made to existing security
- What additional security controls must be added or what new security tools may need to be installed.
Some organizations may not have the budget or time to immediately address all issues, so unaddressed issues will also need to be evaluated for risk to the organization. For example, it may not be practical to prevent phishing attacks from leading to future ransomware attacks, but the organization may decide to encrypt more data or block email access from critical systems to limit the future risk to the organization.
Additionally, the team will want to analyze their response to the attack to determine if improvements need to be made to the incident response plan (or to create an incident response plan). Common issues encountered in this process are incorrect phone numbers, obsolete IP addresses, or broken recovery processes.
4. Create or Revise the Ransomware Incident Response Plan
Preparation remains the key to successful ransomware recovery. An organization must:
- Prepare a good backup policy and procedure
- Prepare a good good incident response policy and procedure
- Install layered ransomware security
- Test security and policies for effectiveness
Prepare Policies to Protect Against Ransomware
Some IT professionals dismiss policies as words on paper that protect nothing. The validity of that complaint depends upon the organization. Organizations that use the policies to enact procedures and to set the tone of the organization will enjoy more benefits from policies than organizations that just go through the motions for compliance check boxes.
Backup policies should include the type of backup (full data, changed data, full system), frequency (daily, monthly, quarterly), retention period (60 days, six months, etc.), and the location of the backup (on the device, in connected network repositories, offline, etc.). Best practices recommend three backups with at least one backup offsite and offline to prevent an attacker’s access.
For an incident response plan or policy, we must be honest about our valuable assets, our security capabilities, and our team’s ability to respond to an incident. The key is functionality. A robust plan that cannot be executed by our team is worthless.
The plan does not require sophistication or even technical ability. It could simply be a list of different types of incidents (power outage, ransomware attack, etc.) and important numbers to call for each type of incident such as incident response experts, an attorney, key executives, insurance contacts, and so on.
Some attorneys will recommend specific processes that require their involvement. These recommendations hope to extend the protection of privilege to the work product and communication of the process so that it cannot be introduced as evidence in future lawsuits.
The incident response plan may also need to involve the CFO. Purchasing limitations that may normally require extended processes with multiple signatures may need to be bypassed with pre-approved budgets and vendors that would be triggered in the event of an attack.
Ideally, any cybersecurity insurance policy requirements should also be determined and added to the incident response plan. The more accurate the information, the smoother the process will be executed and the less risk of mistakes during an incident.
All policies should be reviewed periodically as well as after an event to revise or update the policies as needed.
Install Layered Ransomware Security
When installing layered security we need to focus on the most likely target and the most likely attack paths.
We must cover the basics. A zero-trust architecture with continuous authorization might be the preferred option for some, but a traditional security framework can provide adequate security for many.
Budgets and IT capabilities may limit how much security we can afford to deploy, but not all security costs a fortune. Many of us ignore the embedded options and features of our current operating systems and software that can significantly reduce the effectiveness of attacks.
This is particularly true of server protection, where, as Symantec Endpoint Security VP and General Manager Adam Bromwich notes, “traditionally IT has not turned on all the protection technologies available to them. They have become a weak point that attackers are exploiting.”
“Lay of the land” attacks that exploit legitimate tools, such as PowerShell, WMI and PsExec, add to that insecurity. Symantec has added behavioral blocking around such tools and sandboxing, and the Broadcom company’s new Adaptive Protection tool shuts down processes that aren’t in use, further hardening systems and disrupting the attack chain.
“By the time you can react to an EDR alert, it is too late,” Bromwich told eSecurity Planet.
Planning and Testing
Testing involves periodic checks of our security, processes, and procedures.
First, we must verify that our security has been correctly installed and is functioning. Internal assessments are okay, but can miss critical issues our team did not consider.
Paying for third-party assessments and penetration tests can provide fresh thinking and a level of assurance for stakeholders such as customers, the board of directors, and the cybersecurity insurance company. Penetration tests and vulnerability scans may also be required to comply with various regulations (PCI DSS, etc.).
Our processes and procedures will often be planned in advance, but may overlook critical data or steps. Tabletop exercises and drills to go through the processes and procedures ensure our staff confidently can smoothly execute them should a ransomware attack or other incident occur.
It can also be wise to ensure that all employees in the company receive and understand the incident response policy. Intermedia surveyed employees and estimated that 59% personally paid to recover from ransomware rather than admit to becoming a victim. However, our IT teams need to make sure that the malware has been removed from the system and we can only do that if we are informed about the attack.
The best way to recover from a ransomware attack is to execute a carefully practiced incident response plan. However, many organizations have no plan at all. Instead, they not only have to conduct recovery steps with no planning or preparation, they also need to figure out those steps under immense pressure.
While the recovery steps are the same, a written plan enables a security team to be much better prepared. A security team that practices a plan gains even more benefits because they can respond to attacks faster, with fewer mistakes, and with better results.
All organizations should take steps to prepare for future ransomware attacks so that when an attack arrives, they will be prepared and react quickly, effectively, and comprehensively to limit damage.
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.