Ransomware Recovery 101: You’ve Been Hit, Now What Do You Do?

Ransomware is coming to your neighborhood. Now a $1 billion-per-year industry, ransomware has quickly become one of IT and security pros’ biggest fears. According to a recent study by CyberEdge Group, more than 60 percent of organizations are likely to experience an attack. The scariest part? Most aren’t fully aware of the consequences—and how to appropriately recover. When data is being held hostage, there’s no way to keep up with business as usual. Whether it’s identifying what is missing, deciding whether or not to pay the ransom, or determining how to recover lost files, there are key recovery aspects that go unaddressed. This eWEEK slide show, using industry information from Paula Long, CEO and co-founder of DataGravity

offers tips that can help businesses plan for and implement a ransomware counterattack.

One of the biggest mistakes organizations make when hit with ransomware is making a decision about whether or not to pay the ransom before they’ve done any preliminary investigation. Before jumping into a recovery plan, the first step is to secure the crime scene and shut down users immediately.

To ensure the issue isn’t propagated to other copies of the data, turn off snapshot schedules and double-check your stored snapshots to confirm that they’re not being deleted automatically. You may want to also turn off automated disaster recovery (DR) tools, especially if you aren’t doing synchronous replication. In the case of synchronous replication, the DR site is already contaminated. In snap-copy scenarios, there’s a chance things have propagated.

Once you’ve stopped the spread of the attack, establish what data was impacted. Don’t forget to take inventory of audit logs and previous snapshots. Depending on who was infected and the timing of the attack, it is possible, at times, to unwind what happened.

Here’s where the math comes in. Do a cost analysis of the ransom versus the data. Is the cost of being out of business for hours, days or weeks worth more than the ransom? It’s important to remember, however, that there is a risk associated with paying up. There’s no guarantee that the data will be returned in its original state—if at all.

Remember there’s more than just the financial consequences that come with downtime and paying the ransom itself. In addition to the legal costs, employee time and reputational damage, consider how IT operations are going to be affected. Acknowledge that there’s a chance the IT department (and many others) will not be able to continue to operate if the data becomes unavailable. 

After analyzing the situation, it’s time to decide whether or not to pay the ransom. If you choose to pay up, keep in mind that there’s no promise that you’ll get your data back. Cross your fingers and hope everything works out. If it doesn’t, go to the next slide. If it does, move on to Slide 10.

If you choose to not pay the ransom, now the work begins. In determining whether to pay or not pay, you have scoped, at least at a high level, the extent of the damage. If the damage was isolated to a small set of users on dedicated resources, the recovery should be straightforward.

However, if the issues made it into shared infrastructure, you need to figure out what was impacted. If you have some form of audit or network logs, you might be able to identify which shared resources were affected and may even be able to determine which files could have potentially been accessed.

Without access to the information you uncovered in Slide 8, you could find yourself rolling back to a time before the issue happened, and losing data that was still good. To avoid wasting time (and perfectly good data), invest in tools that can get you lists that can help you make smart restores. 

While frequent backups are often a good thing, turning to them for ransomware recovery isn’t always a wise idea. The more frequent they are, the more likely your backups will be infected with ransomware as well. It is important to remember that backups are read-only, so cleaning them up is going to be a challenge too.

Every organization has a different experience when responding to ransomware, and there will always be a learning curve. Determine what worked (and what didn’t) and take that into account to ensure that your organization is prepared for a future attack.