There is an old proverb, attributed to various cultures, which says: “The best time to plant a tree was 20 years ago. The second best time is now.”
The same goes for backups.
If you've been hit by a ransomware incident, the best way to recover is to restore from your most recent backup. But let's say your backup process isn't as mature as it could be. If that's true, your backups, or lack of backups, have created a gap in your business data that you cannot endure. What, then, are your options, if any?
Well, to be honest, there aren't many and they aren't great. The first thing you are going to do is formulate a simple backup strategy and be ready to execute it. We'll address that later.
Report The Incident
Federal police and anti-fraud centers want you to contact them about ransomware incidents.
They will not be able to help you directly, but they do have some resources, and they track data related to ransomware events. You can find your local field office here:
Some decryption keys are known
Now, to deal with the event. Try to clearly identify the ransomware variant you are dealing with, and then research ways to decrypt it. For example, checking the instruction files (the ransom notes) and searching on the language or terms in them can help. Sometimes the actual name of the variant will appear in the text file.
If you have been hit by an older, known ransomware, you can possibly get tools or decryption keys from the internet. A quick Google search of “known ransomware decryption keys” comes up with two helpful links:
Kaspersky has created NoRansom, a site which has tools to handle decryption of some known ransomware. They have a useful How To guide on the site.
This Tripwire article details 10 known cases of ransomware and has links to known decryption keys.
Before you attempt any kind of decryption, make a backup and try it out on the backup copies. That way if the data is destroyed or otherwise transformed, you will have a version that can hopefully be restored to normal.
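The identification step above, and the advice to work on copies rather than originals, can be scripted. The following is an added example, not code from the original article: it counts file extensions on an affected share (most ransomware appends its own, which is the usual first clue), lists small text files whose names look like ransom notes, and copies those notes into an evidence directory with a SHA-256 manifest so the originals are never edited while you research the variant. The note-name word list, the ".locked" suffix in the constructed sample and all paths are assumptions for the example; it assumes a POSIX shell plus GNU coreutils/findutils.

```shell
#!/bin/sh
# Added example, not code from the original article: first-pass triage of an
# encrypted file share to support the "identify the variant" step.
# Assumes a POSIX shell plus GNU coreutils/findutils (find, awk, sha256sum).

# Count file extensions under $1, most frequent first; "(none)" for files
# without one. An unfamiliar extension at the top is the usual first clue.
extension_census() {
    find "$1" -type f | awk -F/ '{
        n = $NF
        if (index(n, ".") > 1) { sub(/.*\./, "", n); print n } else print "(none)"
    }' | sort | uniq -c | sort -rn
}

# List small text/HTML files under $1 whose names use words ransom notes
# commonly use. The word list is an assumption for this example, not a
# complete signature set; extend it with what you see in your own incident.
find_notes() {
    find "$1" -type f -size -65536c \
        \( -iname '*readme*' -o -iname '*decrypt*' -o -iname '*recover*' \
           -o -iname '*restore*' -o -iname '*how_to*' -o -iname '*howto*' \) \
        \( -iname '*.txt' -o -iname '*.html' -o -iname '*.hta' \) | sort
}

# Copy every candidate note from $1 into $2/notes (path flattened into the
# file name) and write $2/notes.sha256. Prints the number of notes collected.
collect_notes() {
    src=$1; out=$2
    mkdir -p "$out/notes"
    find_notes "$src" > "$out/notes.list"
    while IFS= read -r f; do
        cp -p "$f" "$out/notes/$(printf '%s' "$f" | tr '/' '_')"
    done < "$out/notes.list"
    if [ -s "$out/notes.list" ]; then
        ( cd "$out/notes" && sha256sum -- * ) > "$out/notes.sha256"
    fi
    wc -l < "$out/notes.list" | tr -d ' '
}

# Re-check the collected notes against the manifest (exit 0 if unchanged).
verify_notes() {
    ( cd "$1/notes" && sha256sum -c --quiet ../notes.sha256 )
}

# Constructed sample share imitating an encrypted file server: four files
# renamed with a ".locked" suffix and a ransom note dropped in each folder.
make_sample_share() {
    mkdir -p "$1/docs" "$1/pics"
    for f in docs/report.docx docs/budget.xlsx docs/minutes.txt pics/photo.jpg; do
        printf 'ciphertext placeholder\n' > "$1/$f.locked"
    done
    for d in docs pics; do
        printf 'Your files are encrypted. Contact us to restore them.\n' \
            > "$1/$d/HOW_TO_RESTORE_FILES.txt"
    done
    printf 'project readme\n' > "$1/readme.md"
}

# Usage: sh triage.sh /mnt/share /tmp/evidence   (paths are examples)
if [ "$#" -eq 2 ]; then
    extension_census "$1"
    echo "notes collected: $(collect_notes "$1" "$2")"
fi
```

Run the census first and search on the top extension together with distinctive phrases from the collected notes; the manifest lets you show later that the notes you researched are the ones found on the share.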
Paying the ransom
Ransomware is very diverse, however, so it's quite possible that your incident does not have a known decryption tool or key. In this case, you have very few options. The most obvious one is to pay the ransom. The FBI points out there are risks associated with this, and does not encourage paying a ransom. Consider the following issues, which the FBI has been tracking:
- Paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Ars Technica has a report of the malware simply deleting the files after decrypting!
- Some victims who paid the demand have reported being targeted again by cyber actors.
- After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
- Paying could inadvertently encourage this criminal business model.
Just like with the known recovery options, doing research on the type of ransomware affecting you can help mitigate the risk of paying. Some ransomware variants even have helpful customer service available!
Another option, which is probably the least palatable option, is to simply throw out the data and start over. This can be a viable choice for new data which can be easily and cost effectively regenerated.
Planting your tree
Whatever option you choose, the first thing after reporting your case to the FBI/USSS is to create a backup plan. Backups come in many varieties, sizes and pricing options. You should evaluate what would work best for your organization based on size of the data being backed up, the sensitivity of the data and its value to your organization. You'll notice I specifically excluded pricing as a consideration. Pricing could very well be the reason you're in this position! That said, you don't have to sell the farm to buy a backup solution.
A very simple, first-tier, low-tech solution is to back up your data to external drives using simple copy commands or software. This is the lowest-cost option, but it is resource intensive, failures aren't always evident, and it is difficult to maintain. If you choose this option, make sure you make multiple backup copies, because external hard drives, especially consumer models, do not hold up well to constant operation. To avoid a recurrence of ransomware, keep these copies offline when not in use.
This really is a stop-gap until you can move to something better. Simple software here can include open source solutions such as Amanda, Bareos and FBackup. Use these tools with discretion, as many do not have support options. Most operating systems come with basic copy tools that can also be used, such as Windows XCOPY or Linux cp -r.
The second tier would have some sort of mass storage available. This could be a SAN or NAS unit in your data center, or it could be a cloud solution. You could still leverage these solutions with simple copy commands and software. This solution is easier to support and more reliable than the USB external drive but it does not lend itself to being very scalable. If you have a small business, and don't expect a large amount of data growth, this could be viable for you. Amazon's AWS solutions are offered at a reasonable price for low amounts of data storage and growth.
The third tier would be an enterprise-class backup solution. This requires a great amount of resource allocation, both in terms of dollars and in support. However, this is the most desirable option for organizations with large amounts of data growth. The big players in this space are very recognizable names such as IBM, EMC, Veritas and others.
Once you have your solution chosen and are implementing it, take the time to document your recovery plan, or integrate this into your existing one. During an emergency, it's always helpful to have that run book so the difficult choices are already made and people can execute faster.
And remember, if your backups are always accessible from PCs or servers, they could be impacted by ransomware, so ensure you have permissions set to only allow writing new backups and not deleting or modifying old ones.
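The first-tier "copy to an external drive" approach above and the permissions point in the last paragraph can be combined in one small script. This is an added example, not the article's own code: each run lands in a new dated backup set, the copy is checked against a SHA-256 manifest (a silent copy failure is exactly the "failures aren't always evident" problem), and a finished set is stripped of write permission so an ordinary account on the same host can add new sets but cannot overwrite or delete old ones. It assumes GNU coreutils/findutils and an already mounted destination; the paths and sample data are constructed for the example.

```shell
#!/bin/sh
# Added example, not the article's own code: a minimal first-tier backup in the
# spirit of "cp -r to an external drive", with verification and write-once sets.
# Assumes GNU coreutils/findutils (cp -a, find -print0, -perm /222, sha256sum)
# and a destination that is already mounted; paths below are examples.

# Manifest of every regular file under $1, paths relative to $1.
manifest() {
    ( cd "$1" && find . -type f -print0 | xargs -0 sha256sum )
}

# Verify a backup set's data directory against its stored manifest.
verify_set() {
    ( cd "$1/data" && sha256sum -c --quiet ../manifest.sha256 )
}

# True if nothing under $1 carries a write bit for anyone.
is_write_protected() {
    [ -z "$(find "$1" -perm /222 | head -n 1)" ]
}

# Copy $1 into a new dated set under $2, verify it, then make the set read-only.
# Prints the set's path on success; never reuses or touches an existing set.
backup_set() {
    src=$1; dst=$2
    [ -n "$(find "$src" -type f | head -n 1)" ] || {
        echo "refusing to back up an empty source: $src" >&2; return 1; }
    set_dir="$dst/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dst" && mkdir "$set_dir" || return 1   # fail rather than overwrite
    mkdir "$set_dir/data"
    cp -a "$src/." "$set_dir/data/" || return 1
    manifest "$src" > "$set_dir/manifest.sha256"
    verify_set "$set_dir" || {
        echo "verification failed, set is NOT trustworthy: $set_dir" >&2
        return 1
    }
    # Write-once: new sets can still be created beside this one, but files and
    # directories inside it cannot be modified or removed by a non-root user.
    chmod -R a-w "$set_dir"
    printf '%s\n' "$set_dir"
}

# Constructed sample data standing in for a small business file share.
make_sample_data() {
    mkdir -p "$1/finance" "$1/contracts"
    printf 'employee,amount\nA. Example,1000\n' > "$1/finance/payroll.csv"
    printf 'Master services agreement (sample)\n' > "$1/contracts/msa.txt"
}

# Usage: sh backup.sh /srv/data /media/backup-drive   (paths are examples)
if [ "$#" -eq 2 ]; then
    backup_set "$1" "$2"
fi
```

Removing the write bits stops an ordinary user, and therefore malware running as that user, from touching a finished set; it does not stop root or an administrator, so this belongs alongside the article's advice to keep the drive offline when not in use rather than in place of it. Running verify_set on an old set before you rely on it catches the other quiet failure of this tier, a drive that has started to degrade.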