Recovering from a Ransomware Attack: The road to recovering your data

Threat actors don’t just react, and neither should you. A pandemic is no excuse for not testing your backup system.

In recent months, we have seen a rapid rise in ransomware attacks. Covid-19 has forced businesses to make fast changes, occasionally leaving holes in their IT systems for cybercriminals to creep through.

These attacks may arrive through phishing, malicious attachments or hidden links, or more directly through leaked or guest passwords. Whatever the entry point, the infection can lie dormant for quite some time. Lying dormant lets the initial foothold take hold before it spills over into a noticeable event that alerts IT teams to its presence. Dormant, slow-moving attacks also spread more widely: not only individual computers are at risk, but user IDs – with access to multiple machines, operating systems and backup software – are put at risk too.

Although dormant attacks are perhaps the more damaging, some attacks are immediate and brutal, destroying as much data as possible in as little time as possible. The danger here is that IT teams have no time to scramble and halt the infection.

So, let’s say your organisation has been the victim of a ransomware attack. Now what? Where do you go from here? It might seem like there are endless possibilities and roads to go down, but one thing is clear:

You need a recovery plan

“But we already have one, why do we need another one?” The thing about ransomware attacks is that, like a real infection or virus, they change and adapt. Cybercriminals often analyse the effectiveness of their attack methods and alter their code accordingly. Organisations must understand this and commit to incrementally updating and managing their backup and recovery processes so that their data stays protected. Ransomware avoidance on its own is simply not enough; an attack will happen sooner rather than later. Avoidance must be backed by flexible backup and recovery plans that aim to prevent as much data loss as possible after a ransomware attack.

Let’s think back to 2017, when the infamous ‘WannaCry’ ransomware infected over 300,000 computers in 150 different countries simply by spreading through local networks – no harmful links, no dodgy email attachments. The malware was eventually stopped, but by then data had already been compromised, and cybercriminals were free to adapt the code and worsen the effects of the next planned attack.

Backup but not forgotten

It is worth remembering that the aim of a sturdy backup and recovery plan is not to protect the perimeter. The aim of backup and recovery is to recover the overall environment, understand the level of infection and search the backup catalogues to find the earliest uninfected files. By promoting a culture where infection intelligence is ongoing, backup and recovery can be made into a flexible and compliant process.

The scanning processes of some backup vendors can detect locked files and directories, alerting the user to the effects of ransom activity after the fact. Others can search backup images for infection signatures in an effort to avoid reseeding the environment by recovering infected backups. However, these measures really only signal how far the horse has bolted.
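The two scanning ideas above – spotting locked files in a backup and walking the catalogue back to an uninfected point – as an added Python example that is not Predatar’s code or any vendor’s product. It assumes an in-memory stand-in for a backup catalogue (a list of dated snapshots mapping file paths to their bytes) and uses hypothetical ransomware markers (extensions and a note file name) together with a byte-entropy check for encrypted content:

```python
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Hypothetical markers; real ransomware families use many different extensions and note names.
RANSOM_EXTENSIONS = (".locked", ".encrypted")
RANSOM_NOTE_NAMES = ("readme_decrypt.txt",)
# Formats that are legitimately high-entropy and must not be mistaken for encrypted output.
COMPRESSED_EXTENSIONS = (".zip", ".gz", ".7z", ".jpg", ".png", ".mp4")
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(snapshot: Dict[str, bytes]) -> List[str]:
    """Return the paths in one backup snapshot that look locked or encrypted by ransomware."""
    flagged = []
    for path, data in snapshot.items():
        name = path.rsplit("/", 1)[-1].lower()
        if name.endswith(RANSOM_EXTENSIONS) or name in RANSOM_NOTE_NAMES:
            flagged.append(path)
        elif not name.endswith(COMPRESSED_EXTENSIONS) and shannon_entropy(data) > ENTROPY_THRESHOLD:
            flagged.append(path)
    return sorted(flagged)


def last_clean_snapshot(catalogue: List[Tuple[str, Dict[str, bytes]]]) -> Optional[str]:
    """Walk the catalogue newest-first and return the most recent snapshot with nothing flagged.
    Caveat: a snapshot may still hold a dormant dropper that has not encrypted anything yet,
    so a 'clean' result is the starting point for recovery, not proof the backup is safe."""
    for name, snapshot in reversed(catalogue):
        if not suspicious_files(snapshot):
            return name
    return None


# Constructed sample catalogue, oldest first. Evenly distributed bytes stand in for encrypted output.
_ENCRYPTED = bytes(range(256)) * 8  # every byte value equally often -> entropy 8.0
_TEXT = b"quarterly figures, see attached spreadsheet\n" * 20
SAMPLE_CATALOGUE = [
    ("2020-06-01", {"/data/report.docx": _TEXT, "/data/photos/a.jpg": _ENCRYPTED}),
    ("2020-06-02", {"/data/report.docx": _TEXT, "/data/photos/a.jpg": _ENCRYPTED}),
    ("2020-06-03", {"/data/report.docx.locked": _ENCRYPTED,
                    "/data/README_DECRYPT.txt": _TEXT, "/data/photos/a.jpg": _ENCRYPTED}),
]

if __name__ == "__main__":
    for name, snap in SAMPLE_CATALOGUE:
        print(name, suspicious_files(snap) or "clean")
    print("recover from:", last_clean_snapshot(SAMPLE_CATALOGUE))
```

The JPEG in the sample is deliberately high-entropy so the allowlist of compressed formats is exercised; in practice the threshold and allowlist need tuning per environment to keep false positives down.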

Take a step

Predatar uses a mixture of methods and approaches to help automate the backup and recovery process, taking the initial heat off IT teams. Ultimately, the goal is to recover environments rapidly and ensure that organisations get the best of their data back after disaster strikes.

For more on this topic, why not watch this 20-minute presentation from our Control 2020 conference. It can be viewed on the Predatar YouTube channel here.