Tech & Innovation

Best practices to remediate a ransomware attack

By Business & Finance
25 May 2020

To pay or not to pay? That is the question confronting the growing number of businesses hit by ransomware. Filip Verloy, Field CTO EMEA of Rubrik, guides companies through the steps.

According to the FBI, ransomware will be a $1 billion market in 2021. If a strong ransomware remediation plan is not in place prior to an attack, paying a ransom can seem like the only option. And why do organizations pay? Recovery can be painful and time-consuming, and in many cases, the backups themselves can be compromised.

Filip Verloy, Field CTO of Rubrik, states: “As the use of remote working rises, so do potential threats and vulnerabilities, especially within a smaller business which might not have stringent home working security measures in place. People have been forced to adopt new ways of working at an accelerated pace.

“I’ve seen previously discarded laptops with outdated operating systems brought back for use, or worse, people being asked to install VPN software on home machines. Usually these machines do not have a secondary admin, could potentially have more users using the same log-in and lack enterprise security.”

Filip Verloy, Field CTO EMEA, Rubrik

Organisations should not be forced to trade off paying a ransom and costly downtime. Instead, they should be able to rely on their backups to recover quickly and reliably. This requires developing and testing a strong remediation strategy before ransomware strikes.

Verloy continues: “Protecting a business from a cyberattack that could come from remote working requires preparation long before an attack actually occurs. A large component of passive survivability includes developing a cyberattack safety net that incorporates tools and processes designed to get you back on your feet quickly. My advice to any company would be to create a ‘work from home guide’ for employees, explain which tools are ok, what basic security measures are expected and who is responsible for implementing them.”

Protecting a business from a cyberattack that could come from remote working requires preparation long before an attack actually occurs.

Don’t wait for a cyber attack in order to develop your remediation plan. To eliminate the potential pain of ransomware recovery, decide now on a backup and recovery solution you trust to keep your data secure. Rubrik is the only solution with built-in immutability, impact assessment, and instant recovery, ensuring that your backups remain unaltered during an attack. 

This guide will help you develop your ransomware remediation plan, so when an attack occurs, you can resume business operations quickly without paying a ransom.

How do you ensure the fastest recovery possible?

  1. Build and test a strong business continuity plan.
  • Implement a holistic, cross-functional instant response team. Elect experts from the following areas: Network, Storage, Information Security, Business Continuity Management, and PR. Tailor this team to your own needs and expertise.
  • It is critical that you backup data regularly, verify the integrity of those backups, and test the restoration process to ensure it is working prior to an attack.
  1. Train your team.
  • Run simulated exercises with your response team on a regular basis to test your ransomware readiness. Keep in mind how standard operating procedures differ based on region, business organization, etc.

You’ve been hit by ransomware – what now?

  1. Isolate the infected station from the network.
  • Prevent the infection from spreading by disconnecting the network cable, WiFi, Bluetooth, and all external storage devices such as USB or external hard drives.
  • Power-off affected devices that have not yet been completely corrupted to contain the damage.
  1. Ensure backups have not been compromised.
  • Backup data should never be available in read/write mode. Otherwise, it can be vulnerable to known protocols and easily manipulated or deleted by an attacker.
  1. Identify the infection.
  • Investigate the type of ransomware you’re facing, how it entered your system, and how it spreads in order to sealthe breach. Was it a phishing scam? Internet-facing vulnerability? Stolen user credentials? Your response may vary depending on the ransomware entry point.
  1. Determine your options.
  • Option 1: Pay the ransom.

» The FBI cautions against paying the ransom. Paying a ransom does not guarantee an organization will regain access to their data. Ransomware victims may be subject to another attack or asked to pay an additional sum.

  • Option 2: Try to remove the malware.

» It is questionable whether or not you can successfully remove an infection. Ransomware has become increasingly sophisticated and mutates frequently, making it less likely a decryptor is available.

  • Option 3: Recover from backups.

» A strong backup strategy should allow you to restore from the most recent clean backup to avoid paying the ransom.

  1. Engage your incident response team.
  • Notify the appropriate stakeholders to activate your business continuity plan.
  1. Diagnose the scope of infection.
  • Quickly identify which files have been impacted and where they are located.
  • Visibility into how widespread the attack helps the incident response team recover only the impacted data and minimize data loss.
  1. Recover quickly.
  • Restore your files to the most recent clean version of impacted data.
  1. Alert the authorities
  • Inform law enforcement, customers, and any other necessary authorities. This is highly dependent on your business and industry.

How can you secure your environment for the future?

  1. Implement security controls.
  • After an attack, it is recommended to fix any identified vulnerabilities to ensure hackers can’t re-access your environment.
  1. Strengthen your existing recovery plan.
  • Use learnings from the attack to bolster your business continuity efforts. Adjust training exercises to help your team perfect areas of weakness and build off areas of success.

Conclusion: Rubrik makes it easier and faster to recover from security attacks while providing greater intelligence on how an incident impacted your global applications and data. Recover Faster. Stay Smarter.