With any ransomware attack or security event, there’s going to be a before, a during, and an after. To understand how to protect your organization at each phase is to understand how an attack unfolds.
In this article, I’ll cover what happens in the aftermath of an attack. Hopefully, you’ve followed the necessary ransomware recovery steps to prepare for the “before” and “during” of an attack. Here, I’ll discuss what to do next as you bounce back, reduce reputational damage and risk, and minimize the overall cost to your organization.
Once an Attack Has Run Its Course…
After an attack or security event has occurred, you can expect a few things to happen:
- If files are encrypted, you’ve likely found the note with the attacker’s demands.
- You’ll be faced with the choice of whether to pay the ransom. The note typically points to a site on a .onion domain where you can negotiate an amount with the attacker’s representative and arrange a cryptocurrency transfer. Read this article to see what could happen if you decide to pay or not. After payment, the attacker might hand over the decryption key or a decryptor tool, but there are no guarantees: decryptors are often slow, buggy, or incomplete, paying does nothing to remove the attacker’s access, and paying a sanctioned group can itself be unlawful, so involve legal counsel before deciding.
- Even after your data is decrypted or restored, the attacker may still hold exfiltrated copies and use them for a second round of extortion, demanding payment not to post those files on the public internet.
At this point, you’re working to minimize the damage, get back online, and alert the right people. Let’s look at how to do that.
5 Steps for Ransomware Recovery After an Attack
Ransomware recovery efforts will depend on your organization, your data, and the nature of your security event, but it’s helpful to start with these five steps in the immediate wake of an attack.
1. Prioritize systems for recovery and restoration efforts based on your response plan.
In my last article, I covered one of the key things to do mid-attack: get a clean copy of your data into a staged recovery environment so that the bare minimum of mission-critical systems can come back online. Now, you’ll want to prioritize recovery and restoration of everything else.
Work with fellow executives to ensure that recovery tiers are agreed on with the other stakeholders. Application restoration priorities or tiers should be well defined so that business units know the timeline for restoring their applications and there are no surprises. The plan must also account for dependencies on core infrastructure such as Active Directory and DNS: most business applications cannot authenticate users or resolve names without them, so they need to be restored (and verified clean) before anything that depends on them.
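As an added illustration of this step (example code, not Pure Storage tooling; the systems, tiers and dependencies below are constructed), the following Python orders restoration so that no system comes up before its dependencies, with recovery tier breaking ties, and flags a business-proposed order that violates those dependencies:

```python
"""Dependency-aware restoration planner. Added example, not Pure Storage
tooling; the inventory below is constructed for illustration."""
from collections import defaultdict

# Constructed inventory: system -> (recovery tier, systems it depends on).
# Tier 0 is the core infrastructure everything else needs (DNS, directory).
SYSTEMS = {
    "dns":        (0, []),
    "active_dir": (0, ["dns"]),
    "pki":        (1, ["active_dir"]),
    "erp_db":     (1, ["active_dir", "dns"]),
    "erp_app":    (1, ["erp_db", "pki"]),
    "intranet":   (2, ["active_dir"]),
    "reporting":  (3, ["erp_db"]),
}


def plan_restore(systems):
    """Return a restore order in which no system precedes a dependency.
    Among systems whose dependencies are all up, the lowest tier goes
    first (ties by name). Raises ValueError on an unknown dependency or a
    cycle, both of which mean the plan itself is wrong."""
    for name, (_, deps) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
    remaining = {name: len(deps) for name, (_, deps) in systems.items()}
    dependents = defaultdict(list)
    for name, (_, deps) in systems.items():
        for dep in deps:
            dependents[dep].append(name)
    ready = [name for name, n in remaining.items() if n == 0]
    order = []
    while ready:
        ready.sort(key=lambda s: (systems[s][0], s))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            remaining[child] -= 1
            if remaining[child] == 0:
                ready.append(child)
    if len(order) != len(systems):
        stuck = sorted(s for s, n in remaining.items() if n > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return order


def violations(plan, systems):
    """Check an order proposed by the business units: return (system,
    dependency) pairs where the dependency is restored later or not at all."""
    position = {name: i for i, name in enumerate(plan)}
    bad = []
    for name in plan:
        for dep in systems[name][1]:
            if dep not in position or position[dep] > position[name]:
                bad.append((name, dep))
    return bad


if __name__ == "__main__":
    order = plan_restore(SYSTEMS)
    print("restore order:", " -> ".join(order))
    # A plan that tries to bring the ERP front end up first.
    proposed = ["erp_app", "dns", "active_dir"]
    print("problems with proposed plan:", violations(proposed, SYSTEMS))
```

The planner is a topological sort with tier as the tie-breaker, which is why a tier-3 system can legitimately come up before a tier-1 system whose dependencies are not yet restored; the `violations` check is what you run against the order the business units hand you before anyone starts restoring.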
2. Continue forensics efforts and work in tandem with the proper authorities, your cyber insurance provider, and any regulatory agencies.
Continue working with your forensics experts to uncover more details, such as:
- Were the affected data encrypted at rest when the breach happened? This determines whether any exfiltrated copies are readable to the attacker and, under many breach-notification laws, whether notification is required.
- What’s the status of backed up or preserved data?
- Review logs to determine who had access to the data at the time of the breach. Who currently has access? Do they still need it, or can it be limited or revoked?
- What types of data were compromised? Who was affected, and do you have their contact information?
As you gather forensic reports, it’s important to do so in collaboration with the proper authorities—law enforcement, such as the FBI, and regulatory agencies that need to be involved—and your insurance provider.
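As an added example of the log-review question above (constructed log lines, accounts and breach window; not code from Pure Storage or from any real incident), this Python script lists every account that touched data during the breach window, checks whether it still holds access today, and recommends an action. It treats third-party and former-admin accounts the way step 5 below suggests: revoke first, re-grant after the owner re-approves.

```python
"""Access review over sample logs. Added example; the log, ACL, accounts
and breach window are constructed, not taken from any real incident."""
from datetime import datetime, timezone

# Constructed access log: ISO timestamp, account, action, resource path.
ACCESS_LOG = """\
2024-03-01T22:14:05Z,jsmith,READ,/srv/finance/payroll.xlsx
2024-03-01T23:02:41Z,svc-backup,READ,/srv/finance
2024-03-02T01:17:09Z,vendor-msp,WRITE,/srv/finance/payroll.xlsx
2024-03-02T01:19:33Z,vendor-msp,READ,/srv/hr/employees.csv
2024-03-02T02:30:15Z,tmp-contractor,READ,/srv/finance/budget.xlsx
2024-03-02T03:45:00Z,adm-legacy,READ,/srv/hr
2024-03-03T09:00:12Z,jsmith,READ,/srv/finance/budget.xlsx
"""

# Constructed: the window forensics established for the intrusion.
BREACH_START = datetime(2024, 3, 2, 0, 0, tzinfo=timezone.utc)
BREACH_END = datetime(2024, 3, 2, 6, 0, tzinfo=timezone.utc)

# Constructed current state: who can reach each share today, and what
# kind of principal each account is.
CURRENT_ACL = {
    "/srv/finance": {"jsmith", "svc-backup", "vendor-msp"},
    "/srv/hr": {"hr-team", "adm-legacy"},
}
ACCOUNTS = {
    "jsmith": "employee",
    "svc-backup": "service",
    "vendor-msp": "third_party",
    "adm-legacy": "former_admin",
}


def parse_log(text):
    """Parse the comma-separated log into dicts with an aware datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, resource = line.split(",", 3)
        # fromisoformat only accepts a trailing "Z" from Python 3.11 on.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append({"time": when, "account": account,
                        "action": action, "resource": resource})
    return entries


def share_of(resource, acl):
    """Map a path to the share whose ACL governs it (longest prefix wins)."""
    matches = [s for s in acl if resource == s or resource.startswith(s + "/")]
    return max(matches, key=len) if matches else None


def review(entries, start, end, acl, accounts):
    """For each account active in the breach window: what it touched,
    where it still holds access, and a recommendation for the access owner."""
    touched = {}
    for e in entries:
        if start <= e["time"] <= end:
            touched.setdefault(e["account"], set()).add(e["resource"])
    findings = []
    for account, resources in sorted(touched.items()):
        shares = {share_of(r, acl) for r in resources} - {None}
        still = sorted(s for s in shares if account in acl[s])
        kind = accounts.get(account, "unknown")
        if not still:
            rec = "already revoked; preserve the account for forensics, do not delete"
        elif kind in ("third_party", "former_admin", "unknown"):
            rec = "revoke now; re-grant only after the access owner re-approves"
        else:
            rec = "confirm with the access owner that this access is still required"
        findings.append({"account": account, "type": kind,
                         "resources": sorted(resources),
                         "still_has_access": still, "recommendation": rec})
    return findings


if __name__ == "__main__":
    for f in review(parse_log(ACCESS_LOG), BREACH_START, BREACH_END,
                    CURRENT_ACL, ACCOUNTS):
        print(f"{f['account']} ({f['type']}): touched {f['resources']}, "
              f"still on {f['still_has_access']} -> {f['recommendation']}")
```

Note that an account with no remaining access is still reported: it belongs in the forensic record and in the list of who must be notified, and deleting it would destroy evidence.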
3. Begin recovery efforts by restoring to an offline, sandbox environment that allows teams to identify and eradicate malware infections.
I’ve recommended tiered security architectures and “data bunkers” (isolated, immutable copies of your data) on a few occasions. This approach lets you retain and protect large amounts of data and have a known-good copy available immediately. Restore that copy into an isolated sandbox first, so forensics and anti-malware teams can scan it and confirm it is clean before it is connected to production; otherwise you risk restoring the attacker’s persistence along with your data.
As you begin to restore, check your network segmentation. When you set up your network, you likely segmented it so that a breach on one server or in one site couldn’t spread to another server or site. Work with your forensics experts to analyze whether your segmentation actually contained the breach. If it didn’t, fix the segmentation now, before restored systems are reconnected.
4. Communicate consistently and continually to keep the business informed of the progress of recovery efforts.
Create a comprehensive plan that reaches all affected audiences—employees, customers, investors, business partners, and other stakeholders. Don’t make misleading statements about the breach. It’s helpful to anticipate questions that people will ask. Address top-tier questions and provide clear plain-language answers. This can help limit customers’ concerns and frustration, saving your company time and money later.
Also, don’t publicly share information that might put consumers or the company at further risk.
Download “10 Questions to Ask Your Security Team” for help with mapping out response and communication plans.
5. Investigate the service provider angle.
Were any service providers, partners, or suppliers involved in the breach? Examine what personal information they may be able to access and decide if you need to change their access privileges. Now is a good time to ensure your service providers are taking the necessary steps themselves to prevent another breach. If your service providers say they have remedied vulnerabilities, ask for verification this has occurred.
Be Ready for Action and Recovery with Pure Storage®
Knowing the challenges you’ll face first and the immediate steps you can take after an attack’s early stages can help to minimize loss, cost, and risk. Pure can help you take swift action at the “after” stage by:
- Driving the industry’s fastest rapid recovery rates of backed up data (petabytes per day)
- Supporting fast forensics recovery processes via instant, space-saving snapshots
For more information and guidance, check out these two helpful resources:
- The “Hacker’s Guide to Ransomware Mitigation and Recovery,” written by me and Hector Monsegur, a former black hat and member of the LulzSec and Anonymous hacking collectives
- “10 Questions to Ask Your CISO” Download
Revisit part one for the “before” of an attack and part two for the “during” of an attack.