Let’s be frank: the worst-case scenario for a ransomware attack is that your business won’t recover and has to close shop. And it’s happened—many, like Lincoln College, simply can’t afford the associated costs of an attack and have to fold.
Is this avoidable? As the Benjamin Franklin saying goes, “If you fail to plan, you are planning to fail.” With the right plan and technologies in place, it is avoidable. That means mapping out every possible scenario (called tabletop exercises), assembling a response team, and having the right infrastructure in place.
As you’re mapping out those scenarios with your team, start with the worst-case scenario. Because if you’re ready for that, you’re ready for anything.
Worst Case Scenario for a Successful Ransomware Attack
- The attacker sends malware into your system and gains access to your data.
One of the most common ways a ransomware attacker gets access into your system is by buying credentials from an initial access broker on the dark web. Once inside, the attacker typically stays in the environment for some time to plant backdoors that allow for access retention. They then plant malware in the system, which usually runs undetected in the background for a period of time until the attacker decides to get the party started.
At this point, the attacker uses a command and control server to “call into” the environment to start the actual “encryption,” which is really just a copy-and-paste operation in which pre-encrypted files get moved from a volume shadow store into the place of good files.
The first sign that an organization has been attacked usually occurs when a user attempts to open an encrypted file. They can’t get in, or they get a message from the attacker saying the data has been compromised and requesting that ransom be paid. Another first sign might be a storage array that gets filled up with incompressible, encrypted data.
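The “array filling up with incompressible, encrypted data” signal above can be checked for directly. The following is an added example, not code from the original post or from Pure Storage: it scores data by Shannon entropy and zlib compressibility, the two properties that distinguish ciphertext from ordinary files. The thresholds and the sample blobs are constructed assumptions for the illustration.

```python
import hashlib
import math
import zlib

# Thresholds are assumptions for this illustration, not values from the article.
ENTROPY_THRESHOLD = 7.5          # bits per byte; encrypted data approaches 8.0
COMPRESS_RATIO_THRESHOLD = 0.95  # compressed size / original size; ciphertext barely shrinks

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def compression_ratio(data: bytes) -> float:
    """How much zlib can shrink the data; values near or above 1.0 mean incompressible."""
    return len(zlib.compress(data, 6)) / len(data) if data else 0.0

def looks_encrypted(data: bytes) -> bool:
    """Flag data that is both high-entropy and incompressible. Note the false-positive class:
    legitimately compressed files (zip, jpeg, video) score the same way, so compare against
    a baseline of what normally lives on the volume rather than alerting on single files."""
    return (shannon_entropy(data) >= ENTROPY_THRESHOLD
            and compression_ratio(data) >= COMPRESS_RATIO_THRESHOLD)

def scan(samples: dict) -> list:
    """Names of samples that look encrypted; run over blocks sampled from a volume."""
    return [name for name, blob in samples.items() if looks_encrypted(blob)]

def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (no encryption performed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed samples: a text-like document versus ciphertext-like bytes.
TEXT_SAMPLE = b"Quarterly invoice summary: customer, amount, due date\n" * 40
CIPHERTEXT_SAMPLE = pseudo_random(4096)

if __name__ == "__main__":
    for name, blob in {"report.txt": TEXT_SAMPLE, "report.txt.locked": CIPHERTEXT_SAMPLE}.items():
        print(f"{name}: entropy={shannon_entropy(blob):.2f} "
              f"ratio={compression_ratio(blob):.2f} suspicious={looks_encrypted(blob)}")
```

In practice the useful signal is the trend, not one file: a volume whose sampled blocks shift from mostly compressible to mostly incompressible over minutes is the storage-side symptom the paragraph describes.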
- The malware infects or deletes Active Directory.
Active Directory (AD) is a top target for attackers because it forms the foundation of most organizations’ accounts and data assets. If AD is infected, you’ve lost complete control of your IT infrastructure. When an attacker has domain admin privileges, they can go anywhere and do anything within your system.
- Your Domain Name System (DNS) gets corrupted.
Ransomware can result in DNS spoofing, cache poisoning, or hijacking. All of these attacks essentially mean you won’t be able to get to the websites you want, and you could be redirected to a malicious site. While spoofing and hijacking require a physical takeover of the DNS settings, cache poisoning can be done by inserting a false DNS entry into the DNS cache, which will send users to an alternate IP location. Some ransomware attackers are also beginning to use DNS tunneling instead of HTTP for data exfiltration, which is fairly simple for attackers to do but difficult for security programs to detect.
- The attacker messes with your system’s time services.
Your systems’ time services are critical to many IT operations: backups and other jobs are scheduled as recurring tasks and run automatically behind the scenes. If the network’s time or date gets changed, it could lead to a frustrating ripple effect of issues. Automated billing systems could wreak havoc by sending invoices too early or too late, backups could be missed, appointments could be missed or deleted, and so on. This attack would also render all Kerberos tickets in your environment invalid, creating major connectivity issues and essentially breaking or taking down all of your applications. It would also mess with your logs and make it very difficult (if not impossible) to correlate events across systems.
- Your backups don’t work.
While this issue isn’t necessarily due to the actual ransomware attack, it could greatly exacerbate your troubles if your backups turn out to be destroyed, corrupted, or lost during a ransomware attack (we’re talking worst-case scenario, remember). Tapes and drives go bad over time, so testing them regularly is a crucial part of staying prepared for the worst. They should be checked to make sure they bring up the right data and are up to date. Also, ensure that people who have left the company are removed from access lists and that the right people know where the backups are and what to do with them.
To head off any issues with backup malfunctions, some enterprises are moving to more resilient snapshot-based architectures for recovery. Testing backups also helps ensure you have the “right” data backed up and that you’re not missing anything critical. SafeMode™ snapshots can be the most effective tool to help you mitigate the effects of ransomware before, during, and after an attack, especially when implemented as part of a broader Pure resiliency architecture.
- All of your arrays become off-limits as evidence for forensic investigations.
This means even if your backups work and you can restore your data, you have nowhere to restore it to for the sake of getting operations back online. Without clean arrays, you simply have no chance of getting things going again and no way to use them to figure out what went wrong and why.
- Your incident response firm doesn’t come through.
Choosing the right incident response (IR) team is also a critical part of your preparation strategy. There are many options out there today and it’s important to vet your choice, have it on retainer, and validate it with your insurance company. Just like you should test your backups, you should also test your IR provider—either with theoretical “what-if” scenarios, tabletop exercises, or full-blown simulated attack response.
- Your reputation could suffer in the press.
Your organization’s reputation is a valuable asset. While ransomware attacks are increasingly common, your customers still want to know you’re doing everything you can to protect their data and interests even if you’re under attack. Part of planning ahead is deciding how you will handle communication around an incident. Whether you hire a PR firm or have an in-house team to jump on crisis management and messaging, you should know beforehand at least generally how you will respond—in social media, on your website, in the press, etc.
- The legal ramifications are too costly to survive.
When ransomware hits, there are multiple legal implications to consider. In many cases, it could be illegal to pay the ransom if attackers are located in certain regions of the world. You’ll also need to decide whether you’re going to try to handle the incident in-house or hire an incident response or third-party legal firm for assistance. And once word of the attack is out, you could also face an onslaught of lawsuits from your customers.
One way to protect your organization from customer lawsuits is to ensure that your security logs are well-protected – so when you get sued, you can reproduce the incident and/or demonstrate the controls that were in place at the time of the event.
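Logs can only reproduce an incident if you can prove they were not rewritten after the fact. The following is an added example, not code from the original post or from Pure Storage: each record carries an HMAC link to the record before it, so altering, deleting, or inserting an entry is detectable at verification time. The signing key and the sample events are constructed for the demo, and the example assumes the key is kept off the logging host.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: this key is held off the logging host (vault or HSM), so an attacker who owns the
# host can rewrite files but cannot recompute valid chain links. Constructed value for the demo.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64

def _link(prev_hash: str, entry: Dict) -> str:
    # Canonical JSON so the same record always hashes identically, keyed with HMAC-SHA256.
    payload = prev_hash.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def append_entry(chain: List[Dict], entry: Dict) -> Dict:
    """Append a record that commits to every record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": dict(entry), "prev": prev, "hash": _link(prev, entry)}
    chain.append(record)
    return record

def verify_chain(chain: List[Dict]) -> int:
    """Return -1 if intact, else the index of the first altered record or broken link."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], _link(prev, rec["entry"])):
            return i
        prev = rec["hash"]
    return -1

# Constructed sample events in the shape of an authentication log (not real data).
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T02:10:11Z", "host": "dc01", "event": "logon", "user": "svc_backup"},
    {"ts": "2023-05-01T02:10:40Z", "host": "dc01", "event": "group_change", "user": "svc_backup",
     "group": "Domain Admins"},
    {"ts": "2023-05-01T02:12:03Z", "host": "fs02", "event": "file_write_burst", "count": 18231},
]

def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev)
    return chain

def tampered_chain() -> List[Dict]:
    """Simulate an after-the-fact edit of the privilege-change record."""
    chain = build_sample_chain()
    chain[1]["entry"]["group"] = "Backup Operators"
    return chain
```

Calling `verify_chain(build_sample_chain())` returns -1 (intact), while `verify_chain(tampered_chain())` returns 1, pointing at the edited record; shipping the chain head hash to a second system periodically turns this into an external anchor that also catches truncation of the log tail.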
Prepare for the Worst with Confidence
If the worst-case scenario happens and all these factors converge to create a “perfect storm” of catastrophe, you’ll be hard-pressed to manage it all correctly or effectively when things get hairy. The bottom line is that preparation will serve you well. No one is guaranteed to be safe from a ransomware attack in today’s security climate, but having an emergency response team and plan ready just might keep you from going down completely—which can require an expensive, time-consuming manual rebuild process.
Make Pure Storage Part of Your Ransomware Strategy
Offered as an add-on service to Evergreen//One, Pure’s new ransomware recovery SLA guarantees:
- Next business day shipping of clean recovery array(s)*
- 48 hours to finalize a recovery plan
- 8 TiB/hour data transfer rate
- Bundled services, including technical services engineering to finalize the recovery plan and an onsite professional services engineer from time of array arrival through replacement of infected array(s)
[*If shipping to North America, Europe, or the UK. For Asia-Pacific, it will be 48 hours.]
You can also use Pure Storage FlashBlade and FlashArray to support security analytics with applications such as Splunk and Elastic – which can help strengthen your layered security approach with deep visibility into system actions and events that could create vulnerabilities or lead to a data breach.