Recovering from Ransomware
Ransomware is clearly a topic that is at the forefront of many businesses' and IT professionals' concerns. It seems that every week (if not almost every day) there is a new story in the global news about another attack on a prominent organization. Protecting ourselves from this threat and its potentially disastrous consequences has become a necessity. With that in mind, it is important to understand what can be done both to shield ourselves from infection initially and to recover from the virus as quickly as possible should it gain access to any systems.
In order to effectively protect information and data it’s important to understand a little about what ransomware is, as well as what it does that makes it pose such a high level of risk to organizations everywhere.
CryptoLocker, CTB-Locker, CryptoWall, Locky – to name but a few…
These malicious pieces of software are designed to gain access to data and files and encrypt them using a generated public-private key pair: the public key encrypts the victim's files, while the private key needed to decrypt them is usually held on the attacker's server until the ransom is paid. Without that private key the data cannot be decrypted. Unfortunately, in many cases even once the ransom has been paid the attackers fail to provide the decryption key, leaving victims without their money or their files.
While ransomware has been around for many years, the more recent advancements in encryption technologies, coupled with the ease with which hackers can conceal their identities, have resulted in an increase in the number of them adopting this strategy.
The current wave of ransomware threats began in late 2013 with the emergence of what is probably the most well-known family of ransomware, CryptoLocker. Although the original CryptoLocker Trojan has been shut down, imitations of it are circulating while at the same time many other families of ransomware have since sprung up, the most prolific being CTB-Locker, CryptoWall, TorrentLocker and more recently, Locky and TeslaCrypt. Regardless of the name, they all aim to do the same thing – extort money from victims in return for decrypting their data and files.
These types of attack pose a considerable danger for several reasons:
- They use very clever and evasive techniques to circumvent security software. This often results in the creation of "Zero-Day Malware", meaning the Trojan will be unknown to security experts and so will not yet have been identified as a risk by any security software.
- Security experts consider encrypted data to be unrecoverable. As many victims also report that the decryption key is not provided even if the ransom has been paid, it is not recommended to give in to the hacker’s demands.
- Through the use of the Tor network and virtual currencies such as Bitcoin, hackers are largely untraceable by security agencies.
- The attacks are directed for the most part at users in more affluent countries: in 2015, 50% of all CTB-Locker attacks detected were in the US and 35% in Europe.
- The use of the Tor network has also enabled cybercriminals to begin offering Ransomware-as-a-Service (RaaS) models, meaning more inexperienced cybercriminals will be able to leverage these attacks as well.
- Cybercriminals are also becoming more corporate focused as they understand that businesses rely on their critical systems to survive and so consider them more likely to pay – and pay a significantly higher amount – to have their data decrypted.
Protecting Ourselves from Ransomware Infection
As cybercriminals leverage more and more intelligent methods of attack, the need for data protection becomes ever-more crucial.
In an ideal world it's always best to prevent the virus from entering the network in the first place, and there are several actions that can help. Ransomware viruses can gain entry in numerous ways, be it through web browser sessions, emails and their attachments, files on USB devices or any other device that might be used as part of a BYOD policy. All of these are potential sources of infection, and the infection might come not just from ordinary users but from the IT department itself or from visiting customers.
By securing entry points into the network, the risk of infection can be reduced in the first place. Simple methods such as filtering web traffic, scanning email attachments and ensuring they pass through a quarantine process, segregating BYOD networks and blocking web access on VMs should all be considered 'Best Practice'.
User education is also key, as most viruses gain initial access to systems through means designed to take advantage of the human element, be it official-seeming phishing scams, innocent-looking torrent files or inadvertent accessing of an infected website. Training users to understand the dangers and recognize what should and shouldn’t be accessed is vital to preventing that initial infection.
Human error can and does happen though, so ensuring that suitable Anti-Virus and security software is in place, and that it is kept up to date, is also crucial. It could perhaps be argued that if the users know what they are doing there is no need for Anti-Virus software, but in an environment where there is no direct control over the knowledge of individual users or guests, having this extra layer of security is a must.
It's also worth auditing file shares and restricting unnecessary users: don't give people access to data they don't need. Restrict write and edit permissions on individual files, particularly where legacy data is concerned. Also ensure there are firewall policies between different servers and components, locking down access to only the ports that the application requires.
It Can Still Happen! Zero-Day Malware Exploits
Despite best efforts, the crypto-viruses being created are often completely new to security experts (defined as "Zero-Day Malware") and as such can bypass any security systems that may be in place. A large number of ransomware infections happen to people who have followed some or all of the above practices; in such cases a plan and process are necessary to enable recovery from the infection.
This means there is a need to protect the data in the first place, to respond to the infection should it happen, and finally to recover from that infection if it does happen. Paying the ransom is never recommended, as there is no guarantee that the decryption key will be provided; the capabilities should be in place so that this option never even needs consideration.
Ransomware Removal using Zerto Virtual Replication
Sometimes it’s necessary to accept that prevention isn’t always possible, but mitigating the threat certainly is.
Once an organization becomes the unfortunate victim of a ransomware attack, the files are locked down, and the last backup might have been from last night, last week, or maybe last month. How much data can the company stand to lose? What is the cost to the business going to be? How will the public perceive the inability to counter this threat? What happens when all public-facing services are down while the IT department is trying to fix the problem? How much time is it going to take to get back up and running?
Traditional data protection solutions may offer a certain degree of assurance but there is still an inevitable amount of data loss and downtime that can have a significant cost to the business.
Backup solutions typically have large windows between available recovery points, usually 24 hours or more, resulting in a significant amount of data loss and a good deal of time needing to be spent on actually recovering the data in a consistent and usable state.
It may be that instead of, or in addition to, a backup solution, a form of snapshot-based replication will be running. Even then it's unlikely that the data can be replicated any more frequently than every 4 hours or more, still an undesirable amount of information to lose. Plus, of course, there's still the need to consider the ease with which all the systems and applications can be recovered.
Of course this doesn't just apply in the instance of a ransomware virus attack: any power interruption or hardware failure, file deletion, application or human error can have a similar impact and requires the same considerations when planning for these incidents.
With Zerto Virtual Replication, though, systems are protected with Continuous Data Protection in the form of incremental block-level replication, which, combined with the Journal, Virtual Protection Groups and Enterprise-Class scalability, gives the ability to:
- Re-wind sites, applications, VMs and now, with v4.5, individual files to any point in time within up to 14 days, with recovery points only seconds apart.
- Recover all critical systems and applications with consistency in the space of a few minutes with only a few clicks of the button – Click Failover -> Select Apps -> Verify -> Start Failover.
- Test recovery data in an isolated bubble network to ensure that the recovery point selected is free from any form of infection before committing the failover.
So how exactly would an organization recover from a ransomware attack using Zerto Virtual Replication? Assume at this point that the infection is recognized, and any devices or portions of the network that have been exposed have been segregated, and the recovery process is ready to start.
Firstly, click Test Failover. ZVR will bring the recovered VMs up in an isolated bubble network, providing the ability to test and verify that the point-in-time selected to recover to is completely free of any trace of the infection before committing to it.
Next, select the VMs to recover, choose the point-in-time from the Journal to recover from and click Start Failover Test.
Now Zerto is going to create the recovery VMs and attach them to the isolated network. This gives access to the VMs in the console inventory, so it is possible to log in, check the files and services, and validate the point-in-time selected to recover to.
Once the recovery point is confirmed, simply stop the test in the ZVM and add any notes about it. Zerto will delete that test environment so the Live Failover can now be run at the point-in-time verified as free from infection.
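As an added illustration of the validation step (example code written for this page, not Zerto's own code or a feature of ZVR), here is a Python check that could be run against a file tree exported from a VM booted in the test bubble network, to help confirm that the chosen point-in-time predates the encryption. It flags files whose bytes look near-random but whose extension does not explain it; the sample directory tree, the entropy threshold and the list of legitimately high-entropy extensions are all assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed list of formats that are compressed/encrypted by design and so
# legitimately show high entropy; tune to the environment being validated.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and random data approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root, threshold=ENTROPY_THRESHOLD, sample=65536):
    """Walk `root` and return relative paths of files that look encrypted but should not.

    Only the first `sample` bytes of each file are read, and files shorter than
    256 bytes are skipped because their entropy estimate is unreliable.
    """
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in KNOWN_HIGH_ENTROPY:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample)
        if len(head) >= 256 and shannon_entropy(head) >= threshold:
            hits.append(path.relative_to(root).as_posix())
    return hits


def build_sample_tree():
    """Constructed sample data standing in for files exposed from a test-failover VM."""
    root = tempfile.mkdtemp(prefix="pit-check-")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "report.txt").write_bytes(b"Quarterly report, section 1.\n" * 40)  # plain text
    (docs / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # mimics an encrypted file
    (docs / "archive.zip").write_bytes(os.urandom(4096))  # compressed by design, skipped
    return root


if __name__ == "__main__":
    print(suspicious_files(build_sample_tree()))
```

A clean result from a point-in-time does not prove the absence of dormant malware, so the file check complements, rather than replaces, logging in and checking services as described above.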
It really is that simple.