Tales of Dealing with Ransomware Attacks


I have just come across a ransomware survey report released in June by Keeper Security, and it left me dumbfounded. It shows that roughly half of the companies hit by a ransomware attack paid the ransom, and about another quarter declined to say whether they had paid or not. A big part of the reason is that people do not keep proper, usable backups.

The backups, applications, and configurations – including all of the technology the business needs to run – all need to be kept safe from malware and ransomware. Remember that the backups also need to be well tested.


According to a survey by Veritas released in the fall of last year, only about forty percent of companies keep three or more copies of their data, including one stored off-site. Keeping backups away from the production environment is critical when you need them to recover from ransomware attacks and natural disasters.

Backups must be Isolated

I have seen a few of my clients in the past – when I was working in cybersecurity – keep backups on-premise along with some stored in the cloud. In a theoretically perfect world, they share information with all trusted users to make sure the backups are reasonably up to date. I have had a case where a client encrypted a backup, placed it in the cloud, then accidentally overwrote the local copy. That disrupted a few things for them for a few days.

Some cloud backup providers include versioning tools with their backup services at no added charge – which I recommend using whenever possible. Examples are Google Docs, Office 365, and iDrive by Apple. They keep all previous versions of documents and files instead of overwriting them. So, let's say you get hit by a ransomware attack, and the files you need to restore were backed up to those services in their encrypted form. The latest backup, created at the start or end of the week – meaning on a Friday, Saturday, or Sunday – is corrupted. One might say you are totally screwed. Well, you aren't. These services keep copies of all backups, and the one from a week earlier is still good.

Backup technology that offers version control means there is little or no data loss when a ransomware attack hits. You just go back to the last known-good version of the files from before the attack.

Keep Multiple Backups

Another case I had to handle shows an issue common to a lot of companies: they usually don't have the storage space or capability to keep backups for a long period of time. This company only had three days of backups. The first two had been overwritten and/or corrupted. The last one saved the company a lot of money and time. Yet if the ransomware attack had hit over a long holiday weekend, all of the backups would have been useless.

I highly recommend that companies keep different types of backups, such as full backups on one schedule combined with incremental backups on a more frequent schedule.

Backup Everything that needs to be Backed Up

This is one of my favorite client cases. The IT manager had about four servers and fifty people in the company in total. Everything needed to operate the business was backed up – this included all files on the employees' PCs and three of the four servers. Yes, you read that right: one server was not backed up because he forgot to add it to the backup routine.

The ransom was small compared to what is being demanded now. If I remember correctly, the ransom asked for – in Bitcoin, as you might guess – was about $300 in total, far smaller than the amounts demanded in today's ransomware attacks. He ended up paying the ransom, then used the decryption key only on that one server that wasn't backed up. He was smart not to trust the integrity of the restored system: you should assume those files were compromised or dirty. Now everything is completely covered by the backup system he has set up.

Now, the sad part is that larger corporations have a really hard time telling whether everything that needs to be backed up actually is. The survey estimates that companies could not recover about twenty percent of their data if they were to lose it.

Not every system and computer can be found to make sure it is part of the backup routine – meaning a few employees' computers or devices could be forgotten by mistake. I highly recommend that large companies do a thorough survey of all their systems and assets. They should even contact department leaders to find out which systems and assets are mission-critical to back up in the event of data loss.
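The three lessons above (the forgotten server, the three-day retention window that would not survive a long weekend, and backups kept next to production) can be turned into a routine audit. The script below is an added example, not code from the original post; the asset names and backup jobs are constructed sample data, and the retention model (copies kept multiplied by the interval between runs) is an assumption.

```python
"""Backup coverage and retention audit (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupJob:
    asset: str            # system this job protects
    kind: str             # "full" or "incremental"
    retained_copies: int  # restore points kept before the oldest is overwritten
    interval_days: int    # days between runs
    offsite: bool         # copy stored away from the production environment


# Constructed inventory; hostnames are placeholders, not real systems.
ASSETS = ["file-srv-01", "db-srv-01", "app-srv-01", "mail-srv-01", "pc-fleet"]

JOBS = [
    BackupJob("file-srv-01", "full", 4, 7, True),
    BackupJob("file-srv-01", "incremental", 14, 1, False),
    BackupJob("db-srv-01", "full", 3, 1, False),   # three daily copies, none off-site
    BackupJob("app-srv-01", "full", 4, 7, True),
    BackupJob("pc-fleet", "incremental", 30, 1, True),
    # mail-srv-01 was never added to the routine (the forgotten server)
]


def audit(assets, jobs, outage_days=4):
    """Report assets with no job, with too short a retention window to outlast
    an attack that runs unnoticed for `outage_days`, and with no off-site copy."""
    by_asset = {}
    for job in jobs:
        by_asset.setdefault(job.asset, []).append(job)

    unbacked = sorted(a for a in assets if a not in by_asset)
    short_retention, no_offsite = [], []
    for asset in sorted(by_asset):
        asset_jobs = by_asset[asset]
        # Oldest restore point any job still keeps, in days (assumed model).
        window = max(j.retained_copies * j.interval_days for j in asset_jobs)
        # If every copy is younger than the outage, all of them post-date the attack.
        if window <= outage_days:
            short_retention.append((asset, window))
        if not any(j.offsite for j in asset_jobs):
            no_offsite.append(asset)
    return {"unbacked": unbacked, "short_retention": short_retention,
            "no_offsite": no_offsite}


if __name__ == "__main__":
    for finding, items in audit(ASSETS, JOBS).items():
        print(f"{finding}: {items}")
```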