Defeating Ransomware without Tears

If you turned on the news or read anything on the web last week, you're keenly aware of the ransomware known as WannaCry. By the numbers, it is by far the most pervasive ransomware strain to date: 150 countries, over 200K infections, and encryption of nearly 200 file types. Its use of the NSA-developed EternalBlue exploit (against the SMBv1 flaw Microsoft patched in MS17-010) made WannaCry even more dangerous, because the exploit let it move laterally from one unpatched machine to the next within a network with no user interaction at all.

And while the ransom was light in comparison to other ransomware variants hitting organizations, its model of an escalating ransom ($300 at first, $600 after 3 days, and no decryption possible after 7 days) over a short period of time created exactly the urgency its designers wanted.

Why Ransomware Hurts

The threat of ransomware is the organization's inability to access its data and/or endpoints. In the case of WannaCry, that meant data on potentially many workstations and servers within a given organization. Add the loss of productivity and the IT work necessary to rectify the situation, and the cost of a ransomware attack quickly rises well above $300.

According to a recent survey from phishing-testing vendor KnowBe4, the average ransom is much higher than WannaCry's: it ranges from 3 to 5 bitcoins (well above $6,000), and it takes IT an average of 12 hours to clean up affected machines and data and bring order to the chaos.

But does ransomware even need to hurt?

Because the pain of ransomware is the lack of access to data and systems that are critical to keep the business moving, the answer lies in determining how quickly and cost-effectively you can get things back to a state of normalcy.

So, you have two options:

Pay the ransom

To some organizations, $300 is an insignificant price to pay to get the incident over and done with. But, as previously stated, most ransomware demands a much higher ransom, and paying it does not guarantee that a working decryption key ever arrives. Additionally, you should not trust a criminal to honorably remove all traces of the ransomware, exploit kit, and/or Trojan used. So IT is still going to want to reimage or reinstall any compromised endpoints, which means the ransom buys you very little.

Recover your endpoints and data

This is the least painful option, as it's a matter of simply recovering and overwriting the affected data and endpoints. Think about it: 1,000 files are encrypted? OK. Just overwrite them with unaltered versions from the last backup. Endpoint infected? Restore a backup image taken prior to the infection and you're in good shape. Two caveats apply. First, the backup must be out of the ransomware's reach: WannaCry encrypts files on any mapped network share it can write to and deletes the local Volume Shadow Copies, so a writable backup share or shadow copies alone are not a backup. Second, an image restored before the vulnerability is closed (MS17-010 for WannaCry) will simply be reinfected by the next compromised machine on the network, so patch, or at least block SMB from the untrusted segment, before reconnecting.

Making Ransomware Tear-Free

What makes backup-as-your-ransomware-incident-response-strategy fail is organizations not preparing for it in the first place. So what's necessary is to proactively have a 3-step plan in place that identifies both the data sets and the critical endpoints that need to be protected, and spells out how to recover from an infection.

  1. Identify critical data and endpoints to be protected – this includes data on workstations and servers, as well as the client machines of high-profile users who cannot work without them.
  2. Establish recovery objectives – The recovery time objective (RTO, how long a restore may take) and recovery point objective (RPO, how much recent data you can afford to lose) define what type of backup is necessary (e.g. file-level vs. image) and how often backups should run.
  3. Plan your incident response – The response plan should include detection/notification of infection, isolation of any affected endpoints (and of the backup repository from them), and recovery of the compromised data/endpoints within the established recovery objectives. Only backups taken before the first sign of infection should be trusted; a backup job that ran afterward may have faithfully copied the encrypted files.

Ransomware, even a variant as sophisticated as WannaCry, doesn't need to be a painful experience. Annoying and disruptive? Sure. But not painful. With a tested recovery plan in place that protects both data and endpoints, surviving a ransomware attack will be a fast, cost-effective, and tear-free process.