How to recover from ransomware

Post on 15-Apr-2017

How to recover from ransomware

2:00pm

29th September 2016

www.databarracks.com

INTRO & AGENDA

Duration: 30 mins (including Q&A)

Type questions on the right

• What it is and how it works – How ransomware works and why it is breaching organisational defences.
• Prevention & mitigation – Methods; the incident and crisis management & escalation process
• Recovery – A step-by-step guide to recovery

*Slides will be made available and sent out following this session

THE BCPCAST

http://www.thebcpcast.com/

WHAT IS RANSOMWARE AND HOW DOES IT WORK?

FACTS TO NOTE

• The encryption is, to all intents and purposes, unbreakable (free decryptors exist for a handful of strains with flawed implementations, but that cannot be planned on), so backup copies of the data are the only guarantee of limiting data loss
• There is a deadline for payment, which forces action: recovery or payment

WHO IS BEING TARGETED AND WHY IS IT SO SUCCESSFUL?

Who? Why?

HOW DOES RANSOMWARE WORK - BACKGROUND

Installation → Contact with command and control → Search → Encryption → Ransom

INCIDENT RESPONSE AND CRISIS MANAGEMENT ESCALATION

• Preparation – Creating a written policy and defining severity
• Identification – Identifying whether something is, or is not, an incident
• Containment – The steps to limit the spread of ransomware
• Eradication – Restoration of clean data from before the incident
• Recovery – Bringing the recovered systems back online
• Lessons learned – How do we improve?

HOW TO RECOVER

Backup vs Disaster recovery

HOW TO RECOVER

Improving the Recovery Point Objective (RPO):
• Increase the frequency of backups
• Review (and extend) retention policies

Improving the Recovery Time Objective (RTO):
• Optimise connection speed between target and recovery environment (general)
• Improve speed of finding the most recent clean backup

THE INCIDENT RESPONSE PLAN: STEP-BY-STEP RECOVERY

• Identification – IT is notified and confirms the ransomware infection
• Containment – Isolate the infected share / drive / server
• Eradication – Find the time of infection and test the first backup taken before it
• Recovery – Bring the share / drive / server back online. Test again, be vigilant
• Lessons learned – Review how the infection occurred, the data lost and the time taken to recover
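The identification and eradication steps above, confirming the infection and then dating it so that the right backup can be chosen, as a worked example. This is an added illustration and not code from the webinar or from Databarracks: it runs over constructed file records rather than a live share, and the ransom-note names, appended extensions, entropy threshold and "three encrypted files" rule are assumptions that a real deployment would replace with a maintained indicator list.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Indicator values are illustrative assumptions, not a vetted or current list.
RANSOM_NOTE_NAMES = {"HOW_TO_DECRYPT.txt", "README_FOR_DECRYPT.txt"}
ENCRYPTED_SUFFIXES = (".locked", ".encrypted", ".crypt")
# Formats that are compressed by design and so look like ciphertext to an entropy test.
NATURALLY_DENSE = (".zip", ".gz", ".7z", ".docx", ".xlsx", ".pptx", ".jpg", ".png", ".pdf")
ENTROPY_THRESHOLD = 7.5     # bits per byte; text, code and legacy Office files sit far lower
MIN_ENCRYPTED_FILES = 3     # one odd file is not evidence of ransomware; a batch is


@dataclass(frozen=True)
class FileRecord:
    path: str           # share-relative, forward slashes, first segment is the share name
    mtime: datetime     # last modification time
    head: bytes         # leading bytes of the file, enough for an entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; ciphertext and good compression approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def indicators(rec: FileRecord) -> list:
    """Ransomware indicators shown by one file (possibly none)."""
    name = rec.path.rsplit("/", 1)[-1]
    found = []
    if name in RANSOM_NOTE_NAMES:
        found.append("ransom-note")
    if name.lower().endswith(ENCRYPTED_SUFFIXES):
        found.append("renamed-extension")
    elif (not name.lower().endswith(NATURALLY_DENSE)
          and shannon_entropy(rec.head) >= ENTROPY_THRESHOLD):
        found.append("high-entropy")      # encrypted in place without a rename
    return found


def triage(records) -> dict:
    """Confirm or reject an infection and return what the responder needs next.

    infection_time is the earliest timestamp among the encrypted files and notes:
    a clean backup must predate it.  If the malware preserved timestamps this is
    only an upper bound, so the chosen backup still has to be scanned.
    isolate lists the shares to take offline.
    """
    notes, encrypted = [], []
    for rec in records:
        hits = indicators(rec)
        if "ransom-note" in hits:
            notes.append(rec)
        elif hits:
            encrypted.append(rec)
    if not notes and len(encrypted) < MIN_ENCRYPTED_FILES:
        return {"confirmed": False, "infection_time": None, "isolate": []}
    affected = encrypted + notes
    return {
        "confirmed": True,
        "infection_time": min(r.mtime for r in affected),
        "isolate": sorted({r.path.split("/", 1)[0] for r in affected}),
        "encrypted_count": len(encrypted),
    }


# --- constructed sample share (fabricated for the example, not real data) -------------
def _ciphertext_like(seed: str, blocks: int = 128) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted file content."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(blocks))


def _t(hour: int, minute: int) -> datetime:
    return datetime(2016, 9, 29, hour, minute, tzinfo=timezone.utc)


SAMPLE_SHARE = [
    FileRecord("finance/q3/budget.xlsx.locked", _t(13, 42), _ciphertext_like("a")),
    FileRecord("finance/q3/forecast.docx.locked", _t(13, 43), _ciphertext_like("b")),
    FileRecord("finance/HOW_TO_DECRYPT.txt", _t(13, 44), b"Your files have been encrypted.\n"),
    FileRecord("finance/q2/notes.txt", _t(13, 40), _ciphertext_like("c")),    # encrypted, not renamed
    FileRecord("hr/policies/handbook.docx", _t(9, 5), _ciphertext_like("d")),  # dense by nature, untouched
    FileRecord("hr/policies/leave.txt", _t(9, 10), b"Annual leave allowance is 25 days.\n" * 40),
]

if __name__ == "__main__":
    print(triage(SAMPLE_SHARE))
```

On the sample share the result is a confirmed infection on the `finance` share starting at 13:40, which is the in-place encrypted `notes.txt`, not the first renamed file; that is why the check does not rely on extensions alone. The `hr` share is left alone because the untouched `.docx` is excluded from the entropy test by format, the false positive a naive entropy scan produces on every archive and modern Office document.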

CYBER-DRaaS

1. Replication

2. Automated recovery

3. Detection

4. Reporting

5. Recursive scanning

HOW IT WORKS

Step 1 – Replication of servers to the disaster recovery service provider
Step 2 – Automated failover
Step 3 – Automated malware scan
Step 4 – Report status

RECURSIVE SCANNING – FASTEST TIME TO FIND MALWARE INSERTION
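The recursive scanning idea above, and the "improve speed of finding the most recent clean backup" point from the RTO slide, as an added worked example. It is not Databarracks' code or their scanning engine: each scan (mount a recovery point, run the malware scan) is the expensive step, so the chain of recovery points is bisected and a chain of n points costs about log2(n) scans instead of a walk back one point at a time. The snapshot chain and the `is_clean` predicate are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Snapshot:
    taken: datetime
    files: frozenset      # file names present in this recovery point


def find_last_clean(snapshots, is_clean):
    """Return (index of newest clean snapshot, number of scans run).

    snapshots is ordered oldest-first.  Assumes monotonicity: once a recovery
    point carries the malware every later one does too, which holds when nothing
    was cleaned between snapshots.  Returns index -1 if even the oldest point is
    infected.  The newest point is scanned first so that a chain that was never
    infected costs exactly one scan.
    """
    scans = 0

    def clean(i):
        nonlocal scans
        scans += 1
        return is_clean(snapshots[i])

    n = len(snapshots)
    if clean(n - 1):
        return n - 1, scans
    if n == 1 or not clean(0):
        return -1, scans
    lo, hi = 0, n - 1          # invariant: snapshots[lo] clean, snapshots[hi] infected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if clean(mid):
            lo = mid
        else:
            hi = mid
    return lo, scans


def find_last_clean_linear(snapshots, is_clean):
    """The naive approach for comparison: walk back one recovery point at a time."""
    scans = 0
    for i in range(len(snapshots) - 1, -1, -1):
        scans += 1
        if is_clean(snapshots[i]):
            return i, scans
    return -1, scans


# --- constructed chain: hourly recovery points, encryption lands between 05:00 and 06:00 ---
BASE = datetime(2016, 9, 29, tzinfo=timezone.utc)
CLEAN_FILES = frozenset({"budget.xlsx", "forecast.docx"})
ENCRYPTED_FILES = frozenset({"budget.xlsx.locked", "forecast.docx.locked", "HOW_TO_DECRYPT.txt"})
CHAIN = [Snapshot(BASE + timedelta(hours=h), CLEAN_FILES if h <= 5 else ENCRYPTED_FILES)
         for h in range(24)]


def is_clean(snap: Snapshot) -> bool:
    """Stand-in for the malware scan: no renamed files and no ransom note."""
    return not any(f.endswith(".locked") or f == "HOW_TO_DECRYPT.txt" for f in snap.files)


if __name__ == "__main__":
    idx, scans = find_last_clean(CHAIN, is_clean)
    print(f"newest clean recovery point: {CHAIN[idx].taken:%Y-%m-%d %H:%M} found in {scans} scans")
    _, linear_scans = find_last_clean_linear(CHAIN, is_clean)
    print(f"a linear walk back would have needed {linear_scans} scans")
```

For the 24 hourly points in the sample the bisection settles on the 05:00 point after 6 scans where the linear walk needs 19. Two caveats a responder should keep in mind: the bisection is only valid while the chain is monotone (infected stays infected), and the scan predicate should look for the malware itself, not just for encrypted files, because the dropper can sit on a system before it starts encrypting and the last unencrypted point is not necessarily free of it.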

HOW TO TEST?

Tabletop scenarios: Tutorial, SAN Failure, Cyber-Attack

http://www.databarracks.com/resources/tools/

IF YOU REMEMBER NOTHING ELSE!

1. Have a specific incident response plan for ransomware
2. Review backup schedules and retention policies
3. The only way to guarantee that you don't lose your data is with historic copies of your data in backup or DR

RESOURCES

• The Business Continuity Podcast – http://www.thebcpcast.com/
• Tabletop testing simulator – https://tools.databarracks.com/dr-tabletop-simulation/index.html
• History of ransomware – https://heimdalsecurity.com/blog/what-is-ransomware-protection/
• Ransomware definitions – http://www.trendmicro.com/vinfo/us/security/definition/ransomware
• SANS Institute, Incident Handler's Handbook – https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• CryptoLocker DGA – https://blog.fortinet.com/2014/01/16/a-closer-look-at-cryptolocker-s-dga

QUESTIONS?