Responding to and Recovering from a Ransomware Attack

Thanks to Dr. Jim Angle, Michael Roza, and Vince Campitelli

After learning what ransomware is, how to protect your organization against it, and how to detect it, it’s time to learn how to respond and recover if a ransomware attack occurs. In this blog, we’ll explain how to mitigate and contain a ransomware attack, as well as how to return to normal operations in a timely manner. To aid in our explanation, we’ll be referencing two of the functions from the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Respond

The goals of the response phase are mitigation and containment, which provide the ability to limit a destructive event’s effect on your organization. A response can involve stopping the execution of associated programs, disabling user accounts, isolating systems, and more. This is where your incident response plan comes into play.

Once your organization has been hit with a ransomware attack:

1. Determine which systems were impacted and immediately isolate them. If several systems or subnets appear affected, the network must be taken offline at the switch level.
2. Identify the source of the ransomware. Security personnel should look for alerts from all the tools and monitoring that is in place. Log files should be checked for any anomalies that can identify the source. Look for suspicious traffic and any increase in file renames on local and network file shares.
3. Identify the specific strain of ransomware. The options for dealing with the infection may change based on the strain infecting the systems.
4. Triage impacted systems for recovery and confirm the nature of data housed on impacted systems. Restoration and recovery should be prioritized based on a predefined critical asset list.
5. Start to remediate the systems. There are several possible solutions: 1) Restore from a clean backup. 2) If there isn’t a good backup available, you can accept the loss and try to recreate the data. 3) Pay the ransom and hope they provide the decryption key.
6. Before the systems are put back online, make sure they are free of any hidden malware that the attacker may have left. Also verify that the system is up to date with all patches and that all vulnerabilities have been remediated.

Recover

Your next consideration is how to recover from the ransomware attack. If data is stored in the cloud, both the on-site systems and the cloud-based system may have to be recovered. If the disaster recovery plan calls for restoring the data from the cloud, there are two possible scenarios if the cloud is infected. First, the backup plan uses immutable/WORM storage and data can be restored from the backup. Second, the backup just used replication to a geographically separated location. Unfortunately, if that is the case, it must be assumed that the cloud data is also infected.

The second scenario requires you to build out an Isolated Recovery Environment (IRE) to ensure the data is clean before putting it back in a production environment. Cleaning data and applications via the IRE involves several steps:

1. Restore the data into the IRE, where it is completely isolated.
2. Scan the restored data with conventional malware detection tools.
3. Start the application in the IRE, then scan with malware scanning tools based on AI/ML to look for anomalous activity.
4. Move the data into the production environment.

It must be remembered that disaster recovery is as essential in the cloud as it is for any other technology. Disaster recovery should be designed using a risk-based approach. While some of these options are costly, they may be necessary due to the criticality of the data.

To explore these concepts in more depth, check out the publication Ransomware in the Healthcare Cloud by CSA’s Health Information Management Working Group. Written specifically with healthcare delivery organizations in mind, this publication covers information that is also applicable to anyone interested in ransomware.