“The average downtime due to a ransomware attack is 21 days”
Malware is every company’s worst nightmare, and in 2021, cyberattacks are on the rise. We spoke with Bryan Patton, CISSP and Quest Strategic Systems Consultant, about ransomware, how to protect your team against it, what to do after an attack, and why we’ve seen a spike in ransomware.
JAXenter: Malware: It’s every company’s worst nightmare. When we talk about security, we often discuss ways to prevent malware and avoid cyberattacks, but what steps should companies take after they are affected? How does the recovery process begin?
Bryan Patton: There is a combination of things that organisations need to keep in mind. From an action standpoint, using a phased approach to restoring Active Directory (AD) is crucial. This will allow you to identify which applications are most critical for business operations, and you can start on restoring them first. Then determine which Domain Controllers (DCs) are essential for those applications. Often, the key domain controllers are the ones in the data center, rather than in remote offices. Once you have recovered them, the application teams, database teams and others can start their recovery process while the Active Directory team moves on to restoring less critical DCs.
It is also just as important to think about your plan of action. Have one person in charge and a clear delineation of responsibilities. Keeping everyone updated is key, and you should have a virtual war room where teams can come together, as well as a way for subgroups to collaborate and strategise, so you are making the best use of everyone’s time. It is easy to be caught up in a ransomware attack, but the moments afterwards are critical. It is also essential to make sure that your business plan is accessible and to store it in a location where you can access it even if you have been hit by the most severe ransomware attack you can imagine. Printing it out is a tried-and-true tactic; another option is to store it in separate cloud storage, such as Dropbox.
While you need a dedicated Active Directory recovery plan, don’t forget to consider the impact on things like your network, routers and switches. Also think about how your VPN concentrators are communicating with your directory. In addition, remember that you may want to enhance your servers with security hardening and endpoint detection and response software.
JAXenter: After the initial attack, what are some best practices to prevent malware re-infection and keep sensitive data safe?
Bryan Patton: Ransomware recovery is not just about speed. It’s equally important to ensure the job gets done right and you don’t get reinfected. Therefore, it’s important to have a recovery solution that helps you reduce risk by giving you the flexibility to choose the best way to restore each of your Domain Controllers. Ransomware has lots of places it can hide and reinfect the organisation, so it is important to take the time and understand where the weaknesses could be.
Scanning backups for malware is also a simple but very effective step. It allows organisations to implement the added safety of regularly checking files for viruses after the backup file is created, during storage when updates are added and before a restore is started.
You can’t restore from backup if your backups have been corrupted.
Today’s ransomware attacks now seek out and destroy any network-connected backups in order to maximise the chances that you’ll have to pay the ransom to restore your data. Therefore, it’s essential to not just make regular and trustworthy backups of your Active Directory, but to keep them in air-gapped storage. That means a place that they are offline — disconnected and inaccessible from the internet and internal networks as well.
JAXenter: What is ransomware and how can we best protect ourselves from it? What does it most affect and target?
Bryan Patton: There are many forms of ransomware, but in a nutshell, ransomware is malware that infects your networks and handcuffs the data your business needs to remain in operation. The ransomware encrypts files, and ensures the encrypted data remains inaccessible, until a ransom is paid. Typically, ransomware comes with some form of instructions on how to pay the ransom being demanded, often via difficult-to-trace cryptocurrencies like Bitcoin, which make it tougher to identify and prosecute perpetrators. Upon payment, ransomware perpetrators claim they will provide you with the decryption keys needed to restore critical data, although there’s no guarantee.
When it comes to the best line of defense, organisations must use an in-depth approach and realise that not one single strategy, tactic or tool will be enough to defend against modern attacks. But from a disaster recovery standpoint, you must plan for ransomware attacks and test your plan. Accordingly, it’s wise to have an automated solution and a documented plan that you test on a regular basis. Be sure the plan specifically covers recovering AD after a ransomware attack. Too many organisations make the mistake of focusing only on application recovery — your plan needs to assume that you will have no domain controllers to run any applications.
There are also lots of other quick wins beyond disaster recovery, such as using an antivirus software at all times, patching, implementing security products that block suspicious sites and educating and training users to avoid clicking on links and other traps.
When it comes to targets of ransomware, organisations of all stripes are suffering devastating ransomware attacks; a few of the highest profile ones include Colonial Pipeline, JBS and Kaseya. But the problem is not limited to corporations — SMBs, government agencies, school districts, healthcare providers and many other sectors have been hit hard as well.
JAXenter: What is the average downtime after a ransomware attack?
Bryan Patton: There are lots of reports that look at downtime and one of the most recent cited the average downtime due to a ransomware attack is 21 days. However, some customers report being down for much longer. It really depends on the time of attack, how much and what data is encrypted as well as how prepared the organisation is.
JAXenter: Is ransomware more of a threat than other types of malware and cyberattacks?
Bryan Patton: While there are many types of malware, including wiper viruses, trojans, keyloggers, worms and spyware, ransomware is more of a risk today because it is so pervasive and more likely to happen. It’s not a matter of “if”, but “when”. Every organisation needs to assume they will be breached and prepare for ransomware attacks.
JAXenter: Has there been a rise in cybersecurity attacks this year? If so, why do you think that is? What does the security landscape look like in 2021?
Bryan Patton: Yes, there has certainly been a significant rise. The IT world is a dangerous place today. Consider that 69% of organisations were compromised by ransomware in 2020. The threat is being taken seriously at the highest levels. White House officials have also sent letters to US businesses, urging them to “immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure [they] have the ability to continue or quickly restore operations.”
A reason for this rise could be that ransomware profitability keeps going up while the barrier for entry goes down. Consider that the average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. Ransomware will continue to be profitable and pervasive as long as companies continue to pay the ransom, encouraging more bad actors to enter the market.
So for 2021, it could be fair to say that the landscape is bleak. With Ransomware as a Service, organisations now not only have to worry about a sophisticated hacker, but also regular people being recruited to deploy ransomware. So in the past, many organisations were worried about highly sophisticated attackers, whereas now you also have to worry about employees in your own organisation. But with the geo-political climate as it is, we also may see an increase in nation-state attacks. You now need to consider who would be trying to access your data and whether the ransomware attack is simply a cover-up to raise questions or cause confusion about the attribution of the attack.
Whilst this may seem like a bleak outlook, the good news is that basic security hygiene can go a long way in terms of prevention. Recovery is one of the most lengthy, disruptive, and costly aspects of a ransomware attack, so organisations that put in place a solid recovery plan will be in a vastly better position to minimise the damage and cost of these attacks.