Texas Contractor

There is More to Ransomware Recovery Than Decrypting the Systems

by: Braden Daniels
You’re a well-rounded CIO, your staff is competent, you’ve invested as much as possible in security – but of course, the budget is never enough. You’ve done the research and you know the essentials for reducing the risk of ransomware:
  • Train the employees to recognize malicious emails and websites – Done
  • Apply security updates and patches quickly and thoroughly – Done
  • Tier your administrator accounts to limit access to devices as needed – In progress (That turned out to be a bigger work effort than expected.)
  • Implement Multi-factor Authentication (MFA) for remote access and SaaS applications – Stalled (The user community simply does not understand the risk and is convinced it will inhibit their ability to work.)
  • Build a firewall between your backups and the rest of your systems – Budgeted for next year

You know there are holes, but there’s a roadmap and budget. And, unlike most, you actually have a plan.

It’s Friday night. You’re just sitting down to dinner and finally relaxing. Meanwhile, your system administrator starts getting alerts that a server is going offline. It’s not a critical issue; they’ll address it after dinner. Another alert comes in, then another. Now there’s a problem. Your system administrator tries to connect remotely: “Authentication failed.” Panic sets in as they jump in their car and head to the data center. It’s too late. The message on all the screens reads, “All your files are encrypted.”

Your phone rings and you hear the words, “They got everything: servers, workstations, backups and, for good measure, they exfiltrated 2 TB of data from our system and say they’ll post it on the web.” The whirlwind begins. There’s insurance, lawyers, consultants, investigators, negotiators. You pay the ransom, get the decryption keys, and decryption runs, albeit painfully slower than you would have thought.

A bad actor’s goal is to inflict maximum damage in order to extort as much as possible. They can start with a single user’s PC and move laterally, carefully escalating privileges until they hold the level of access needed to stage and execute the attack. They use malware families like Emotet and TrickBot and post-exploitation tools such as Mimikatz, Cobalt Strike, and Metasploit, spreading across as many machines as possible and replacing files you might never have known were changed. The criminal continues until they hold domain administrator credentials, and with them the krbtgt account hash needed to forge Kerberos tickets (the so-called golden ticket). At that point it’s not even hacking anymore: they can simply log in to whatever they want. Game over.

Attempting to reuse any part of your environment is a huge risk. The systems are still compromised: the backdoors, persistence mechanisms and stolen credentials used in the intrusion are still in place, and decrypting the files removes none of them. Consequently, you need a plan and resources to rebuild everything as quickly as possible. This includes sterile networks, fresh installs from known-good media, and data restoration, along with significant monitoring to ensure security holes are not left open.

The recovery will be a dynamic situation, with shifting priorities, scarce resources and roadblocks to navigate. However, the following can facilitate a faster recovery:

Have Up-to-Date Documentation in an Offline Location, Including a Password Vault

Often, the system that contains your documentation is encrypted along with everything else. Without it, recovery slows to the pace of the one staff member who has the information memorized. The same applies to credentials: if the only copy of your administrative passwords lives inside the domain the attacker now controls, you cannot safely use it to rebuild.

Shut Down Systems Immediately Upon Recognizing That They’re Being Encrypted

The number of machines encrypted can be minimized with simple monitoring tools that recognize services going offline, combined with responsive administrators who recognize the threat and make the quick decision to take affected systems offline. This stops the encryption process from propagating, which greatly reduces the time to recover business systems.
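The alerts in the scenario above fired on servers going offline, which is late in the process. Encryption itself has an earlier, very recognizable signature: one process renaming a large number of files in a short time, nearly all of them to the same new extension. The detector below is an added example written for this page, not code from the article or from RSM; it runs a sliding window over file-rename events of the kind that Sysmon, Windows file auditing or an EDR agent emit, raises an alert per host/process that crosses the threshold, and returns the set of hosts an administrator should isolate. The event shape, the thresholds, the allow-listed process name `backupagent.exe` and all sample events are constructed assumptions that must be tuned to your own environment.

```python
"""Ransomware encryption-burst detector over file-rename events.

Added example (not from the article). Event format, thresholds and the
allow-listed process name are assumptions; the sample events are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Set

# Tunables (assumed values, calibrate against your own file servers).
WINDOW_SECONDS = 30           # sliding window over one process's renames
RENAME_THRESHOLD = 50         # renames inside one window before alerting
EXTENSION_DOMINANCE = 0.90    # share of renames that end in the same new extension
ALLOWLIST = {"backupagent.exe"}   # known bulk-renaming jobs (assumed name)


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds; any monotonic timestamp from your telemetry source
    host: str
    process: str     # image name of the process that touched the file
    action: str      # "write", "create" or "rename"
    path: str
    new_path: str = ""   # populated only for "rename"


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    first_ts: float
    renames: int
    extension: str


def extension_of(path: str) -> str:
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events: Iterable[FileEvent],
           window: float = WINDOW_SECONDS,
           threshold: int = RENAME_THRESHOLD,
           dominance: float = EXTENSION_DOMINANCE) -> List[Alert]:
    """Return one Alert per (host, process) whose renames in any window of
    `window` seconds reach `threshold` and mostly share one new extension."""
    renames_by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "rename" and e.process.lower() not in ALLOWLIST:
            renames_by_key[(e.host, e.process)].append(e)

    alerts: List[Alert] = []
    for (host, process), renames in renames_by_key.items():
        start = 0
        for end in range(len(renames)):
            # Slide the window so it spans at most `window` seconds.
            while renames[end].ts - renames[start].ts > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            exts = Counter(extension_of(e.new_path) for e in renames[start:end + 1])
            ext, n = exts.most_common(1)[0]
            if n / count >= dominance:
                alerts.append(Alert(host, process, renames[start].ts, count, ext))
                break   # one alert per host/process is enough to act on
    return alerts


def hosts_to_isolate(alerts: Iterable[Alert]) -> Set[str]:
    """Hosts an administrator should pull off the network right now."""
    return {a.host for a in alerts}


def sample_events() -> List[FileEvent]:
    """Constructed telemetry: an encryption burst, a legitimate backup job
    and ordinary user activity."""
    evs: List[FileEvent] = []
    # 60 renames to .locked in about 20 seconds on the file server.
    for i in range(60):
        evs.append(FileEvent(1000 + i * 0.33, "FS01", "enc.exe", "rename",
                             f"D:/Shares/Finance/q{i}.xlsx",
                             f"D:/Shares/Finance/q{i}.xlsx.locked"))
    # Allow-listed backup agent renaming 80 files in 10 seconds: no alert.
    for i in range(80):
        evs.append(FileEvent(1000 + i * 0.125, "FS01", "backupagent.exe", "rename",
                             f"E:/Backup/set{i}.tmp", f"E:/Backup/set{i}.vbk"))
    # A user renaming a handful of documents: no alert.
    for i in range(5):
        evs.append(FileEvent(1100 + i * 5, "WS-042", "explorer.exe", "rename",
                             f"C:/Users/jdoe/Documents/draft{i}.docx",
                             f"C:/Users/jdoe/Documents/final{i}.docx"))
    return evs


if __name__ == "__main__":
    found = detect(sample_events())
    for a in found:
        print(f"ALERT {a.host} {a.process}: {a.renames} renames to "
              f".{a.extension} starting at t={a.first_ts:.0f}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The allow-list is what keeps a nightly backup or archiving job from paging someone at 2 a.m.; without it the backup agent above trips the same rule as the encryptor. Whatever tool you use, the decision that matters is the one the article describes: the alert has to reach an administrator who is empowered to take the host offline without waiting for approval.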
Have Local Copies of Your Backups

One of the most time-consuming components of recovery is moving a large volume of data. Cloud backups are a sound last resort, but the time required to download and then restore them can be prohibitive. In many cases this is a primary reason companies decide to pay the ransom: restoring from cloud backups simply takes too long. Local copies only help if they survive the attack, so keep them isolated from the production domain (the backup firewall from the checklist above, or offline or immutable storage); in the scenario above, the backups were encrypted along with everything else.
Have Your Contacts and Critical Information Printed and Accessible

Having insurance contacts, policy numbers, lawyers, vendors and support-contract information readily available minimizes chaos at the most critical moments.

Braden Daniels is a Director in RSM US LLP’s Technology and Management Consulting Practice and is RSM’s West Region Infrastructure Practice Leader. He can be reached at Braden.Daniels@rsmus.com.
