How to recover from ransomware
2:00pm
29th September 2016
www.databarracks.com
INTRO & AGENDA
Duration: 30 mins
(including Q&A)
Type questions on the right
• What it is and how it works – How ransomware works and why it is breaching organisational defences
• Prevention & mitigation – Methods – The incident and crisis management & escalation process
• Recovery – A step-by-step guide to recovery
*Slides will be made available and sent out following this session
THE BCPCAST
http://www.thebcpcast.com/
WHAT IS RANSOMWARE AND HOW DOES IT WORK?
FACTS TO NOTE
• The encryption is to all intents unbreakable, so backup data copies are the only guarantee to limit data loss
• There is a deadline for payment, which forces action: recovery or payment
WHO IS BEING TARGETED AND WHY IS IT SO SUCCESSFUL?
Who? Why?
HOW DOES RANSOMWARE WORK - BACKGROUND
Installation → Contact with command and control → Search → Encryption → Ransom
INCIDENT RESPONSE AND CRISIS MANAGEMENT ESCALATION
Preparation → Identification → Containment → Eradication → Recovery → Lessons learned
• Preparation – Creating a written policy and defining severity
• Identification – Identifying whether something is, or is not, an incident
• Containment – The steps to limit the spread of ransomware
• Eradication – Restoration of clean data from before the incident
• Recovery – Bringing the recovered systems back online
• Lessons learned – How do we improve?
HOW TO RECOVER
Backup vs Disaster recovery
HOW TO RECOVER
Improving the Recovery Point Objective
• Increase the frequency of backups
• Review (and extend) retention policies
Improving the Recovery Time Objective
• Optimise connection speed between target and recovery environment (general)
• Improve speed of finding most recent clean backup
THE INCIDENT RESPONSE PLAN: STEP-BY-STEP RECOVERY
Preparation → Identification → Containment → Eradication → Recovery → Lessons learned
1. IT is notified and confirms ransomware infection
2. Isolate the infected share / drive / server
3. Find the time of infection and test the first backup
4. Bring share / drive / server online. Test again, be vigilant
5. Review how infection occurred, data loss and time to recover
CYBER-DRaaS
1. Replication
2. Automated recovery
3. Detection
4. Reporting
5. Recursive scanning
HOW IT WORKS
Step 1: Replication of servers to the disaster recovery service provider
Step 2: Automated failover
Step 3: Automated malware scan
Step 4: Report status
RECURSIVE SCANNING – FASTEST TIME TO FIND MALWARE INSERTION
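The recovery step "find the time of infection and test the first backup", the RTO point "improve speed of finding most recent clean backup" and this recursive-scanning slide all reduce to one problem: locating the boundary between clean and infected recovery points with as few restores and scans as possible. The Python below is an added example, not code from the Databarracks deck or its Cyber-DRaaS service. It assumes that "recursive scanning" is a bisection over time-ordered snapshots: once the malware is present in a snapshot it is present in every later one, so a binary search finds the boundary in O(log n) scans instead of scanning every restore point. The names (Snapshot, find_last_clean, looks_encrypted, build_timeline), the entropy heuristic standing in for the deck's "automated malware scan", and the sample timeline are all constructed for the example.

```python
"""Bisection over time-ordered recovery points to find the last clean backup.

Added example, not code from the Databarracks slides. Assumes the deck's
"recursive scanning" is a binary search over restore points, relying on
monotonicity: an infected snapshot stays infected in every later snapshot.
"""
import hashlib
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

ENTROPY_THRESHOLD = 7.5  # bits per byte; above this a file looks encrypted


@dataclass
class Snapshot:
    """One recovery point: when it was taken and the files it contains."""
    taken_at: datetime
    files: Dict[str, bytes]


@dataclass
class BisectionResult:
    last_clean: Optional[int]       # index of newest clean snapshot, or None
    first_infected: Optional[int]   # index of oldest infected snapshot, or None
    scans_performed: int
    infection_window: Optional[Tuple[datetime, datetime]]  # (after, before)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-symbol data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(snapshot: Snapshot, min_fraction: float = 0.5) -> bool:
    """Heuristic scan stand-in (assumption, not the deck's scanner): flag a
    snapshot when at least `min_fraction` of its files have near-random
    content. Legitimate archives and media are also high-entropy, so a real
    DR scan would use an anti-malware engine; this only illustrates the
    scan predicate the bisection calls."""
    if not snapshot.files:
        return False
    high = sum(1 for data in snapshot.files.values()
               if shannon_entropy(data) > ENTROPY_THRESHOLD)
    return high / len(snapshot.files) >= min_fraction


def find_last_clean(snapshots: List[Snapshot],
                    is_infected: Callable[[Snapshot], bool]) -> BisectionResult:
    """Binary search for the oldest infected snapshot in a list sorted by
    taken_at, oldest first. Each probe costs one restore-and-scan."""
    lo, hi, scans = 0, len(snapshots), 0
    while lo < hi:
        mid = (lo + hi) // 2
        scans += 1
        if is_infected(snapshots[mid]):
            hi = mid        # boundary is at mid or earlier
        else:
            lo = mid + 1    # boundary is after mid
    first_infected = lo if lo < len(snapshots) else None
    last_clean = lo - 1 if lo > 0 else None
    window = None
    if first_infected is not None and last_clean is not None:
        # Infection happened after the last clean and before the first infected point.
        window = (snapshots[last_clean].taken_at, snapshots[first_infected].taken_at)
    return BisectionResult(last_clean, first_infected, scans, window)


# --- constructed sample timeline (no real data) ------------------------------

def _pseudo_random_bytes(seed: bytes, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


def build_timeline(days: int = 8, infected_from: int = 5,
                   start: datetime = datetime(2016, 9, 1, 2, 0)) -> List[Snapshot]:
    """Daily snapshots; from index `infected_from` the documents are replaced
    by encrypted-looking blobs with a constructed '.locked' suffix."""
    plaintext = b"Quarterly report draft. Figures to be confirmed.\n" * 80
    snapshots = []
    for day in range(days):
        if day < infected_from:
            files = {f"share/docs/report_{i}.txt": plaintext for i in range(4)}
        else:
            files = {f"share/docs/report_{i}.txt.locked":
                     _pseudo_random_bytes(f"{day}-{i}".encode()) for i in range(4)}
        snapshots.append(Snapshot(start + timedelta(days=day), files))
    return snapshots


if __name__ == "__main__":
    timeline = build_timeline()
    result = find_last_clean(timeline, looks_encrypted)
    print(f"scans: {result.scans_performed} of {len(timeline)} snapshots")
    print(f"last clean: {timeline[result.last_clean].taken_at:%Y-%m-%d %H:%M}")
    print(f"infection between {result.infection_window[0]:%Y-%m-%d} "
          f"and {result.infection_window[1]:%Y-%m-%d}")
```

On the eight-day sample the bisection scans three snapshots to find that day 5 is clean and day 6 is the first infected point, so the infection window and the data-loss window (everything written after the day 5 snapshot) fall out of the same search; a linear scan from the newest copy would have needed four. The result also makes the RPO trade-off concrete: denser snapshots shrink the infection window but only add one scan per doubling of the retained points, while longer retention is what keeps a clean point available at all.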
HOW TO TEST?
Tutorial / SAN Failure / Cyber-Attack
http://www.databarracks.com/resources/tools/
IF YOU REMEMBER NOTHING ELSE!
1. Have a specific incident response plan for ransomware
2. Review backup schedules and retention policies
3. The only way to guarantee that you don't lose your data is with historic copies of your data in backup or DR
RESOURCES
• The Business Continuity Podcast – http://www.thebcpcast.com/
• Tabletop testing simulator – https://tools.databarracks.com/dr-tabletop-simulation/index.html
• History of ransomware – https://heimdalsecurity.com/blog/what-is-ransomware-protection/
• Ransomware definitions – http://www.trendmicro.com/vinfo/us/security/definition/ransomware
• SANS Institute, Incident Handler's Handbook – https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• CryptoLocker DGA – https://blog.fortinet.com/2014/01/16/a-closer-look-at-cryptolocker-s-dga
QUESTIONS?