Plan, Pray, or Pay: What to Do After a Ransomware Attack

If you’re not planning, then you’re praying. And praying doesn’t lower your odds of having to pay when ransomware hits.

In the immediate aftermath of a ransomware attack—once you get past the initial confusion and shock—you’re likely to find the limited options available to you were determined by choices you made (or didn’t make) weeks and months ago.

Yes, there are things you can do to try to contain the infection, but as our research has indicated, ransomware acts incredibly fast. Once on a machine, it can take just minutes or even seconds to encrypt files and make them inaccessible. If the machine has a shared network drive, those files can be encrypted, too.

Most of the advice you’ll see on how to deal with ransomware involves wiping infected machines and restoring lost/encrypted data from backup. But that assumes a lot. For starters, you actually needed to be backing up your machines and their data prior to the attack. Even when that is the case, however, in order to restore everything from backup the conditions need to be right. It’s far from a given.

Are you ready to restore from backup?

By asking yourself the following questions and making preparations now, you can make sure restoring from backup is a viable option when you need it most.

Questions you’ll have to ask yourself after a ransomware attack (that you should prepare for in advance):

  • Did you have backups for all the machines affected?
  • How often were backups running? Every day? Every hour? Every week?
  • Have you tested recovering from backup before to see how long it takes and make sure it reliably works?
  • Did you take measures to ensure your backups were separated from local machines to reduce the risk of them getting encrypted as well?
  • If restoring from backup isn’t an option, do you pay the ransom?

Of course, if backup doesn’t work you’ll have to weigh your other options. Deciding whether to pay up or not is rarely easy. It’s even harder when the clock is ticking down to a ransom-demand deadline and you have no idea how much the encrypted/lost data was worth.

More questions you’ll need to ask yourself:

  • Had you conducted any kind of assessment to determine the value of your data?
  • Can you calculate the value of the data that was encrypted/lost so you can weigh that against the ransom demand amount?
  • Can you quickly calculate the cost of any downtime associated with the attack?

By running through a mock scenario and answering these questions ahead of time, you’ll be much more prepared to make the tough call of whether to pay or not.

5 things to add to your ransomware preparation to-do list:

With all these questions in mind, here are five things you should do now to avoid having to deal with the unexpected if and when ransomware hits:

  1. Have an up-to-date inventory of the backup status for all your workstations, including your recovery point objective (the timeframe dictating how frequently backups are created).
  2. Run tests recovering data from backup in different scenarios. Keep track of how long it takes to restore and the success/failure rates.
  3. Practice a 3-2-1 backup strategy that requires you to have three copies of your data in two different locations, one of which is offsite. That will help you ensure your backup isn’t encrypted by a ransomware attack, as well.
  4. Conduct a risk assessment to identify and assign value to your organization's critical data assets. You need to know what data is important and where it resides.
  5. Determine the cost of downtime should critical assets become encrypted/inaccessible.
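Items 1 through 3 of the list above can be turned into an automated readiness check. The script below is an added example, not part of the original post: it audits a constructed backup inventory against each workstation's recovery point objective and the 3-2-1 rule as the post states it (three copies, two locations, one offsite). The dataclasses, field names, and sample workstations are assumptions made for the example.

```python
"""Backup readiness audit: RPO age plus the 3-2-1 rule (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    location: str        # storage location/medium label, e.g. "local-nas"
    offsite: bool        # True when held outside the primary site
    completed: datetime  # when this copy finished successfully


@dataclass
class Workstation:
    name: str
    rpo: timedelta                      # maximum tolerable age of the newest copy
    copies: list = field(default_factory=list)


def audit_workstation(ws, now):
    """Return a list of findings; an empty list means the host is restore-ready."""
    if not ws.copies:
        return ["no backups"]
    findings = []
    newest = max(c.completed for c in ws.copies)
    if now - newest > ws.rpo:
        findings.append(f"latest backup is {now - newest} old, exceeds RPO {ws.rpo}")
    if len(ws.copies) < 3:
        findings.append(f"only {len(ws.copies)} copies (need 3)")
    if len({c.location for c in ws.copies}) < 2:
        findings.append("all copies in one location")
    if not any(c.offsite for c in ws.copies):
        findings.append("no offsite copy")
    return findings


def audit_inventory(inventory, now):
    """Map each workstation name to its findings."""
    return {ws.name: audit_workstation(ws, now) for ws in inventory}


# Constructed sample inventory (not real hosts); NOW is fixed so results are stable.
NOW = datetime(2016, 6, 14, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Workstation("fin-01", timedelta(hours=24), [
        BackupCopy("local-nas", False, NOW - timedelta(hours=3)),
        BackupCopy("tape", False, NOW - timedelta(hours=20)),
        BackupCopy("cloud-vault", True, NOW - timedelta(hours=6))]),
    Workstation("eng-07", timedelta(hours=24), [
        BackupCopy("local-nas", False, NOW - timedelta(days=3)),
        BackupCopy("local-nas", False, NOW - timedelta(days=4))]),
    Workstation("hr-02", timedelta(hours=1), []),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE, NOW).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it on a real inventory export and any host with findings is one where "restore from backup" is not yet a viable answer to the questions above.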

When it comes to ransomware, an ounce of prevention really is worth a pound of cure. Being prepared is critical, but avoiding infection altogether is ideal. That makes having strong, up-to-date endpoint protection and investing in security awareness training for employees absolutely key.

Ryan Berg is Chief Scientist at Barkly. He holds multiple patents and is a speaker, instructor, and author in the fields of security, risk management, and secure application development. Prior to joining Barkly, he was Chief Security Officer at Sonatype and Chief Scientist and cofounder of Ounce Labs, which was acquired by IBM in 2009. You can connect with him on Twitter @ryanberg00.

Posted on June 14, 2016
