Why a Disaster Recovery Plan Can Reduce Critical Damage from Ransomware | Secure Cloud Backup Software | Nordic Backup

Any major cybersecurity event puts a disaster recovery plan into effect. These plans help IT, employees and executives follow the right steps when recovering from data loss or critical downtime. In a ransomware attack, a company suffers data loss if it does not have the backups needed to recover fully from the malware’s encryption. The company could pay the ransom, but there is no guarantee that a working decryption key will be provided after the attacker receives payment. Instead of absorbing a huge data loss, a disaster recovery plan and the right backup procedures can return the network to its working state and roll data back to its condition before the event.

What Ransomware Does to Data

Ransomware is malicious software that scans local and network drives for files worth holding hostage. The exact method of attack and the encryption scheme depend on the malware author, but ransomware generally uses standard, well-vetted cryptographic algorithms with randomly generated keys, so the targeted company cannot recover the key by brute force or by guessing.

Malware authors assume that files with certain extensions are too important for a company to simply recreate. Excel, Word, PowerPoint and Access files are just a few of the types ransomware searches for. Some variants also scan for image files, because the attacker assumes individuals will want their personal pictures back and will pay the ransom. Every matching file the infected account can write to, whether on a shared network drive or in a local directory, is encrypted; operating system files are typically left alone so that the machine still boots and can display the ransom note.

In a Windows environment, ransomware reaches other machines through the Server Message Block (SMB) protocol that shares printers and directories. It usually needs no vulnerability to do so: the malware runs with the infected user’s credentials and can write to every share that user can, so a single compromised workstation can encrypt files on many servers. Some worm-style families have additionally exploited SMB vulnerabilities to spread between machines without any user action. Malware can also drop malicious executables on shared directories, where they sit dormant until a user opens one. It takes only one user finding and running the file to cause a cybersecurity event across the network.

Finally, most ransomware encrypts file contents with a symmetric cipher, typically the Advanced Encryption Standard (AES) with a 256-bit key. AES-256 is not vulnerable to brute-force attacks: with a randomly generated key, trying every possibility is far beyond any available computing power. A symmetric key is used both to encrypt and to decrypt, so it has to exist on the victim’s machine while files are being encrypted. Ransomware authors get around this with a hybrid scheme: a fresh AES key is generated for each file or each victim, and that key is itself encrypted with an asymmetric (for example RSA) public key embedded in the malware. The matching private key stays with the attacker and never touches the victim’s network, so the AES keys left on disk are unreadable without it. It is that private key the targeted company is paying for, and not every attacker actually delivers it once the ransom is paid. Because the algorithms themselves are sound, no vendor can decrypt the files on the company’s behalf; the exceptions are families with implementation mistakes or leaked keys, for which free decryptors sometimes appear, but a business cannot count on that. As long as the attacker holds the only copy of the private key, any file encrypted in this way stays under the attacker’s control.
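The hybrid scheme just described, as an added illustration that is not code from the original article or from Nordic Backup: a fresh AES-256 key is generated for each file and used to encrypt its contents, and that key is then wrapped with RSA-OAEP under the attacker’s public key, which is the only key material the malware carries. The `EncryptedFile` layout, the choice of AES-GCM and the function names are assumptions made for this example; real families use their own formats and often other modes or ciphers. What the example makes visible is the asymmetry: anyone can run `EncryptFile`, but `DecryptFile` produces plaintext only with the private key that never left the attacker.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is a constructed layout for this example: the per-file data
// key wrapped under the attacker's RSA public key, the GCM nonce, and the
// ciphertext of the file contents. Real ransomware uses its own formats.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile encrypts plaintext under a fresh random AES-256 key, then wraps
// that key with RSA-OAEP under pub. The plaintext key is zeroed afterwards,
// so nothing left on the victim's side can recover the file without the
// matching private key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	dataKey := make([]byte, 32) // 256-bit AES key, different for every file
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // the only plaintext copy of the key is now gone
		dataKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile is what the attacker's decryptor does: unwrap the data key with
// the private key, then decrypt the contents. With any other private key the
// OAEP unwrapping fails and no plaintext is produced.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: not the attacker's private key")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	// The attacker's key pair; only the public half is embedded in the malware.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ef, err := EncryptFile(&attacker.PublicKey, []byte("Q3 forecast (constructed sample)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(ef.WrappedKey), len(ef.Ciphertext))
	// A defender with a key pair of their own gets nowhere.
	defender, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := DecryptFile(defender, ef); err != nil {
		fmt.Println("defender:", err)
	}
	pt, err := DecryptFile(attacker, ef)
	fmt.Printf("attacker: %q (err=%v)\n", pt, err)
}
```

The same envelope structure is what a well-designed backup product uses for client-side encryption: a random data key protects the content and a key the storage provider never sees protects the data key. The pattern that makes a victim’s files unrecoverable is also what keeps an encrypted backup safe from anyone who steals the storage but not the key.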

Backups and Disaster Recovery

A disaster recovery plan is a detailed document that takes the entire IT staff and the executives from the start of an attack through mitigation, containment and the recovery of data. Although backups are not the entirety of a disaster recovery plan, they are a large part of the process, especially after a cybersecurity event involving ransomware. Since files encrypted by ransomware cannot, in general, be decrypted without the attacker’s key, backups are the way data is recovered and systems are restored to their original state.

The more data an organization produces, the more frequently backups should be taken: the interval between backups is the amount of work lost when the last backup has to be restored. A full backup is always needed as a baseline, and the backups in between can be incremental. An incremental backup contains only the files that have changed since the previous backup, whether that was the full backup or an earlier incremental, so a restore needs the full backup plus every incremental taken since it. Backups can be used to recover a large data set or just a single file that a user accidentally deleted, but they are critical to recovering from a cybersecurity event.

One issue with backups is that ransomware also targets backup files for encryption or deletion. Administrators who store backup files on the network should also keep a copy in a secondary location, and most choose the cloud for that copy. A cloud backup that is reached through the backup software’s own API, rather than mounted as a drive letter or share, is not found by the malware’s scan of local and network drives, so it survives many attacks that destroy on-premises copies. The caveat is that a cloud account the infected machine can log in to with stored credentials can still be wiped, so the copy should be protected with separate credentials and, where the provider offers it, versioning or immutable retention. A cloud copy also satisfies the off-site part of the 3-2-1 rule for backups: keep three copies of the data, on two different types of media, with at least one copy off-site.
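To make the full-plus-incremental logic and the backup-verification point of the two paragraphs above concrete, here is an added example that is not part of the original article and not Nordic Backup’s software. It keeps a manifest of SHA-256 hashes for a directory, derives the set of files an incremental backup must copy by comparing a new manifest against the previous one, and re-checks a stored copy against its manifest so that a backup encrypted in place is detected rather than trusted. The `Manifest` type, the function names and the sample files created in a temporary directory are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps each file's slash-separated path relative to the backup root
// to the hex SHA-256 of its contents: the catalogue stored with a backup set.
type Manifest map[string]string

func hashFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// Snapshot hashes every regular file under root. Taken once it is the full
// backup's baseline; taken again later it shows what an incremental must copy.
func Snapshot(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if !info.Mode().IsRegular() {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

// Incremental returns files that are new or whose contents changed since prev:
// exactly the set the next incremental backup has to copy. Comparing content
// hashes, not modification times, means a rewritten file cannot hide behind a
// preserved timestamp.
func Incremental(prev, cur Manifest) []string {
	var changed []string
	for rel, sum := range cur {
		if old, ok := prev[rel]; !ok || old != sum {
			changed = append(changed, rel)
		}
	}
	sort.Strings(changed)
	return changed
}

// Verify re-hashes a stored copy against the manifest recorded when it was
// written and reports every missing or altered file. A backup that ransomware
// has encrypted in place shows up here as a list of mismatches.
func Verify(root string, expected Manifest) []string {
	var bad []string
	for rel, sum := range expected {
		got, err := hashFile(filepath.Join(root, filepath.FromSlash(rel)))
		if err != nil || got != sum {
			bad = append(bad, rel)
		}
	}
	sort.Strings(bad)
	return bad
}

func write(path, content string) {
	if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
		panic(err)
	}
}

func main() {
	root, _ := os.MkdirTemp("", "backup-demo")
	defer os.RemoveAll(root)
	// Constructed sample files standing in for a department share.
	write(filepath.Join(root, "q1-report.xlsx"), "quarter one figures")
	write(filepath.Join(root, "notes.docx"), "meeting notes")
	full, _ := Snapshot(root) // baseline taken by the full backup
	write(filepath.Join(root, "notes.docx"), "meeting notes, revised") // edited
	write(filepath.Join(root, "budget.docx"), "draft budget")           // new
	cur, _ := Snapshot(root)
	fmt.Println("incremental must copy:", Incremental(full, cur))
	write(filepath.Join(root, "q1-report.xlsx"), "opaque ciphertext") // stored copy hit by ransomware
	fmt.Println("verification flags:", Verify(root, cur))
}
```

Running `Verify` against the off-site copy on a schedule is the practical consequence of the 3-2-1 rule: a copy that cannot be verified is a copy that may already have been encrypted, and the time to find that out is before the restore is needed.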

Incorporating Disaster Recovery Plans

With backup procedures defined, IT administrators should incorporate backups into the disaster recovery plan. Disaster recovery plans lay out every step of recovery during critical, stressful times for IT as they mitigate damage and return the network to its productive state. Without a plan, certain aspects of recovery could be missed, or data could be destroyed in the process.

Disaster recovery plans record where backups are stored, how and where they are to be restored, and which executives should be contacted once it is determined that the plan must be executed. The plan reduces the time the company must be down, because IT staff can follow the instructions step by step. It should also cover containment, since files restored onto a still-infected network are simply encrypted again, and how to contact law enforcement for forensics.

Creating a disaster recovery plan is not easy, so plans are often drawn up with a third party to help the organization make sure that all critical aspects of cybersecurity recovery are covered. Since recovering from ransomware always comes down to backups and restoration, a good plan reduces the time the organization’s systems are down, which in turn reduces the cost of the attack.

Conclusion

Most small businesses have trouble creating an effective backup plan. It is one reason ransomware is so effective against small businesses, or against ones with overworked, inexperienced IT staff. Backups that live on the same network as the data they protect are exposed to the same attack, so they are often damaged along with the originals. If no usable backups are in place, the company is left desperate for its data and usually pays the ransom.

Disaster recovery plans can help reduce the damage from ransomware by taking IT staff step by step through the mitigation and recovery procedures. They are a critical component of any company’s cybersecurity protocols. Ransomware can destroy an organization financially, and the only reliable way to recover is from backups.

User training and anti-phishing measures also stop ransomware at its starting point, but even the best cybersecurity defenses are not 100 percent effective. Should an attacker manage to get malware onto the network, backups and disaster recovery would still be necessary. If the organization does not have a disaster recovery plan, a professional can help create one and lead IT through proper cybersecurity development.
