Incident Response – Recovery

Depending on the results of your root cause analysis, if the attack was made possible by vulnerable systems, those will have to be patched to prevent them from being re-exploited in the future. If those systems cannot be patched, segregate, place compensating controls, and ensure the exposure to risk has been minimized.

X-Force recommends organizations initially rely on their internal backup infrastructure to restore affected files before other options are considered. This requires that a backup process already exist for the affected data and an analysis be done on the frequency and completeness of the backups to ensure that the data will be completely restored. It is important to verify the status of backups at the time of required recovery. If the attackers have been in the networks for months, and backup files are also encrypted, using backups to restore systems is not a viable option.

Attackers who remain silent in networks for long periods of time can also plant persistence mechanisms in the backups to ensure they can return to threaten the organization even after payment has been made. A best practice for backups is redundancy, and keeping backups checked, segregated or offline, to limit the potential for tampering. In cases where a network share was impacted by malicious encryption, there’s still a chance that several of the most recent backups may contain partially encrypted files. For example, if an organization’s file share is backed up daily, but an infected employees’ device takes five days to encrypt everything on the file share before discovery of the attack, the last five backups are likely to contain files that have been encrypted. It is recommended to have a reliable backup process in place — one that utilizes industry best practices, such as ensuring that not only local backups are kept, but that backups are also archived to removable media (tapes, optical disks or removable hard disks) and to cloud based resources. Simply relying on local disk images, replication, and other local network backups may not be sufficient, as these can be encrypted by ransomware as well, or the backup could run after the files have been encrypted by the ransomware, rendering it useless for the purpose of internal recovery.

Fully restoring files from backups can sometimes be impossible. In these cases, organizations may seek to find ways to break the encryption without paying the ransom, or perhaps locate decryption keys on infected systems. While both can happen, it is rare for either of these options to succeed. Knowing the variant and version of the ransomware infection may help determine options. It can also aid the Recovery phase and inform decisions about how to approach recovery, as well as the consequences of each potential route. The first way to approach the question of encryption reversal is to work with a subject matter expert that can potentially offer insight into the malware variant and explore options.