The role of continuity practices in surviving ransomware

The advice from the government provides a solid foundation but it is imperative organisations have an effective response plan and backup strategy to support it.

Recently, the National Crime Agency (NCA) and National Cyber Security Centre (NCSC) launched their first joint report, The cyber threat to UK businesses. The document outlined what they expect to be the major trends seen across the cyber security industry over the coming months. Ransomware, which has experienced rapid growth over the last year and presents a hugely lucrative industry for cybercriminals, was acknowledged as an escalating threat to UK businesses.

Creating and deploying ransomware has never been easier. Malicious code needed to create the ransomware can now be readily outsourced, with “Ransomware as a Service” models already available on the dark web, where wannabe attackers can purchase ready-made malware packages. This ease of procurement, coupled with the financial opportunity associated with targeted attacks, means ransomware will continue to be a huge threat in 2017.

Who is being targeted, and why?

This increased accessibility has significantly broadened the variety of potential attackers in recent years, and as such it’s hard to generalise around the motivations of individuals. Whether it’s lone actors operating from a bedroom, a politically-motivated hacktivist, or an international criminal organisation with salaried employees, everyone is a target to someone.

Low-value

Individual consumers and smaller organisations represent low value targets. At this end of the spectrum, ransomware is a numbers game, and attackers tend to follow the path of least resistance. In practice, that means working through organisations that meet certain basic criteria (e.g. charities in London, with <£5m turnover), or individuals that represent demographics with little to no education in cyber security. 

High-value

Larger organisations with valuable datasets and a public reputation to protect obviously represent high-value targets, and often attract the most sophisticated attacks as a result. One of the key determinants of how severe an infection becomes is the level of access privileges held by the infected user. This makes power users such as sysadmins and senior executives far more valuable targets than ordinary users. Attackers can spend weeks or even months probing attack vectors in order to locate senior individuals susceptible to compromise.

Why are these attacks so successful?

Whoever the target is, the rise of cryptocurrencies has increased the degree of anonymity afforded to criminals taking ransom payments. Cyber criminals balance risk and reward. Taking payments as cryptocurrency means the reward has stayed constant, whilst the risk of being caught has dropped significantly.

Although the government’s report advised UK organisations to combat cyber-attacks by reporting attacks, promoting awareness and adopting cyber security programmes, it failed to acknowledge the more immediately actionable role that good continuity practices can play in surviving and recovering from cyber-attacks. Whilst outright prevention of a ransomware attack may be impossible, good continuity practices, such as a carefully tailored backup solution, can effectively negate the consequences. 

What continuity practices can organisations implement to ensure they recover as quickly as possible? 

Devising a specific incident response plan for cyber attacks

Something that was omitted from the government’s advice report is the importance of having an effective incident response plan in place. We typically advise that companies should plan for impacts and test for scenarios. Impact-based planning works on the basis that while there are an infinite number of possible disasters, the number of potential consequences at the operational level is much smaller. Scenario-based planning asks users to anticipate the consequences of a disastrous event and to create solutions ahead of time. 

However, certain threats do warrant specific response plans, and this is certainly the case for ransomware. Ransomware can lie dormant on servers for a period of time to deliberately outlast a backup strategy, so that every retained version already contains it by the time it fires. As a result, it needs a different approach and plan to recover effectively.

Recovery testing for cyber incidents

Once this plan has been established, it is vital to then test that plan and make sure it works. Where this isn’t possible, organisations should run exercises such as a tabletop test as a minimum. This involves organisations responding to a simulated disruption by walking through their recovery plans and outlining their responses and actions.  

Plans should be regularly reviewed, updated and tested. This ensures that in the event of an incident, plans can be executed as effectively as possible with minimum impact to everyone concerned. It would be advisable for UK organisations to make a ransomware attack the next focus of any future continuity planning if they have not done so already.  

Recovery 

In the event of a ransomware attack, a business will have two options: recover the information from a previous backup or pay the ransom. In many cases, even when a ransom has been paid, the data has not been released, so paying does not guarantee you will get your data back.

There are two main objectives when recovering from ransomware: to minimise the amount of data loss and to limit the amount of IT downtime for the business. The fastest way to recover from most incidents is to fail over to replica systems hosted elsewhere. But these traditional disaster recovery services are not optimised for cyber threats. Replication software will immediately copy the ransomware from production IT systems to the offsite replica. This software will often have a limited number of historic versions to recover from, so by the time an infection has been identified, the window for recovery has gone. This means that ransomware recovery can be incredibly time consuming and requires reverting to backups. This often involves trawling through historic versions of backups to locate the clean data.
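The two recovery problems described above (a replica whose few retained versions are all post-encryption, and a dormant payload that is present in every recent backup) can be made concrete with a small simulation. The following is an added example written for this page, not code from the article or from Databarracks; the file names, the ransom-note name, the loader name and the retention numbers are all constructed for illustration, and the "indicator" checks stand in for whatever indicators of compromise a real incident produces.

```python
"""Constructed simulation: which retained versions of a file share are still
usable after a ransomware incident, for a short-retention replica versus a
longer-retention backup set, and whether a chosen recovery point predates the
original intrusion or merely the encryption."""
from dataclasses import dataclass

# Constructed marker names for the example only; real incidents supply their
# own indicators (file extensions, note names, dropped binaries, hashes).
RANSOM_NOTE = "README_RESTORE.txt"
ENCRYPTED_SUFFIX = ".locked"
DORMANT_LOADER = "svchost_update.exe"   # hypothetical dropped-but-idle payload


@dataclass(frozen=True)
class Snapshot:
    day: int                  # days since the start of the timeline
    files: frozenset          # file names captured in this version


def build_timeline(days, intrusion_day, encryption_day):
    """Daily snapshots of a constructed file share. From intrusion_day the
    dormant loader sits on disk; from encryption_day the user files are
    encrypted and a ransom note appears."""
    base = ("accounts.xlsx", "contracts.docx", "payroll.db")
    snaps = []
    for d in range(days + 1):
        files = set()
        if d >= encryption_day:
            files.update(f + ENCRYPTED_SUFFIX for f in base)
            files.add(RANSOM_NOTE)
        else:
            files.update(base)
        if d >= intrusion_day:
            files.add(DORMANT_LOADER)
        snaps.append(Snapshot(d, frozenset(files)))
    return snaps


def is_encrypted(snap):
    """Version shows the visible damage: ransom note or renamed files."""
    return RANSOM_NOTE in snap.files or any(
        f.endswith(ENCRYPTED_SUFFIX) for f in snap.files)


def has_dormant_payload(snap):
    """Version still carries the idle loader, even though data looks fine."""
    return DORMANT_LOADER in snap.files


def replica_versions(snaps, keep_last):
    """Replication keeps only the most recent `keep_last` versions."""
    return snaps[-keep_last:]


def backup_versions(snaps, daily=14, weekly=8):
    """Grandfather-father-son style retention: every version for `daily`
    days, plus one version per week (every 7th day) for `weekly` weeks."""
    today = snaps[-1].day
    kept = []
    for s in snaps:
        age = today - s.day
        if age < daily or (s.day % 7 == 0 and age < weekly * 7):
            kept.append(s)
    return kept


def newest_recovery_point(versions, require_no_dormant):
    """Newest version with no encrypted files. With require_no_dormant, the
    idle loader must also be absent. Returns the day, or None if nothing in
    the retained set qualifies."""
    for s in sorted(versions, key=lambda s: s.day, reverse=True):
        if is_encrypted(s):
            continue
        if require_no_dormant and has_dormant_payload(s):
            continue
        return s.day
    return None


def run_scenario():
    """Intrusion on day 5, encryption fires on day 30, detected on day 33."""
    timeline = build_timeline(days=33, intrusion_day=5, encryption_day=30)
    replica = replica_versions(timeline, keep_last=3)
    backups = backup_versions(timeline)
    return {
        # replica holds days 31-33 only: every version is encrypted
        "replica": newest_recovery_point(replica, False),
        # newest unencrypted backup, but it still carries the loader
        "backup_last_unencrypted": newest_recovery_point(backups, False),
        # only the weekly from day 0 predates the intrusion
        "backup_pre_intrusion": newest_recovery_point(backups, True),
    }


if __name__ == "__main__":
    print(run_scenario())
```

In this constructed run the replica offers no usable version at all, the daily backups give back the data as it stood the day before encryption, and only a weekly version from before the intrusion is free of the idle loader. The practical reading is the one the article makes: the recovery plan needs to know both dates, because restoring data from the newest unencrypted copy is reasonable for user files, but restoring a whole system image from the same day would reintroduce the payload.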

Ransomware will only continue to rise, so organisations must regard infection as a matter of ‘when’ rather than ‘if’ and take the appropriate steps to mitigate the risks. The advice from the government provides a solid foundation but it is imperative organisations have an effective response plan and backup strategy to support it.

Peter Groucutt, managing director at Databarracks