Danish shipping company Maersk, which was heavily affected by the NotPetya ransomware last year, reported that it recovered from the attack by reinstalling its entire infrastructure, including more than 4,000 servers; 45,000 PCs; and 2,500 applications. Is a full reinstall the best option for a system infected by ransomware or is there a risk the malware will remain even after the reinstall? What other options are available for ransomware recovery?
The nuclear option when responding to a cybersecurity incident may call for a company to format and reinstall a server or, in more extreme cases, rebuild an enterprise Active Directory. In the most extreme situations, it may require an enterprise to reinstall all of its servers and endpoints.
Anything malicious that could survive a format and reinstall would need to persist in the firmware, hardware, backups or system management tools, and it would be very difficult to detect and remove. This could be very costly for an enterprise; for most companies, reinstalling the operating system on a compromised device is sufficient.
Maersk apparently took the nuclear option for ransomware recovery last year in response to the NotPetya ransomware and reinstalled all of its servers and endpoints. It is possible Maersk took this extreme response because the attackers compromised its Active Directory, as well as its endpoint management tools and the system used for logging.
If all of those systems were compromised, the enterprise wouldn't be able to tell which systems weren't compromised and wouldn't be able to trust its existing systems to rebuild from. Because Maersk had to start from the ground up to rebuild the network, incorporating this process into the company's business continuity and disaster recovery plan would have been a good idea.
The standard advice for ransomware recovery is to reinstall the compromised systems and restore system data from backups. However, it is important for defenders to only restore data from a known good state to avoid inadvertently restoring the ransomware -- or the vulnerability the ransomware exploited to attack the system.
When the system is reinstalled, it should be built from a securely configured image and brought fully up to date with patches. If your endpoint security tool doesn't address ransomware, then you may want to choose a different tool or take other steps to ensure that protection from future ransomware attacks is in place.
Within the ransomware recovery process, if the ransomware affected a file share or server, then you must take the additional step of investigating how the malware was able to affect that server so it can be adequately secured, including fixing share or file system access control, before bringing it back online.
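The "known good state" check above is the step most often skipped under pressure. The following script is an added illustration, not part of the original answer or of any Maersk procedure: it refuses to approve a backup set for restore unless every file matches a SHA-256 manifest captured while the system was healthy, the manifest predates the incident window, and no files are present that the manifest never listed (altered or encrypted copies and dropped binaries show up there). The backup files, manifest and dates are constructed for the demonstration.

```python
"""
Added example (not from the original answer): a pre-restore check that a
backup set matches a known-good manifest and predates the compromise window.

Assumptions (all constructed for this illustration):
  - A manifest of SHA-256 hashes was recorded for the backup set while the
    system was in a known good state, together with the date it was made.
  - The incident timeline gives the earliest date the ransomware was present.
"""
import hashlib
import os
import tempfile
from datetime import datetime


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(backup_dir, manifest, compromise_start_iso):
    """
    Compare every file in the backup set against the known-good manifest.

    Returns {"ok": bool, "problems": [str]}; ok is True only if the manifest
    predates the compromise window and every manifested file is present and
    unmodified, with nothing extra on disk.
    """
    problems = []
    manifest_time = datetime.fromisoformat(manifest["created"])
    compromise_start = datetime.fromisoformat(compromise_start_iso)
    if manifest_time >= compromise_start:
        problems.append(
            f"manifest created {manifest['created']} is not before "
            f"compromise start {compromise_start_iso}"
        )

    for rel_path, expected in manifest["files"].items():
        full = os.path.join(backup_dir, rel_path)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel_path}")
            continue
        if sha256_file(full) != expected:
            problems.append(f"hash mismatch: {rel_path}")

    # Anything on disk that the known-good manifest never listed is suspect.
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), backup_dir)
            rel = rel.replace(os.sep, "/")
            if rel not in manifest["files"]:
                problems.append(f"unexpected file not in manifest: {rel}")

    return {"ok": not problems, "problems": problems}


def build_demo_backup(tamper=False):
    """Construct a small backup set and its manifest (constructed sample data)."""
    backup_dir = tempfile.mkdtemp(prefix="backup_")
    contents = {
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
        "config/app.ini": b"[app]\nmode=production\n",
    }
    for rel, data in contents.items():
        full = os.path.join(backup_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = {
        "created": "2017-06-20T00:00:00+00:00",  # constructed known-good date
        "files": {rel: sha256_file(os.path.join(backup_dir, rel)) for rel in contents},
    }
    if tamper:
        # Simulate a backup taken after infection: one file altered and a
        # stray file present that the known-good manifest never listed.
        with open(os.path.join(backup_dir, "config/app.ini"), "ab") as f:
            f.write(b"# modified\n")
        with open(os.path.join(backup_dir, "unexpected.bin"), "wb") as f:
            f.write(b"constructed placeholder\n")
    return backup_dir, manifest


if __name__ == "__main__":
    COMPROMISE_START = "2017-06-27T00:00:00+00:00"  # constructed incident date
    for tampered in (False, True):
        d, m = build_demo_backup(tamper=tampered)
        print("tampered" if tampered else "clean", "->", check_backup(d, m, COMPROMISE_START))
```

In practice the manifest would be produced by the backup job and stored somewhere the ransomware could not reach (offline media or a write-once store), since a manifest written to the same share the malware encrypted proves nothing.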