grandeduc - Fotolia

Tip

How to navigate a ransomware recovery process

If you find your systems locked up from a ransomware attack, what should you prioritize? Before you start your recovery, follow this plan to avoid additional trouble.

If your defenses and backups fail despite your best efforts, your ransomware recovery effort can take one of several paths to restore normalcy to your organization.

Ransomware is bad enough. Don't rush to bring systems and workloads back online and cause additional problems. The first item on your agenda is to take inventory of what still functions and what needs repairs. This has to be done quickly, but without mistakes. Management will want to know what needs to be done, but you can't give a report until you have a full understanding. While you don't need to break down every single server, you will need to have everything categorized. Think Active Directory, file servers, backups, networking infrastructure, email and communication, and production servers to start.

Take stock of the situation

The list of affected systems and VMs won't be comprehensive. You have to start with machines that are a priority, and production servers are not in this case. If Active Directory is down, then it's a safe bet most of your production servers -- and the IT infrastructure -- won't be running correctly even if they weren't directly affected.

To start with a ransomware recovery effort, check your backups first before anywhere else. Too many folks have deleted encrypted VMs only to find the malware wiped out their backup systems and end up going from bad to worse. Mistakes happen when you rush.

A somewhat easy path of restoring servers does exist if your backups are intact, current and operational. The restoration process needs to be tested before you delete any VMs. Rather than removing affected machines, try relocating them to lower-tier storage, external storage or even local storage on a host. Your goal is to get the encrypted VMs out of the way to give yourself space to work, then try the restores and get the VMs running before you remove their encrypted counterpart.

It might be time to make difficult choices

If the attack corrupted your backup system or the ransomware recovery effort failed, then someone above your pay grade will have to make some decisions. You will have to have a few difficult conversations, partly because the responsibility of the backups -- and their reliability -- rested on you. It's possible it's not entirely your fault for different reasons, such as not getting proper funding. This will have to be a conversation for a later time. At the moment, it's time to make a decision: Pay the ransom, rebuild the systems or file a report.

Reporting requires the involvement of senior management and the company legal team. If you work for a government entity or public company, then you might have very specific guidelines that you must follow for legal reasons. If you work for a private company, then you still have possible legal issues with your customers about what you can and cannot disclose. No matter what you say, it will not be taken well. You want to be honest with your customers, but you also need to be mindful and limit how much data you share publicly.

The other aspect to reporting involves the authorities. Your organization might not even have been the intended target if you were hit by an older ransomware variant. If that's the case, it's possible there might be a decryption tool. It's a long shot, but something worth check before you rebuild from scratch.

While distasteful, paying the ransomware is also an option. You need to consider how much will it cost to rebuild and recover versus handing over the ransom. It's not an easy call to make because a payment does not come with any guarantees.

Most companies that pay the ransom typically don't disclose that they paid or that they were even attacked. I suspect most organizations get their data unlocked, otherwise the ransomware business model would collapse.

The challenge with rebuilding is the effort involved. There are relatively few companies that have people who fully understand how every aspect of their environments work. Many IT infrastructures are the combined result of in-house experts and outside consultants. People install systems and take that knowledge with them when they leave. Their replacements learn how to keep these systems online, but that is very different from installing or building them from scratch. Repairing Active Directory is a challenge, but to rebuild an Active Directory with thousands of users and groups with permissions from documentation -- with any luck -- is next to impossible unless you have a lot of time and expertise.

Recovering from a ransomware attack is not an easy task, because not every situation is identical. If your defenses and backup recovery fail, the reconstruction effort will not be easy or cheap. You will either have to pay the ransom or spend money in overtime and consultants to rebuild mission-critical systems. Chances are your customers will find out what is happening during this recovery process, so you'll have to have a communication plan and a single point of contact for the sake of consistency.

Ransomware isn't something just for the IT department to handle; the decisions and the road to recovery will involve several stakeholders and real costs. Plan ahead and map out your steps to avoid rushing into bad choices that can't be reversed.

Next Steps

How to stop ransomware: 4 steps to ransomware containment

Dissect open source ransomware code to understand an attack

Dig Deeper on Windows Server OS and management

Cloud Computing
Enterprise Desktop
Virtual Desktop
Close