NCSAM Day 16: Ransomware Happens

Sometimes, despite our best efforts, ransomware will successfully invade our systems. The need for good backups should be well known by now, but here are a few recommendations:

  • Several organizations impacted by the likes of SAMSAM have opted to pay the ransom to recover their data, despite having good backups. This is apparently happening because the time and cost to restore all the impacted systems and data from backup are substantially higher than the cost of the ransom. I previously wrote about why it’s a bad idea to simply clean an infected or compromised system, and paying the ransom to get back to operations faster is basically doing just that. I argue that an organization that is tempted to pay the ransom in such a case probably did not properly assess the recovery time objective (RTO) and recovery point objective (RPO) that were needed when designing and implementing its recovery program.
  • Be aware that some “backup” schemes use real-time or near-real-time replication between systems in remote sites. Ransomware-encrypted files will be replicated to the backup location nearly instantaneously. Remember to make backups or take snapshots if you’re using such a recovery scheme.
  • This shouldn’t have to be said, but you (probably) don’t have a backup if you haven’t tested your backup. Test your backups.
  • Over time, we will likely see a shift to ransomware incorporating techniques that render backups useless, to help force ransom payment.
  • One of the insidious aspects of some ransomware like SAMSAM is that it can effectively take out all systems on a network. Consider your ability to initiate recovery if all of your administrators have locked-up workstations and your (ugh) SharePoint repository of recovery plans is encrypted.
  • I previously wrote a longer post on how to prevent ransomware infections.

