Penny Garbus, President, Soaring Eagle Consulting.

This statement does not mean that businesses are not buying ransomware insurance; rather, the insurance is not always enough, and many decide not to take the full set of precautions that would keep them from paying a ransom. Not making a decision is in itself a decision to self-insure.

First, I would like to explain what I mean by fully protecting against ransomware. Here is my list:

OBVIOUSLY DO THESE THINGS

  1. Firewalls in place
  2. Encrypt data at rest on disk and in transit, and encrypt PCI, HIPAA, password, GDPR-regulated and image data, etc., whether it resides in the database or in files.
  3. Use role-based access management and user activity tracking
  4. Track changes to application code and data, down to database schema changes
  5. Mask sensitive data
  6. Run phishing tests for your employees. Train, then validate the training.
  7. Run vulnerability scans
  8. Keep your software versions up to date and supported
  9. Test patches, then deploy them as soon as possible
  10. Teach all employees the importance of following NDAs and other privacy rules.
  11. BACK UP data, database schemas, application code, certificates and private keys, procedural documentation, the reports that are run, and procedures and code
  12. High availability or an always-on standby is excellent protection against some failure scenarios. For many ransomware attacks, however, by the time you notice the attack the replication has already copied the encrypted files to the secondary environment, so it is corrupted as well. HA is not a backup.
  13. Test disaster recovery until you get it right, then test again. Document DR, and train more than one team for each process.
  14. Run maintenance jobs on the server and database. Test backups by actually restoring them, and run DBCC CHECKDB (or the equivalent data-integrity check for your database) to ensure the data is clean.
  15. DOCUMENT EVERYTHING! (This is probably the step most often skipped.)

What is the best solution to resume operations after a ransomware attack?

First, silo as much as you can: separate systems so that the business can keep running when one of them is down, and so that you have more than one place from which to retrieve data.

Fully siloing all of your applications and data can be very pricey. For example, if you are running hundreds of gigabytes or terabytes of data, the expense of production, development and a secondary HA server is already substantial for any budget (perhaps you scale your QA environment to match production, then use QA as production while cleansing production; though if the environments are not siloed, you probably do not have that capability). Expecting to also maintain a siloed environment where backups are taken by a third party, paying for that storage and then shipping it to the siloed environment, creates costs that are astronomical for an event that may occur once every five years or never.

The cost is just too high.

But consider taking these steps to help you bring your environment back up after paying the ransom. Just so you know, I hate that some organizations feel they have to deal with this issue in this manner. But if that is your plan for defending yourself against an attack, develop a complete recovery plan anyway.

  1. Practice DR and document the process and who is responsible. Each process should have at least two people trained to do that job. Write every unique aspect down, and have another person test the documentation by redoing the steps exactly as stated in the document.
    1. Document server setup, application setup, domain, security and any API setup that you will need to redo when you restart the environment.
      1. You don't know what will be destroyed and what will come back intact.
      2. It NEVER COMES BACK 100%.
  2. Back up what you can: application code, reports, user access definitions, certificates and private keys, roles, user names, and passwords. (ENCRYPT THIS STUFF.)
    1. Store it outside the environment in a siloed area.
  3. Back up any data that is vital to your company's ability to run: inventory, billing, client data, or recent rather than historical data if that is what the budget allows.
    1. Don't forget to back up individual devices, or have policies and procedures that require current work to be saved to file server areas. I had a friend who ran a large architecture firm; they were attacked and it spread through every device. The worst part was getting the current project files back, because they didn't have a policy for protecting current work.
  4. Always run a malware scan afterwards; sometimes when you are attacked, spyware is left behind.
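As an added example (this is not the author's tooling, nor code from the article), the following Python script shows three of the points above in working form: a backup set with a keyed (HMAC) manifest so that a set altered after it was taken fails its restore test, a scripted restore test of the kind item 14 of the first list calls for, and a mass-change check that flags a backup taken after ransomware has already rewritten the source, which is the same failure the HA standby suffers. All sample files are constructed inline, and the HMAC key stands in for a secret kept in the siloed area rather than on the file server; that placement is an assumption of the example, not something the article specifies.

```python
"""Backup set with a keyed manifest, a scripted restore test, and a
mass-change check.  Added example, not the article author's tooling.
Sample files are constructed inline; the HMAC key stands in for a secret
kept outside the environment (an assumption of this example)."""
import hashlib
import hmac
import json
import os
import tarfile
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(src: Path, dest: Path, key: bytes) -> Path:
    """Tar every file under src into dest/backup.tar and write a manifest
    {relative path: sha256} plus an HMAC over it, so a set that was altered
    after it was taken fails verification at restore time."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    with tarfile.open(dest / "backup.tar", "w") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            manifest[rel] = _sha256(f.read_bytes())
            tar.add(str(f), arcname=rel)
    body = json.dumps(manifest, sort_keys=True).encode()
    (dest / "manifest.json").write_bytes(body)
    (dest / "manifest.hmac").write_text(hmac.new(key, body, "sha256").hexdigest())
    return dest


def load_manifest(dest: Path, key: bytes) -> dict:
    """Return the manifest, refusing it if its HMAC does not verify."""
    body = (dest / "manifest.json").read_bytes()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest((dest / "manifest.hmac").read_text(), expected):
        raise ValueError("manifest HMAC mismatch: backup set was altered")
    return json.loads(body)


def restore_test(dest: Path, key: bytes) -> list:
    """Extract the set into a scratch directory and hash every restored file.
    Returns the paths that are missing or differ from the manifest; an empty
    list means this set restores cleanly."""
    manifest = load_manifest(dest, key)
    bad = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(dest / "backup.tar") as tar:
            for m in tar.getmembers():  # refuse path traversal from a hostile archive
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    raise ValueError(f"unsafe member path: {m.name}")
            tar.extractall(scratch)
        for rel, digest in manifest.items():
            p = Path(scratch) / rel
            if not p.is_file() or _sha256(p.read_bytes()) != digest:
                bad.append(rel)
    return bad


def changed_fraction(previous: dict, current: dict) -> float:
    """Share of files in the previous manifest that changed or vanished.
    Ransomware rewrites nearly everything between two runs, so a value near
    1.0 on an ordinary day means the newer set is a faithful copy of data
    that was already encrypted, not a usable restore point."""
    if not previous:
        return 0.0
    changed = sum(1 for rel, h in previous.items() if current.get(rel) != h)
    return changed / len(previous)


def demo() -> dict:
    """Good backup, tampered backup, and a backup taken after ransomware ran."""
    key = os.urandom(32)  # assumption: in practice kept in the siloed area, not on the file server
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "fileserver"
        (src / "projects").mkdir(parents=True)
        (src / "projects" / "tower.dwg").write_bytes(b"constructed drawing data " * 50)
        (src / "billing.csv").write_text("client,amount\nacme,100\n")

        day1 = make_backup(src, root / "day1", key)
        day1_ok = restore_test(day1, key) == []

        # Alter one file inside the archive after the fact; the manifest still
        # verifies, so only an actual restore test catches the bad content.
        archive = day1 / "backup.tar"
        data = archive.read_bytes()
        i = data.index(b"client,amount")
        archive.write_bytes(data[:i] + b"X" + data[i + 1:])
        tampered = restore_test(day1, key)

        # Simulate ransomware: every source file rewritten and renamed, then
        # the scheduled backup runs before anyone notices.
        for f in [p for p in src.rglob("*") if p.is_file()]:
            f.write_bytes(os.urandom(f.stat().st_size))
            f.rename(f.with_suffix(f.suffix + ".locked"))
        day2 = make_backup(src, root / "day2", key)
        day2_restores = restore_test(day2, key) == []  # True: a faithful copy of garbage
        drift = changed_fraction(load_manifest(day1, key), load_manifest(day2, key))
    return {"day1_ok": day1_ok, "tampered": tampered,
            "day2_restores": day2_restores, "drift": drift}


if __name__ == "__main__":
    print(demo())
```

The day2 set passes its own restore test, which is exactly the trap the HA caveat warns about: integrity checks prove the backup matches what was on disk, not that what was on disk was still your data. The drift figure against the previous manifest is what tells you to reach for an older set, and it is only useful if that older set was stored somewhere the attacker could not reach.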

Good luck. I hope this article helps you prepare, and I hope that if you prepare you never need to use it to come back from an attack.