Resolving Ransomware Incidents

with Disaster Recovery as a Service, as well as other cybersecurity threats


A single ransomware attack can halt an organization: sophisticated encryption makes computer networks and files inaccessible. When IT departments and business leaders don’t act fast in this scenario, they risk losing critical data forever and suffering significant reputational damage if news of the breach leaks to the public. This leaves victims with an immediate decision: 1) pay the ransom to get the data back, or 2) replace the encrypted data with clean copies. Companies with no copies of their data must pay the attacker’s fee if they want to get out of the situation without data loss. The problem is that this only perpetuates the cycle of cybercrime, as it feeds the multi-billion-dollar ransomware industry. Worse, those who pay are more susceptible to future attacks, as word spreads within the cybercriminal community that they were willing to pay. Plus, paying the fee is no guarantee that you will actually receive the key to decrypt your data.


Unlike other forms of cybersecurity events such as malicious probing or malware infections, ransomware criminals aren’t primarily focused on information theft. In fact, they tend to have little interest in the data itself, so long as it’s sensitive and urgent enough to prompt payment from the victim. Attackers have become sophisticated in selecting lucrative targets, especially in industries with a reputation for legacy or inadequate infrastructure. When they notify these businesses, cybercriminals often assume that the IT department has no recent backups and will pay rather than lose data and valuable time. Industries with sensitive data are especially susceptible to ransomware attacks, and where there is sensitive information in file shares, databases and other business-critical applications, there may be compliance responsibilities and cascading liabilities as well. For example, the legal industry is subject to a code of conduct that requires firms to allocate their resources appropriately to manage risks and protect their clients’ assets. If a ransomware breach compromises client data that falls under such rules, law firms may need to pay regulatory fines as well.



"Customers and clients want to know that you're going to prevent unwarranted access to their sensitive information. So, if you end up in the news with a catastrophic ransomware attack, this will make them uneasy and significantly hinder their retention. Also, it should go without saying that fleeing customers will impact the acquisition of new ones."

– Jeff Ton, SVP of Product Development & Strategic Alliances at InterVision


The evolving threat landscape, for all cybersecurity events and not just ransomware, is bringing the IT roles for disaster recovery (DR) and cybersecurity together. Historically, these two groups covered their respective specialties and seldom worked together. But now, given that security professionals have long been known for quick incident response and DR professionals are committed to avoiding data loss, companies are recognizing the value both realms have in preserving overall business continuity. This means that company leadership is increasingly asking DR and security professionals to join forces for full IT resiliency, which means more than just working cooperatively. IT security requires a two-pronged approach to mitigate risk: an equal balance of preventative and restorative measures. Bridging these two focuses, threat detection is also a critical component, since it identifies when a breach has occurred.




Companies have long been using Disaster Recovery as a Service (DRaaS) to address downtime and data loss. But now that more companies are formally treating security incidents as disasters (and rightly so, given the similar impact on data loss, downtime and reputation), they are looking at DRaaS as a mitigation solution for cybersecurity as well.


In the case of ransomware, where every second is lost money, organizations need a DR strategy in place that can bring them back online within minutes to hours, not days. For organizations relying on backups alone, for instance, the days it will likely take to restore systems, and the complications that come with that, may make paying the ransom look preferable. DRaaS offers recovery points of seconds-to-minutes with a faster recovery time, pairing continuous data replication and backup-based replication for a full mitigation strategy. When a ransomware attack happens, you have more recovery options for locating the most recent clean copy of your data. Plus, depending on whether you have a fully-managed or assisted model of DRaaS, you may have access to a team of experts who will help mitigate the situation after a breach (ideal for overburdened IT teams when reaction time can make a huge impact).


Self-Service DRaaS

You get the tools to assemble your DR plan yourself

Assisted DRaaS

You get the tools to assemble your DR plan yourself with DRaaS experts available for advice and assistance


Managed DRaaS

DRaaS experts assemble your DR plan and manage all maintenance


With DRaaS, the focus is getting an entire workforce back to normal. Because of the complex business processes involved in a system restore, simply retrieving data is insufficient. For this reason, a company must not only have policies to retrieve and restore compromised data, but also alternative means for employees to access the recovered data and systems at the DR site. Most companies that run into problems during an event have not regularly tested connectivity scenarios for post-failover access.


Refer to your plan and contact your experts

First, initiate your incident response plan. Based upon the severity of the situation, this could include executing your DR plan as well (in which case, consult your DR runbook). Your incident response plan should dictate the following: notifying your leadership, public relations, malware outbreak team, cyber forensics experts (to lead an investigation), cybersecurity legal counsel and insurance provider, and, if data loss or extended downtime is a possibility, calling your DRaaS provider to be on high alert for failover.

Pause and make a decision

In most cases, it is best to pause all replication and/or backup solutions so that you can prevent the intrusion from spreading across all IT systems. You may want to keep a portion of your infected environment running to preserve evidence for a criminal investigation; if so, keep it isolated from the rest of the network. Don’t do anything in terms of recovery execution until you know the full extent of the damage, since restoring your IT systems with infected versions of your data will only waste time. Decide whether to do a full or partial failover, or to simply repair a single infected application. This is where a malware outbreak service can help: a third-party expert will quarantine the issue, scrub it and ensure you are in a position to recover the data without a recurrence. The service should also offer root cause analysis and recommendations based upon your unique circumstances.

Execute your recovery process

When your company is ready to proceed with the recovery of your IT systems, the goal is to locate the most recent clean copy of your applications and data. With cloud-based replication, you have several snapshots of data to look back at, all within seconds-to-minutes of each other, going back over a 12-hour period in most cases. If your replication solution doesn’t have a clean copy, then you should look to your cloud-based backups, which typically have a longer retention period. Keep in mind that, where the ransomware may have lain dormant before launching, it may be best to retrieve your backups and use the replication environment as a sandbox to identify and eliminate the infection before bringing systems back online.

If possible, stand up your IT systems in a separate offsite environment and run business operations out of this location until your cyber forensics experts have everything they need from the ransomware-infected production environment for the criminal investigation. Before returning all functions to your normal production site, test the new environment in its failed-over state first, to ensure everything has been resolved.
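The recovery-point selection described in these steps, as an added example that is not InterVision’s code: given a constructed inventory of replication snapshots (15 minutes apart over 12 hours) and daily backups (14 days of retention), it picks the newest point taken before the assumed compromise time, and shows how allowing for a dormancy period pushes the choice from the replication tier back to the backup tier. The timestamps, snapshot interval and retention values are assumptions.

```python
# Added example (not InterVision's code): newest recovery point before the assumed compromise.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class RecoveryPoint:
    taken_at: datetime
    tier: str   # "replication" (minutes apart, ~12 h window) or "backup" (long retention)
    name: str

def build_sample_points(now):
    """Constructed inventory: 15-minute replication snapshots over 12 hours plus
    daily 02:00 backups kept for 14 days (a real list comes from your DR tooling)."""
    points = []
    for i in range(49):                       # 12 h / 15 min, inclusive of "now"
        t = now - timedelta(minutes=15 * i)
        points.append(RecoveryPoint(t, "replication", f"repl-{t:%Y%m%d-%H%M}"))
    for d in range(14):
        t = (now - timedelta(days=d)).replace(hour=2, minute=0, second=0, microsecond=0)
        if t < now:                           # today's 02:00 backup may not have run yet
            points.append(RecoveryPoint(t, "backup", f"bkp-{t:%Y%m%d}"))
    return points

def select_recovery_point(points, first_observed, dormancy_margin=timedelta(0)):
    """Newest point taken strictly before (first_observed - dormancy_margin). Replication
    is tried first (points are closer together, so less data loss); backups are the
    fallback when the cutoff predates the replication window, e.g. dormant malware."""
    cutoff = first_observed - dormancy_margin
    for tier in ("replication", "backup"):
        candidates = [p for p in points if p.tier == tier and p.taken_at < cutoff]
        if candidates:
            return max(candidates, key=lambda p: p.taken_at)
    return None  # nothing predates the assumed compromise: retention is too short

def data_loss_window(point, first_observed):
    """Work done between the chosen point and the attack is what you lose."""
    return first_observed - point.taken_at

def run_example():
    """Constructed scenario: encryption first noticed at 09:30 on 2024-05-14."""
    now, first_observed = datetime(2024, 5, 14, 9, 45), datetime(2024, 5, 14, 9, 30)
    inventory = build_sample_points(now)
    quick = select_recovery_point(inventory, first_observed)
    dormant = select_recovery_point(inventory, first_observed, timedelta(days=2))
    return {
        "quick": (quick.name, data_loss_window(quick, first_observed).total_seconds()),
        "dormant": (dormant.name, data_loss_window(dormant, first_observed).total_seconds()),
        "exhausted": select_recovery_point(inventory, first_observed, timedelta(days=30)) is None,
    }
```

With no dormancy margin the 09:15 snapshot is chosen (15 minutes of data loss); assuming two days of dormancy forces a fall back to the 2024-05-12 backup, and a 30-day margin finds nothing, which is the case where retention, not recovery speed, is the limiting factor.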




  • Contact your experts. Notify the following: your cybersecurity legal counsel; cyber forensic experts or a malware outbreak service (MOS) team to lead an investigation; your DRaaS provider, to take action or be on high alert for failover; public relations.
  • Do not propagate issues into the recovery environment, to ensure you don't lose clean data.
  • Should you fail over the environment, or can you simply repair one application?
  • Find the most recent recovery point prior to the attack to reduce data loss. If possible, recover your environment at an offsite location to preserve the evidence in your production environment.


Keep in mind that no solution will truly prevent ransomware 100% of the time, given ever-increasing cybercriminal sophistication, so the ability to recover takes precedence. DRaaS offers an offsite location in which to recover a clean copy of your data, rather than restoring systems in your production site and risking lost forensic evidence. Plus, DRaaS allows for greater speed in locating the right copies of data and recovering them with minimized loss. From InterVision’s experience working with countless organizations, we’ve found:

  • Executive leadership tends to care more about time-to-recovery
  • IT managers tend to care more about data loss

This is just another reason to use DRaaS as part of your overall security incident response plan, since it addresses both priorities. The recovery point makes all the difference when ransomware strikes, and DRaaS can give you the most granularity and widest range of options (for example, you can roll back to a backup if the intrusion wasn’t caught fast enough). DRaaS functions as a mitigation strategy not just for ransomware, but for any security breach. A provider like InterVision will guide your company through how to formally consider security events “disasters” and treat them with the same urgent attention, so that you can fully integrate DR and cybersecurity practices into your company’s wider business continuity strategy.




Because of InterVision’s commitment to the success of your business no matter the event, we offer both assisted and fully-managed DRaaS models, so you can select the perfect level of involvement for your company’s existing resources and objectives. Our solutions are always tailored to match your unique security, complexity and compliance needs, since DR and cybersecurity are never one-size-fits-all, set-it-and-leave-it strategies.

In addition, we offer a specified ransomware solution and malware outbreak service within our NetDefend managed security suite. We secure, analyze and monitor your environment, then notify your team immediately if we discover unwarranted activity. If a breach should occur, we work in conjunction with your team to handle containment, root cause analysis and the other incident response tasks, so that you can focus on notifying your company leadership and stakeholders to protect your reputation. When paired with our DRaaS, these NetDefend security services can help to cover the entire spectrum of cybersecurity. Worried about personnel within your business inviting a breach by accident? We also offer IT staff and employee security awareness training on cybersecurity prevention best practices.

Unlike any other DRaaS provider, InterVision offers a Recovery Assurance™ program to all of our Managed DRaaS clients for complete confidence in the solutions you’ve purchased. Not only do you get a second pair of expert eyes with robust firewalls, patching and constant monitoring of your IT systems, you’ll also get the most comprehensive service level agreements (SLAs) in the industry for guaranteed responsiveness and recovery.

How a Strategic Service Provider Empowers Cybersecurity with DRaaS

  • Segmented networks in an offsite environment
  • Testing and documentation to make sure protection practices stay up-to-date
  • Ongoing monitoring and encryption
  • Team of experts for methodology, maintenance and recovery execution (ideal for overburdened IT teams) – different levels of managed services exist