Ransomware Can be Stopped and Removed Through Disaster Recovery
Ransomware is now the single most prolific malware threat. Surveys suggest that around 50% of organizations have had a ransomware incident over the last year. Every week there seems to be a new product, or new routine within an existing product, specifically designed to mitigate against ransomware. But the basic advice remains: maintain good back-up/disaster recovery; and don’t pay the ransom unless you literally have no other option. Nevertheless, according to Osterman research, 40% of companies affected by ransomware actually pay the ransom.
The value in the back-up recommendation was illustrated in August when the Barnstable Police Department (PD) survived and recovered from ransomware without any recourse to ‘anti-ransomware’ software; and without paying any ransom. In this instance, the disaster recovery (DR) system used by the small town Police Department on Massachusetts’ Cape Cod was Reduxio.
Barnstable PD’s CIO, Craig Hurwitz, had deployed his DR system just two months earlier in July 2016. He told SecurityWeek that he had not been thinking about ransomware when the purchase decision was made.
“The enablement of our police force and management of our data is of the utmost importance when considering public safety. It is our mission to be proactive and having a solution in place that we were confident would protect our team and our town was an important and worthy investment this year,” said Paul MacDonald, chief of police, at Barnstable Police Department. The purpose was straightforward DR, not anti-ransomware.
Two months later, Barnstable PD was hit by ransomware.
“Along with death and taxes, one new certainty in life is getting hacked. No matter how sophisticated your security protocols are, there will always be intruders trying to access your organization’s data,” said Mike Grandinetti, chief marketing and corporate strategy office at Reduxio.
SecurityWeek has seen the support log transcripts following this incident. Hurwitz spoke to support at 14:05pm: “It seems that I have some ransomware running on one of my VM machines. Some files are becoming encrypted and I can no longer access them.” Support asked how urgent it was. Hurwitz replied, “This is very urgent, this is the Police, you know…”
‘Support’ was driving at the time. He pulled over to a Costco Gas Station, and everything was done from there. Hurwitz could tell from his logs the precise time at which the encryption started. He requested a systems ‘BackDating’ to just 2 minutes before the encryption commenced.
This was delivered in just 35 minutes from the initial request. A 14:40 log entry reads, “14:40pm Running the machine, Craig verified the ransomware is gone.”
The advantage of a DR approach to ransomware is that it is conceptually simple and actually works; and it doesn’t depend on any solution that isn’t already necessary. Ransomware tends to work very rapidly for fear of detection and removal before it can do its work. But even if it had lain dormant for a week or more, systems could be backdated very precisely to a clean moment immediately prior to its action.
At this moment Hurwitz doesn’t even know which ransomware variant is the culprit. He’s got it safely sandboxed for future investigation. For now he is happy that his priorities have been met: the ransomware was mitigated and eradicated with a maximum downtime of less than 40 minutes, and no more than 2 minutes of lost data.
Related Reading: Disaster Recovery – Confidence High, Experience Low