Transcript
Page 1: How to recover from ransomware

How to recover from ransomware

2:00pm

29th September 2016

Page 2: How to recover from ransomware

www.databarracks.com | 2

INTRO & AGENDA

Duration: 30 mins

(including Q&A)

Type questions on the right

• What it is and how it works – How ransomware works and why it is breaching organisational defences.

• Prevention & mitigation – Methods – The incident and crisis management & escalation process

• Recovery – A step-by-step guide to recovery

*Slides will be made available and sent out following this session

Page 3: How to recover from ransomware

THE BCPCAST

http://www.thebcpcast.com/

Page 4: How to recover from ransomware

WHAT IS RANSOMWARE AND HOW DOES IT WORK?

Page 5: How to recover from ransomware

FACTS TO NOTE

• The encryption is, to all intents, unbreakable, so backup data copies are the only guarantee to limit data loss

• There is a deadline for payment – which forces action: recovery or payment

Page 6: How to recover from ransomware

WHO IS BEING TARGETED AND WHY IS IT SO SUCCESSFUL?

Who? Why?

Page 7: How to recover from ransomware

HOW DOES RANSOMWARE WORK - BACKGROUND

Page 8: How to recover from ransomware

HOW DOES RANSOMWARE WORK - BACKGROUND

1. Installation

2. Contact with command and control

3. Search

4. Encryption

5. Ransom

Page 9: How to recover from ransomware

INCIDENT RESPONSE AND CRISIS MANAGEMENT ESCALATION

Preparation – Identification – Containment – Eradication – Recovery – Lessons learned

• Preparation – Creating a written policy and defining severity

• Identification – Identifying whether something is, or is not, an incident

• Containment – The steps to limit the spread of ransomware

• Eradication – Restoration of clean data from before the incident

• Recovery – Bringing the recovered systems back online

• Lessons learned – How do we improve?

Page 10: How to recover from ransomware

HOW TO RECOVER

Backup vs Disaster recovery

Page 11: How to recover from ransomware

HOW TO RECOVER

Improving the Recovery Point Objective

• Increase the frequency of backups

• Review (and extend) retention policies

Improving the Recovery Time Objective

• Optimise connection speed between target and recovery environment (general)

• Improve speed of finding most recent clean backup

Page 12: How to recover from ransomware

THE INCIDENT RESPONSE PLAN: STEP-BY-STEP RECOVERY

Preparation – Identification – Containment – Eradication – Recovery – Lessons learned

• Identification – IT is notified and confirms ransomware infection

• Containment – Isolate the infected share / drive / server

• Eradication – Find the time of infection and test the first backup

• Recovery – Bring share / drive / server online. Test again, be vigilant

• Lessons learned – Review how infection occurred, data loss and time to recover
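The Identification, Containment and Eradication steps of the plan above, worked through as an added example (this is not code from the Databarracks deck or its service). It runs over a constructed file-server listing: the share names, the ransom-note filename, the ".locked" extension, the timestamps and the hourly backup schedule are all invented for illustration. The idea is that the first encrypted file's modification time approximates when encryption started, which tells you both which shares to isolate and which backup to test first.

```python
"""Added example (not from the Databarracks deck): the Identification,
Containment and Eradication steps of the step-by-step recovery plan,
run over a constructed file-server listing.

Everything here is constructed for illustration: the share names, the
ransom-note filename, the '.locked' extension, the timestamps and the
backup schedule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicators of a hypothetical ransomware family.
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
ENCRYPTED_EXT = ".locked"

# Constructed listing as a file-server audit might report it: (share, path, mtime).
LISTING = [
    ("finance",     "q3/budget.xlsx",             datetime(2016, 9, 29, 9, 12)),   # original, untouched
    ("finance",     "q3/budget.xlsx.locked",      datetime(2016, 9, 29, 11, 41)),
    ("finance",     "q3/forecast.xlsx.locked",    datetime(2016, 9, 29, 11, 42)),
    ("finance",     "HOW_TO_DECRYPT.txt",         datetime(2016, 9, 29, 11, 43)),
    ("hr",          "policies/leave.docx.locked", datetime(2016, 9, 29, 11, 47)),
    ("hr",          "HOW_TO_DECRYPT.txt",         datetime(2016, 9, 29, 11, 48)),
    ("engineering", "specs/widget.pdf",           datetime(2016, 9, 28, 16, 5)),   # clean share
]

# Constructed backup schedule: hourly backups on the day of the incident (06:00 to 12:00).
BACKUPS = [datetime(2016, 9, 29, hour, 0) for hour in range(6, 13)]


def affected_shares(listing):
    """Identification / Containment: shares holding encrypted files or a ransom
    note, mapped to the number of encrypted files seen. These are the shares
    to isolate first."""
    counts = defaultdict(int)
    for share, path, _ in listing:
        if path.endswith(ENCRYPTED_EXT):
            counts[share] += 1
        elif path.rsplit("/", 1)[-1] == RANSOM_NOTE:
            counts.setdefault(share, 0)
    return dict(counts)


def estimate_infection_time(listing):
    """Eradication, part 1: the earliest mtime among encrypted files
    approximates when encryption started. Returns None if nothing is encrypted."""
    times = [mtime for _, path, mtime in listing if path.endswith(ENCRYPTED_EXT)]
    return min(times) if times else None


def select_backup(backups, infection_time, margin=timedelta(minutes=15)):
    """Eradication, part 2: the most recent backup completed before the
    infection, less a margin for clock skew and writes still in progress.
    This is the first backup to test; None means no backup predates the infection."""
    cutoff = infection_time - margin
    candidates = [b for b in backups if b <= cutoff]
    return max(candidates) if candidates else None


def recovery_plan(listing, backups):
    """Tie the steps together into the facts the incident lead needs."""
    infection_time = estimate_infection_time(listing)
    return {
        "isolate": sorted(affected_shares(listing)),
        "infection_time": infection_time,
        "first_backup_to_test": select_backup(backups, infection_time) if infection_time else None,
    }


if __name__ == "__main__":
    for key, value in recovery_plan(LISTING, BACKUPS).items():
        print(f"{key}: {value}")
```

The 15-minute margin is a deliberate choice: a backup that was still running when encryption began may already contain encrypted files, so the candidate is pushed one step further back and then verified (the "test the first backup" step) rather than trusted on timestamp alone.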

Page 13: How to recover from ransomware

CYBER-DRaaS

1. Replication

2. Automated recovery

3. Detection

4. Reporting

5. Recursive scanning

Page 14: How to recover from ransomware

HOW IT WORKS – STEP 1

Replication of servers to the disaster recovery service provider

Page 15: How to recover from ransomware

HOW IT WORKS – STEP 2

Automated failover

Page 16: How to recover from ransomware

HOW IT WORKS – STEP 3

Automated malware scan

Page 17: How to recover from ransomware

HOW IT WORKS – STEP 4

Report status

Page 18: How to recover from ransomware

RECURSIVE SCANNING – FASTEST TIME TO FIND MALWARE INSERTION
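The deck does not show how its recursive scanning is implemented, so the following is an added example of the general idea behind this slide and the "improve speed of finding most recent clean backup" bullet on the HOW TO RECOVER slide, not Databarracks' own code. It assumes that once a share is encrypted every later snapshot is also affected, so snapshots ordered oldest to newest form a run of clean copies followed by a run of infected ones; a binary search over them then finds the newest clean copy with roughly log2(n) scans instead of scanning every snapshot newest-first. The snapshot contents, the ransom-note filename and the ".locked" extension are constructed.

```python
"""Added example (not from the Databarracks deck): recursive scanning of
backup snapshots to find the most recent clean copy with the fewest scans.

Assumption: once ransomware has encrypted a share, every later snapshot is
also affected, so the snapshots form clean...clean, infected...infected and
a binary search over them needs about log2(n) scans instead of n.
Snapshot contents, the ransom-note name and the extension are constructed."""

RANSOM_NOTE = "HOW_TO_DECRYPT.txt"   # constructed indicator
ENCRYPTED_EXT = ".locked"            # constructed indicator


def looks_infected(snapshot):
    """Cheap per-snapshot scan: a ransom note, or more than 10% of files carrying
    the encrypted extension, marks the snapshot as unsafe to restore from."""
    files = snapshot["files"]
    if any(f.rsplit("/", 1)[-1] == RANSOM_NOTE for f in files):
        return True
    encrypted = sum(1 for f in files if f.endswith(ENCRYPTED_EXT))
    return bool(files) and encrypted / len(files) > 0.10


def find_last_clean(snapshots, scan):
    """Binary search for the newest snapshot that scan() reports as clean.
    snapshots are ordered oldest -> newest. Returns (index, scans_performed);
    index is None when even the oldest snapshot is infected."""
    lo, hi = 0, len(snapshots) - 1   # current search window
    last_clean = None
    scans = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        scans += 1
        if scan(snapshots[mid]):
            hi = mid - 1             # infected: the boundary lies in older snapshots
        else:
            last_clean = mid         # clean: look for a newer clean snapshot
            lo = mid + 1
    return last_clean, scans


def find_last_clean_linear(snapshots, scan):
    """Newest-first linear scan, for comparison: every infected snapshot is
    scanned before the first clean one is reached."""
    scans = 0
    for i in range(len(snapshots) - 1, -1, -1):
        scans += 1
        if not scan(snapshots[i]):
            return i, scans
    return None, scans


def make_snapshots(n=16, first_infected=11):
    """Constructed hourly snapshots of a share: clean up to first_infected,
    then every file encrypted plus a ransom note."""
    snaps = []
    for i in range(n):
        if i < first_infected:
            files = [f"q3/report{j}.xlsx" for j in range(20)]
        else:
            files = [f"q3/report{j}.xlsx{ENCRYPTED_EXT}" for j in range(20)] + [RANSOM_NOTE]
        snaps.append({"label": f"snapshot-{i:02d}", "files": files})
    return snaps


SNAPSHOTS = make_snapshots()

if __name__ == "__main__":
    idx, n_bin = find_last_clean(SNAPSHOTS, looks_infected)
    _, n_lin = find_last_clean_linear(SNAPSHOTS, looks_infected)
    print(f"restore from {SNAPSHOTS[idx]['label']}: {n_bin} scans (binary) vs {n_lin} (linear)")
```

With 16 snapshots and infection starting at the twelfth, the binary search settles on snapshot-10 after 4 scans where the newest-first linear scan needs 6; the gap widens as retention grows, which is why a longer retention policy (the RPO bullet on the HOW TO RECOVER slide) does not have to mean a slower search for the last clean copy. If the monotonic assumption does not hold for a given share, fall back to the linear scan, which makes no such assumption.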

Page 19: How to recover from ransomware

HOW TO TEST?

Tutorial SAN Failure Cyber-Attack

http://www.databarracks.com/resources/tools/

Page 20: How to recover from ransomware

IF YOU REMEMBER NOTHING ELSE!

1. Have a specific incident response plan for ransomware

2. Review backup schedules and retention policies

3. The only way to guarantee that you don't lose your data is with historic copies of your data in backup or DR

Page 21: How to recover from ransomware

RESOURCES

• The Business Continuity Podcast – http://www.thebcpcast.com/

• Tabletop testing simulator – https://tools.databarracks.com/dr-tabletop-simulation/index.html

• History of ransomware – https://heimdalsecurity.com/blog/what-is-ransomware-protection/

• Ransomware definitions – http://www.trendmicro.com/vinfo/us/security/definition/ransomware

• SANS Institute, Incident Handler's Handbook – https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

• CryptoLocker DGA – https://blog.fortinet.com/2014/01/16/a-closer-look-at-cryptolocker-s-dga

Page 22: How to recover from ransomware

QUESTIONS?
