How to recover from ransomware

Posted on 15-Apr-2017


TRANSCRIPT

  • How to recover from ransomware

    2:00pm, 29th September 2016

  • www.databarracks.com | 2

    INTRO & AGENDA

    Duration: 30 mins (including Q&A)

    Type questions on the right

    What it is and how it works: how ransomware works and why it is breaching organisational defences.

    Prevention & mitigation methods: the incident and crisis management & escalation process.

    Recovery: a step-by-step guide to recovery.

    *Slides will be made available and sent out following this session

  • www.databarracks.com | 3

    THE BCPCAST

    http://www.thebcpcast.com/

  • www.databarracks.com | 4

    WHAT IS RANSOMWARE AND HOW DOES IT WORK?

  • www.databarracks.com | 5

    FACTS TO NOTE

    The encryption is to all intents unbreakable, so backup data copies are the only guarantee to limit data loss.

    There is a deadline for payment, which forces action: recovery or payment.

  • www.databarracks.com | 6

    WHO IS BEING TARGETED AND WHY IS IT SO SUCCESSFUL?

    Who? Why?

  • www.databarracks.com | 7

    HOW DOES RANSOMWARE WORK - BACKGROUND

  • www.databarracks.com | 8

    HOW DOES RANSOMWARE WORK - BACKGROUND

    Installation → Contact with command and control → Search → Encryption → Ransom

  • www.databarracks.com | 9

    INCIDENT RESPONSE AND CRISIS MANAGEMENT ESCALATION

    Preparation: creating a written policy and defining severity

    Identification: identifying whether something is, or is not, an incident

    Containment: the steps to limit the spread of ransomware

    Eradication: restoration of clean data from before the incident

    Recovery: bringing the recovered systems back online

    Lessons learned: how do we improve?

  • www.databarracks.com | 10

    HOW TO RECOVER

    Backup vs Disaster recovery

  • www.databarracks.com | 11

    HOW TO RECOVER

    Improving the Recovery Point Objective:

    Increase the frequency of backups

    Review (and extend) retention policies

    Improving the Recovery Time Objective:

    Optimise connection speed between target and recovery environment (general)

    Improve speed of finding the most recent clean backup

  • www.databarracks.com | 12

    THE INCIDENT RESPONSE PLAN: STEP-BY-STEP RECOVERY

    Preparation / Identification / Containment / Eradication / Recovery / Lessons learned

    Identification: IT is notified and confirms ransomware infection

    Containment: isolate the infected share / drive / server

    Eradication: find the time of infection and test the first backup

    Recovery: bring the share / drive / server online. Test again, be vigilant

    Lessons learned: review how the infection occurred, data loss and time to recover

  • www.databarracks.com | 13

    CYBER-DRaaS

    1. Replication

    2. Automated recovery

    3. Detection

    4. Reporting

    5. Recursive scanning

  • www.databarracks.com | 14

    HOW IT WORKS - STEP 1: Replication of servers to the disaster recovery service provider

  • www.databarracks.com | 15

    HOW IT WORKS - STEP 2: Automated failover

  • www.databarracks.com | 16

    HOW IT WORKS - STEP 3: Automated malware scan

  • www.databarracks.com | 17

    HOW IT WORKS - STEP 4: Report status

  • www.databarracks.com | 18

    RECURSIVE SCANNING: FASTEST TIME TO FIND MALWARE INSERTION
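    The "recursive scanning" idea on this slide, and the "find the time of infection and test the first backup" step on slide 12, come down to one question: which restore point is the newest one that is still clean? The example below is an added illustration and is not Databarracks' code or part of the original deck. It models restore points as a time-ordered list of snapshots, compares a newest-to-oldest linear scan against a binary search over the timeline, and reports the resulting data-loss window. The Snapshot class, the build_timeline helper, the ".locked" file indicator and all dates are constructed for illustration; a real implementation would call the DR platform's malware scan in place of looks_infected.

```python
"""Locate the most recent clean backup with as few scans as possible.

Added example, not Databarracks' code. Snapshot layout, infection
indicator and timeline are constructed; real deployments would plug an
AV/EDR scan into the `scan` callback.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Snapshot:
    """One restore point: when it was taken and the files it contains."""
    taken_at: datetime
    files: Dict[str, bytes] = field(default_factory=dict)


Scanner = Callable[[Snapshot], bool]  # True means "this snapshot is infected"


def looks_infected(snap: Snapshot) -> bool:
    """Constructed indicator: encrypted files renamed to *.locked or a ransom note."""
    return any(name.endswith(".locked") or name == "HOW_TO_DECRYPT.txt"
               for name in snap.files)


def last_clean_linear(snaps: List[Snapshot], scan: Scanner) -> Tuple[Optional[int], int]:
    """Walk newest-to-oldest. Returns (index of last clean snapshot, scans used)."""
    scans = 0
    for i in range(len(snaps) - 1, -1, -1):
        scans += 1
        if not scan(snaps[i]):
            return i, scans
    return None, scans


def last_clean_recursive(snaps: List[Snapshot], scan: Scanner) -> Tuple[Optional[int], int]:
    """Binary search over the timeline. Returns (index of last clean snapshot, scans used).

    Assumes the verdict is monotone in time: once a snapshot is infected, every
    later snapshot is too. That holds for a single untreated infection; if an
    infection was cleaned and later re-introduced, fall back to the linear walk.
    """
    lo, hi = 0, len(snaps) - 1
    best: Optional[int] = None
    scans = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        scans += 1
        if scan(snaps[mid]):
            hi = mid - 1      # infected: the clean copy must be earlier
        else:
            best = mid        # clean: remember it and look for a newer one
            lo = mid + 1
    return best, scans


def data_loss_window(snaps: List[Snapshot], last_clean: Optional[int]) -> Optional[timedelta]:
    """Upper bound on lost data: gap between the last clean and first infected snapshot."""
    if last_clean is None or last_clean + 1 >= len(snaps):
        return None
    return snaps[last_clean + 1].taken_at - snaps[last_clean].taken_at


def build_timeline(days: int = 30, infected_from: int = 21) -> List[Snapshot]:
    """Constructed daily backups; snapshots from index `infected_from` onward are encrypted."""
    start = datetime(2016, 9, 1)
    timeline = []
    for day in range(days):
        if day < infected_from:
            files = {"report.docx": b"quarterly figures"}
        else:
            files = {"report.docx.locked": b"\x00ciphertext", "HOW_TO_DECRYPT.txt": b"pay"}
        timeline.append(Snapshot(start + timedelta(days=day), files))
    return timeline


if __name__ == "__main__":
    snaps = build_timeline()
    for name, finder in (("linear", last_clean_linear), ("recursive", last_clean_recursive)):
        idx, used = finder(snaps, looks_infected)
        print(f"{name}: last clean = {snaps[idx].taken_at:%Y-%m-%d} after {used} scans, "
              f"loss window <= {data_loss_window(snaps, idx)}")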

  • www.databarracks.com | 19www.databarracks.com | 19

    HOW TO TEST?

    Tutorial SAN Failure Cyber-Attack

    http://www.databarracks.com/resources/tools/

    http://www.databarracks.com/resources/tools/

  • www.databarracks.com | 20www.databarracks.com | 20

    IF YOU REMEMBER NOTHING ELSE!

    1. Have a specific incident response plan for

    ransomware

    2. Review backup schedules and retention policies

    3. The only way to guarantee that you dont lose your

    data is with historic copies of your data in backup or DR

  • www.databarracks.com | 21

    RESOURCES

    The Business Continuity Podcast

    http://www.thebcpcast.com/

    Tabletop testing simulator

    https://tools.databarracks.com/dr-

    tabletop-simulation/index.html

    History of ransomware https://heimdalsecurity.com/blog/what-is-

    ransomware-protection/

    Ransomware definitions http://www.trendmicro.com/vinfo/us/security/defini

    tion/ransomware

    SANS Institute, Incident Handler's Handbook https://www.sans.org/reading-

    room/whitepapers/incident/incident-handlers-handbook-33901

    CryptoLocker DGA https://blog.fortinet.com/2014/01/16/a-closer-

    look-at-cryptolocker-s-dga

    http://www.thebcpcast.com/https://tools.databarracks.com/dr-tabletop-simulation/index.htmlhttps://heimdalsecurity.com/blog/what-is-ransomware-protection/http://www.trendmicro.com/vinfo/us/security/definition/ransomwarehttps://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901https://blog.fortinet.com/2014/01/16/a-closer-look-at-cryptolocker-s-dga

  • QUESTIONS?