how to recover from ransomware
TRANSCRIPT
Page 1
How to recover from ransomware
2:00pm
29th September 2016
Page 2
www.databarracks.com | 2
INTRO & AGENDA
Duration: 30 mins
(including Q&A)
Type questions on the right
• What it is and how it works – how ransomware works and why it is breaching organisational defences
• Prevention & mitigation – methods; the incident and crisis management & escalation process
• Recovery – a step-by-step guide to recovery
*Slides will be made available and sent out following this session
Page 3
THE BCPCAST
http://www.thebcpcast.com/
Page 4
WHAT IS RANSOMWARE AND HOW DOES IT WORK?
Page 5
FACTS TO NOTE
• The encryption is, to all intents and purposes, unbreakable, so backup copies of the data are the only guarantee of limiting data loss
• There is a deadline for payment, which forces action: recovery or payment
Page 6
WHO IS BEING TARGETED AND WHY IS IT SO SUCCESSFUL?
Who? Why?
Page 7
HOW DOES RANSOMWARE WORK - BACKGROUND
Page 8
HOW DOES RANSOMWARE WORK - BACKGROUND
Installation → Contact with command and control → Search → Encryption → Ransom
Page 9
INCIDENT RESPONSE AND CRISIS MANAGEMENT ESCALATION
Preparation → Identification → Containment → Eradication → Recovery → Lessons learned
• Preparation – creating a written policy and defining severity
• Identification – identifying whether something is, or is not, an incident
• Containment – the steps to limit the spread of ransomware
• Eradication – restoration of clean data from before the incident
• Recovery – bringing the recovered systems back online
• Lessons learned – how do we improve?
Page 10
HOW TO RECOVER
Backup vs Disaster recovery
Page 11
HOW TO RECOVER
Improving the Recovery Point Objective
• Increase the frequency of backups
• Review (and extend) retention policies
Improving the Recovery Time Objective
• Optimise connection speed between target and recovery environment (general)
• Improve speed of finding the most recent clean backup
Page 12
THE INCIDENT RESPONSE PLAN: STEP-BY-STEP RECOVERY
Preparation → Identification → Containment → Eradication → Recovery → Lessons learned
• Identification – IT is notified and confirms the ransomware infection
• Containment – isolate the infected share / drive / server
• Eradication – find the time of infection and test the first backup taken before it
• Recovery – bring the share / drive / server online; test again, be vigilant
• Lessons learned – review how the infection occurred, the data loss and the time to recover
Page 13
CYBER-DRaaS
1. Replication
2. Automated recovery
3. Detection
4. Reporting
5. Recursive scanning
Page 14
HOW IT WORKS - STEP 1
Replication of servers to the disaster recovery service provider
Page 15
HOW IT WORKS - STEP 2
Automated failover
Page 16
HOW IT WORKS - STEP 3
Automated malware scan
Page 17
HOW IT WORKS - STEP 4
Report status
Page 18
RECURSIVE SCANNING – FASTEST TIME TO FIND MALWARE INSERTION
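The recursive scanning idea above (and the earlier point about improving the speed of finding the most recent clean backup) can be shown as a search over restore points. This is an added example, not code from the deck or from Databarracks' service: it assumes hourly snapshots of one share and a stand-in scanner, and it relies on the predicate being monotone (once the share is encrypted, every later snapshot is also dirty), so it halves the candidate range on each scan instead of scanning every snapshot newest-first.

```python
from datetime import datetime
from typing import Callable, List, Optional, Tuple

# Constructed sample: one restore point per hour, ordered oldest -> newest.
SNAPSHOTS: List[datetime] = [datetime(2016, 9, 28, h) for h in range(24)]
# Constructed: the moment encryption began on the share (hypothetical).
INFECTION_AT = datetime(2016, 9, 28, 15, 20)


def scan_is_clean(snapshot: datetime) -> bool:
    """Stand-in for the automated malware scan of a restored snapshot.
    Hypothetical: a real DR workflow would restore the point and run a scanner."""
    return snapshot < INFECTION_AT


def last_clean_snapshot(
    snapshots: List[datetime], is_clean: Callable[[datetime], bool]
) -> Tuple[Optional[datetime], int]:
    """Binary search for the newest clean restore point.

    Assumes snapshots are oldest-first and the clean/dirty boundary is a single
    cut (monotone). Returns (snapshot or None if all are dirty, scans performed).
    """
    lo, hi = 0, len(snapshots) - 1
    best: Optional[datetime] = None
    scans = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        scans += 1
        if is_clean(snapshots[mid]):
            best = snapshots[mid]   # clean: the answer is here or later
            lo = mid + 1
        else:
            hi = mid - 1            # dirty: insertion point is earlier
    return best, scans


def linear_last_clean(
    snapshots: List[datetime], is_clean: Callable[[datetime], bool]
) -> Tuple[Optional[datetime], int]:
    """Naive newest-first walk, for comparing the number of scans needed."""
    scans = 0
    for snap in reversed(snapshots):
        scans += 1
        if is_clean(snap):
            return snap, scans
    return None, scans
```

With the constructed data the binary search finds the 15:00 snapshot in 5 scans where the newest-first walk needs 9; the page's "test again, be vigilant" step still applies to the candidate it returns.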
Page 19
HOW TO TEST?
Tutorial / SAN Failure / Cyber-Attack
http://www.databarracks.com/resources/tools/
Page 20
IF YOU REMEMBER NOTHING ELSE!
1. Have a specific incident response plan for ransomware
2. Review backup schedules and retention policies
3. The only way to guarantee that you don't lose your data is with historic copies of your data in backup or DR
Page 21
RESOURCES
• The Business Continuity Podcast – http://www.thebcpcast.com/
• Tabletop testing simulator – https://tools.databarracks.com/dr-tabletop-simulation/index.html
• History of ransomware – https://heimdalsecurity.com/blog/what-is-ransomware-protection/
• Ransomware definitions – http://www.trendmicro.com/vinfo/us/security/definition/ransomware
• SANS Institute, Incident Handler's Handbook – https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• CryptoLocker DGA – https://blog.fortinet.com/2014/01/16/a-closer-look-at-cryptolocker-s-dga
Page 22
QUESTIONS?