By Ryan Francis
Jan. 3, 2017
Getting duped online by a cybercriminal is infuriating. You let your guard down for a minute and the thieves find their way into your machine.
And then the “fun” begins if ransomware is involved. Hopefully you have your data backed up, but if not, now starts the dance with those who have ultimately taken you hostage. Ransomware is obviously analogous to kidnapping, and dealing with the perpetrators can feel much like negotiating with a jumper standing on the edge of a high-rise roof.
Look no further for help than the Institute for Critical Infrastructure Technology report that in part describes how to deal with criminals when they are holding your data hostage. The report talks of what to do once a breach has been found.
ICIT says the proper response will depend on the risk appetite of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements.
Hopefully the information security team has already planned out a procedure to follow in the event of a ransomware attack. They should begin by notifying the authorities and applicable regulatory bodies. The plan identifies the organization’s recovery time objective (RTO) and recovery point objective (RPO) for data breaches. In the event that a backup exists, cyber-forensic evidence of the incident should be preserved and documented for/by law enforcement before the system is restored.
In the event that there are no redundancy systems or if the secondary systems are compromised, then the information security team can find and implement a vendor solution or decryption tool.
In many cases, files may be partially corrupted or incompletely decrypted. Even if a vendor solution is a simple executable, the victim cannot be certain that their system is not still compromised by inactive ransomware, backdoors, or other malware.
Another option is to attempt to recover the data. System backup and recovery are the only certain solutions to ransomware. If you have a backup system, then recovery is a simple matter of restoring the system to a save point. Otherwise, you could attempt to recover data through shadow copies or through a file recovery software tool; however, many ransomware variants delete shadow copies and some even detect file recovery software. Since many variants infect the registry, system restore from a save point may not be possible even if the recovery point remains unaffected.
If you don’t like those options, you can put your head in your hands and do nothing. In lieu of an information security team or vendor solution, options are limited to paying the ransom or accepting the loss of the system or data. If the system is backed up, and the backup remains reliable, then the victim can ignore the ransom demand and restore the system according to the backup. If there is no backup, but the ransom outweighs the cost of the system, then the victim may have to purchase a new device and dispose of the infected system with extreme prejudice.