Recovering from Third-Generation Ransomware Attack
Decision-makers need to understand the impacts of a third-generation ranwomware attack so that they can properly allocate budgets and set priorities for recovering from ransomware, including:
- Safeguards that can reduce the likelihood of an attack in the first place
- Measures that can mitigate the impact of one does occur
- Preparations to allow for rapid restoration if one does occur
The potential impact of a third-generation ransomware attack (see “3rd Generation Ransomware – Worst Cyber Threat Yet for DD Boards“) can be serious. Impacts can include lost productivity from extended (days to weeks) system downtime, costs to recover lost data, costs for both internal IT staff and outside expert help, and the potential cost for data breach notifications.
The best scenario is when the organization has a good backup and a good incident response/data recovery plan. Even in this scenario, recovery is not as simple as reconstructing the servers from the backup. This is because the ransomware and other hacker tools might be installed on dozens or hundreds of individual workstations across the network. Here is a simplified, typical recovery playbook:
- Place all servers, and have all users place their computers, in “hibernation” mode, which shuts the computers down while preserving the current state for forensic analysis.
- Activate the Incident Response Plan and/or Disaster Recovery Plans, which assembles an internal team. Staff will implement their “Emergency Mode Operations” plan so that they can function without usual critical resources, such as phone, email, and other systems.
- Notify various third parties, including any law enforcement and any cyber-insurance carrier. The cyber carrier will often have a panel of forensic consultants and other resources. Contact these third-party resources who will then join the team.
- With assistance of forensic consultants, gather evidence to determine the specific strain of ransomware. Based on the specific strain, a tailored recovery plan will be implemented.
- Using appropriate forensic procedures, retain evidence as may be advised by legal counsel and law enforcement.
- Based on priorities identified in the disaster recovery plan, restore servers and applications from backup, and remove ransomware, which may be included in the backup images.
- Identify workstations affected by the ransomware and restore any workstations that may be affected, typically by reinstalling as a fresh PC.
History has shown that this process can take days, weeks, or even months. The first impact is that staff productivity is affected and services to citizens may be slowed or delayed. A DD Board’s high-priority applications, such as Phone, Email, Gatekeeper, and Intellivue, will be brought back on-line first. Lower priority applications will take longer. It is very common for organizations to learn through this process the limitations and imperfections of their backup strategy. Some data may be permanently lost. Based on a determination by the County Prosecutor and/or other legal counsel, HIPAA data breach notification may be required.
Costs and other impacts include:
- Reduction and/or delays in services to individuals served, with lost staff productivity
- Delays in projects
- Significant expenses for forensic consulting and incident response costs, which could exceed $100,000 for a large Board and tens of thousands for a small Board
- Potential costs for notification of individuals when required by HIPAA Breach Notification rules
- Damage to reputation and loss of trust from citizens
While Eagle does not recommend paying ransom, when an organization does not have good backups, decision-makers often choose the decision to pay the ransom. This year, small local governments have paid ransoms in excess of $500,000.