Don’t want to pay ransom gangs? Test your backups. – Krebs on security
Go through the comments on virtually any story about a ransomware attack and you will almost certainly come across the opinion that the victim organization could have avoided paying its extortionists if only they had had proper data backups. But the sad truth is that there are many non-obvious reasons that victims end up paying even when they’ve done almost everything right from a data backup perspective.
This story is not about what organizations do in response to cybercriminals who keep their data hostage, which has become a best practice among most of the major ransomware criminal groups today. Rather, this is why victims always pay for a key needed to decrypt their systems, even when they can afford to restore everything themselves from backups.
Experts say the main reason ransomware targets and / or their insurers are still paying when they already have reliable backups is because no one in the victim organization bothered to test in advance how long this data restoration process might take.
“In a lot of cases, companies have backups, but they’ve never tried to restore their network from backups before, so they have no idea how long it will take,” said Fabien Ousar, CTO at Emsisoft. “Suddenly the victim notices that she has a few petabytes of data to restore from the Internet, and she realizes that even with their fast connections, it will take three months to download all these backup files. Many IT teams never even do a bottom-to-top calculation of how long it would take them to restore from a data throughput perspective.
Wosar said the next most common scenario involves victims who have offsite encrypted backups of their data, but find that the digital key needed to decrypt their backups was stored on the same local file-sharing network that was encrypted. by ransomware.
The third most common obstacle preventing victim organizations from relying on their backups is that ransomware vendors also successfully corrupt the backups.
“It’s still pretty rare,” Wosar said. “It does happen, but it’s more the exception than the rule. Unfortunately, it’s still quite common to have backups in one form or another and one of these three reasons prevents them from being useful.
Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments for victims, said most companies that pay do not have properly configured backups, or have not tested their resilience or capacity to recover their backups from the ransomware scenario.
“It can be [that they] have 50 petabytes of backups… but it’s in a… facility 30 miles away.… And then they start [restoring over a copper wire from those remote backups] and it’s going really slow … and someone pulls out a calculator and realizes it’s gonna take 69 years [to restore what they need]”said Siegel Kim zetter, a veteran Wired journalist who recently launched a cybersecurity newsletter on Substack.
“Or there are a lot of software applications that you actually use to restore, and some of those applications are in your network. [that got] encrypted, ”Siegel continued. “So you’re like, ‘Oh great. We have backups, the data is there, but the application to perform the restore is encrypted. ‘ So there are all these little things that can trip you up that keep you from doing a restore when you’re not working out.
Wosar said all organizations need to both test their backups and develop a plan to prioritize critical system recovery needed to rebuild their network.
“In many cases, companies don’t even know their various network dependencies and therefore don’t know in what order to restore systems,” he said. “They don’t know ahead of time, ‘Hey, if we’re affected and everything goes down, it’s the services and systems that take priority for a backbone that we can rely on. “
Wosar said that it is essential for organizations to train their violation response plans in periodic tabletop exercises, and that it is in these exercises that companies can begin to refine their plans. For example, he said, if the organization has physical access to its remote backup datacenter, it might make more sense to develop processes to physically send backups to the restore location.
“Many victims are faced with having to rebuild their network in ways they did not anticipate. And it’s usually not the best time to make these kinds of plans. This is why tabletop exercises are incredibly important. We recommend that you create a complete playbook so that you know what you need to do to recover from a ransomware attack.