Many organizations feel that being prepared for a ransomware attack is futile. This couldn’t be further from the truth as told by BleepingComputer. Their article about the REvil ransomware attack on Kaseya VSA customers mentioned that many victims refused to pay the ransom. The reason: Backups!
Trying to prevent a breach can be difficult but having backups can save your business from having to make a huge ransomware payment to cybercriminals. Most ransomware criminals will also employ a double ransomware attack, where they don’t just encrypt data, but also delete the backups and steal data. In this case, the cybercriminals didn’t do that: "In the Kaseya attack, they opted to try and impact EVERY Kaseya client by targeting the software vs. direct ingress to an MSP's network. By going for such a broad impact, they appear to have sacrificed the step of encrypting/wiping backups at the MSP control level," said Bill Siegel, CEO of ransomware negotiation firm Coveware. It seems that most of the victims and MSPs affected that had backups will be able to restore their networks without paying.
While there is still a cost associated with the downtime that comes from investigating the attack and waiting for a patch, it took 10 days for Kaseya to release the VSA On-premise patch, this shows that having backups can be an effective way to save having to make a ransomware payment. If you have been breached, here are 5 steps that you can take to avoid a payout:
- Isolate and shutdown critical systems
Your first priority should be to stop the ransomware infection from spreading throughout your network. Turn off all mission-critical systems and isolate the infected ones from the "healthy" ones to contain the spread. The better you contain the infection, the easier it will be to recover.
- Enact your business continuity plan
Every business needs to have a business continuity plan. A business continuity plan and disaster recovery plan are essential to maintaining business operations. A business continuity plan outlines what each department in your organization must do to keep the business running during a disaster. In the event of a cyberattack, a continuity plan will guide how to continue operating while systems are down and are being recovered. As part of the disaster recovery plan, the method for restoring critical data and software will be outlined. Some companies also have a separate breach readiness or incident response plan. Business continuity plans are crucial for speeding up the recovery process.
- Report the cyber attack
It is common for companies to pay a ransom to hide a breach from the public eye. While you may not want the bad press associated with a ransomware attack, the breach must be reported to customers, stakeholders, and law enforcement. Not reporting a breach is against the law in some cases. Several regulations require breach disclosure, including GDPR and PIPEDA. A loss of trust can also result from failing to notify customers and stakeholders.
- Remediate, patch, and monitor
This is a very critical step. Businesses must ensure that the infection has been fully remediated and does not lurk in their systems. All systems should be patched at this time and monitored for any suspicious activity, as a threat actor may still have access to your systems. If this step is not followed, ransomware can strike again.
- Restore from backups
After removing the ransomware infection, you can begin restoring your systems from backups. Before restoring, make sure your backups have not been infected or corrupted.