We're Hiring!
Take the next step in your career and work on diverse technology projects with cross-functional teams.
LEARN MORE
Mountain West Farm Bureau Insurance
office workers empowered by business technology solutions
BLOG
8
20
2020
3.1.2023

3 Reasons Ransomware Mitigation is Harder Than You Think

Last updated:
10.12.2020
3.1.2023

High-profile ransomware attacks made headlines again last month as Garmin and Canon both suffered significant outages. Garmin’s in particular appeared to take down the majority of their public-facing systems, from the Garmin Connect app to critical aeronautical navigation services.

The media claims Garmin ended up paying a hefty multimillion-dollar ransom to unlock their infrastructure. A fine prize for the alleged perpetrators, “Evil Corp,” who supposedly used a variant known as WastedLocker to lockdown Garmin’s apps and services.

How could an organization with the resources and talent of Garmin face a multiday outage under intense scrutiny? While dodging ransomware may seem as simple as restoring a backup, in practice a large-scale attack is a major mitigation undertaking. Here are three reasons why it can take days or even weeks to recover even if you give in and pay the ransom.

You Have to Involve Internal Stakeholders and External Specialists

For enterprise organizations, there are many legal ramifications and insurance hoops to jump through. At a scale like the Garmin attack, a specialized consultant is often hired – sometimes even a ransomware specialist in addition to a third-party infosec firm. Lawyers and insurance agents must be notified. Executives and the board of directors must be briefed and the initial decision to either attempt a recovery or pay the ransom is made.

The security teams will have to spend some time on forensics, gathering as much information as possible to discover how the attack succeeded, the breadth and depth of the attack on various systems, and to begin installing new antivirus, antimalware, and monitoring tools. These steps must be taken before any other action to ensure the attackers are no longer within the network perimeter and any further mitigation can proceed without interference.

Paying the Ransom Isn’t a Silver Bullet

Paying the ransom doesn’t mean you are instantaneously restored to normal operations.

Every single password has to be reset and domain controls preferably rebuilt from scratch, as every account must be considered compromised and your AD servers themselves are likely locked down. You can’t use any compromised or locked-out admin workstations or servers to accomplish this, so those servers must be reimaged or redeployed from scratch.

It can take quite some time to decrypt each system. You can’t count on the decryption program to work correctly or to automatically remove the ransomware from every machine.

These steps seem relatively straightforward to accomplish when you’re dealing with small datasets or a handful of infected servers. Once you reach scales in the terabytes and thousands of VMs, things get dicier. Every infected file and infrastructure component should be inventoried, probably using a custom script.

Once you have a catalog with the full scope of the infection, you can use the provided decryption keys to go through one-by-one, disinfecting, testing, cleaning up, and securing the system.

Your Backups Must Be Pristine

Of course there are many who don’t wish to bow down to ransom demands and will attempt to restore systems from offline backups. It should be an offline backup or at least an air-gapped recovery environment, as anything actively networked to your primary systems is likely now infected.

This type of backup is probably a bit older and will require significant effort to reinstall and reconfigure. Datasets may be incomplete, requiring a manual inventory process. If you don’t have VM-based image backups, a file-level agent restore can take many days to work through. Even with images, you will need to test and potentially reinstall software. On older backups, that software might need to be updated and patched as well, which opens another can of worms in terms of service agreements, installers, and account access to obtain the software itself.

Now we can see why a sprawling organization such as Garmin was forced to deal with a days-long outage of public-facing infrastructure. It can be an expensive proposition, but mission-critical services should be backed up via VM snapshots on a regular basis and kept on a highly-secure storage system with very limited access. Be certain to keep up with patching and monitoring on this storage system as well. While you won’t be ransomware proofed, your recovery in case of an attack will at least be relatively smooth.

Recent Blog Posts

lunavi logo alternate white and yellow
9.8.2023
June
.
29
.
2023
FinOps: The Secret Key to Cloud Cost Control?

The term 'FinOps' is being heard more frequently as organizations seek to optimize their cloud endeavors. As controlling cloud spend is typically at the top of the list for refinement, let's explore how FinOps isn't just a new buzzword in the tech community.

Learn more
lunavi logo alternate white and yellow
9.8.2023
06
.
20
.
2023
Navigating What’s Next with Top Announcements from Microsoft Build

Microsoft announced major developments at its premiere event of the year, Microsoft Build. Author and Lunavi Solution Consultant, Alec Harrison was there in-person to gain first-hand insight on these announcements and what they could mean for not only the future of Lunavi, but for you and your organization!

Learn more
lunavi logo alternate white and yellow
5.23.2023
04
.
26
.
2023
Using Azure AI and Logic Apps to Reverse Engineer SMS Search Engines

There used to be entire companies providing SMS answering services. In 2006, one such company was valued at $6 million. Come along as we build the same system in Azure, almost for free, in 2 hours or less!

Learn more