3 Reasons Ransomware Mitigation is Harder Than You Think

High-profile ransomware attacks made headlines again last month as Garmin and Canon both suffered significant outages. Garmin's outage in particular appeared to take down the majority of its public-facing systems, from the Garmin Connect app to critical aeronautical navigation services.

Media reports claim Garmin ended up paying a hefty multimillion-dollar ransom to unlock its infrastructure. A fine prize for the alleged perpetrators, "Evil Corp," who reportedly used a variant known as WastedLocker to lock down Garmin's apps and services.

How could an organization with the resources and talent of Garmin face a multiday outage under intense scrutiny? While recovering from ransomware may seem as simple as restoring a backup, in practice a large-scale attack is a major mitigation undertaking. Here are three reasons why it can take days or even weeks to recover, even if you give in and pay the ransom.

You Have to Involve Internal Stakeholders and External Specialists

For enterprise organizations, there are many legal ramifications and insurance hoops to jump through. At a scale like the Garmin attack, a specialized consultant is often hired – sometimes a ransomware negotiator in addition to a third-party infosec firm. Legal counsel and the cyber insurance carrier must be notified; many policies require notification, and often carrier consent, before a response firm is engaged or any ransom is paid. Executives and the board of directors must be briefed, and only then is the initial decision made to either attempt a recovery or pay the ransom.

The security teams will have to spend some time on forensics: gathering as much evidence as possible to establish how the attackers got in, which systems and data were touched, and whether the attackers still have a way back in through stolen credentials, remote access tools, or persistence on hosts that were not encrypted. Forensic images of key systems should be captured before anything is wiped, since reimaging destroys the evidence you need to answer those questions. At the same time the team begins deploying endpoint detection, antimalware, and monitoring tooling it can trust. Containment and eradication must come before any recovery work; otherwise a freshly restored system can be re-encrypted by an attacker who still has a foothold in the network.

Paying the Ransom Isn’t a Silver Bullet

Paying the ransom doesn’t mean you are instantaneously restored to normal operations.

Every single password has to be reset and the domain controllers preferably rebuilt from scratch, as every account must be considered compromised and your AD servers themselves are likely encrypted. Resetting user passwords is not enough on its own: service account credentials, local administrator passwords, and the krbtgt account (reset twice, with replication in between, so that forged Kerberos tickets stop working) all have to be rotated, and the rebuilt domain must be restored from media that predates the initial intrusion rather than from a backup the attackers already had access to. You can't use any compromised or locked-out admin workstations or servers to accomplish this, so those machines must be reimaged or redeployed from scratch, and the recovery work driven from known-clean hosts.

It can take quite some time to decrypt each system, and attacker-supplied decryptors are frequently slow and poorly written. You can't count on the decryption program to work correctly on every file, so decrypted data has to be verified (by checksum where you have one, or at least by opening it), and you should assume the decryptor does nothing to remove the ransomware itself, its persistence mechanisms, or the tooling the attackers used to move laterally.

These steps seem relatively straightforward when you're dealing with small datasets or a handful of infected servers. Once you reach scales in the terabytes and thousands of VMs, things get dicier. Every encrypted file, ransom note, and affected infrastructure component should be inventoried, probably using a custom script, so that you know which hosts are encrypted, which are merely offline, and which were never touched.

Once you have a catalog with the full scope of the infection, you can use the provided decryption keys to go through one-by-one, disinfecting, testing, cleaning up, and securing the system.
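The inventory script the two paragraphs above call for, as an added example that is not code from the original post or from any incident response vendor. It walks a share, flags ransom notes by filename, flags encrypted files by the suffix the encryptor appended, and uses Shannon entropy to catch encrypted files that lost or never had a telltale suffix, while setting legitimately compressed formats aside for manual review rather than counting them as encrypted. The suffix and note-marker values, the entropy threshold, and the sample share it builds are all constructed for the walkthrough and must be replaced with what your own forensics turned up.

```python
import csv
import io
import math
import os
import tempfile
from collections import Counter

# Hypothetical values for this walkthrough: the suffix the encryptor appended
# and the ransom-note filename fragments seen on the affected hosts. Take the
# real ones from your own samples rather than from a generic list.
ENCRYPTED_SUFFIXES = (".locked",)
NOTE_MARKERS = ("how_to_decrypt", "decrypt_instructions")
# Formats that are legitimately close to random; flag these for review instead
# of declaring them encrypted on entropy alone.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted output sits near 8.0
SAMPLE_BYTES = 65536      # a 64 KiB prefix is enough to classify and keeps the scan fast


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> dict:
    """Label one file as ransom_note, encrypted, suspect, review or clean."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    with open(path, "rb") as fh:
        entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
    if any(marker in name for marker in NOTE_MARKERS):
        status = "ransom_note"
    elif name.endswith(ENCRYPTED_SUFFIXES):
        status = "encrypted"
    elif entropy >= ENTROPY_THRESHOLD and ext in COMPRESSED_EXT:
        status = "review"      # compressed data looks random too; check it by hand
    elif entropy >= ENTROPY_THRESHOLD:
        status = "suspect"     # random-looking bytes with no known suffix
    else:
        status = "clean"
    return {"path": path, "size": os.path.getsize(path),
            "entropy": round(entropy, 3), "status": status}


def build_inventory(root: str) -> list:
    """Walk `root` and classify every regular file; symlinks are skipped."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rows.append(classify_file(full))
    return rows


def inventory_to_csv(rows: list) -> str:
    """Render the catalog as CSV so per-host results can be merged and tracked."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["path", "size", "entropy", "status"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample share, not data from any real incident."""
    share = os.path.join(root, "finance")
    os.makedirs(share)
    random_looking = bytes(range(256)) * 32          # every byte value equally often: 8.0 bits
    samples = {
        "q2-report.txt": b"Quarterly revenue summary, prepared for the board.\n" * 200,
        "q3-report.xlsx.locked": random_looking,     # encryptor output with its suffix
        "budget.docx": random_looking,               # legitimately compressed format
        "hr.db": random_looking,                     # random-looking, no suffix: investigate
        "HOW_TO_DECRYPT.txt": b"Your files are encrypted. Contact ...\n",
    }
    for name, content in samples.items():
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(content)


def run_demo() -> dict:
    """Build the sample share, inventory it and return the catalog plus a status count."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rows = build_inventory(root)
    return {"rows": rows, "summary": dict(Counter(r["status"] for r in rows)),
            "csv": inventory_to_csv(rows)}


if __name__ == "__main__":
    print(run_demo()["csv"])
```

Run it once per host or share and merge the CSVs into the catalog that drives decryption and verification. The "suspect" and "review" buckets are the ones that need a human: a database file that reads as random is probably encrypted even though the encryptor skipped its rename, while an Office document that reads as random is usually just zipped XML.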

Your Backups Must Be Pristine

Of course there are many who don't wish to bow down to ransom demands and will attempt to restore systems from offline backups. It should be an offline backup, an immutable copy, or at least an air-gapped recovery environment, as anything reachable from your primary network with the same credentials is likely encrypted or deleted as well; ransomware operators commonly go after backup servers, snapshots, and shadow copies before they trigger the encryption.

This type of backup is probably a bit older and will require significant effort to reinstall and reconfigure. Datasets may be incomplete, requiring a manual inventory process. If you don’t have VM-based image backups, a file-level agent restore can take many days to work through. Even with images, you will need to test and potentially reinstall software. On older backups, that software might need to be updated and patched as well, which opens another can of worms in terms of service agreements, installers, and account access to obtain the software itself.

Now we can see why a sprawling organization such as Garmin was forced to deal with a days-long outage of public-facing infrastructure. It can be an expensive proposition, but mission-critical services should be backed up via VM snapshots on a regular basis and kept on a highly secure storage system with very limited access: separate credentials that are not tied to the production domain, immutable or write-once retention where the platform supports it, and periodic test restores so you learn that a backup is incomplete before you need it. Be certain to keep up with patching and monitoring on this storage system as well. While you won't be ransomware-proof, your recovery in case of an attack will at least be relatively smooth.
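One concrete way to know a backup is still pristine before you restore from it, added here as an example and not code from the original post or any backup product: hash every file in the backup store at backup time, sign the listing with an HMAC key that never lives on the backup host (the example assumes the key and the manifest are kept in a vault or similar store the backup system cannot write to), and verify both the signature and the hashes before a restore. The scenario it runs through, including the snapshot files, the key, and the simulated encryptor pass, is constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so multi-gigabyte images are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(backup_root: str) -> dict:
    """Map every file under the backup root (relative, '/'-separated) to its digest."""
    files = {}
    for dirpath, _, names in os.walk(backup_root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, backup_root).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    return files


def _mac(files: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding of the listing."""
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_root: str, key: bytes) -> dict:
    """Sign the listing with a key assumed to live off the backup host (vault or HSM);
    store the manifest alongside the key, never alongside the backups."""
    files = hash_tree(backup_root)
    return {"files": files, "mac": _mac(files, key)}


def verify_manifest(backup_root: str, manifest: dict, key: bytes) -> dict:
    """Compare the backup store against its manifest; restore only when ok is True."""
    report = {"ok": False, "reason": "", "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        report["reason"] = "manifest MAC mismatch"   # manifest altered, or wrong key
        return report
    recorded, on_disk = manifest["files"], hash_tree(backup_root)
    report["modified"] = sorted(p for p in recorded if p in on_disk and on_disk[p] != recorded[p])
    report["missing"] = sorted(p for p in recorded if p not in on_disk)
    report["unexpected"] = sorted(p for p in on_disk if p not in recorded)
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    report["reason"] = "" if report["ok"] else "backup contents differ from manifest"
    return report


def run_demo() -> dict:
    """Constructed scenario: a clean snapshot, then the same store after an encryptor ran over it."""
    key = b"demo-only-key-keep-the-real-one-off-the-backup-host"   # constructed, not a real secret
    with tempfile.TemporaryDirectory() as root:
        snap = os.path.join(root, "snapshots", "db-01")
        os.makedirs(snap)
        disk = os.path.join(snap, "disk0.vmdk")
        with open(disk, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed disk image payload")
        with open(os.path.join(snap, "db-01.vmx"), "w") as fh:
            fh.write('displayName = "db-01"\n')
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        # Ransomware reaches the share: the image is rewritten and a note is dropped.
        with open(disk, "wb") as fh:
            fh.write(b"ENCRYPTED")
        with open(os.path.join(snap, "HOW_TO_DECRYPT.txt"), "w") as fh:
            fh.write("Your backups are encrypted.\n")
        tampered = verify_manifest(root, manifest, key)
        # Rewriting the manifest to match the damaged store fails without the key.
        forged = {"files": hash_tree(root), "mac": manifest["mac"]}
        forged_result = verify_manifest(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hashes alone would catch a corrupted or encrypted image; the HMAC is what stops an attacker with write access to the backup share from simply regenerating the manifest to match. Both checks are only as good as the separation between the backup host and the place the key and manifest are kept, which is the same point the "very limited access" advice above is making.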