3 Reasons Ransomware Mitigation is Harder Than You Think

High-profile ransomware attacks made headlines again last month as Garmin and Canon both suffered significant outages. Garmin’s in particular appeared to take down the majority of their public-facing systems, from the Garmin Connect app to critical aeronautical navigation services.

The media claims Garmin ended up paying a hefty multimillion-dollar ransom to unlock their infrastructure. A fine prize for the alleged perpetrators, “Evil Corp,” who supposedly used a variant known as WastedLocker to lockdown Garmin’s apps and services.

How could an organization with the resources and talent of Garmin face a multiday outage under intense scrutiny? While dodging ransomware may seem as simple as restoring a backup, in practice a large-scale attack is a major mitigation undertaking. Here are three reasons why it can take days or even weeks to recover even if you give in and pay the ransom.

You Have to Involve Internal Stakeholders and External Specialists

For enterprise organizations, there are many legal ramifications and insurance hoops to jump through. At a scale like the Garmin attack, a specialized consultant is often hired – sometimes even a ransomware specialist in addition to a third-party infosec firm. Lawyers and insurance agents must be notified. Executives and the board of directors must be briefed and the initial decision to either attempt a recovery or pay the ransom is made.

The security teams will have to spend some time on forensics, gathering as much information as possible to discover how the attack succeeded, the breadth and depth of the attack on various systems, and to begin installing new antivirus, antimalware, and monitoring tools. These steps must be taken before any other action to ensure the attackers are no longer within the network perimeter and any further mitigation can proceed without interference.

Paying the Ransom Isn’t a Silver Bullet

Paying the ransom doesn’t mean you are instantaneously restored to normal operations.

Every single password has to be reset and domain controls preferably rebuilt from scratch, as every account must be considered compromised and your AD servers themselves are likely locked down. You can’t use any compromised or locked-out admin workstations or servers to accomplish this, so those servers must be reimaged or redeployed from scratch.

It can take quite some time to decrypt each system. You can’t count on the decryption program to work correctly or to automatically remove the ransomware from every machine.

These steps seem relatively straightforward to accomplish when you’re dealing with small datasets or a handful of infected servers. Once you reach scales in the terabytes and thousands of VMs, things get dicier. Every infected file and infrastructure component should be inventoried, probably using a custom script.

Once you have a catalog with the full scope of the infection, you can use the provided decryption keys to go through one-by-one, disinfecting, testing, cleaning up, and securing the system.

Your Backups Must Be Pristine

Of course there are many who don’t wish to bow down to ransom demands and will attempt to restore systems from offline backups. It should be an offline backup or at least an air-gapped recovery environment, as anything actively networked to your primary systems is likely now infected.

This type of backup is probably a bit older and will require significant effort to reinstall and reconfigure. Datasets may be incomplete, requiring a manual inventory process. If you don’t have VM-based image backups, a file-level agent restore can take many days to work through. Even with images, you will need to test and potentially reinstall software. On older backups, that software might need to be updated and patched as well, which opens another can of worms in terms of service agreements, installers, and account access to obtain the software itself.

‍

Now we can see why a sprawling organization such as Garmin was forced to deal with a days-long outage of public-facing infrastructure. It can be an expensive proposition, but mission-critical services should be backed up via VM snapshots on a regular basis and kept on a highly-secure storage system with very limited access. Be certain to keep up with patching and monitoring on this storage system as well. While you won’t be ransomware proofed, your recovery in case of an attack will at least be relatively smooth.