Mountain West Farm Bureau Insurance
office workers empowered by business technology solutions
BLOG
8
20
2020
10.1.2021

3 Reasons Ransomware Mitigation is Harder Than You Think

Last updated:
10.12.2020
10.1.2021

High-profile ransomware attacks made headlines again last month as Garmin and Canon both suffered significant outages. Garmin’s in particular appeared to take down the majority of their public-facing systems, from the Garmin Connect app to critical aeronautical navigation services.

The media claims Garmin ended up paying a hefty multimillion-dollar ransom to unlock their infrastructure. A fine prize for the alleged perpetrators, “Evil Corp,” who supposedly used a variant known as WastedLocker to lockdown Garmin’s apps and services.

How could an organization with the resources and talent of Garmin face a multiday outage under intense scrutiny? While dodging ransomware may seem as simple as restoring a backup, in practice a large-scale attack is a major mitigation undertaking. Here are three reasons why it can take days or even weeks to recover even if you give in and pay the ransom.

You Have to Involve Internal Stakeholders and External Specialists

For enterprise organizations, there are many legal ramifications and insurance hoops to jump through. At a scale like the Garmin attack, a specialized consultant is often hired – sometimes even a ransomware specialist in addition to a third-party infosec firm. Lawyers and insurance agents must be notified. Executives and the board of directors must be briefed and the initial decision to either attempt a recovery or pay the ransom is made.

The security teams will have to spend some time on forensics, gathering as much information as possible to discover how the attack succeeded, the breadth and depth of the attack on various systems, and to begin installing new antivirus, antimalware, and monitoring tools. These steps must be taken before any other action to ensure the attackers are no longer within the network perimeter and any further mitigation can proceed without interference.

Paying the Ransom Isn’t a Silver Bullet

Paying the ransom doesn’t mean you are instantaneously restored to normal operations.

Every single password has to be reset and domain controls preferably rebuilt from scratch, as every account must be considered compromised and your AD servers themselves are likely locked down. You can’t use any compromised or locked-out admin workstations or servers to accomplish this, so those servers must be reimaged or redeployed from scratch.

It can take quite some time to decrypt each system. You can’t count on the decryption program to work correctly or to automatically remove the ransomware from every machine.

These steps seem relatively straightforward to accomplish when you’re dealing with small datasets or a handful of infected servers. Once you reach scales in the terabytes and thousands of VMs, things get dicier. Every infected file and infrastructure component should be inventoried, probably using a custom script.

Once you have a catalog with the full scope of the infection, you can use the provided decryption keys to go through one-by-one, disinfecting, testing, cleaning up, and securing the system.

Your Backups Must Be Pristine

Of course there are many who don’t wish to bow down to ransom demands and will attempt to restore systems from offline backups. It should be an offline backup or at least an air-gapped recovery environment, as anything actively networked to your primary systems is likely now infected.

This type of backup is probably a bit older and will require significant effort to reinstall and reconfigure. Datasets may be incomplete, requiring a manual inventory process. If you don’t have VM-based image backups, a file-level agent restore can take many days to work through. Even with images, you will need to test and potentially reinstall software. On older backups, that software might need to be updated and patched as well, which opens another can of worms in terms of service agreements, installers, and account access to obtain the software itself.

Now we can see why a sprawling organization such as Garmin was forced to deal with a days-long outage of public-facing infrastructure. It can be an expensive proposition, but mission-critical services should be backed up via VM snapshots on a regular basis and kept on a highly-secure storage system with very limited access. Be certain to keep up with patching and monitoring on this storage system as well. While you won’t be ransomware proofed, your recovery in case of an attack will at least be relatively smooth.

Recent Blog Posts

lunavi logo alternate white and yellow
11.29.2021
11
.
05
.
2021
Improve Your Cloud Security Posture with Azure Security Center

Azure Security Center can help you strengthen your security posture by providing “at a glance” security updates via Secure Score, leveraging Azure policies behind the scenes, and keeping you compliant. In addition, Security Center recommendations can help you rapidly rectify any security concerns in your environment.

Learn more
lunavi logo alternate white and yellow
10.1.2021
07
.
19
.
2021
How Lunavi Approaches Digital Transformation: HostingAdvice Company Profile

For prospective clients and partners, the history, ethos, and capabilities of a vendor are paramount. HostingAdvice.com recently profiled Lunavi to explore our approach.

Learn more
lunavi logo alternate white and yellow
10.1.2021
04
.
26
.
2021
Test Automation Best Practices: Balancing Confidence with Efficiency

Automation can instill confidence to release software and improve the team’s ability to create high-quality applications in the fastest and most efficient way possible. Essentially, it eliminates the need to compromise or choose one set of priorities over another. Instead, it allows teams to strike a balance between confidence/coverage and speed/efficiency. But automation isn’t a one-size-fits-all solution.

Learn more