Cleaning Up After Ransomware Attacks Isn’t Easy
Two Recent Attacks Illustrate the Challenges Involved
… Keith Fricke, principal consultant at tw-Security, says that ransomware recovery can take an extended period of time. “Large amounts of data requiring restoration from backups can take days to restore, based on the method and age of technology used to do the backups,” he adds.
But paying a ransom is no guarantee of a quick recovery, either. Attackers who are paid may fail to provide a decryption key. And the process of paying a ransom can be difficult and time-consuming. “If the ransom has to be paid, it takes time to set up a digital currency account to pay the ransom,” Fricke notes. “Forensic investigations take time to get to the root cause of the ransomware infection and the scope of data impacted,” he adds.
After a ransomware attack, organizations can struggle to restore access to all systems, including electronic medical records, Fricke says.
“An EMR generally does not consist of one database, but rather many databases that are linked together,” he says. “These databases may exist on a number of servers. Therefore, it is possible that if only certain servers are infected with ransomware, only the databases on those systems are impacted.”
If an organization discovers an active ransomware infection, it may choose to shut the system down to contain the scope of data encrypted, Fricke notes. “Consequently, some of the data may be encrypted and not all of it.”
… “Patching systems that have vulnerabilities and ensuring backups are frequently performed and tested continue to be the top two ways to prevent and recover from ransomware,” Fricke says.