Understand, Plan and Rehearse Ransomware Resilience series - Day 1
Take Action On Day 1 To Recover
Oh, we got hacked. The following process is a general guide describing what to do during this devastating time.
Isolate the Infection
Most of the ransomwares will scan the target network and delete or encrypt files stored on network shares and propagate to other systems. Isolation of the infection is the top priority to contain and prevent the ransomware from spreading. The infected systems must be removed from the network as soon as possible.
Backups is your defense to ransomware, but they are not immune to ransomware. Many ransomware strains specifically target your backups and encrypt, override, or delete them. You must secure the backups by disconnecting backup storage from the network or locking-down access to backup systems until the infection is resolved.
Identify the Source of Ransomware and access the damage
Identifying the source and timeline of the infection is crucial for understanding how attackers gained access to the system, what other actions they took while they were on the network and the extent of the infection. Detecting the source of the infection is useful for not only resolving the current incident but to help organizations address vulnerabilities and reduce the risk of future compromise.
With Veritas Appliances, you can view the events at WebUI or forward syslog and audit logs including elevated shell commands to a syslog server or SIEM - Security information and event management. The log has consistent timestamp formats across all event logs which are necessary for accurate and efficient event correlations and log analysis. Veritas Appliances have integrated data collection including application instance logs, OS logs, and shell commands. Veritas appliance platform auditing logs can help you establish the timeline of the attack. Below is an example of a sophisticated tailored attack on MSDP volume. A ransom note on each MSDP Volume can be found.
Veritas Data Insight does that by creating a baseline of user activity over a period of time and looks for any statistical standard deviation in the user account behavior resembling a malware attack on 0th-day. Once detected, it alerts the administrator directly or via a SIEM event and provides bunch of report templates to analyze the list of impacted files (based on activity monitoring), highlights the compromised account, help find instances of malicious executables and stop further damage by automatically locking the account down through automation and integration with enterprises' remediation processes.
Post attack, Data Insight can help review the extensions of each of the files that were renamed or modified as part of attack and compares with the 880+ ransomware known file extensions that are available within Data Insight to further support the assessment and ensuring the downstream recovery processes accommodate that knowledge to restore un-infected data.
On top of that, as part of the automatic content classification capability, Data Insight can detect and alert if ransom notes are found in the unstructured environment that can even help prevent schedule-based malware attacks when ransom-notes are detected prior to the attack.
Notify Stakeholders and report to authority
If you suspect that your organization has been infected with ransomware, it is important to act quickly and notify the relevant stakeholders as soon as possible. Here are some steps you can take:
- Inform your IT team immediately about the ransomware infection. They will be able to assess the situation, contain the infection, and initiate the necessary response.
- Alert management about the ransomware infection and provide them with the details of the situation. They will need to be informed of the potential impact on business operations and any risks to sensitive data.
- Notify law enforcement: For legislation and compliance standards, it is a requirement to report incidents to the relative authorities. In many countries ransomware attacks may be considered a crime and should be reported to law enforcement authorities. You can report a ransomware incident to the FBI or CISA's reporting tool. The FBI Internet Crime Complaint Centerprovides a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity. And CISA is US cyber defense center to respond to cyber incidents.
- Notify affected stakeholders: If the ransomware has impacted any external parties, such as customers or partners, it may be necessary to notify them as well. This will depend on the severity of the attack and the potential impact on their data.
Remember that time is of the essence when it comes to ransomware infections. The sooner you can contain the infection and notify the appropriate stakeholders, the better your chances of minimizing the damage and recovering your data.
NetBackup Ransomware Restore Best Practice
- Rebuild the Primary Server: If the NetBackup Primary server has been infected with ransomware and/or the catalog has been corrupted, it is recommended to rebuild the primary server.
- Full Catalog Recovery: Full catalog recovery is the simplest option to recover the complete catalog when the DR site has the same layout as the production site - the same number and name of media servers. In this case, all device records are removed because the device configuration at the DR site can be different from the production site. It is also recommended to deactivate media servers that do not exist in the DR environment to avoid unnecessary pooling. Device discovery should be run to update the EMM database.
- Partial Catalog Recovery: Partial catalog recovery is recommended for multi-domain configurations and DR sites where the server layout is different from the production site - for example, different numbers of media servers or different library types.
- MSDP Catalog Shadow Copy: By default, MSDP Catalog Shadow Copy is in the same partition as the original, which can prevent recovery from deletion of the filesystem. To avoid this, it is recommended to have the shadow copy on an alternate filesystem.
Following these best practices can help organizations effectively restore their NetBackup environment in the event of a ransomware attack.
A ransomware attack can halt an organizations operation, disrupt business, and negatively affect your confidence.
Veritas purpose-built data protection appliances offer tamper-proof cyber resiliency, beyond zero trust architecture, scalability and a simple way to perform mass recovery. With the NetBackup & Flex enabled Isolated Recovery Environment solution, you not only get an isolated, air gapped solution –you also gain the confidence in your recovery capability knowing that your data will be safe and protected with advanced malware scanning., This means you can recover instantly & anywhere, whether it’s in the same environment, different data center or in the cloud.