When CryptoWall locks down an organisation, it can take days to recover. It takes just one employee to click on the wrong link, and inadvertently download the CryptoWall Trojan. Once set free, the malware proceeds to encrypt, and hold hostage all of the company’s data.
One not-for-profit organisation found itself at the mercy of CryptoWall and unable to access 75GB of data critical to its operations. Because a self-prescribed disaster recovery routine would require days before returning to business as usual, companies can find themselves in a terrible dilemma: give into hefty ransom demands, or shut down operations until they can complete a lengthy system restore. The sad truth is that scenarios such as this are becoming more common.
The good news is that there are ways of mitigating unplanned interruptions such as this. If organisations take advantage of available instant recovery technology, business operations can resume in mere minutes – and without caving in to ransom demands.
Having said that, let’s take a closer look at how this particular organisation’s CryptoWall intrusion played out.
>See also: How to minimise the impact of ransomware
Responsible for the health and availability of seven servers supporting the not-for-profit’s operations, the IT team quickly sprang into action after an admin clicked on a phishing link embedded within an email – unknowingly setting the CryptoWall wheels in motion.
Because all of the organisation’s servers were mapped from the admin’s station, all were vulnerable to the encryption malware. Less than an hour later, all files had been encrypted. Commence downtime.
While the organisation did have backups, it would have taken days to complete the process – assuming restoration from those backups would actually work, since they hadn’t been tested. So, rather than risk the possibility of an even greater period of downtime, the CryptoWall ransom was forked over via Bitcoins, just as instructed.
Following payment, an entire evening was spent decrypting the data. Eighteen hours later, when all was said and done, workers celebrated the successful recovery and return to business as usual.
Perhaps another small victory worth mentioning is the fact that since the organisation had recently attended a security seminar, they were able to access the Bitcoins through that security organisation. This saved valuable recovery time, as it normally takes days to access Bitcoins if an account hasn’t already been established.
Armchair quarterbacking
This series of unfortunate events demonstrate the importance of a having a well-defined and well-tested disaster recovery plan in place – one that will meet both RPO and RTO requirements of the organisation. Hindsight is always 20/20, right?
Well, had the aforementioned nonprofit had suitable DR technology in place, not only could they have given the ol’ middle finger salute to the CryptoWall creators, and laughed at the suggestion of a ransom payment, but they could have been fully operational within minutes – as opposed to sweating bullets during 18 hours of downtime.
So, how can such a nightmare be avoided? First of all, backups shouldn’t take more than a few minutes to restore. Recovery nodes should be ready and waiting, so they can be up and fully accessible within minutes following the service interruption. A good DR solution can spin up recovery nodes at the intervals you set, with an RPO as small as 15 minutes.
In addition, recovery files should be tested regularly, so you know with some level of confidence that you can make use of them when you need them. Recovery systems with included sandbox testing features make it easy to test backups in just minutes – and without impacting business operations.
One more silver lining: it just so happens that the security company that hosted the anti-phishing training attended by members of the not-for-profit organisation offered a rather generous guarantee. Because the employee had successfully completed the training, yet was still duped by a phishing link, the security organisation paid the ransom.
All organisations are susceptible to malware attacks – no level of training and preparation can protect organisations from every attack. The key is to have a DR plan in place to enable fast recovery that minimises the impact on the business.
Sourced from David Fisk, Quorum