Organizations are very aware of ransomware and the dangers of infection. Yet many of those same organizations don’t really have a good idea of how to recover quickly and efficiently if they’ve encountered a ransomware attack. Unfortunately, not all organizations that pay the ransom end up getting their precious data back; it might remain encrypted and unrecoverable. Having a solid recovery plan is a must, so that you can avoid paying the ransom. But after a ransomware attack, things aren’t as simple as restoring from backup and returning to business as usual. A holistic recovery plan can help your organization avoid reinfection and suffering from extended downtime (the real cost of ransomware).
This blog post is the fifth in a six-part series that discusses how you can detect and prevent ransomware by using native NetApp® ONTAP® features, recover quickly from an attack, and avoid paying the ransom. It’s best to read them in chronological order:
- The first entry covered the objectives of cybercriminals and the largest portion of the cost of a ransomware attack, which is not the ransom.
- The second entry focused on ONTAP native tools that you can use for early detection of a ransomware outbreak.
- The third entry took a deep dive into NetApp FPolicy® native mode, which helps prevent most older types of ransomware that are still prevalent today.
- The fourth entry focused on how to prevent the most modern variants of ransomware, including “zero-day” exploits, by using FPolicy external mode.
- The fifth entry highlights the three key steps to successfully recover from a ransomware attack.
- The sixth entry focuses on ONTAP Snapshot technology and how it provides very rapid restores (terabytes in seconds, not hours), protects your backups from ransomware encryption, and prevents deletion of valuable backup data.
In this fifth entry, we are shifting our attention to the worst-case scenario: An attack has already occurred, and your precious data has been encrypted.
Three Key Steps to Ransomware Remediation
Your first instinct after a ransomware attack might be to instantly recover your data. You can certainly do this, but if you don’t take other steps to make sure the ransomware does not come back, you’re likely to end up being reinfected, and the effort will waste valuable time.
There are three key steps to properly and holistically remediate your environment from ransomware infection. They are depicted in the following graphic and preferably completed in the order listed (although that’s not required).
This approach is the most effective way to ensure that when you restore your data it’s going to be safe from reinfection. Let’s take a closer look at each step.
Step 1: Contain/Isolate
Ransomware infections typically start at the client. A user might mistakenly click a malicious link that seems valid but causes the ransomware to be installed. The ransomware will encrypt the local file system and continue to spread to any file share it can find throughout the network. To contain the outbreak, you must identify and isolate the infected clients by disconnecting them from the network.
Identification can be accomplished by whatever means you typically use to monitor file share access. With ONTAP for SMB shares, the Microsoft Management Console (MMC) plug-in can be used to look at which clients are accessing which shares and files. There are also two CLI options: using vserver cifs session show and vserver locks show. In addition, vserver locks show can be used for monitoring access to an NFS share on an ONTAP system.
Note: I referred to the client machine, but that is in the context of the ONTAP system being the “server” and everything else being the “client.” For example, a system running a version of Windows Server would still be considered a “client” in this context.
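One way to turn the session and lock listings into a list of clients to isolate, as an added example that is not part of the original post or of NetApp's tooling. It assumes the open-file records were exported to CSV with hypothetical column names (this is not ONTAP's output format), and that the encrypted-file suffix and ransom-note name seen in the incident are known; the values below are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per open file, as exported from the session and
# lock listings. Column names are hypothetical, not ONTAP output.
SAMPLE_EXPORT = """client_address,user,share,path
10.0.0.21,CORP\\alice,finance,/q1/budget.xlsx.locked
10.0.0.21,CORP\\alice,finance,/q1/forecast.xlsx.locked
10.0.0.21,CORP\\alice,hr,/reviews/2020.docx.locked
10.0.0.35,CORP\\bob,finance,/q1/notes.txt
10.0.0.8,CORP\\carol,hr,/reviews/README_DECRYPT.txt
10.0.0.8,CORP\\carol,hr,/reviews/2019.docx
bad-row-without-enough-fields
"""

# Indicators assumed to be known from the incident at hand (constructed here).
ENCRYPTED_SUFFIXES = (".locked",)
RANSOM_NOTE_NAMES = {"readme_decrypt.txt"}


def is_indicator(path):
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(ENCRYPTED_SUFFIXES) or name in RANSOM_NOTE_NAMES


def isolation_candidates(export_text):
    """Return [(client_address, users, shares, hit_count)], most hits first."""
    hits = defaultdict(lambda: {"users": set(), "shares": set(), "paths": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        addr, path = row.get("client_address"), row.get("path")
        if not addr or not path:  # skip truncated or malformed rows
            continue
        if is_indicator(path):
            entry = hits[addr]
            entry["users"].add(row.get("user") or "?")
            entry["shares"].add(row.get("share") or "?")
            entry["paths"].add((row.get("share"), path))
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]["paths"]), kv[0]))
    return [(a, sorted(e["users"]), sorted(e["shares"]), len(e["paths"]))
            for a, e in ranked]


if __name__ == "__main__":
    for addr, users, shares, count in isolation_candidates(SAMPLE_EXPORT):
        print(f"isolate {addr}: {count} affected file(s) on {shares} as {users}")
```

A client that only has the ransom note open may be a user reading it rather than the source of the encryption, so treat the output as a list of candidates to disconnect and inspect.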
When you’ve identified the infected clients, it’s highly recommended that you use local antivirus and anti-malware software to clean them. After a machine has been isolated and cleaned of the infection, then it’s time to move on to the next step.
Step 2: Prepare/Patch
How did the ransomware get installed and start causing issues in the first place? Many times, ransomware is using a known vulnerability that already has a patch available, but the software patch has not been applied to the client machine. Patching is critical; however, many systems remain unpatched. According to the Rapid7 2020 threat report, as recently as December 2019 there were still nearly 200,000 systems vulnerable to the EternalBlue exploit that was behind the WannaCry ransomware attack of 2017.
If you were to disconnect and clean up the infected clients, but not patch them, it’s more than likely that the client systems would quickly get reinfected with the same ransomware. That’s why it’s key to remove and clean the infection and patch the client as soon as the exploit has been identified and a patch is available.
It perhaps goes without saying, but you can certainly run steps 1 and 2 in parallel. As client machines are cleaned and patched, go ahead and put them back on the network while other clients are still in the isolation/clean-up phase.
When complete, step 2 essentially brings you back to where you were before infection, but with one key element missing: your data.
Step 3: Recover/Restore
By ensuring that your client machines are cleaned and prepared, you can feel confident that you will need to restore the data only once and not multiple times.
Identifying good backups that are not infected with ransomware is a crucial part of this step. If you are using NetApp ONTAP Snapshot™ copies, they are read-only and cannot be altered by ransomware (although they can be deleted if proper precautions are not in place). If you are using backups other than NetApp Snapshot copies, make sure that they have not been infected with the ransomware before the restore.
Depending on how quickly your organization needs to get the data back online, you can choose to perform this step much earlier. For example, if you can quickly isolate all the clients that are infected from the network, and if the encrypted data is critical to running your business operations, it might make sense to restore the data as soon as possible, before cleaning those clients and patching. It’s a bit of a risk/reward scenario.
Note: If you need to immediately bypass all prior steps and jump straight into the restore step, you should do it in an isolated network. This approach enables the data to be accessed by the people in your organization who need it, while also eliminating the risk of reinfecting the rest of the network.
The larger the amount of data that has been encrypted by the ransomware attack, the longer the restore process will take before you can regain access to all your data. As readers of this blog series know by now, it’s the downtime that you want to avoid most of all.
How to Make the Restore Process Faster with ONTAP
Now that you’re aware of the three smart steps to safely recovering your data, your focus can shift to restoring your data quickly and effectively. Although many other vendors use snapshots that are copy-on-write, ONTAP Snapshot copies are different. They use file pointers, so you can restore terabytes of data in seconds. This approach makes them perfect for rapid restores in the NetApp file system, providing you with significant value compared to other vendors’ backup and restore solutions.
In the next blog in this series, we’ll turn our attention to how ONTAP Snapshot copies work and how you can use them in a practical way to quickly recover your data from a ransomware attack. If you would like to get a jumpstart or learn more about the NetApp solution to ransomware, check out our technical report TR-4572: The NetApp Solution for Ransomware.
Plus, do you want to learn how you can further protect your organization with NetApp’s leading security portfolio? Check out our ONTAP Security webpage for information on using a data-centric, zero-trust approach to security, evaluating your security readiness, encrypting your data at rest or in flight, and more.