Today, let's delve into the critical phase of the recovery effort following a ransomware incident. Once the investigation has provided actionable insights into the necessary actions and safety precautions, the hard work of recovery begins. There are three primary paths back to business as usual, each with its own set of challenges.
First, if you're fortunate enough to have viable backups, the restoration process can commence. Even this seemingly straightforward approach takes more time than victims expect, especially when dealing with a large number of servers and limited bandwidth. The painstaking task of validating and re-establishing communication between numerous services can significantly prolong the recovery timeline, and the delay is amplified if documentation is missing or asset ownership is not well understood. But despite the turbulence, restoring from backups is far and away the fastest and most complete recovery path for most ransomware victims.
Another option involves leveraging the decryption tool provided by the attacker, assuming it functions as intended. As mentioned in our last post, there's no guarantee that a decryptor will work well: they commonly have poor performance and bugs, and they lack any formal support or documentation you can turn to in a pinch. We typically only recommend this route if there is no other way to restore or reconstruct critical operational data.
Lastly, if backups are unavailable and acquiring a decryptor is not an option, organizations may need to embark on the challenging journey of rebuilding their environment from scratch. This arduous process can involve various tactics, such as data reconstruction efforts, where individuals extract information from sources like email inboxes, hoping to approximate the original data. These endeavors are far from foolproof and rarely achieve a perfect recovery state. However, rebuild efforts can be an opportunity to simplify an IT footprint and can reduce technical debt.
It's crucial to acknowledge that some degree of data loss is inevitable in most cases, regardless of the chosen restoration method. The key consideration is whether the lost data holds critical importance to the organization's operations and stakeholders. MOXFIVE recommends following the 3-2-1 rule: three copies of the data, on two distinct forms of media, with one copy offline or offsite.
We also recommend having a defined recovery plan in place with clear roles and responsibilities for team members and a prioritized list of servers and applications to work from as your single source of truth. An incident response and recovery plan that your team is familiar with not only keeps everyone focused on the right priorities and reduces stress, but can also reduce recovery and business interruption costs.
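The two recommendations above, the 3-2-1 backup rule and a prioritized server list with known dependencies, are both things a recovery team can check mechanically before an incident rather than discover mid-restore. The following script is an added example, not MOXFIVE's code or tooling: it audits a constructed backup inventory against the 3-2-1 rule and turns a constructed prioritized server list into a restore order that respects inter-service dependencies (the gap described earlier, where re-establishing communication between services stalls recovery). All dataset names, server names, priorities and dependencies are made up for illustration.

```python
"""Added example (not MOXFIVE's code): audit a backup inventory against the
3-2-1 rule and derive a dependency-aware restore order from a prioritized
server list. Every inventory and plan entry below is constructed."""
from collections import defaultdict

# Constructed backup inventory: dataset -> list of copies. Each copy records
# its media type and whether that copy is held offline or offsite.
BACKUP_INVENTORY = {
    "erp-db": [
        {"media": "disk", "offline_or_offsite": False},
        {"media": "tape", "offline_or_offsite": True},
        {"media": "disk", "offline_or_offsite": False},
    ],
    "fileshare": [  # deliberately non-compliant: two disk copies, both online
        {"media": "disk", "offline_or_offsite": False},
        {"media": "disk", "offline_or_offsite": False},
    ],
    "mail": [
        {"media": "disk", "offline_or_offsite": False},
        {"media": "cloud", "offline_or_offsite": True},
        {"media": "disk", "offline_or_offsite": False},
    ],
}


def check_321(copies):
    """Return the list of 3-2-1 violations for one dataset (empty = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append(f"only {len(media)} media type(s) (need 2)")
    if not any(c["offline_or_offsite"] for c in copies):
        problems.append("no offline or offsite copy (need 1)")
    return problems


def audit_inventory(inventory):
    """Map every dataset to its 3-2-1 violations."""
    return {name: check_321(copies) for name, copies in inventory.items()}


# Constructed prioritized server list: (server, priority, dependencies).
# Lower priority number = more critical to the business.
RECOVERY_PLAN = [
    ("ad-dc01", 1, []),
    ("erp-db", 2, ["ad-dc01"]),
    ("erp-app", 2, ["erp-db", "ad-dc01"]),
    ("mail", 3, ["ad-dc01"]),
    ("fileshare", 3, ["ad-dc01"]),
]


def restore_order(plan):
    """Order servers so each is restored only after its dependencies, breaking
    ties by business priority and then by name (Kahn's topological sort).
    Raises ValueError on an unknown dependency or a dependency cycle."""
    priority = {server: prio for server, prio, _ in plan}
    remaining_deps = {server: set(deps) for server, _, deps in plan}
    dependents = defaultdict(set)
    for server, _, deps in plan:
        for dep in deps:
            if dep not in priority:
                raise ValueError(f"{server} depends on unknown server {dep}")
            dependents[dep].add(server)
    ready = [s for s in priority if not remaining_deps[s]]
    order = []
    while ready:
        ready.sort(key=lambda s: (priority[s], s))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            remaining_deps[child].discard(current)
            if not remaining_deps[child]:
                ready.append(child)
    if len(order) != len(priority):
        raise ValueError("dependency cycle in recovery plan")
    return order


if __name__ == "__main__":
    for dataset, problems in audit_inventory(BACKUP_INVENTORY).items():
        print(dataset, "OK" if not problems else "; ".join(problems))
    print("restore order:", " -> ".join(restore_order(RECOVERY_PLAN)))
```

On the constructed data the audit flags only `fileshare` (two copies, one media type, nothing offline), and the restore order puts the domain controller first, then the ERP database before the ERP application that depends on it, then the remaining priority-3 systems. Running the same checks against a real inventory before an incident is the point: the plan is only a single source of truth if its dependency data is complete, and a cycle or an unknown dependency is exactly the kind of documentation gap that lengthens recovery.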
In the next phase of our discussion, we'll explore the multifaceted aspects of managing third-party relationships and regulatory obligations during the recovery process.
MOXFIVE provides the clarity and peace of mind that attack victims need during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis and facilitates the delivery of all required technical services, consistently and efficiently.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.