8.20.2020

3 Reasons Ransomware Mitigation is Harder Than You Think

Last updated: 10.12.2020, 3.1.2023

High-profile ransomware attacks made headlines again last month as Garmin and Canon both suffered significant outages. Garmin’s outage in particular appeared to take down the majority of their public-facing systems, from the Garmin Connect app to critical aeronautical navigation services.

The media claims Garmin ended up paying a hefty multimillion-dollar ransom to unlock their infrastructure. A fine prize for the alleged perpetrators, “Evil Corp,” who supposedly used a variant known as WastedLocker to lock down Garmin’s apps and services.

How could an organization with the resources and talent of Garmin face a multiday outage under intense scrutiny? While dodging ransomware may seem as simple as restoring a backup, in practice a large-scale attack is a major mitigation undertaking. Here are three reasons why it can take days or even weeks to recover even if you give in and pay the ransom.

You Have to Involve Internal Stakeholders and External Specialists

For enterprise organizations, there are many legal ramifications and insurance hoops to jump through. At a scale like the Garmin attack, a specialized consultant is often hired – sometimes even a ransomware specialist in addition to a third-party infosec firm. Lawyers and insurance agents must be notified. Executives and the board of directors must be briefed and the initial decision to either attempt a recovery or pay the ransom is made.

The security teams will have to spend some time on forensics, gathering as much information as possible to discover how the attack succeeded, the breadth and depth of the attack on various systems, and to begin installing new antivirus, antimalware, and monitoring tools. These steps must be taken before any other action to ensure the attackers are no longer within the network perimeter and any further mitigation can proceed without interference.

Paying the Ransom Isn’t a Silver Bullet

Paying the ransom doesn’t mean you are instantaneously restored to normal operations.

Every single password has to be reset and domain controllers preferably rebuilt from scratch, as every account must be considered compromised and your AD servers themselves are likely locked down. You can’t use any compromised or locked-out admin workstations or servers to accomplish this, so those servers must be reimaged or redeployed from scratch.

It can take quite some time to decrypt each system. You can’t count on the decryption program to work correctly or to automatically remove the ransomware from every machine.

These steps seem relatively straightforward to accomplish when you’re dealing with small datasets or a handful of infected servers. Once you reach scales in the terabytes and thousands of VMs, things get dicier. Every infected file and infrastructure component should be inventoried, probably using a custom script.

Once you have a catalog with the full scope of the infection, you can use the provided decryption keys to go through one-by-one, disinfecting, testing, cleaning up, and securing the system.
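The inventory script the section describes, as an added example that is not part of the original post: it walks a file tree, flags ransom notes, files carrying the attacker's suffix, and unmarked high-entropy files, and emits a per-host catalog with a hash and a "decrypted" flag so the one-by-one recovery can be tracked. The `.locked` suffix and `HOW_TO_RECOVER.txt` note name are constructed placeholders; the real markers come from the forensics phase.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholders: the real suffix and note name differ per ransomware family.
ENCRYPTED_SUFFIXES = {".locked"}
RANSOM_NOTE_NAMES = {"HOW_TO_RECOVER.txt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data sits near 8.0, text and config far below."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path) -> str:
    """'note', 'encrypted', 'suspect' (high entropy, no known marker) or 'clean'."""
    if path.name in RANSOM_NOTE_NAMES:
        return "note"
    if path.suffix in ENCRYPTED_SUFFIXES:
        return "encrypted"
    head = path.read_bytes()[:65536]
    # Unmarked high-entropy files get a human look: partially encrypted, or a legitimate archive.
    return "suspect" if len(head) >= 256 and shannon_entropy(head) > 7.5 else "clean"

def inventory(root: Path, host: str) -> list:
    """Catalog every non-clean file with a hash, so per-file decryption progress can be tracked."""
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict = classify(path)
        if verdict != "clean":
            records.append({"host": host, "path": str(path.relative_to(root)),
                            "status": verdict, "size": path.stat().st_size,
                            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                            "decrypted": False})
    return records

def demo() -> dict:
    """Build a constructed sample tree and return status counts plus the record list."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "finance").mkdir()
        (base / "finance" / "ledger.xlsx.locked").write_bytes(os.urandom(4096))
        (base / "finance" / "HOW_TO_RECOVER.txt").write_text("pay us")
        (base / "app.conf").write_text("listen=0.0.0.0:8080\n" * 20)
        (base / "blob.bin").write_bytes(os.urandom(2048))  # high entropy, no marker
        records = inventory(base, host="fileserver-01")
    return {"counts": dict(Counter(r["status"] for r in records)), "records": records}
```

Calling `demo()` runs the inventory over the constructed tree; in practice `inventory()` would be pointed at each mounted volume and the records merged into one catalog across hosts.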

Your Backups Must Be Pristine

Of course, there are many who don’t wish to bow down to ransom demands and will attempt to restore systems from offline backups. It should be an offline backup or at least an air-gapped recovery environment, as anything actively networked to your primary systems is likely now infected.

This type of backup is probably a bit older and will require significant effort to reinstall and reconfigure. Datasets may be incomplete, requiring a manual inventory process. If you don’t have VM-based image backups, a file-level agent restore can take many days to work through. Even with images, you will need to test and potentially reinstall software. On older backups, that software might need to be updated and patched as well, which opens another can of worms in terms of service agreements, installers, and account access to obtain the software itself.

Now we can see why a sprawling organization such as Garmin was forced to deal with a days-long outage of public-facing infrastructure. It can be an expensive proposition, but mission-critical services should be backed up via VM snapshots on a regular basis and kept on a highly secure storage system with very limited access. Be certain to keep up with patching and monitoring on this storage system as well. While you won’t be ransomware-proof, your recovery in case of an attack will at least be relatively smooth.
