Ransomware is the biggest cyber and continuity risk in 2017.
It’s not just the NHS and small businesses – everyone is vulnerable. We’re even seeing global enterprises with big security investments and dedicated security teams get infected.
Importantly, you have more options than to either pay the ransom or lose your data. It’s possible to recover with no significant data loss and zero downtime, and in some circumstances without your users even knowing there was a problem.
How ransomware works and why it is breaching organisational defences
The best methods for prevention
The Incident and crisis management and escalation process
A step-by-step guide to recovery
2. www.databarracks.com | 2
INTRO & AGENDA
Duration: 30 mins (including Q&A)
Type questions on the right
• What it is and how it works
– How ransomware works and why it is breaching organisational defences.
• Prevention & mitigation
– Methods
– The incident and crisis management & escalation process
• Recovery
– A step-by-step guide to recovery
*Slides will be made available and sent out following this session
4. KEY FACTS
• The encryption is to all intents unbreakable, so backup data copies are the only guarantee to limit data loss
• There is a deadline for payment – which forces action – recovery or payment
5. WANNACRY
• How it spreads
– Installed by a worm
– Uses the EternalBlue exploit for Server Message Block (SMB)
• US$300 ransom in bitcoins
• Ransom doubled after 3 days
• Files deleted after 7 days
What’s different?
What’s the same?
10. INCIDENT RESPONSE AND CRISIS MANAGEMENT ESCALATION
• Preparation – Creating a written policy and defining severity
• Identification – Identifying whether something is, or is not, an incident
• Containment – The steps to limit the spread of ransomware
• Eradication – Restoration of clean data from before the incident
• Recovery – Bringing the recovered systems back online
• Lessons learned – How do we improve?
12. HOW TO RECOVER
Improving the Recovery Point Objective
• Increase the frequency of backups
• Review (and extend) retention policies
Improving the Recovery Time Objective
• Optimise connection speed between target and recovery environment (general)
• Improve speed of finding most recent clean backup
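As an added illustration of this slide (not part of the original deck): a small Python model that picks the newest clean restore point still inside retention and shows how backup frequency drives the realised recovery point, while a retention window shorter than the attacker's dwell time leaves no usable copy at all. Every timestamp and the "clean" flag on each restore point are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed incident timeline (not from the deck): encryption starts midday
# on the 12th, but the ransom note is only noticed two days later.
FIRST_BACKUP = datetime(2017, 5, 1, 0, 0)
ENCRYPTED_FROM = datetime(2017, 5, 12, 13, 30)
DETECTED_AT = datetime(2017, 5, 14, 9, 0)


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    clean: bool  # captured before encryption began (assumed known from a scan)


def build_history(every: timedelta) -> List[Backup]:
    """Constructed backup history: one restore point per interval from the
    first backup until detection; anything captured after encryption
    started is flagged dirty."""
    points, t = [], FIRST_BACKUP
    while t <= DETECTED_AT:
        points.append(Backup(t, clean=t < ENCRYPTED_FROM))
        t += every
    return points


def find_recovery_point(backups: List[Backup],
                        retention: timedelta) -> Optional[Backup]:
    """Newest clean restore point still inside the retention window at the
    moment of detection. None means every surviving copy already holds
    encrypted data, so recovery from backup is impossible."""
    usable = [b for b in backups
              if b.clean and DETECTED_AT - b.taken_at <= retention]
    return max(usable, key=lambda b: b.taken_at, default=None)


def realised_data_loss(every_hours: float, retention_days: float) -> Optional[float]:
    """Hours of data lost under a backup frequency and retention policy:
    the gap between the chosen restore point and when encryption began."""
    history = build_history(timedelta(hours=every_hours))
    rp = find_recovery_point(history, timedelta(days=retention_days))
    return None if rp is None else (ENCRYPTED_FROM - rp.taken_at).total_seconds() / 3600


if __name__ == "__main__":
    for label, every, keep in [("daily, keep 7 days", 24, 7),
                               ("every 4 hours, keep 7 days", 4, 7),
                               ("daily, keep 2 days", 24, 2)]:
        loss = realised_data_loss(every, keep)
        print(label, "->", "NO CLEAN BACKUP LEFT" if loss is None else f"{loss:g} hours of data lost")
```

The third scenario is the failure mode the deck warns about: with two-day retention and a two-day dwell time, every retained copy is already encrypted.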
18. IF YOU REMEMBER NOTHING ELSE!
1. Have a specific incident response plan for ransomware
2. Review backup schedules and retention policies
3. The only way to guarantee that you don’t lose your data is with historic copies of your data in backup or DR
19. RESOURCES
• The Business Continuity Podcast
– http://www.thebcpcast.com/
• Tabletop testing simulator
– https://tools.databarracks.com/dr-tabletop-simulation/index.html
• History of ransomware
– https://heimdalsecurity.com/blog/what-is-ransomware-protection/
• Ransomware definitions
– http://www.trendmicro.com/vinfo/us/security/definition/ransomware
• SANS Institute, Incident Handler's Handbook
– https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• CryptoLocker DGA
– https://blog.fortinet.com/2014/01/16/a-closer-look-at-cryptolocker-s-dga