How to recover from ransomware
2:00pm
29th September 2016
www.databarracks.com | 2
INTRO & AGENDA
Duration: 30 mins (including Q&A)
Type questions on the right
• What it is and how it works
– How ransomware works and why it is breaching organisational defences
• Prevention & mitigation
– Methods
– The incident and crisis management & escalation process
• Recovery
– A step-by-step guide to recovery
*Slides will be made available and sent out following this session
THE BCPCAST
http://www.thebcpcast.com/
WHAT IS RANSOMWARE AND HOW DOES IT WORK?
FACTS TO NOTE
• The encryption is, to all intents and purposes, unbreakable, so backup copies of the data are the only guaranteed way to limit data loss
• There is a deadline for payment, which forces action: recovery or payment
WHO IS BEING TARGETED AND WHY IS IT SO SUCCESSFUL?
Who? Why?
HOW DOES RANSOMWARE WORK - BACKGROUND
1. Installation
2. Contact with command and control
3. Search
4. Encryption
5. Ransom
INCIDENT RESPONSE AND CRISIS MANAGEMENT ESCALATION
Phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned
– Preparation: creating a written policy and defining severity
– Identification: identifying whether something is, or is not, an incident
– Containment: the steps to limit the spread of ransomware
– Eradication: restoration of clean data from before the incident
– Recovery: bringing the recovered systems back online
– Lessons learned: how do we improve?
HOW TO RECOVER: Backup vs Disaster recovery
HOW TO RECOVER
Improving the Recovery Point Objective
• Increase the frequency of backups
• Review (and extend) retention policies
Improving the Recovery Time Objective
• Optimise connection speed between target and recovery environment (general)
• Improve speed of finding most recent clean backup
THE INCIDENT RESPONSE PLAN: STEP-BY-STEP RECOVERY
Phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned
– Identification: IT is notified and confirms ransomware infection
– Containment: isolate the infected share / drive / server
– Eradication: find the time of infection and test the first backup
– Recovery: bring share / drive / server online; test again, be vigilant
– Lessons learned: review how infection occurred, data loss and time to recover
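The identification and containment steps above ("confirm ransomware infection", "isolate the infected share") need a concrete trigger. The script below is an added example, not part of the original slides or of any Databarracks tooling: it runs a simple detection rule over constructed file-server audit lines, flagging an account that renames many files on one share to an unfamiliar extension within a short window (the mass-encryption pattern from the Search/Encryption stages) and reporting the share to isolate together with the first suspicious timestamp, which seeds the later "find the time of infection" step. The log format, the allow list of known extensions, the 30-second window and the threshold of five renames are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real logs):
# "<ISO time> <user> <share> <op> <path>[ -> <newpath>]"
SAMPLE_LOG = """\
2016-09-29T13:55:10 alice finance WRITE q3/forecast.xlsx
2016-09-29T13:57:42 alice finance RENAME q3/forecast_v1.xlsx -> q3/forecast_v2.xlsx
2016-09-29T14:01:03 bob finance RENAME q3/budget.xlsx -> q3/budget.xlsx.locked
2016-09-29T14:01:04 bob finance RENAME q3/invoices.docx -> q3/invoices.docx.locked
2016-09-29T14:01:04 bob finance RENAME q3/notes.txt -> q3/notes.txt.locked
2016-09-29T14:01:05 bob finance RENAME q2/budget.xlsx -> q2/budget.xlsx.locked
2016-09-29T14:01:07 bob finance RENAME q2/plan.pptx -> q2/plan.pptx.locked
2016-09-29T14:03:30 carol hr WRITE onboarding/checklist.docx
"""

# Extensions normally present on these shares (assumed allow list for the example).
KNOWN_EXTENSIONS = {"xlsx", "docx", "pptx", "txt", "pdf", "csv"}


def parse_line(line):
    """Split one audit line into its fields; RENAME lines carry 'old -> new'."""
    ts, user, share, op, rest = line.split(" ", 4)
    if op == "RENAME" and " -> " in rest:
        old, new = rest.split(" -> ", 1)
    else:
        old, new = rest, None
    return {"ts": datetime.fromisoformat(ts), "user": user, "share": share,
            "op": op, "old": old, "new": new}


def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_bursts(log_text, window=timedelta(seconds=30), threshold=5):
    """Return one alert per (user, share) where at least `threshold` renames to an
    extension outside KNOWN_EXTENSIONS happened inside `window`.

    Each alert names the share to isolate and the first suspicious timestamp,
    which is the starting estimate for the time of infection."""
    recent = defaultdict(deque)   # (user, share) -> timestamps of suspicious renames
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["op"] != "RENAME" or ev["new"] is None:
            continue
        new_ext = extension(ev["new"])
        if new_ext in KNOWN_EXTENSIONS:
            continue                      # ordinary rename, not of interest
        key = (ev["user"], ev["share"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                   # drop renames that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": ev["user"],
                "isolate_share": ev["share"],
                "extension": new_ext,
                "first_seen": q[0],
                "renames_in_window": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG):
        print(f"ISOLATE share '{alert['isolate_share']}': {alert['user']} renamed "
              f"{alert['renames_in_window']} files to .{alert['extension']} "
              f"starting {alert['first_seen'].isoformat()}")
```

Tuning the threshold and window is the real work: too low and a user's legitimate bulk rename trips it, too high and the share is half-encrypted before anyone is paged. The allow list of extensions is the weakest part of the rule, since some ransomware keeps the original extension; a complementary signal is the write rate of files whose content no longer matches their extension, which this example does not attempt.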
CYBER-DRaaS
1. Replication
2. Automated recovery
3. Detection
4. Reporting
5. Recursive scanning
HOW IT WORKS
STEP 1 – Replication of servers to the disaster recovery service provider
STEP 2 – Automated failover
STEP 3 – Automated malware scan
STEP 4 – Report status
RECURSIVE SCANNING – FASTEST TIME TO FIND MALWARE INSERTION
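The recursive scanning idea, and the earlier eradication step "find the time of infection and test the first backup", come down to one search problem: among a chronologically ordered set of replicated snapshots, find the boundary between the last clean one and the first infected one with as few scans as possible. The code below is an added example and is not the Databarracks service's implementation; it shows the boundary search as a binary search over snapshots, with a stand-in scanner and ten constructed hourly snapshots, and compares the scan count with the naive newest-first approach. It assumes the history is monotonic (once a snapshot contains the malware, every later snapshot does too); if that does not hold, the binary search can land on the wrong boundary and a linear pass is the safe fallback.

```python
from datetime import datetime

# Constructed hourly snapshots of one file share (not real data).
# Snapshots taken from 11:00 onward carry the encrypted files; earlier ones are clean.
def build_sample_snapshots():
    snaps = []
    for hour in range(6, 16):                     # 06:00 .. 15:00, ten snapshots
        files = {"finance/budget.xlsx": "ok", "finance/plan.pptx": "ok"}
        if hour >= 11:
            files = {"finance/budget.xlsx.locked": "enc",
                     "finance/plan.pptx.locked": "enc",
                     "finance/README_DECRYPT.txt": "note"}
        snaps.append({"id": f"snap-{hour:02d}00",
                      "taken": datetime(2016, 9, 29, hour, 0),
                      "files": files})
    return snaps


# Assumed indicator used by the stand-in scanner; a real scan would run an AV/EDR engine.
SUSPICIOUS_EXTENSIONS = {"locked"}


def scan_snapshot(snapshot):
    """Stand-in for the automated malware scan (STEP 3): True if the snapshot is infected."""
    return any(path.rsplit(".", 1)[-1] in SUSPICIOUS_EXTENSIONS for path in snapshot["files"])


def find_first_infected(snapshots, is_infected):
    """Binary search for the index of the first infected snapshot.

    Requires snapshots in chronological order and a monotonic history.
    Returns (index, scans_performed); index == len(snapshots) means all are clean."""
    lo, hi, scans = 0, len(snapshots), 0
    while lo < hi:
        mid = (lo + hi) // 2
        scans += 1
        if is_infected(snapshots[mid]):
            hi = mid                      # boundary is at mid or earlier
        else:
            lo = mid + 1                  # mid is clean, boundary is later
    return lo, scans


def locate_infection(snapshots, is_infected):
    """Report the most recent clean snapshot, the first infected one and the
    window in which the infection happened, plus how many scans were needed."""
    if not snapshots:
        return {"last_clean": None, "first_infected": None, "scans": 0}
    first_bad, scans = find_first_infected(snapshots, is_infected)
    if first_bad == len(snapshots):
        return {"last_clean": snapshots[-1]["id"], "first_infected": None, "scans": scans}
    if first_bad == 0:
        return {"last_clean": None, "first_infected": snapshots[0]["id"], "scans": scans}
    return {
        "last_clean": snapshots[first_bad - 1]["id"],
        "first_infected": snapshots[first_bad]["id"],
        "infection_between": (snapshots[first_bad - 1]["taken"], snapshots[first_bad]["taken"]),
        "scans": scans,
    }


def linear_scans_newest_first(snapshots, is_infected):
    """Scan count for the naive method: test backups newest-first until one is clean."""
    scans = 0
    for snap in reversed(snapshots):
        scans += 1
        if not is_infected(snap):
            break
    return scans


if __name__ == "__main__":
    snaps = build_sample_snapshots()
    result = locate_infection(snaps, scan_snapshot)
    print(f"last clean: {result['last_clean']}, first infected: {result['first_infected']}, "
          f"scans: {result['scans']} (newest-first would need "
          f"{linear_scans_newest_first(snaps, scan_snapshot)})")
```

With the ten constructed snapshots the binary search needs three scans where testing newest-first needs six; the gap widens with longer retention, which is exactly why the earlier slide lists "improve speed of finding most recent clean backup" under the Recovery Time Objective. The returned `infection_between` window is the input to the lessons-learned review of when and how the infection occurred.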
HOW TO TEST?
Scenarios: Tutorial, SAN Failure, Cyber-Attack
http://www.databarracks.com/resources/tools/
IF YOU REMEMBER NOTHING ELSE!
1. Have a specific incident response plan for ransomware
2. Review backup schedules and retention policies
3. The only way to guarantee that you don’t lose your data is with historic copies of your data in backup or DR
RESOURCES
• The Business Continuity Podcast
– http://www.thebcpcast.com/
• Tabletop testing simulator
– https://tools.databarracks.com/dr-tabletop-simulation/index.html
• History of ransomware
– https://heimdalsecurity.com/blog/what-is-ransomware-protection/
• Ransomware definitions
– http://www.trendmicro.com/vinfo/us/security/definition/ransomware
• SANS Institute, Incident Handler's Handbook
– https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• CryptoLocker DGA
– https://blog.fortinet.com/2014/01/16/a-closer-look-at-cryptolocker-s-dga
QUESTIONS?