When CryptoWall locks down an organisation, it can take days to recover. It takes just one employee to click on the wrong link and inadvertently download the CryptoWall Trojan. Once set free, the malware proceeds to encrypt and hold hostage all of the company’s data. In fact, I know of one not-for-profit organisation that has suffered through this nightmare, finding itself at the mercy of CryptoWall and unable to access 75 GB of data critical to its operations. Because a self-prescribed disaster recovery routine would require days before returning to “business as usual,” campanies can find themselves in a terrible dilemma – give into hefty ransom demands or shut down operations until they can complete a lengthy system restore. The sad truth is that scenarios such as this are becoming more common.
However, the good news is that there are ways of mitigating unplanned interruptions such as this. If organisations take advantage of available instant recovery technology, business operations can resume in mere minutes and without caving in to ransom demands. Having said that, let’s take a closer look at how this particular organisation’s CryptoWall intrusion played out, as well as how the situation would have been different had instant recovery technology been at the heart of the organisation’s disaster recovery (DR) plan.
One unfortunate click and ‘Yikes!’
Responsible for the health and availability of seven servers supporting the not-for-profit’s operations, the organisation’s IT team quickly sprang into action after an admin clicked on a phishing link embedded within an email, unknowingly setting the CryptoWall wheels in motion. Because all of the organisation’s servers were mapped from the admin’s station, all were vulnerable to the encryption malware. Less than an hour later, all files had been encrypted. Commence downtime.
Didn’t the organisation have backups from which to restore? Certainly. However, it would have taken days to complete the process, assuming restoration from those backups would actually work since they hadn’t been tested. So, rather than risk the possibility of an even greater period of downtime, the CryptoWall ransom was forked over via Bitcoins, just as instructed by the bully.
Following payment, an entire evening was spent decrypting the data. Eighteen hours later, when all was said and done, workers celebrated the successful recovery and return to business as usual. Perhaps another small victory worth mentioning is the fact that since the organisation had recently attended a security seminar, they were able to access the Bitcoins through that security organisation. This saved valuable recovery time, as it normally takes days to access Bitcoins if an account hasn’t already been established.
Armchair quarterbacking… An 18-hour outage that could have been resolved in minutes
The series of unfortunate events detailed above help to demonstrate the importance of a having a well-defined and well-tested disaster recovery plan in place – one that will meet both RPO and RTO requirements of the organisation. Hindsight is always 20/20, right? Well, had the aforementioned nonprofit implemented suitable DR technology beforehand, not only could they have given the ol’ middle finger salute to the CryptoWall creators and laughed at the suggestion of a ransom payment, but they could have also been fully operational within minutes – as opposed to sweating bullets during 18 hours of downtime.
So, how can you avoid the nightmare?
First of all, backups shouldn’t take more than a few minutes to restore. Recovery nodes should be ready and waiting, so they can be up and fully accessible within minutes following the service interruption. A good DR solution can spin up recovery nodes at the intervals you set, with an RPO as small as 15 minutes.
In addition, recovery files should be tested regularly, so you know with some level of confidence that you can make use of them when you need them. Recovery systems with included sandbox testing features make it easy to test backups as often as you like in just minutes – and without affecting business operations.
One more silver lining
It just so happens that the security company that hosted the anti-phishing training attended by members of the not-for-profit organisation offered a rather generous guarantee. Because the employee had successfully completed the training, yet was still duped by a phishing link, the security organisation paid the ransom!
Use a simple, effective solution
All organisations are susceptible to malware attacks and related downtime and/or other negative consequences. The fact is that no level of training and preparation can protect organisations from every attack. So, the key is to have a DR plan (with sufficient supporting technology) in place to enable fast recovery to a point in time that minimises the impact on the business.
By David Fisk, EMEA Sales Director, Quorum
About Quorum
Quorum provides mid-size businesses with fool-proof disaster recovery plans, all without the complexity or high cost of data center replication. With the Quorum Hybrid Cloud Service, clients’ recovery solutions are tested daily! And if disaster strikes, up-to-date VM clones of their protected servers take over. With just one click.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.