In more than 40 years of career computer experience, network manager Brett Hulin has had to recover a data center just twice -- once after Hurricane Katrina, and again after a ransomware attack last year.
Thankfully, Hulin had a plan and proper backups to fend off the attack -- two key pieces of ransomware resilience discussed in a breakout session at the virtual VeeamON user conference last week.
"If ransomware gets in, the only option is to restore [from backups]," said Rick Vanover, senior director of product strategy at Veeam.
Organizations need to be especially wary as coronavirus-themed ransomware attacks have become prevalent. For example, VMware Carbon Black reported a 148% increase in ransomware attacks in March over baseline levels in February.
Don't wait for ransomware to hit
Vanover listed education for users and administrators, backup and recovery implementation and remediation planning as three major guidelines for ransomware resilience.
Organizations should establish a disaster recovery site before an attack hits, said Hulin, the senior network and systems manager at Canal Barge, a marine transportation company based in New Orleans.
"Having something after a disaster, well, that's a disaster by itself," Hulin said.
Hulin urged administrators to have a tested and documented disaster recovery plan based on the type of outage. Ransomware resilience will look different from natural disaster recovery.
He also recommended having multiple people involved in DR and establishing a priority of when items need to come back online.
When a ransomware attack hits, Hulin advised shutting down all computers.
"In the event that you believe you have any type of ransomware incident, one of the single most important things you can do to save yourself is shut down everything," said Dave Kawula, managing principal consultant at TriCon Elite Consulting and another speaker in the VeeamON session.
Dave KawulaManaging principal consultant, TriCon Elite Consulting
Then ransomware resilience is about prioritizing. For Canal Barge, the initial focus was Active Directory and Azure Active Directory.
While focusing on critical production systems, Hulin recommended having a secondary team -- if available -- bringing up other production systems in order of priority. Organizations should then bring back other systems as needed.
"This may actually help you identify which servers haven't been used in months or longer," Hulin said.
Canal Barge used Veeam Availability Suite to recover from its ransomware attack. Once the company declared a disaster, the main system was up within four hours and lower priority systems were back within one or two days, Hulin said. After Katrina, he said it took weeks before some systems were back up.
Assess your risks, train your team and take action
Hulin implored administrators not to waste a crisis. Following the ransomware attack, Canal Barge reconfigured networking equipment and sped up new firewall implementation. Immediately after an attack is also a good time to seek an increase in the company's cybersecurity budget.
Having supportive upper management is important, as is advance training and tabletop exercises.
"It gets the right people in the right place," Hulin said.
Organizations can send simulated phishing emails to their staff as a means of training.
"Assessing the risk of phish attacks is a really good exercise," Veeam's Vanover said.
According to a Coveware survey, 57% said remote desktop protocol compromise was the most common ransomware attack vector in the fourth quarter of 2019. Twenty-six percent said phishing attacks and 13% reported software vulnerabilities.
"Threats almost always begin with your people," said Gil Vega, Veeam's chief information security officer, in an interview during the conference.
Vega listed cyber hygiene, risk-based vulnerability management, and awareness and education of employees as keys for ransomware resilience. Organizations should take the mental leap of "you will be breached" and build plans from there, Vega said.
Finally, organizations should have offline, immutable and air-gapped backups. For example, AWS S3 and some S3-compatible storage can keep backup data immutable.
And don't count out the use of tape for backups.
"It's the ultimate air gap," Hulin said.