How to Avoid Paying Cyber Ransom with SEP

by SEP Blog Team | Backup Software, Disaster Recovery, Encryption, Ransomware

Protect your valuable data from cyber-attacks by implementing an industry leading backup and disaster recovery solution

  • When a business first recognizes that it has been the victim of a cyber-attack, it is usually too late to prevent critical data loss or to stop its data being held to ransom by unauthorized encryption. Most often, the anti-virus software either failed to recognize the intrusion or recognized it only after encryption was already in progress.
  • The first instances of ransom cyber-attacks against hospitals in the U.S. involved compromised data being encrypted and held until the demand for payment was satisfied.
  • A reliable and safe analysis of the infected data must take place before the system can be brought back online. In order to accomplish this, a robust and reliable backup and disaster recovery solution, like SEP software, must be in place prior to the attack.

Cybercrime is continually morphing into new forms of attack. The most recent cyber-attacks against hospitals and other businesses used encryption Trojans such as CryptoLocker, Locky and TeslaCrypt to maliciously encrypt company data and demand payment in exchange for the keys needed to decrypt it. IT departments around the world and across all industries must now be prepared for this form of cybercrime. Analysts agree that a solid backup and disaster recovery solution, combined with up-to-date anti-virus protection, is the best defense against a cyber-attack and unauthorized encryption.

In a recent analysis* published by VirusTotal, Google's multi-engine file scanning service, only three of the 54 anti-virus engines detected the malware sample. In some cases these Trojans were at work for weeks, encrypting unprotected data, before company personnel became aware of the situation. Unfortunately, this has led to the first recorded instances in the U.S. of hospitals paying cybercriminals substantial sums of money to release critical patient data.

SEP Software, the developer of a platform-independent backup and disaster recovery solution, is an expert in this area. SEP can advise companies on how to avoid such situations and provide expert assistance in creating a thorough backup and disaster recovery strategy that removes the leverage for blackmail during a cyber-attack. With SEP as its backup software, a company can confidently restore all critical data after a ransom attack. In the past year, every SEP customer hit by ransomware was able to fully restore their data without paying a ransom.

Steps to be taken before a cyber attack

Data that has been maliciously encrypted can only be recovered reliably from a backup taken before the infection. The following procedure is how to make sure such a backup exists and survives the attack.

In addition to the classic backup practices of weekly full backups and daily incremental backups, the following measures reflect best practice:
  • The backed-up data should be written to tape or removable disk drives that are taken offline after the backup run and, when possible, stored at a remote location. Backup media that stay connected to the network, such as a permanently mounted backup share, can be encrypted by the ransomware along with the production data.
  • Because the malware can lie dormant for a long period before it is detected, retention periods should be extended so that a backup taken before the infection is still available when the attack is discovered.
  • The backup software must be capable of managing the tape drives and autoloaders, if applicable.

Steps taken after the attack

After the attack is discovered, determine when the attack began and whether any infected data was included in a backup.
  • SEP can restore all required data from any chosen backup point-in-time to a protected system. This protected system must be clean, free of malware, and disconnected from the network.
  • Using Read-Only-Mode, SEP can restore data to 'cleaned' servers, i.e. machines from which your anti-virus program has already removed the infection. As the data is restored it is scanned by the anti-virus software so that the Trojan is not re-introduced into the new environment.
  • In the event the cybercriminals' encryption routine has not yet run and the data can still be read, SEP supports forensic Linux distributions such as Kali Linux that are built for post-attack analysis. This makes it possible to check every backup regardless of its source, e.g. Linux or Windows backup servers or Remote Device Servers; any file can be opened and scanned for the malware.
  • Because the analysis system is isolated from the network and the backup data is mounted read-only, the malware cannot re-infect the system during the forensic analysis.
  • Once the last uninfected backup data set has been identified, all systems are restored to a clean, usable state.
  • All security and anti-virus mechanisms must be updated and verified to prevent a repeat attack.
  • All systems are then back in service and all processes can return to normal.

Figure: The steps to recover data after a cyber attack with SEP Software

Restoration and Rehabilitation Procedures after a Cyber Attack

  1. The infection has occurred.
  2. Detection by the IT Administrator.
  3. Determine when the malware entered the system by analyzing the recent full and incremental backups, and pinpoint the last successful set of backups before the infection. Using a forensic Linux distribution such as Kali Linux on an isolated server, identify the infected files by comparing backup records, analyze the malware, and remove it from all servers. Restore the backed-up data from removable media (removable disk or tape) to the cleaned and verified system disks, mounted in Read-Only-Mode.
  4. Compare data sets from various points-in-time.
  5. Restore data sets that are confirmed clean of the virus.
  6. Check that all system security and anti-virus mechanisms are updated and verified to prevent a repeat attack.
  7. Restart the systems and resume regular operations.
  8. Continue regular backups and test restores to maintain the integrity of your data!
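As an added example (not code from SEP or from this post), the following Python script shows how steps 3 to 5 above can be automated against file manifests written at each backup run, and how the retention advice from the preparation section can be checked against the same result. It compares consecutive point-in-time manifests, flags the first run that shows a mass-change or encrypt-and-rename pattern, reports the run before it as the last clean restore point, and then tests whether that run would still be inside a given retention window on the day the infection was detected. The manifest format, file names, digest tokens, dates and thresholds are all constructed for illustration; SEP's own catalog format is not assumed.

```python
"""Added example (not SEP code): find the last clean backup point-in-time.

One manifest per backup run maps each backed-up path to its content digest.
Consecutive runs are compared; the first run in which the data looks
mass-encrypted marks the infection, and the run before it is the last clean
restore point. Manifests, dates and thresholds below are constructed.
"""
from datetime import date, timedelta
from os.path import splitext

# Thresholds are assumptions for this example, not SEP settings.
MODIFIED_FRACTION_LIMIT = 0.30  # more than 30% of retained files rewritten in one run
RENAME_COUNT_LIMIT = 5          # at least 5 files replaced by "<old name>.<new ext>"


def compare_runs(prev, curr):
    """Return (modified_fraction, renamed_count, new_extensions) for two manifests."""
    common = prev.keys() & curr.keys()
    modified = sum(1 for p in common if prev[p] != curr[p])
    modified_fraction = modified / len(common) if common else 0.0

    # Encrypt-and-rename pattern: the original path disappears and a file named
    # "<original path>.<new ext>" appears in its place.
    removed = prev.keys() - curr.keys()
    renamed, new_exts = 0, set()
    for added_path in curr.keys() - prev.keys():
        stem, ext = splitext(added_path)
        if stem in removed:
            renamed += 1
            new_exts.add(ext)
    return modified_fraction, renamed, new_exts


def is_suspect(prev, curr):
    """True if the change between two runs looks like mass encryption."""
    fraction, renamed, _ = compare_runs(prev, curr)
    return fraction > MODIFIED_FRACTION_LIMIT or renamed >= RENAME_COUNT_LIMIT


def last_clean_run(runs):
    """runs: chronological list of (run_date, manifest).
    Returns the date of the last run before the first suspect run, or the newest
    run's date when no run looks suspect."""
    for i in range(1, len(runs)):
        if is_suspect(runs[i - 1][1], runs[i][1]):
            return runs[i - 1][0]
    return runs[-1][0]


def still_retained(clean_date, detection_date, retention_days):
    """True if the clean run is still inside the retention window on the day of detection."""
    return detection_date - clean_date <= timedelta(days=retention_days)


# Constructed sample: ten office documents on a file share, backed up nightly.
DOCS = [f"/share/finance/q{i}.xlsx" for i in range(1, 5)] + \
       [f"/share/hr/employee{i}.docx" for i in range(1, 7)]
CLEAN = {path: f"sha256-{i:02d}-v1" for i, path in enumerate(DOCS)}

RUN_0301 = dict(CLEAN)
RUN_0302 = dict(CLEAN)
RUN_0302["/share/finance/q1.xlsx"] = "sha256-00-v2"  # one ordinary edit
RUN_0303 = dict(RUN_0302)                            # no changes that night
# Ransomware ran on 2016-03-04 (constructed date): every original was removed,
# a ciphertext copy named "<original>.locky" was written beside it, and a ransom
# note was dropped. ".locky" is the extension Locky appends; the note name is made up.
RUN_0304 = {path + ".locky": f"enc-{i:02d}" for i, path in enumerate(DOCS)}
RUN_0304["/share/_recover_instructions.txt"] = "sha256-note"

RUNS = [
    (date(2016, 3, 1), RUN_0301),
    (date(2016, 3, 2), RUN_0302),
    (date(2016, 3, 3), RUN_0303),
    (date(2016, 3, 4), RUN_0304),
]
DETECTION_DATE = date(2016, 3, 20)  # the admin notices the encrypted share 16 days later
LAST_CLEAN = last_clean_run(RUNS)

if __name__ == "__main__":
    print("last clean run:", LAST_CLEAN)
    for days in (14, 30):
        print(f"retention of {days} days still holds it:",
              still_retained(LAST_CLEAN, DETECTION_DATE, days))
```

With these constructed manifests the last clean run is 2016-03-03. A 14-day retention would already have expired it by the time the infection was noticed, while a 30-day retention keeps it available; that is the practical reason behind the "extend retention periods" advice above. On a real catalog the same comparison would be driven from the digests your backup software already records for each file.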

*VirusTotal Report: https://www.virustotal.com/en/file/5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8/analysis/1455638481/