Ransomware Recovery: Know Your Options

Ransomware is a growth industry

A 2016 fact sheet from the U.S. Department of Health and Human Services (HHS), citing a U.S. government interagency report, puts the average at 4,000 ransomware attacks per day since early 2016, a 300% increase over the roughly 1,000 per day reported in 2015. That trend includes attacks (some successful) on mission critical healthcare facility systems, whose requirement for uninterrupted service can quite literally be a matter of life or death. Ransomware, it is clear, is a highly profitable business. Tips for avoiding infection are everywhere.

But what do you do if the worst happens? What do you do if you ARE infected?

The first thing to know is that once the ransomware has run, your data has been encrypted and your computers are unusable for normal work. In common parlance, they are bricked, although the hardware itself is fine: the machines can be wiped and rebuilt, and the real question is whether the data can be recovered. The attackers' business model depends on decryption being possible (nobody would pay otherwise), so the data IS recoverable in principle; what matters is who holds the key and what recovery costs you. The attackers would have you believe that the only way to get your data back is to pay the ransom and have them unlock your files. That is not always the case.

Cloud Services to the rescue

I want to note here that ransomware could actually be a non-issue for you. I work with a group of medical companies that offer electronic health record (EHR) systems to hospitals and healthcare facilities. The implementation model for this is the same for most industries. There are two options: self-hosted and cloud based. Sigmund Software offers both options. Our cloud solution is hosted in a dedicated HIPAA compliant data centre. All your mission critical patient data resides there, and your computers connect to it over the Internet in real time. So, if your own computers are successfully attacked… in some ways it doesn't matter.

Your data is not locked inside those bricked computers; it is safe in our data centre, protected by multiple layers of security and firewalls, with backup copies going back several months and automatic interim backups every two hours around the clock. Moreover, while you work on restoring your computer systems, you can keep working. The cloud nature of the Sigmund EHR means that you can connect from a borrowed laptop, your iPad, or even your cell phone. Not ideal, perhaps, but you are still in the game. The business of health care goes on. In short, we have your back. One caveat applies to any hosted system: an infected workstation can still capture the credentials your staff use to log in to it, so treat every account that was used from a compromised machine as exposed, reset those passwords and end their sessions before reconnecting from clean devices.

Locally Installed Software

The other type of EHR is the one where you host the software yourself: exactly the same functionality, just on your own computer network. So, if you are successfully attacked… yes. That's a problem. But, depending on your backup procedures, you may still have an avenue of escape. I say may; I'll come to that next. In a perfect world, your bricked computers and all their locked data can both be rolled back to a pre-ransomware state: business as usual. You will lose all data recorded since your last usable backup, but you will at least be operational, and without having to pay a literally extortionate ransom. This assumes the backups themselves survived. Ransomware routinely encrypts or deletes any backup it can reach, including mapped network shares and Windows shadow copies, so at least one copy has to be offline or otherwise unwritable from the production network.

I mentioned that simply having a backup of your data may not be sufficient protection. Here's the kicker: recent ransomware families are designed to sit quietly on your computers for a month or more after the initial infection before activating. If your backups are full system images, every image taken during that dormant period contains the infection, and restoring it brings the ransomware back; if the authors set a specific activation date and it has already passed, it returns immediately. Nasty.

They're pretty smart, these technology criminals. Once they realized that people were circumventing infections by simply restoring from backups, this next step was as logical as it was inevitable. All is still not lost. Depending on the particular variant, it may be possible to restore from a backup and then remove the dormant ransomware before it reactivates. The safer route, where your backups allow it, is to rebuild the machines from clean installation media and restore only the data, so that nothing executable from the infected period comes back at all. For either approach, you will need the services of your own I.T. team or a specialist service provider.
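As an added worked example (not code from the original post and not part of the Sigmund EHR; the 30-day dwell-time margin, the entropy threshold, the compressed-format magic bytes and the ransom-note filenames are illustrative assumptions), the following Python script does two things a recovery team needs at the restore step. It picks the newest backup that predates the suspected infection by the assumed dwell time and reports how much work would have to be re-entered, and it walks a restored data set flagging files that look already encrypted (near-random byte distribution) or that are ransom notes, so that a backup taken after activation is not mistaken for a clean one.

```python
"""
Restore-point selection and a sanity check of restored data after ransomware.
Added example; the schedule, file contents and thresholds are constructed.
"""
import math
import random
import tempfile
from collections import Counter
from datetime import datetime, timedelta
from pathlib import Path

# Assumed ransom-note filenames for this example; real variants use many names.
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}
# Shannon entropy in bits per byte: ciphertext sits near 8.0, plain documents
# usually well below 6.0. The threshold is a triage heuristic, not proof.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE_FOR_ENTROPY = 256          # tiny files give noisy entropy estimates
# Legitimately compressed formats are also high-entropy; skip them by magic bytes.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"%PDF", b"\x89PNG")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def select_restore_point(backups, suspected_infection, dwell_margin=timedelta(days=30)):
    """
    backups: iterable of (datetime, label). Returns ((datetime, label), data_loss)
    for the newest backup older than suspected_infection - dwell_margin, or None
    if no backup reaches back that far. data_loss is the window of work that has
    to be re-entered, from that backup up to the moment the ransomware activated.
    """
    cutoff = suspected_infection - dwell_margin
    candidates = [b for b in backups if b[0] <= cutoff]
    if not candidates:
        return None
    best = max(candidates, key=lambda b: b[0])
    return best, suspected_infection - best[0]


def scan_restored_tree(root: Path):
    """Return (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            findings.append((rel, "ransom note"))
            continue
        data = path.read_bytes()
        if len(data) < MIN_SIZE_FOR_ENTROPY or data.startswith(COMPRESSED_MAGIC):
            continue
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings.append((rel, "high entropy, possibly encrypted"))
    return findings


def demo_schedule():
    """Constructed backup schedule: monthly images plus one incremental."""
    return [(datetime(2017, 1, 1), "jan-full"), (datetime(2017, 2, 1), "feb-full"),
            (datetime(2017, 3, 1), "mar-full"), (datetime(2017, 3, 14), "mar-14-incr")]


def demo_selection():
    """Infection suspected 15 Mar 2017; with a 30-day margin only Jan/Feb qualify."""
    return select_restore_point(demo_schedule(), datetime(2017, 3, 15))


def build_demo_tree() -> Path:
    """Constructed sample data set standing in for a restored backup."""
    root = Path(tempfile.mkdtemp(prefix="restore_demo_"))
    rng = random.Random(7)  # deterministic stand-in for ciphertext bytes
    (root / "notes.txt").write_text("Patient intake checklist\n" * 40)
    (root / "report.docx.locked").write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
    (root / "scan.jpg").write_bytes(b"\xff\xd8\xff" + bytes(rng.randrange(256) for _ in range(4096)))
    (root / "how_to_recover_files.txt").write_text("Your files are encrypted...")
    return root


if __name__ == "__main__":
    best, loss = demo_selection()
    print(f"restore from {best[1]} ({best[0]:%Y-%m-%d}); re-enter {loss.days} days of work")
    for rel, reason in scan_restored_tree(build_demo_tree()):
        print(f"{rel}: {reason}")
```

The dwell margin should come from your own timeline (the modification time of the first ransom note, the earliest encrypted file you can find), not from a fixed number; the entropy check will also flag archives and media not covered by the small magic-byte list, so treat its hits as items to inspect rather than as a verdict.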

In the above scenario, depending on the amount of data that would be lost, you will need to decide whether paying the ransom is warranted. Can you afford to lose that data? Some organizations have elected to pay. That is also an option. If the decryption works, you get back your data up to the point the ransomware activated. But you are trusting to the honor system: you are relying on criminals to deliver a working decryptor, and there is no guarantee that they will, or that it will recover every file. Ransomware criminals are, for the most part, business people, and most do unlock data when paid because their business model depends on it; law enforcement nevertheless advises against paying, since payment funds and encourages further attacks.

But… your system was compromised. Who knows what else the ransomware did while it was in there? Would you trust the criminals not to have extracted your data for resale, or not to have left themselves a way back in to re-infect your system in three months for another bite at the apple? For a healthcare organization there is a further consequence: under the HHS guidance cited above, ransomware encryption of electronic protected health information is presumed to be a breach unless your risk assessment shows a low probability that the data was compromised, whether or not you pay. If all else fails, you can go that route, but I would not recommend it if you have other options.

Be Prepared

At the very least, I hope this information will allow you to make preparatory arrangements, so that should the worst happen it may provide you with the luxury of choice. To recap: if your data is held externally, infection of your own computers is not the end of the story. If you host your own, your backup procedures need to be well structured and actually followed: copies that the production network cannot overwrite, retention long enough to reach back past a dormant infection, and restores that have been tested before you need them; with those in place you may (may) still come out unscathed. What this all boils down to is an adequate risk analysis, effective implementation, and diligent following of your organizationally mandated security procedures to avoid infection in the first place.

The consequences of a successful ransomware infection of your computer systems are difficult to exaggerate, and hard to even contemplate. The best protection from ransomware is to not get hit by it. As we see, though, even in the worst case scenarios, there are ways to mitigate the consequences.

As the old saying goes, hope for the best, plan for the worst. That is key. Plan for the worst. Stay one step ahead, and you’ll be fine.
