Ransomware – The data recovery challenge


Written by: Amit Jaju, Senior Managing Director at Ankura Consulting India Private Limited

As remote working has become more common over the past year, ransomware attacks have gone up by 102% year on year globally. India is the most impacted country, with 213 ransomware attacks per organisation every week, up 17% year on year, as per industry reports. While ransomware attacks target all sectors, in India IT / ITES remains particularly exposed because of its network connectivity with overseas clients, along with government, finance and health care organisations that handle large volumes of sensitive and personal data.

Ransomware attacks are typically delivered via phishing emails, social media posts, malvertising and similar channels, using malicious software that infects the target systems and encrypts files, databases or virtual datastores. Threat actors, which may include organised cybercriminals, cyber terrorists, insiders and state-sponsored agents, often use a “double extortion” technique in which data is exfiltrated before it is encrypted. They then demand a ransom in exchange for decryption, for deletion of the exfiltrated data, or for not publishing the stolen data. Payment demands can run to thousands of dollars in cryptocurrency. This affects many companies that are under regulatory obligations to protect data and to report data breaches. Paying the ransom is also not a straightforward answer because of money laundering and sanctions risks.

Other than leaving ransom messages on screens, threat actors also apply pressure for payment by contacting vendors, clients or security firms, or by threatening media leaks. Many companies that are part of international supply chains, have contractual obligations to clients, or deal with companies in countries with strict data protection laws are compelled to disclose such attacks and breaches. As many companies run significant back-office operations in countries like India and the Philippines, a ransomware attack that results in a data breach or system compromise in a back office or shared IT centre may affect offices in jurisdictions such as Europe, the US and Singapore that have stringent IT and data privacy laws.

To identify the root cause of an attack and ascertain the potential financial and reputational damage, companies typically engage cyber forensic experts to conduct a deep investigation.

As technology evolves, the technical challenges in such investigations evolve too. The availability and integrity of data, backups and logs is one of them. Earlier, forensic experts could recover deleted files from the hard disk or from volume shadow copies by taking advantage of weaknesses in the ransomware’s encryption process. Modern ransomware uses more sophisticated encryption techniques, which makes restoring data difficult. Typically, older ransomware made a copy of each file, encrypted the copy and then deleted the original, which allowed forensic experts to recover the deleted data to some extent; recent ransomware encrypts the file in place, making deleted-data recovery ineffective. Volume shadow copies, which hold backup versions of certain files, are deleted. The ransomware also encrypts both the primary and the backup MFT (Master File Table), which stores all file information on NTFS (the Windows file system), making it difficult to reconstruct the file system. Free or unallocated space is wiped by the ransomware, which makes recovery of deleted files difficult.
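Because in-place encryption leaves nothing to carve from unallocated space, scoping an incident usually comes down to telling encrypted files from intact ones. The following triage script is an added example, not code from the article or from Ankura; it combines two signals, a file whose name still claims a known document type but whose header bytes no longer match, and a body whose Shannon entropy is close to that of random data. The sample files, the entropy threshold of 7.2 bits per byte and the magic-byte table are assumptions chosen for illustration.

```python
import math
import os
import random
from collections import Counter

# Entropy above this (bits per byte, max 8.0) is typical of ciphertext or compressed
# data; plain documents and text usually sit well below it. Assumed threshold.
ENTROPY_THRESHOLD = 7.2

# Header bytes expected for common document types. In-place encryption overwrites
# these, so a file that keeps its name but loses its header is a strong indicator.
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, data: bytes) -> str:
    """Triage verdict for one file based on its name, header and entropy."""
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    entropy = shannon_entropy(data)
    if expected is not None and data.startswith(expected):
        # Header intact: high entropy is normal for compressed formats, not proof of encryption.
        return "intact-known-format"
    if entropy >= ENTROPY_THRESHOLD:
        # Name kept but header gone, or a foreign extension on a ciphertext-like body.
        return "encrypted-in-place" if expected is not None else "encrypted-like"
    return "plaintext-like"

def triage(files: dict) -> dict:
    """Map each file name to (verdict, entropy) for the whole sample."""
    return {name: (classify(name, data), round(shannon_entropy(data), 2))
            for name, data in files.items()}

def affected_files(files: dict) -> list:
    """Sorted names judged to be encrypted, i.e. the scope of the in-place encryption."""
    return sorted(n for n, (verdict, _) in triage(files).items() if verdict.startswith("encrypted"))

def _pseudo_random(length: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded so the sample is reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))

# Constructed sample files: name -> content. Real triage reads from a forensic image
# of the affected volume, never from the live infected host.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04" + _pseudo_random(2000, 1),   # intact Office file, compressed body
    "budget.xlsx": _pseudo_random(4096, 2),                     # same name, header overwritten
    "ledger.db.locked": _pseudo_random(4096, 3),                # renamed with an appended extension
    "notes.txt": b"Meeting notes: follow up with vendor on SOC contract.\n" * 40,
    "README_RESTORE.txt": b"Your files have been encrypted. Contact us to restore them.\n" * 4,
}

if __name__ == "__main__":
    for name, (verdict, entropy) in triage(SAMPLE_FILES).items():
        print(f"{name:22} {entropy:5.2f}  {verdict}")
    print("encrypted:", affected_files(SAMPLE_FILES))
```

The header check matters as much as the entropy: an untouched `.docx`, `.pdf` or JPEG is compressed and scores almost as high as ciphertext, so entropy alone produces false positives across any document share. The ransom note scores low and is left for the analyst, who will want it as an artefact rather than as a recovery candidate.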

Most organisations do not retain logs, or retain them only for a short period, for operating systems, databases and network devices. Such logs contain valuable information that lets an investigator perform root cause analysis, identify the activities carried out during the attack and establish what could have caused it. Without this information, experts are restricted to analysing the data that is available and struggle to reconstruct the timeline of events.

Companies use security devices to detect and block ransomware attacks and deploy email filtering to block phishing emails, malicious files and suspicious links. Data leakage prevention (DLP) solutions apply rules that prevent unauthorised data sharing. Reviewing dark web forums can help identify where leaked data came from and preview data offered for sale. However, technology alone does not solve the problem; trained people to operate these devices and mature processes are equally important. A 24×7 Security Operations Centre (SOC) can be costly. An outsourced SOC or managed detection and response service can help keep pace with the evolving threat landscape. Contracts with such outsourced vendors must be vetted by the legal team for built-in provisions covering the applicable data protection and disclosure norms, such as breach notification timelines.
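The two preceding paragraphs make a pair of points a SOC can act on: the deletion of shadow copies and backup catalogues that precedes encryption is visible in process-creation logs if those logs exist, and an investigator can only build a timeline if retention reaches back to the start of the incident. The script below is an added example, not code from the article or from any vendor product; it runs detection rules over constructed process-creation log lines in an assumed `timestamp host= user= image= cmdline=` format and checks whether the retained log window covers a suspected incident start. The log lines, host names and user names are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample process-creation log lines (not from any real incident).
SAMPLE_LOG = """\
2024-05-02T03:10:41Z host=FS01 user=jdoe image=C:\\Windows\\explorer.exe cmdline="explorer.exe"
2024-05-02T03:14:07Z host=FS01 user=jdoe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2024-05-02T03:14:09Z host=FS01 user=jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"
2024-05-02T03:14:15Z host=FS01 user=jdoe image=C:\\Windows\\System32\\wbadmin.exe cmdline="wbadmin delete catalog -quiet"
2024-05-02T03:20:00Z host=FS01 user=backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"
2024-05-02T03:25:33Z host=WS17 user=asmith image=C:\\Program Files\\Office\\WINWORD.EXE cmdline="WINWORD.EXE report.docx"
"""

# Assumed log layout; adapt the pattern to the SIEM's actual field names.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$'
)

# Detection rules: behaviour that destroys local recovery points. Merely listing
# shadow copies (a routine admin action) deliberately does not match.
RULES = [
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup-catalog-deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = _parse_ts(ev["ts"])
            yield ev

def detect(log_text: str) -> list:
    """Return matched events in time order, each tagged with the rule it triggered."""
    hits = []
    for ev in parse(log_text):
        for rule_name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append({**ev, "rule": rule_name})
                break
    return sorted(hits, key=lambda e: e["ts"])

def retention_covers(log_text: str, incident_start_iso: str) -> bool:
    """True if the retained logs begin at or before the suspected start of the incident."""
    timestamps = [ev["ts"] for ev in parse(log_text)]
    return bool(timestamps) and min(timestamps) <= _parse_ts(incident_start_iso)

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'{hit["ts"].isoformat()} {hit["host"]} {hit["user"]} {hit["rule"]}: {hit["cmd"]}')
    print("logs cover 02:00Z onwards:", retention_covers(SAMPLE_LOG, "2024-05-02T02:00:00Z"))
```

Three events from the same host and account within eight seconds is the kind of cluster a SOC should page on rather than file; note that the `retention_covers` check reports a gap for an incident believed to have started at 02:00, which is exactly the situation the article describes when logs are kept too briefly.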

A common best practice is to back up important data to multiple locations, including the cloud, so that it can be restored if ransomware strikes. But this requires extra storage space and increases cost. Many cloud service providers and data centre vendors insist on signing standard contracts, which makes it challenging for legal teams to negotiate provisions such as indemnity in case of attacks on the infrastructure. Often, backups are not tested for restoration in such scenarios, and occasionally the backups themselves are also encrypted, leaving organisations to either accept data loss or negotiate and pay.
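The two failure modes named above, backups that were never restore-tested and backups that were themselves encrypted, can both be caught by the same restore drill: record a hash manifest when the backup is taken, keep the manifest apart from the backup set, and compare a trial restore against it. The script below is an added example, not code from the article or from any backup product; it builds the manifest, simulates a clean restore and a damaged one in a temporary directory, and reports which files are missing or no longer match. The directory layout and file contents are constructed for the drill.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every file under root, recorded at backup time."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken when the backup was made."""
    report = {"ok": [], "missing": [], "mismatch": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["mismatch"].append(rel)   # altered, corrupted or encrypted in the backup
        else:
            report["ok"].append(rel)
    report["restorable"] = not report["missing"] and not report["mismatch"]
    return report

def run_restore_drill() -> dict:
    """Constructed drill: back up a small tree, then verify a clean and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2024-05-01,100\n")
        (src / "policy.txt").write_bytes(b"Retention: 90 days\n")
        manifest = build_manifest(src)
        # The manifest must be stored outside the backup set (offline or immutable storage);
        # if it sits beside the backups, whatever encrypts them can encrypt it as well.
        manifest_json = json.dumps(manifest, sort_keys=True)

        clean = Path(tmp) / "restore_clean"
        shutil.copytree(src, clean)

        damaged = Path(tmp) / "restore_damaged"
        shutil.copytree(src, damaged)
        # Simulate a backup that was encrypted in place and one file that was never written.
        (damaged / "finance" / "ledger.csv").write_bytes(b"\x8a\xf1\x03\x7c\x55\xe9\x21\x0b")
        (damaged / "policy.txt").unlink()

        stored = json.loads(manifest_json)
        return {"clean": verify_restore(stored, clean), "damaged": verify_restore(stored, damaged)}

if __name__ == "__main__":
    for label, report in run_restore_drill().items():
        print(label, "restorable:", report["restorable"],
              "missing:", report["missing"], "mismatch:", report["mismatch"])
```

Run this as a scheduled job against a real restore target and the `restorable` flag becomes the evidence a board or an insurer will ask for; a mismatch on a file that has not legitimately changed since the backup is the earliest sign that the backup set itself has been tampered with.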

Many companies face questions about the legality of paying a ransom. Paying the attacker is risky, as the decryption key may never be shared, or the data may be sold despite payment. Where paying the ransom is the only option, many organisations lack experience in dealing and negotiating with threat actors. Professional negotiators or consultants with such experience can front these dialogues. If the company holds cyber insurance, it can help recover the loss, so notifying the insurer in a timely manner, as the policy requires, is vital. It is important to involve the legal team when purchasing cyber security insurance so that the terms and conditions are understood and negotiated.

Even after negotiations, companies face difficulties making payments in cryptocurrency. Consultants can help companies deal with cryptocurrency brokers. After payment, cyber experts can test the decryption software or key on a small subset of backup images. It is important to prevent any further attacks during the restoration phase, as the decryption software may itself introduce more malware. Cyber experts can help ensure that the received software is safe, and that further attacks are prevented, by undertaking cyber security due diligence and a risk assessment of the network.

It is critical to develop an incident response plan that defines the steps a user or the incident response team should take in the event of a ransomware attack. If an organisation discovers that it has been hit by ransomware, the incident response or IT team, along with the legal team, should be notified immediately. Once the infected systems are isolated, tools developed by forensic experts by reverse engineering the ransomware may be used to recover the data. They can decrypt files to their original state; however, even after decryption there can be traces of the ransomware on the system that may trigger again and re-encrypt the files or the system. The other option is to format the system, but the infection may already have spread across the organisation’s network if the system was connected to it. The IT / security team should scan the IT environment for any further infections. Any data loss or sign of exfiltration needs to be identified. Depending on the applicable laws and regulations, the breach may need to be disclosed to the relevant authorities.

Regular patch management helps mitigate known vulnerabilities and flaws in systems. Network segmentation by department or function helps stop ransomware from spreading. Restricting privileged access, adopting a zero-trust policy and minimising the number of entry points through which ransomware can penetrate the organisation help reduce such attacks. Software asset management practices with application whitelisting and blacklisting help ensure that unauthorised software is blocked. Conducting security / penetration tests quarterly or at another regular interval helps ensure that the network and systems are not exposed to known weaknesses. Regular training and user awareness campaigns such as mock phishing tests should be conducted so that users stay up to date on how to avoid and react to ransomware attacks.

In today’s digital and connected world the threat landscape evolves constantly, so it is better to invest proactively in techniques, tools and recovery plans that prevent ransomware attacks, or that support a proper response when one occurs, thereby avoiding reputational or monetary loss.

