In today’s world of online use for almost everything it is no wonder that ransomware attacks have increased 7 times in the second half of 2020. With ransomware attacks happening on all types of organizations it is not a matter of if it will happen, it is a matter of when it may hit you and or your customers. The fact is ransomware has become much more involved with the average organization being impacted by 21 days of downtime according to Emsisoft.
We meet up with Ken and Michael who discuss why it almost always takes longer than you expect to recover your data, and what you can do to prepare in case you get hit.
Video Transcription
Harry Brelsford 0:27
So Ken you brought a topic to the table? Why don't you lead and Michael follow. But getting rid of malware takes longer than you think basically, I think you'll see it better.
Ken Dwight 0:37
Well, and this is actually based on a blog that was posted by MC soft last month, called the ransomware recovery process takes longer than you think. And it's just one more example of the fact that the ransomware is so much more involved than the people give it credit for, generally speaking, and it still amazes me there are parts of the population at large that don't even know what the word ransomware means. Obviously, any of us that are in the industry, the MSPs. And the IT support, people are very familiar with ransomware. But there's still a lot of attacks and MSPs that have not dealt with it firsthand. And so there's still a lot of misunderstanding or underestimation of how much is involved in recovering from a ransomware incident. And that's pretty much the thrust of this, this blog posts. And Emsisoft is a great source of information overall. And they also do it in a very readable, understandable fashion. So basically, just to hit the highlights, I have the article or blog post in front of me. And he lists I think there's six different reasons that it takes longer than you think. Number one is lack of documentation, to inadequate testing, three forensic investigation process for poor decrypter performance, five communication, and six rebuilding and strengthening the system. And, of course, each one of these, it goes into more details of why that's such an issue. But, again, there's so many things that people don't consider, starting with the fact that, you know, a lot of times when a ransomware incident occurs, they've made no preparation whatsoever, in terms of documenting what's important, the the contacts, the people that need to be involved, and that sort of thing. And so it's just preparation, one on one, you know, being aware of what needs to happen. And what is potentially involved here for when there is a ransomware incident.
Harry Brelsford 2:42
Yeah, Michael, over to you.
Michael Jenkin 2:44
Yeah, look absolutely true. And who do you call when you've got this incident? Now you're the business owner, you've logged in, in the morning, you've come up with encrypted files, do you call your IT guy? Do you call your lawyer? Do you call the insurance company? Do you know where their phone numbers are? Did those phone numbers document they got encrypted? If you do ring, the insurance company? Are they going to ask you a bunch of questions? Can you answer those questions? Do you have any documentation? Of what backup? How regular where it is? Do you have a copy that hasn't been encrypted? Do you have someone who's going to help you get that back on your systems? There's many things you need to document you need to know you need to practice you do it the artist you might be doing a backup, can it be recovered? Have you actually tried to recover it? And if you've got a backup, is it yesterday's and you've lost a little bit of data? Or was yesterday's encrypted, and you got to go back a month or who knows what you got to go back to. And then there's the workstations, you might have back the servers out there. Let's just say that somebody got married, they put their wedding photos on their personal computer at work. And it's part of your network, the network just got encrypted, you're going to get the server back. But this person sitting on this workstation wants their photos back as well. Do you backup the workstations, there's so much to think about so much to plan, and you'll recover from these things so much faster. If you have that plan, and you've done the testing, it is a major part of what slows down these processes, people just not knowing what they're supposed to do.
Ken Dwight 4:12
Well, I'll just make a slight modification to what you suggested there, Michael, that is that the business owner, I think in every case, needs to first contact the MSP who in turn has this information and was hopefully responsible for gathering it putting it together and making it available in the first place. But the icy people obviously need to be part of the whole recovery process. Although Having said that, if there is cyber insurance involved, then it's unlikely that the MSP will be the actual person or organization responsible for the recovery. And the legal team and the PR team and especially if it's a larger organization, they may have a lot of other issues that they do. be considered, but beyond just the technical aspect of recovery.
Michael Jenkin 5:05
Yeah, and it all depends on what the process is of plays out as well. I've got two recent examples of people I've worked with. One had cyber insurance, the second one did not have cyber insurance. The first one had several servers and about 40 workstations. The second one had a single server and about six workstations. The smaller one is the one that did not have cyber insurance. That's the one where the business owner said, just get back what you can. Even that process took over a week, at least a week. And even that process with all the backups that he had, there were things like local email, stores, PST files, on C drives that never came back. And unfortunately, that's where he stuck his purchase orders. So the legacy of his recovery for a business aspect is going to go on for months. And because he was a real estate agent, is what trust involved with money for clients and just different houses transferring between people. He's got a lot of stuff that he needs to get back, and he can't get it back. He didn't have the insurance. But he got it up and running roughly about a week, week and a half. The other company, were sitting at two and a half months, and we're still working on the recoveries. Part of that is to do with the insurance process, which went through a forensics team and the forensics team then one of the company not to use their servers or workstations while they investigated, and literally told this company, can you do without your equipment for a couple of months while we look into it? Now, for me that was horrific, thinking, yes, they've got insurance. But hang on, it's out of my hands, isn't it going now? Because it's going down a path where they're going to dig through everything? And what's the customer do? Do they pull out their iPads and pretend they're at work, because they just don't have their equipment. And the other issue we've discovered with this first issue and the cyber insurance, they're not going to pay the ransom. Now, in some cases, some of the ransom people out there do state that if you pay the ransom, we're going to come back twice as hard and get you harder. And in this case, we can't pay the ransom because the person who perpetrated the Act came from a country that under treaty, we can't pay, which is another little loophole that people need to be aware of. You may have cyber insurance, they may pay the MSP. If they do the recovery work, they may pay for the forensics, they may pay for anything legal, they might pay for data leaks. But if the original hacker wants some money paid in Bitcoin to a country that your country is not allowed to deal with, legally, money can't be transferred. So even if it's ransom $1,000 or $200,000, unless you've got that money in your back pocket, it doesn't get transferred. And if you don't have a backup, and you're doing all this forensics, and you're without your systems for up to three months, how do you survive? Yeah.
Ken Dwight 7:56
Yeah, that's a problem.
Harry Brelsford 8:00
Yeah, just to clarify, you said the name I think it's e m Si, soft MC soft on the web. Okay, so folks, emsisoft.com. Okay, go ahead.
Ken Dwight 8:14
Okay. Just to pick up on what Michael was talking about there that the number two item that he has this there is inadequate testing. And I think that's something that most msps would fall victim to, or, or be guilty of, they may have a plan, but until I've tested it, they're gonna be a lot of glitches and things that they weren't expecting. And so what they refer to as a tabletop exercise is something that's Yes, it is time consuming. And it is something that until you've seen what happens, the first time you go through it, you really can't appreciate how many unknowns and curveballs get thrown. So clearly, it's important to have at least one run through of a tabletop exercise, as if a breach has happened and see what all comes up. Also, Michael mentioned the forensic process. If it's just a matter of a smaller organization with a single server and a few workstations, no insurance, then probably forensics will not be an issue. It's just a matter of getting back in business as quickly as possible. But clearly, if there is cyber insurance involved, or any potential criminal charges, that forensics is going to be an important part of what has to happen. And that too, can be very time consuming, and calls for a level of expertise that the average MSP will not have in house. So that can be a big part of the overall timeframe.
Harry Brelsford 9:45
All right, Michael, final thoughts for this month. Look,
Michael Jenkin 9:49
ransomware is nasty. And obviously as msps we try to do our best to put the right tools in place firewalls, Endpoint Protection education, we try our best The reality is, at some point, some smart cookie out there is going to find a new way to redo the ransomware to make it worse. And one of us even as MSPs, and their clients are going to fall victim at some point. documentation is so important. One of the things that I've learned and most recently with one of these scares, you need to know what data you've got, you need to have even an Excel spreadsheet, saying that this particular type of file, that's payroll, this particular type of file that contains sensitive information about this guy's financial state, you need to know that stuff, because ransomware can very quickly leak into a data leak. And then you'll get questioned what private data are you holding on to particular people on your systems. So you need to not only document your systems in not only need to document how these things go together, what products you're using who to contact, but what is your data, what are you protecting, and where it is. And as an MSP, that means we can look at that and go, we didn't think of that we better back that up as well. And we can look at things to try and make this a smoother process in the future. We can't fix this quickly. But we can fix it quicker. If we prepared. If we've tested if we know it's there. We know how to answer things we get on with our job and get the customer up and running, document and test.
Ken Dwight 11:18
And if you look at the cybersecurity framework that the NIST put out, the first pillar of that is identify and identification is exactly that documenting, identifying the assets, the things as so do you budget things I care about, which is all this stuff that we really need to take a look at ahead of time, so that when that incident happens, you don't have to start from scratch.
Harry Brelsford 11:44
Alrighty, well, I'll tell you what, gents my swim my lap swim times coming up, so I gotta, I gotta I gotta bring this podcast to to an end. We'll catch you next month. Thanks for sticking with us. I appreciate it.
Ken Dwight 11:57
Thank you Harry, Michael. Good to see you guy