I just hope more organisations and companies start taking this approach
A Brit public sector-owned office supplies company shrugged off a ransomware demand for 102 Bitcoins after a staffer opened a phishing email. Kent-based Commercial Services Group (CSG) was struck by ransomware deployed by a "foreign criminal organisation" in early April. A local blogger, publishing the Vox Medway site, claimed …
There very well may be backups. Unfortunately, there are at least a few problems:
1) How far has the malware infiltrated the company's systems? If they can't answer that, then undertaking the recovery process may be a vain effort, since the malware may just spread again to the recovered systems.
2) How long was the malware in the network before it triggered? If the company does know that, recovery from backup may also restore the malware.
3) How much control do the malware writers have over the infected machines? What access do the technical staff currently have?
4) Depending on how deeply the malware has spread, the company may actually need to wipe and bare-metal recover a number of systems, possibly including the backup servers themselves. BMR is not usually a trivial process, unfortunately.
If it's a really bad incursion, the company may still be diagnosing the problem, and backups are only a part of the recovery strategy.
Then there is the 5th point: it all takes time to do the analysis, get replacement kit and drives in if needed, and then actually provision those devices and recover from backups.
At one site I worked, we had a single ransomed PC. We removed the hard drive, put in a new one and played out a standard image, and the user was back up and working in a couple of hours (company policy forbade the storage of documents locally, so any lost documents were the user's problem). Multiply that up by a few hundred PCs and it will be days before everybody is back online, assuming you don't have to recover any personal data on those PCs.
Then you have the server infrastructure, where the data is. That will usually take several hours overnight to perform an automated backup. Recovering each machine from a last-known-good backup will take more time, multiplied by all the servers you have, possibly all on different backup tapes (some machines don't change often, so are backed up weekly or monthly; others change rapidly and will be backed up multiple times a day, e.g. email and ERP servers).
Once you have the right backup media, you will probably spend a couple of days recovering the servers (and keeping them powered off or network isolated). Then you need to check the servers aren't infected. Once you are sure they are clean, they can come back online and the users must perform integrity checks to ensure the data is complete and to assess how much data has been lost since the last backup. That lost data will then need to be reconstructed from the paper trails (worst case), or the data is lost completely (catastrophic case).
So, even if you have a lot of IT staff and your latest backups are good and can be used, you will still need days or weeks to get the whole infrastructure back up and running.
One case I am aware of: the cyber security arm of the Federal Office for the Protection of the Constitution contacted a company and informed them that their servers' IP address had turned up on a Chinese darknet forum. Given the known vulnerabilities and patch status of the server's firmware, their advice was to "shred" the servers and install new ones and recover from known-good backups.
That is an extreme case, but where are you going to get a replacement server farm on short notice?
We're always talking about backups, but this raises an interesting thought for me. Wouldn't it be sensible to set up an entirely unrelated emergency domain (or Gmail account, yes) which you specify in your contracts as an authoritative secondary, from a business perspective...?
I'm sure it's not simple to recover a business without usable backups for all systems, but if you can continue to communicate and trade it's got to be easier.
Yeah, having a plan to get communication up quickly is always recommended. Every company tends to have some spare domains, so why not keep them handy for some email accounts?
We don't host our own site, so if we ever have issues we have the option of simply creating some shared email accounts with our hosting provider. Once back, these can easily get redirected.
There are dozens of online email archiving/continuity services that give you access to a cached version of your mailbox and store copies of your outgoing mail until you have got your recovery organised.
Currently their MX records point to mxtls.expurgate.net; a visit to www.expurgate.net redirects to cyren.com/en, which has this apocryphal text:
91% Of All Cyberattacks Start With A Phishing Email.
If they are still down (and a visit to kcs.co.uk suggests that they might be) then it really is too little, too late.
I'm a bit old school in that I think of email as primarily a text medium, so I tend to preview and open mails in plain text, only switching to HTML if there's something of interest. There should never be anything executable in an email. No ifs, ands or buts. Nothing executable. Ever. Or to quote my late mother -- "Don't touch it -- you don't know where it's been".
My mail reader is configured to display HTML as plain text, and show anything else that isn't plain text as a closed attachment. It runs absolutely nothing, but I can save things like embedded images without once actually viewing them.
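As an added illustration of the "plain text only, everything else is a closed attachment" approach in the comment above, here is a small Python previewer written for this page (it is example code, not the commenter's mail-client configuration or any product's code). It uses only the standard library: text/plain is preferred, a text/html body is reduced to its visible text with scripts dropped, and every other part, inline images included, is listed by name, type and size without being rendered. The sample message it parses and the short list of extensions it flags as executable are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumption: a small illustrative list of extensions to flag, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".jar"}


class _VisibleText(HTMLParser):
    """Collect only the visible text of an HTML body; script/style content is dropped."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in ("br", "p", "div", "tr", "li"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag in ("p", "div", "tr", "li"):
            self.chunks.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def html_to_text(html: str) -> str:
    """Reduce HTML to plain text: no tags, attributes, scripts or remote content."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    lines = "".join(parser.chunks).splitlines()
    return "\n".join(line.strip() for line in lines if line.strip())


def preview(raw: bytes) -> dict:
    """Plain-text preview of a raw RFC 5322 message; nothing is rendered or executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain, html, attachments = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()  # None, "inline" or "attachment"
        if ctype == "text/plain" and disposition != "attachment":
            plain.append(part.get_content())
        elif ctype == "text/html" and disposition != "attachment":
            html.append(part.get_content())
        else:
            # Anything that is not body text is reported, never opened.
            name = part.get_filename() or "(unnamed)"
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            attachments.append({
                "filename": name,
                "content_type": ctype,
                "size": len(part.get_payload(decode=True) or b""),
                "executable": ext in EXECUTABLE_EXTENSIONS,
            })
    if plain:
        body = "\n".join(p.strip() for p in plain)
    elif html:
        body = "\n".join(html_to_text(h) for h in html)
    else:
        body = ""
    return {"subject": msg["subject"], "body": body, "attachments": attachments}


def build_sample(include_plain: bool = True) -> bytes:
    """Constructed sample (made up for this example): HTML body with a script tag,
    optional text/plain alternative, an inline image and an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice attached"
    html = ("<html><body><p>Please see the <b>attached</b> invoice.</p>"
            "<script>alert('phish')</script></body></html>")
    if include_plain:
        msg.set_content("Please see the attached invoice.\n")
        msg.add_alternative(html, subtype="html")
    else:
        msg.set_content(html, subtype="html")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, maintype="image",
                       subtype="png", filename="logo.png", disposition="inline")
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    report = preview(build_sample())
    print("Subject:", report["subject"])
    print(report["body"])
    for att in report["attachments"]:
        flag = "  <-- executable, never open" if att["executable"] else ""
        print(f"[attachment] {att['filename']} ({att['content_type']}, {att['size']} bytes){flag}")
```

The inline image is deliberately treated the same as the .exe: it is listed with its size so the reader can decide to save it, but it is never decoded for display, which is the behaviour the comment describes.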
Pedant alert: Actually, the line is "never mind the quality, feel the width" and was a sarcastic rejoinder about some fabric stores trying to get you to ignore the fact that the roll of fabric was a ridiculously small width by hyping up the quality of the cloth ("never mind the width, feel the quality").
My wife is a sewing addict.