Responding to Ransomware Attacks: Critical ElementsExperts Provide Tips for Smoother Recoveries
A Canadian home healthcare provider says it was able to recover from a recent ransomware attack without paying a ransom, but had to revert to manual processes for several days during the mitigation process. The incident illustrates the value of being well prepared to deal with cyberattacks.
See Also: 2020 Cyberthreat Defense Report
VON Canada, the Victorian Order of Nurses - which claims to be Canada's largest national, not-for-profit home and community care organization - says a ransomware incident that started on Sept. 1 resulted in a systemwide outage.
"There is no evidence at this time to indicate that any employee, client or volunteer information was compromised in any way. ... No ransom has been paid in this case," the statement says.
VON says it shut down all systems immediately upon the discovery of the ransomware and engaged a third-party cybersecurity firm to oversee the response and restoration.
"VON also reverted to manual operations for scheduling of all care and exchange of all client information, in accordance with our disaster recovery protocols," the statement says. "All of our systems were scanned, cleaned and certified by these experts before being brought back online for use."
VON did not immediately respond to an Information Security Media Group request for additional information.
The Value of Preparation
To help ensure a smoother recovery, as well as help avoid mishaps along the way, all healthcare organizations should take a variety of critical steps in their disaster planning before a ransomware or other cyberattack hits, says Mark Dill, the former Cleveland Clinic director of information security who is a partner and principal consultant at tw-Security.
"In order to be effective at providing recovery confidence scores to executives and the board, recovery and data backup/restore plans should be regularly tested. Ideally, organizations should use scenario based recovery exercises that include bare-metal recovery tests - from the beginning, from scratch," he says.
"Building a resilient infrastructure alone is not good enough; an untested plan is just a document."
—Mark Dill, tw-Security
"Building a resilient infrastructure alone is not good enough; an untested plan is just a document. As it pertains to ransomware, it is vital to have at least one backup destination that is not continuous addressable by operating system calls. This can help ensure that recovery data is shielded from hacker and malware access and preventing it from being compromised."
The primary reason that a ransom is not paid is because an organization is able to recover with minimal data loss, with no evidence of data exfiltration, Dill says.
Retaining backup data for longer periods of time also helps ensure a route back to usable data, although the older the backup, the more "stale" the data can be, he notes.
"Restores from backups - especially in a wide-scoped event - can be slow," Dill warns. "High-availability solutions - like SAN snapshots - can provide a quicker recovery than traditional backup/restore solutions, but they may be more expensive."
Prepare for the Worst
Mac McMillan, president of consulting firm CynergisTek, stresses the need to prepare for the worst.
"Most challenges with resuming normal operations or operating while down stem directly from a lack of preparation and readiness," he says. "Many come directly from not preparing well enough, meaning assuming outages will only last a short while and therefore building both down time and resumption plans around that assumption."
Healthcare organizations need to have downtime plans that assume minimally a two-week total outage of computer and communications, McMillan contends, "because we have seen outages last this long and resumption longer."
Entities need to focus on having a solid incident response process. "The more detailed it is the better; the more practiced it is, the more ready the organization will be. And don't forget to train the workforce for operating in the absence of system or data availability," McMillan says.
"Organizations that have plans, know where their backups are, have redundant off-line processes and knowledgeable staff reduce the impacts of these events - and therefore the consequences - dramatically."
Paying a Ransom
Some entities decide to pay a ransom because they conclude that the recovery using a decryption key from attackers will be quicker than trying to rebuild systems from backups.
Nevertheless, "paying is never recommended as there is no guarantee that paying will actually secure the release of the data or ensure that you will not see secondary attacks," McMillan stresses.
But Ron Pelletier, co-founder and partner of security consulting firm Pondurance, offers another perspective. "Most companies rightfully want to avoid the stigma of paying the ransom, but sometimes it might be your best option, even though it's not your only option," he says.
For instance, if an organization is unsure whether it can successfully recover its data - perhaps because it hasn't tested its recovery plan - it might choose to pay the ransom to avoid a questionable restoration and possibly long downtimes, he says.
"My best advice if you're going to pay the ransom is two-fold: Don't get cute with the attackers; and bring in a professional third-party organization to help facilitate not only the transaction, but the incident as well," he says.
"If you're quick to pay, and you haven't resolved the vulnerability issues that led to led to a successful attack, then you may end up right back in the same situation a second or even a third time. It's happened."
Also keep in mind that mishaps can occur when an organization agrees to pay a ransom after an attack.
For example, HMC Healthworks apparently inadvertently turned over to attackers a file containing patient data during the process of paying to obtain a decryption key.