Ransomware recovery methods: What does the NIST suggest?
Knowing what ransomware recovery methods are available is important as the threat continues to grow. Expert Judith Myerson outlines what the NIST recommends for enterprises.
Since the WannaCry outbreak, ransomware has attracted a great deal of attention. In response, the National Institute of Standards and Technology, or NIST, published a draft version of ransomware recovery methods. What methods has the NIST recommended?
Ransomware maliciously encrypts all of a victim's documents and files so that they can't decrypt them. To help enterprises with ransomware recovery, the NIST recommends corruption testing, logging analysis and data backups.
The corruption testing component of Tripwire Enterprise can be used to detect changes in file systems on servers and desktops, as well as when and which files were maliciously modified or overwritten.
Another tool that can be used for ransomware recovery is HPE ArcSight Security Enterprise Manager. The logging component of this tool collects security logs for analysis and reporting. This component is used to filter, search and manage the logs generated by the corruption testing component.
The corruption testing and logging components of this tool work together to provide information about the files that were encrypted by the ransomware. That information includes what programs were used and which users ran them.
Another helpful tool for ransomware recovery is the backup capability provided by IBM Spectrum Protect, which can be used to restore files hosted in physical, virtual or cloud environments. If a system fails due to ransomware, the operating system and the IBM Spectrum Protect client need to be physically reinstalled so that all files -- including system files -- can be restored to their previous state.
However, frequent backups require more resources. They also require more space on the server. An active file that has been frequently backed up may lose more data during the recovery process. Likewise, the restoration only covers up to a certain point in time and will not reflect recent changes to the file. Also, if a backup is done after a ransomware attack, the backups will include encrypted data. It is very important to properly label backups to ensure that the versions from prior to the attack are used.
The issue with these ransomware recovery recommendations is that they fail to mention the possibility of a server vulnerability that has enabled, for instance, a breach of Apache Struts servers that leads to the installation of a threat like the Cerber ransomware on locally networked computers.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)