Ransomware recovery methods: What does the NIST suggest?



Knowing what ransomware recovery methods are available is important as the threat continues to grow. Expert Judith Myerson at TechTarget outlines what the NIST recommends for enterprises. She wrote:

"Since the WannaCry outbreak, ransomware has attracted a great deal of attention. In response, the National Institute of Standards and Technology, or NIST, published a draft version of ransomware recovery methods. What methods have they recommended?

To help enterprises with ransomware recovery, the NIST recommends corruption testing, logging analysis and data backups.

The corruption testing component of Tripwire Enterprise can be used to detect changes in file systems on servers and desktops, as well as when and which files were maliciously modified or overwritten.

Another tool that can be used for ransomware recovery is HPE ArcSight Security Enterprise Manager. The logging component of this tool collects security logs for analysis and reporting. This component is used to filter, search and manage the logs generated by the corruption testing component.

The corruption testing and logging components of this tool work together to provide information about the files that were encrypted by the ransomware. That information includes what programs were used and which users ran them.

Another helpful tool for ransomware recovery is the backup capability provided by IBM Spectrum Protect, which can be used to restore files hosted in physical, virtual or cloud environments. If a system fails due to ransomware, the operating system and the IBM Spectrum Protect client need to be physically reinstalled so that all files -- including system files -- can be restored to their previous state.

However, frequent backups require more resources. They also require more space on the server. An active file that has been frequently backed up may lose more data during the recovery process. Likewise, the restoration only covers up to a certain point in time and will not reflect recent changes to the file. Also, if a backup is done after a ransomware attack, the backups will include encrypted data. It is very important to properly label backups to ensure that the versions from prior to the attack are used.

The issue with these ransomware recovery recommendations is that they fail to mention the possibility of a server vulnerability that has enabled, for instance, a breach of Apache Struts servers that leads to the installation of a threat like the Cerber ransomware on locally networked computers." 
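The quoted recommendations pair corruption testing with backups and warn that a backup taken after an attack contains encrypted data. The following is an added example, not code from NIST, TechTarget or any of the products named above: a minimal hash-baseline check, plus selection of the newest backup taken before the first detected change. The file names, backup labels and timestamps are constructed sample data.

```python
import hashlib, os, tempfile
from datetime import datetime

def snapshot(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff(baseline, current):
    """Return (modified, missing, added) relative paths versus the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added

def last_clean_backup(backups, first_change):
    """Pick the newest backup label taken strictly before the first detected change."""
    clean = [(ts, label) for label, ts in backups.items() if ts < first_change]
    return max(clean)[1] if clean else None

def demo():
    # Constructed sample data: a temp directory standing in for a monitored share.
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("report.docx", b"q3 numbers"), ("notes.txt", b"meeting notes")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Stand-in for what an integrity check sees once files are overwritten or renamed.
        with open(os.path.join(root, "report.docx"), "wb") as fh:
            fh.write(b"\x00overwritten\x00")
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        changes = diff(baseline, snapshot(root))
    # Constructed backup labels and times; first_change would come from the integrity log.
    backups = {"nightly-0501": datetime(2017, 5, 1, 2),
               "nightly-0502": datetime(2017, 5, 2, 2),
               "nightly-0503": datetime(2017, 5, 3, 2)}
    first_change = datetime(2017, 5, 2, 14, 30)
    return changes, last_clean_backup(backups, first_change)

if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored where the monitored hosts cannot overwrite it, otherwise the comparison is only as trustworthy as the compromised system.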

Obviously, stepping end users through new-school security awareness training is a great way to prevent infections in the first place.


Ransomware Hostage Rescue Manual

Get the most informative and complete hostage rescue manual on Ransomware. This 20-page manual is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware like this. You also get a Ransomware Attack Response Checklist and Prevention Checklist. You will learn more about:

  1. What is Ransomware?
  2. Am I Infected?
  3. I’m Infected, Now What?
  4. Protecting Yourself in the Future
  5. Resources

Don’t be taken hostage by ransomware. Download your rescue manual now! 

Download here, or cut and paste this link into your browser: http://info.knowbe4.com/ransomware-hostage-rescue-manual-0

 

Topics: Ransomware


