When ransomware strikes, there are multiple phases to recovery: the first is detecting that an issue is happening and stopping it, the second is figuring out what happened, and the third is creating a recovery plan. As with any crime scene, you will initially want to tread lightly as you sort out what happened and how to fix it. The first order of business is to figure out the scope of the damage. Did this ransomware incident affect just a single desktop? Was your shared storage impacted? Is your virtual environment now toast? Has your cloud data been hit? Understanding who caused the crime, what was impacted, when it occurred and how it happened will be required to put things right again.

It’s unlikely any single product will cover all the areas that could be impacted. The bulk of data is likely living on a SAN, probably encapsulated within a number of VMs. By installing sensors within VMs, you can detect abnormal behavior, set up automatic snapshots of affected VMs and use them to sift through what happened and execute your recovery plan.

As with any crisis management situation, you’ll need to figure out the priority of getting things back up and running. The example below prioritizes recovering the data in your VMware environment.

Step No. 1 – Secure the crime scene (data).

  1. Take a read-only immutable snapshot of the VMs, either via a VMware snapshot or a storage-based snapshot.
  2. Optionally, automatically shut down the suspect users (perhaps alongside a Phantom Cyber playbook), or at least get an alert that the user could be affected.
  3. If you’re using DataGravity, find out who the likely culprit(s) are. From the DataGravity management console, go to the activity view for a VM and scan for users. One will likely stand out.
  4. To verify this is the right user, go to the search option under Discovery and search for that user. You’ll see a lot of files changed in a short period of time, likely all of them locked. This confirms you have the right user.
  5. Once you have the user, take related devices offline. It might be a good idea to suspend their account, as well. This can be done using a Phantom Cyber app in conjunction with a Phantom Cyber playbook.

Step No. 2 – Assess what happened.

If you watched Apollo 13, you’ll remember the line: “Let’s look at this thing from a… um, from a standpoint of status…. What’s good?” Basically, before jumping into action, which is everyone’s first impulse, assess what happened and build a plan optimized for repairing the damage. Drill into the who, what, where and when surrounding the attack. In some cases, find out how the damage was inflicted:

  1. Was the damage confined/contained to a single user folder, home directory or area?
  2. Was it more widespread – if so, how extensive?
  3. Were changes made in the same time period that weren’t impacted?
  4. Were a bunch of files renamed, deleted and new ones created? If so, start working toward cleanup and piecing things back together.
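
The user check in items 3 and 4 of Step No. 1 and the scope questions above can be reproduced from any file-activity log, shown here as an added example that is not part of the original post or of DataGravity's product. The log layout, the 60-second window, the threshold of 5 changes and all function names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample records: "timestamp,user,operation,path".
# This layout is an assumption for the example, not a DataGravity export format.
SAMPLE_LOG = "\n".join(
    ["2024-01-15T09:00:05,alice,write,/share/finance/q1.xlsx",
     "2024-01-15T09:40:00,alice,write,/share/finance/q2.xlsx",
     "2024-01-15T10:15:00,carol,read,/share/hr/policy.docx"]
    + [f"2024-01-15T10:15:{2 * i:02d},bob,rename,/home/bob/doc{i}.docx.locked"
       for i in range(6)]
    + [f"2024-01-15T10:15:{20 + 2 * i:02d},bob,rename,/share/finance/rep{i}.xlsx.locked"
       for i in range(4)]
)

CHANGE_OPS = {"write", "rename", "delete", "create"}  # reads are ignored


def parse(log):
    """Yield (timestamp, user, operation, path) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, user, op, path = line.split(",", 3)
        yield datetime.fromisoformat(ts), user, op, path


def find_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Report users who changed at least `threshold` files within `window`.

    Returns {user: {"peak": most changes seen in one window,
                    "dirs": sorted directories that user changed}}.
    """
    recent = defaultdict(deque)   # per-user timestamps inside the window
    peak = defaultdict(int)
    dirs = defaultdict(set)
    for ts, user, op, path in sorted(events):
        if op not in CHANGE_OPS:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop changes older than the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
        dirs[user].add(str(PurePosixPath(path).parent))
    return {u: {"peak": peak[u], "dirs": sorted(dirs[u])}
            for u in peak if peak[u] >= threshold}


if __name__ == "__main__":
    for user, info in find_bursts(parse(SAMPLE_LOG)).items():
        print(user, info["peak"], "changes in one window:", ", ".join(info["dirs"]))
```

The `dirs` list answers whether the damage stayed in one home directory or reached shared areas; users below the threshold in the same period are the unaffected changes worth preserving.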

There may be other things to think about, such as site-specific needs and use cases. However, with the above steps and assessments, you’re well on your way to recovery. As for Step No. 3 – Repair – stay tuned.
