At Veeam, our approach to remediating ransomware is this:
Don’t pay the ransom. Restore the data — this is the only option. In spite of all of the education and implementation techniques that you may employ to stay resilient against ransomware, you should still be prepared to respond to a ransomware incident if a threat does get in. What you may not have thought about is specifically what to do once a threat is discovered. Here are a few remediation recommendations to have at your disposal should a ransomware incident happen:
There’s a special group within the Veeam Support organization that has specific operations to guide customers through restoring data in ransomware incidents. Since you don’t want to put your backups at risk, having this support is critical for your ability to recover.
In disasters of any type, communication becomes one of your first challenges. Have a plan for how to communicate out-of-band with the right individuals. This plan can include group text lists, phone numbers or other mechanisms that are commonly used for on-call but expanded for an entire IT operations group.
Have a list of security, incident response, identity management and other relevant teams ready to contact if needed. They can be within the organization or external experts. If a Veeam service provider is used, there are additional value add-ons to their base offering that can be considered (such as Veeam Cloud Connect Insider Protection).
CHAIN OF DECISION
In recovering from any disaster, who makes the call to restore, to fail over and so on? Have discussions about this decision authority beforehand, so your chain of decision is ready to deploy should an incident arise.
READY TO RESTORE
When it’s appropriate to restore, implement additional safety checks before putting systems on the network again. Additional steps can include restoring with network access disabled for a final check.
Veeam Secure Restore will trigger an antivirus scan of the image before the restoration completes. Veeam Secure Restore uses the latest antivirus and malware definitions, with the option of an additional tool, to ensure a threat is not reintroduced.
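The two steps above, restoring with Secure Restore enabled and then keeping the recovered machine off the network until a final check passes, can be scripted. The following is an added example, not code from the Veeam post or from Veeam's documentation. It assumes the Veeam Backup & Replication PowerShell module and VMware PowerCLI are installed on the backup server; the cmdlet and parameter names are written as I recall them from Veeam's PowerShell reference and should be checked against your installed version, and $BackupJob, $VmName, $TargetHost, $Datastore and $VCenter are placeholders for your own environment.

```powershell
# Added example (not Veeam's own code): restore a VM from its latest restore point
# with Secure Restore enabled, leave it powered off, then disconnect its NICs in
# vSphere before the first boot so the final check happens off the network.
# Assumptions: Veeam B&R PowerShell module + VMware PowerCLI present; cmdlet and
# parameter names as in Veeam's PowerShell reference (verify against your version).

Import-Module Veeam.Backup.PowerShell
Import-Module VMware.PowerCLI

$BackupJob  = 'Daily-Prod'            # placeholder: backup job that protects the VM
$VmName     = 'app-srv-01'            # placeholder: VM to recover
$TargetHost = 'esxi-isolated-01'      # placeholder: host used for the off-network check
$Datastore  = 'ds-restore'            # placeholder: datastore on that host
$VCenter    = 'vcenter.example.test'  # placeholder: vCenter managing the host

# Pick the most recent restore point for the VM.
$rp = Get-VBRBackup -Name $BackupJob |
      Get-VBRRestorePoint -Name $VmName |
      Sort-Object CreationTime -Descending |
      Select-Object -First 1

# Secure Restore: the image is scanned with the current AV definitions before the
# VM is handed back. 'AbortRecovery' stops the restore if the scanner flags the
# image; 'DisableNetwork' would instead complete the restore with NICs disconnected.
# -PowerUp is deliberately omitted so the VM stays powered off after the restore.
$server       = Get-VBRServer -Name $TargetHost
$store        = Find-VBRViDatastore -Server $server -Name $Datastore
$restoredName = "$VmName-restored"
Start-VBRRestoreVM -RestorePoint $rp -Server $server -Datastore $store `
    -VMName $restoredName -EnableAntivirusScan -VirusDetectionAction AbortRecovery `
    -EnableEntireVolumeScan `
    -Reason 'Ransomware recovery: scanned restore for offline verification'

# Disconnect every NIC in vSphere before first boot, then power on for the final
# check (EDR sweep, file integrity review). Reconnect only after the check passes.
Connect-VIServer -Server $VCenter | Out-Null
$vm = Get-VM -Name $restoredName
$vm | Get-NetworkAdapter |
    Set-NetworkAdapter -Connected:$false -StartConnected:$false -Confirm:$false | Out-Null
Start-VM -VM $vm | Out-Null
Write-Host "$restoredName restored, scanned and powered on with all NICs disconnected."
```

The restore is run without -PowerUp and the NICs are disconnected in the hypervisor rather than inside the guest, so nothing on the recovered system can reach the network before an operator has looked at it; the -EnableEntireVolumeScan switch trades restore time for a full-image scan, which is the right trade-off during an incident.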
FORCE PASSWORD RESETS
While it’s not always popular with users, implementing a sweeping forced change of passwords reduces the threat propagation surface area.
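A sweeping forced change is usually driven from the directory. The script below is an added example, not part of the Veeam post; it assumes the Active Directory PowerShell module and treats the service-account OU and the log path as placeholders. It flags every enabled user account for a password change at next logon, skips the service-account OU (those credentials need a coordinated rotation rather than a next-logon prompt), reports accounts the flag cannot be applied to, and records what was touched.

```powershell
# Added example (not from the original post): force a password change at next
# logon for all enabled user accounts, skipping a service-account OU, and log
# what was changed. Assumes the ActiveDirectory module; paths are placeholders.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=Service Accounts,DC=corp,DC=example'                    # placeholder
$LogPath          = "C:\IR\forced-reset-$(Get-Date -Format yyyyMMdd-HHmm).csv"  # placeholder
$WhatIf           = $true   # dry run; set to $false to apply

$all = Get-ADUser -Filter 'Enabled -eq $true' `
           -Properties PasswordLastSet, PasswordNeverExpires, DistinguishedName |
       Where-Object { $_.DistinguishedName -notlike "*$ServiceAccountOU" }

# ChangePasswordAtLogon cannot be combined with PasswordNeverExpires, so those
# accounts are reported for manual handling instead of silently skipped.
$manual  = $all | Where-Object { $_.PasswordNeverExpires }
$targets = $all | Where-Object { -not $_.PasswordNeverExpires }

foreach ($u in $targets) {
    # Sets pwdLastSet=0: the current password keeps working until the next
    # interactive logon, and existing sessions or tokens are not revoked by this
    # alone. A hard reset (Set-ADAccountPassword -Reset) is the stronger step
    # for accounts known to be compromised.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$WhatIf
}

$targets | Select-Object SamAccountName, DistinguishedName, PasswordLastSet |
    Export-Csv -Path $LogPath -NoTypeInformation

Write-Host ("{0} accounts flagged for change at next logon (WhatIf={1}); list saved to {2}" -f `
    @($targets).Count, $WhatIf, $LogPath)
if (@($manual).Count -gt 0) {
    Write-Warning ("{0} accounts have PasswordNeverExpires and need a manual reset:" -f @($manual).Count)
    $manual | ForEach-Object { Write-Warning "  $($_.SamAccountName)" }
}
```

Run it first with $WhatIf left at $true to get the list of affected accounts for the decision chain to approve, then flip it to $false; the CSV gives the incident record of who was forced to change and when their password was last set before the reset.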