June 27, 2017
Latest Ransomware Outbreak Locks Your Entire Computer
The latest worldwide outbreak of ransomware works just like the WannaCry epidemic from early May. Unpatched versions of Windows are open to the ETERNALBLUE exploit, which then delivers a payload like the Petya malware from last year. This latest variant is called, interestingly, NotPetya. Petya and its variants lock up the Master File Table (MFT) of your computer, making it unable to boot unless you pay a ransom. The instructions are posted as a BIOS-like screen that shows you how to pay. Don’t do it. If you do, you will paint a red bullseye on your back for cyber criminals, just like the South Korean firms that shelled out roughly $1 million in Bitcoin. Don’t become a statistic.
Many times, I have talked about the need for a business continuity solution to recover from ransomware attacks—this is no different. If you don’t have a way to quickly restore data, you are dead in the water.
Datto Continuity devices can detect when a backup taken from a production machine shows signs of ransomware. If you have a Datto Continuity device, follow the steps below to get operations back up and running.
First, quarantine all the infected machines. Then, virtualize a recent recovery point that is not tagged with ransomware and make sure it is accessible on the local network. If the affected machine is a guest virtualized on Hyper-V or ESX, then virtualize via those hypervisors.
Then, it is time to plan on restoring back to production. With Datto, you have options. We’ll look at two scenarios below—the first is restoring back to physical hardware and the second is restoring a virtual guest.
Physical Hardware: DattoCon17 saw the release of the new Fast Failback feature added to the Bare Metal Restore (BMR) environment, and this is where it can shine. You simply start the BMR process on the infected machine, copy all the data from the last clean recovery point, and leave the BMR in the mirror wizard. Then, changes captured in snapshots of the virtualized machine are incrementally copied over to the server in the BMR environment. When you are ready to go back to production, you just click Complete in the BMR environment, and a final backup is taken and copied from the virtual machine to the physical hardware. At that point, the physical hardware reboots with the latest data and a brand new MFT, and can return to production.
Virtual Guest: This one is easy: do a live storage migration. Since you have already virtualized via the hypervisor of your choice, you are already using the compute of your hypervisor environment. Simply move the virtual disks from one datastore, in this case the Datto, to your production datastore with Microsoft Hyper-V or VMware ESX.
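The Hyper-V side of that live storage migration, as an added example that is not part of the original post: it records where the guest's disks currently live (on the Datto datastore), moves the whole VM's storage to the production datastore while the guest keeps running, and then verifies that every attached disk now resides under the new path. The VM name and both paths are assumed placeholders.

```powershell
# Added example (not Datto's code). Requires the Hyper-V PowerShell module on the host.
# Assumed placeholders: VM name and datastore paths.
$VMName            = 'RECOVERED-SERVER'          # guest currently booted from the Datto datastore
$ProductionStorage = 'D:\ProductionVMs\RECOVERED-SERVER'  # destination on production storage

$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.State -ne 'Running') {
    Write-Warning "$VMName is not running; migration still works, but this is meant to be a live move."
}

# Record current disk locations so the move can be audited afterwards.
$before = Get-VMHardDiskDrive -VMName $VMName | Select-Object -ExpandProperty Path
Write-Host "Disks before migration:"
$before | ForEach-Object { Write-Host "  $_" }

# Live storage migration: moves VHDs, configuration and checkpoint files
# to the production datastore without stopping the guest.
Move-VMStorage -VMName $VMName -DestinationStoragePath $ProductionStorage -ErrorAction Stop

# Verify every attached disk now sits under the production path.
$after   = Get-VMHardDiskDrive -VMName $VMName | Select-Object -ExpandProperty Path
$strays  = $after | Where-Object { -not $_.StartsWith($ProductionStorage, [System.StringComparison]::OrdinalIgnoreCase) }
if ($strays) {
    Write-Error "Migration incomplete; disks still outside production storage: $($strays -join ', ')"
} else {
    Write-Host "All $($after.Count) disk(s) for $VMName now reside under $ProductionStorage"
}
```

Once the check passes, the recovery point on the Datto can be released and the guest is running entirely on production storage.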
Getting business up and running is obviously the number one goal. Once that is done, you are free to figure out the best way to get back to a healthy production environment. There are many ways of recovering and restoring when ransomware starts infecting environments. However, you are not out of the woods just yet.
There have been reports that the payload that is being used in the most recent attacks also includes a Trojan called Loki Bot. Loki Bot is used to gather passwords from numerous different sources like FTP and SSH clients as well as web browsers. As such, following an infection, it would be wise to enforce a password change across users.
I cannot stress enough the need for a continuity solution, and recent news reports bear out that claim.