CCE 3070 Network Management: Ransomware Disaster Recovery Plan Report
Added on 2023/04/11
AI Summary
This document presents a disaster recovery plan focused on ransomware attacks, addressing the increasing prevalence and impact of such threats. It categorizes ransomware types (crypto and locker), explains propagation methods, and outlines steps to defend against attacks, including data backup, regular scanning, and staff training. The recovery strategy details immediate actions like isolating infected devices, assessing the compromise, calculating the potential loss, and deciding whether to pay the ransom. It further emphasizes checking shared resources, prioritizing data restoration, and evaluating the entire recovery process. The document concludes by highlighting vulnerable targets and underscoring the importance of proactive measures and a well-defined recovery plan to mitigate the significant harm ransomware can inflict on businesses.

Middlesex University, London
Group Presentation
CCE 3070 NETWORK MANAGEMENT
Disaster Recovery Plan - Ransomware

Abstract [1]
Ransomware attacks are becoming prevalent nowadays. One of the major reasons for this rise is that
ransomware has proven effective in most previous cases, as is evident from the 2016 ransomware
attack on the Hollywood Presbyterian Medical Center in Los Angeles. As ransomware is proving to be
a remarkably successful strategy for extracting money from corporations, it is expected to increase in
the coming years. Given the severity of the damage caused by this attack, businesses must be able to
defend against these kinds of malicious attacks. Some important key points to be followed in this
situation are discussed in this paper.
Introduction
Ransomware
Ransomware refers to a malicious attack in which an attacker infects a computer network or a
device with harmful software. Generally, the malicious scripts are attached to e-mails or to
legitimate software that is downloaded from a website. Once downloaded, the code propagates
through the system, encrypts the data, and then contacts the owner with a demand for a ransom in
exchange for getting the data back.
Types of ransomware [2]
Ransomware attacks can be broadly classified into two categories:
1. Crypto Ransomware
2. Locker Ransomware
Crypto Ransomware:
It is the most sophisticated type of computer attack. The attackers encrypt critical information and
then demand a ransom from the owner, usually with a countdown threat. Of all ransomware attacks,
64% are crypto attacks. It generally targets the system files and the data available on the device. As a
result, the system remains functional, but the files that have been encrypted by the code cannot be
accessed.
Locker Ransomware:
Compared to crypto ransomware, this is a simpler attack. The malicious code disables some or all of
the system's functionality. The files are typically not encrypted, but access to them is denied. To date,
36% of ransomware attacks belong to this category. The victim is prevented from accessing the
system by a lock placed on some components or on the entire device.
How does ransomware propagate in the system? [5]
1. The user receives a spam message with a malicious attachment.
2. The attachment acts as a downloader for the malware, connecting to the URLs that host the
crypto files.
3. The crypto files of the ransomware are downloaded onto the system automatically.
4. The system and data files on the device are encrypted.
1 Keep-it-safe ransomware recovery report
2 Johansson, K.H., H. Amin and Sandberg, 2015. “Cyber-physical security in networked control systems: An
introduction to the issue”. IEEE Control Systems Magazine, 35(1), pp.20-23

5. Finally, a threat message is displayed, stating the amount and the deadline for the payment.
6. Generally, the victims pay in bitcoins using the Tor browser.
Steps to defend against ransomware [3]
1. A comprehensive plan for data backup and recovery, and the backup of the data itself, is to be
implemented.
2. The attached networked devices need to be scanned regularly and tested periodically.
3. All the software and the operating system installed on the device must be kept updated.
4. Isolate infected devices quickly.
5. Filter for .exe attachments in e-mail.
6. Disable files running from AppData folders.
7. Disable Remote Desktop Protocol.
8. The staff must be properly trained and tested for readiness for any attack.
Recovery Strategy [4]
All business plans come to a halt once your crucial data is hacked or stolen. After a ransomware
attack it is mandatory to identify which files are missing, to decide whether or not to pay the
ransom, and to determine how to get your lost files back. The step-wise recovery strategy is as
follows:
1. Shut down your users and stop the intruder immediately
The first step after a ransomware attack is to secure the affected servers and immediately shut
the users out of those servers.
2. Check the cross-contamination
It is important to ensure that the attack does not propagate to other copies of the affected data.
For this, the snapshot schedules must be turned off. A two-step verification should also be carried
out to confirm that the snapshots of the attack are not being deleted automatically.
3. Identify the compromise
After ensuring that the propagation of the attack is halted, identify the data that is impacted.
Maintain an inventory of all the audit logs and the snapshots taken previously.
4. Calculate the loss
The next step is to perform a mathematical cost analysis of the impacted data compared with the
ransom amount. This will help you decide whether or not to pay the ransom to the intruder. Along
with the financial consequences, report the other legal costs, such as reputational damage to the
organization, employee time and other affected IT operations.
5. Decide whether or not to pay the ransom amount
After a complete analysis of the situation, the time comes to decide whether the organization needs
to pay the ransom or not. If the victim decides to pay, he/she should note that there is no promise or
guarantee of getting the data back in the same form as before. It is just a risk taken by the
organization.
3 Fisch, White, G.B., Pooch and E.A. 2017. “Computer system and network security”. CRC press.
4 Chris Preimesberger.2017.“Ransomware Recovery Report 101”.e-week.com

6. Check all the shared resources
If the organization refuses to pay the ransom, the data recovery process has to begin. The first step
is to check all the network logs and the shared devices. This will help you identify which resources
are impacted and which files have been accessed by the intruder.
7. List the key data to be restored
Use tools that can help you list the data you want to restore. This will save a lot of time, as you do
not need to restore less important files, and only good and useful data will be included in your list.
8. Check the back-ups
It is probable that, along with the actual data files, your back-ups are also infected. Hence
cleaning up the back-ups will be an extra item on your to-do list.
9. Recovery process to be evaluated
Finally, the organization needs to evaluate the entire recovery process and prepare for such
attacks in the future.
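Steps 7 and 8 combined, as an added example that is not part of the original report: each backup copy is checked against a SHA-256 manifest before it is queued for restore, and the verified files are ordered by priority. It assumes a manifest of hashes and priorities was recorded before the incident; the manifest layout, function names and sample files are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so that large backup files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_restore(manifest: dict, backup_root: Path):
    """manifest maps relative path -> (priority, pre-incident SHA-256); 1 restores first.

    Returns (paths safe to restore, in priority order; paths whose copy is suspect).
    """
    safe, suspect = [], []
    for rel, (priority, good_hash) in manifest.items():
        copy = backup_root / rel
        if copy.is_file() and sha256_file(copy) == good_hash:
            safe.append((priority, rel))
        else:
            suspect.append(rel)  # missing, or altered since the manifest was written
    return [rel for _, rel in sorted(safe)], sorted(suspect)


def demo():
    """Constructed backup set: one copy altered after the manifest, one missing."""
    files = {"db/patients.sql": (1, b"INSERT INTO patients VALUES (1);\n"),
             "hr/payroll.csv": (2, b"id,amount\n1,100\n"),
             "docs/policy.txt": (3, b"Policy v1\n"),
             "docs/newsletter.txt": (4, b"Hello all\n")}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = {}
        for rel, (priority, data) in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
            manifest[rel] = (priority, hashlib.sha256(data).hexdigest())
        (root / "hr/payroll.csv").write_bytes(b"\x8f\x02garbled")  # altered copy
        (root / "docs/policy.txt").unlink()                         # missing copy
        return plan_restore(manifest, root)


if __name__ == "__main__":
    restore_order, suspect = demo()
    print("restore in this order:", restore_order)
    print("do not restore, investigate:", suspect)
```

The manifest has to be stored where the ransomware cannot reach it, otherwise a tampered manifest would vouch for tampered copies.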
Discussion and Conclusion
Ransomware is a very dangerous threat that can cause a lot of harm to businesses. The favourite
targets of ransomware attackers are healthcare businesses, organizations with precious data, and
mobile devices. To prevent this attack and recover from it, all corporations should adopt some key
measures to keep their data safe. If the attack has already taken place, the steps discussed in this
paper should be followed.
References
[1] Keep-it-safe ransomware recovery report.
[2] Johansson, K.H., H. Amin and Sandberg, 2015. “Cyber-physical security in networked control
systems: An introduction to the issue”. IEEE Control Systems Magazine, 35(1), pp. 20-23.
[3] Fisch, White, G.B., Pooch and E.A. 2017. “Computer system and network security”. CRC press.
[4] Chris Preimesberger. 2017. “Ransomware Recovery Report 101”. e-week.com
[5] Aghababaei-Barzegar, R., Cheriet, M. and A. Shameli-Sendi. 2016. “Taxonomy of information
security risk assessment (ISRA)”. Computers & security, 57, pp. 14-30.