It’s the call from your IT manager that you never want to get: “We’ve had a ransomware attack, and it has encrypted all of our data. We can’t access any of our information. It’s all there, but we can’t use it.”
“What are our options?”
“We can restore from our backup, or we can pay the ransom: $25,000. We wouldn’t gain any advantage in getting up and running by paying the ransom, not even time, because it would take as long to decrypt and regain access as it would to restore from our backup. Given the consequences of both options, we plan to begin restoring from last night’s backup as soon as we know that the virus that started the problem has been removed.”
“How long will that take?”
“We can’t say for sure. We know it will take more than 24 hours, because the restore process takes a long time to run, and the virus removal process is also lengthy, plus, we need to run several scans to make sure it’s all gone.”
All you can say at that point is, “Okay, get started.” You feel fortunate that you have backups.
Have you dodged a bullet? Maybe. It depends on which variant of the virus attacked you, because some of the latest variants steal data as well as encrypt your files and ask you for a ransom to release the decryption key. The sticky part is that you may not know whether your data has been compromised. If your business is subject to HIPAA regulations, you will need to be able to demonstrate that the likelihood is low that Personal Health Information has been compromised by the attack. If you aren’t able to do that, you will need to comply with the breach notification provisions under HIPAA. This is where it can get tricky — and possibly expensive. In order to understand whether or not data was exfiltrated, a forensic analysis must be performed to determine which virus strain was used and what the virus did — whether it just encrypted files, or if it gained access to servers and any data left the network.
Additionally, if you do pay the ransom and decrypt the data, you may need to prove the integrity of the decrypted data. Some ransomware viruses don’t just encrypt, they copy the file, encrypt the copy, and delete the original to prevent users from having a way around the encryption. The encrypted copy of the file will have different file properties as to creation date and time, and a possibility also exists that the virus introduced corruption during the copy-and-encryption process. It’s a virus — it was written to benefit the attacker, and they’re not going to be terribly concerned if their reputation is harmed by dirty data caused by their product.
The time to implement the benchmarking process for data traffic and to have an experiential knowledge that your backup-and-restore process is working is before you get bitten by a ransomware bug. Know what normal traffic looks like; make sure your IT team is practicing data backup and restore processes; and make sure the IT team is able to determine what traffic leaves your network. These practices will allow you to have answers to HIPAA breach investigation questions, hopefully the “right” answers.
QualityIP is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at (330) 931-4141 or send us an email at [email protected] for more information.