December 7, 2017
With ransomware costing businesses hundreds of millions of dollars globally, you'd think the BDR market would have more offerings to help organizations recover. So far, though, our onQ Ransomware Edition (onQ RE), a special version of our onQ appliance built to recover servers infected with ransomware, is still leading the way. So today we're going to talk about using onQ to respond to a ransomware attack, whether you're using onQ RE or another onQ appliance.
First, a word on onQ RE. It’s currently the only standalone recovery product that can restore servers in as fast as 4 minutes. As a dedicated hardware appliance, it’s designed to stay lightweight and affordable by supporting a small number of production servers. But it still provides all the advanced features of our flagship onQ enterprise BDR platform like 1-click recovery, easy deployment and additional security features that make onQ almost impervious to infection. It also works as an add-on to your existing system – you can add onQ RE as a strong and simple insurance policy without changing anything else.
The appliance takes snapshots of protected servers at the intervals of your choosing – daily, hourly, whatever is appropriate for your data. Those snapshots are encrypted, saved to the appliance and automatically tested to be sure they’ll function when you need them. You then have an instant recoverable image for every snapshot in time, allowing you to roll back to a safe point in time if you’re infected.
As a quick summary, onQ RE offers:
Using onQ to recover from Ransomware
Let's walk through an attack. It begins when the ransomware is delivered, typically through a malicious attachment, a document macro, or an exploit kit. The attackers' strategy is to encrypt the files you depend on most, so the malware searches the local disks, mapped drives and reachable UNC paths for those files and encrypts them. Then you get the infamous screen or notice announcing that you've been compromised and must pay a specific sum to get your files back.
At this point, you’re the incident response team. Your choice is to pay the ransom or recover on your own.
Here’s how to use onQ RE to beat the attack.
Disconnect the compromised machine from the network (unplug the cable or disable its network adapters) to prevent the infection from spreading. You want that device offline as soon as you realize it's impacted.
Next, check your environment, including every network UNC path the infected user could reach, to establish the scope. Confirm whether other servers that the user normally connects to have also been hit. You can make this easier by using tools that scan your environment for files with known ransomware extension variants such as .crypt, .enigma or .lock, and for the ransom-note files that are dropped alongside them.
Now it's time to find patient zero. Identify the other devices connected to the infected machine and take them offline too. Then check the encrypted files' modification timestamps and owner (the SID of the account that wrote them, which points at the user session that ran the malware), and look for the ransom note, commonly a "how to decrypt.htm" file, that most families leave in each encrypted folder. Reviewing that metadata, with tooling to do it at scale, helps you pinpoint the offending machine and get it off the network.
Use the metadata from patient zero (the earliest encrypted-file timestamp) to establish the infection time. Once you know that, choose a clean, unaffected snapshot from before that point for your recovery. Then power up the onQ recovery node by selecting that snapshot in the onQ RE management console and clicking the server to launch the image of your production server. Anything written after that snapshot is not on the recovered image, so the shorter your snapshot interval the less you have to reconstruct. From that point on you'll continue to back up as usual while running on the onQ RE appliance, so changes made during recovery are captured.
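The scoping and patient-zero steps above (find encrypted files and ransom notes across the shares, see which account wrote them, date the first encrypted write, and pick the last snapshot before it) can be scripted. The following Python script is an added example and is not Quorum's code or part of onQ. The extension list, the ransom-note name pattern, the 15-minute safety margin, the hourly snapshot schedule and the two-share sample layout are all constructed assumptions; on Windows it reads the owner SID through pywin32, elsewhere it falls back to the numeric uid.

```python
"""Scope a ransomware incident across file shares: find encrypted files and
ransom notes, estimate the infection time from file metadata, and pick the
last clean snapshot to roll back to.  Added example; not part of onQ."""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed list of extensions ransomware families append; extend it with
# whatever you actually observe on your own shares.
SUSPECT_EXTENSIONS = {".crypt", ".enigma", ".lock", ".locked", ".encrypted"}
# Ransom-note file names such as "how to decrypt.htm" or "RECOVER_FILES.txt".
NOTE_PATTERN = re.compile(
    r"(how[ _-]*to[ _-]*decrypt|recover|restore).*\.(htm|html|txt)$", re.I)


def owner_of(path, st):
    """Owner of a file: the account SID on Windows (pywin32), the uid elsewhere."""
    try:
        import win32security  # pywin32; only present on Windows
    except ImportError:
        return str(st.st_uid)
    sd = win32security.GetFileSecurity(
        path, win32security.OWNER_SECURITY_INFORMATION)
    return win32security.ConvertSidToStringSid(sd.GetSecurityDescriptorOwner())


def scan_shares(root):
    """Walk every share mounted under `root` (assumed: one subdirectory per
    server/share).  Returns (encrypted_files, ransom_notes) as metadata records."""
    hits, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            share = os.path.relpath(path, root).split(os.sep)[0]
            rec = {"path": path, "share": share, "mtime": st.st_mtime,
                   "owner": owner_of(path, st)}
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
                hits.append(rec)
            elif NOTE_PATTERN.search(name):
                notes.append(rec)
    return hits, notes


def triage(hits):
    """When encryption started and stopped, which account wrote the files
    (points at patient zero), and how many files were hit per share."""
    if not hits:
        return None
    first = min(hits, key=lambda h: h["mtime"])
    return {
        "infection_time": datetime.fromtimestamp(first["mtime"], tz=timezone.utc),
        "last_write": datetime.fromtimestamp(max(h["mtime"] for h in hits),
                                             tz=timezone.utc),
        "first_file": first["path"],
        "likely_owner": Counter(h["owner"] for h in hits).most_common(1)[0][0],
        "per_share": dict(Counter(h["share"] for h in hits)),
    }


def choose_snapshot(snapshots, infection_time, margin=timedelta(minutes=15)):
    """Latest snapshot taken at least `margin` before the first encrypted write.
    The margin (an assumption) covers clock skew and the lag between the
    malware starting and its first write reaching the share."""
    clean = [s for s in snapshots if s <= infection_time - margin]
    return max(clean) if clean else None


def build_sample(root):
    """Constructed incident: two shares, encryption starts 2017-12-06 09:12 UTC."""
    t0 = datetime(2017, 12, 6, 9, 12, tzinfo=timezone.utc).timestamp()
    files = [
        ("fileserver1/finance/budget.xlsx.crypt", t0),
        ("fileserver1/finance/forecast.docx.crypt", t0 + 30),
        ("fileserver1/finance/how to decrypt.htm", t0 + 31),
        ("fileserver2/hr/roster.xlsx.crypt", t0 + 600),
        ("fileserver2/hr/handbook.pdf", t0 - 86400),  # untouched file
    ]
    for rel, mtime in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\x00")
        os.utime(path, (mtime, mtime))


def demo():
    """Run the triage on the constructed sample against a constructed hourly
    snapshot schedule; returns the summary dict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        hits, notes = scan_shares(root)
        summary = triage(hits)
    day = datetime(2017, 12, 6, tzinfo=timezone.utc)
    snapshots = [day + timedelta(hours=h) for h in range(24)]
    summary["note_count"] = len(notes)
    summary["snapshot"] = choose_snapshot(snapshots, summary["infection_time"])
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scan_shares` at a directory where each share is mounted as its own subdirectory and read the output as a lead, not a verdict: the owner SID tells you which account's session ran the malware, the first encrypted write tells you how far back to roll, and the per-share counts tell you which servers need to come off the network. The 15-minute margin is deliberately conservative; with hourly snapshots it can cost you one extra hour of changes but avoids restoring an image taken while the malware was already running.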
Now that you’re back online, it’s time to begin clean-up. I don’t recommend trying to scrub the offending device to eradicate the ransomware files. It’s simpler and more effective to re-image the machine and just start fresh. We call it: “Nuke and Pave.”
Once your production system is rebuilt and ready to go, it's time to fail back from the clone to production. onQ RE retains all the changes made while you were running on the recovery node, so you won't lose that work. Just boot the production system from our ISO while the recovery node is still running; your failback options include both incremental restore and full bare metal restore (BMR).
Once you’re ready, just power off your recovery node and switch to your clean production server. You’re back with no data loss – and your Ransomware attackers haven’t gotten a single Bitcoin from you!
Quick and simple, right? And remember, the above steps work with all onQ appliances. If you're not a current Quorum customer, you can use onQ RE as an add-on to your existing system without changing anything else: a fast, simple deployment and you're protected. With ransomware attacks on the rise, there's no way your team can leave itself unprotected. As you lay the groundwork for a more secure 2018, look over your existing defensive strategy and ask whether your current BDR solution can defeat a ransomware attack in minutes. If not, why not check out onQ RE for yourself?