"Mind the Gap"
As the war unfolds and these "hacktivist" guerrillas take their shots at both sides of the fight, the details of Russia's brutal cyberwarfare campaign continue to come to light. It appears Russia's cyber warriors are using something called "Hermetic Wiper" in their attacks.
As I understand it, Russia's goal is total destruction rather than ransomware-style extortion. There are reports that they put up "fake" ransomware screens to freeze their victims in place while they simply delete the data, the servers, the virtual infrastructure - everything.
They don't want money. They want chaos.
Two weeks ago, I attended a daylong seminar on cyber security. There was discussion about what you should do if you are hit by a ransomware attack.
The choices were disconnecting the affected servers from the network or pulling the power plug and crashing the servers. Both Huntress and CSEDR's SentinelOne have a network isolation option that quarantines the server until help arrives to "figure it out," which is very nice.
However, in the case of Hermetic Wiper the goal is destruction and deletion. Leaving the server up will just allow the destruction to go on. The generally accepted objection to powering off a switch or a server is that you lose the volatile forensic data (running processes, memory, open connections) about what is going on. I am not sure that an attacker who is trying to kill you and delete you completely warrants preserving any more forensic data. The final consensus was that it is a case-by-case decision, depending on what you knew was going on at the time.
If these weapons are turned on us, the reality is that once they are corrupting and deleting your servers, it is all about your recoverability. That of course means your backups.
This week I would like you to think about the following:
- Check the status of your backups. If you find out you are not checking this daily, find out why and fix it.
- Do a test file restore for a couple of critical servers and prove they work. Keep routinely doing that at least every month.
- Plan on doing a test server restore next week. Increasingly, cyber insurance renewals require that the policy holder demonstrably prove, monthly, that they can fully restore a server from backup to working order in order to get a renewal. (This actually happened to us a year ago.) Much like MFA, this may be in your future as a prerequisite for a policy renewal. If you don't have an automated way to do test server restores monthly, CSI has a solution that greatly automates this process so that it is not a resource-sucking event that never gets done. Once you get this going, repeat it monthly.
- And finally, I want you to have a legitimate "air-gapped" backup in place that is current. If you are subscribing to a BOCES or RIC backup CoSer, you most likely already have this back in their NOC. If you are a Veeam shop, CSI has air-gapped repositories that can receive Veeam backups. Regardless of what your big-picture backup strategy is, going old school and copying your most critical data onto removable storage that you can keep in the safe for a "break glass" emergency is always a good idea. In the earlier NotPetya attack on Ukraine, the thing that radically improved one organization's time to recovery was that they had a separate air-gapped sandbox with a copy of a reasonably current DC to rebuild the network around. Some sites also do old-school Microsoft Windows Backups of a DC with System State, stored on offline and/or air-gapped storage, as the backup of last resort. That is easy and free.
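To make the checklist above concrete, here is an added PowerShell example (not from the original post, and not a CSI tool) that an admin could schedule daily on a Windows server: it flags a stale Windows Server Backup, proves a test file restore by hashing the restored copies against the live originals, and takes a DC System State backup with `wbadmin` to an external volume that is then unplugged and stored offline. The drive letters, share paths and the 26-hour freshness window are constructed placeholders, and the script assumes the Windows Server Backup feature is installed.

```powershell
# Added example (not from the original post). Assumes the Windows Server Backup feature
# is installed. Paths, drive letters and the freshness window are placeholders.
#Requires -RunAsAdministrator
Import-Module WindowsServerBackup

function Test-BackupFreshness {
    # Returns $true when the last successful backup finished within $MaxAgeHours.
    # Anything older is the "you are not checking this daily" case from the checklist.
    param([int]$MaxAgeHours = 26)
    $summary = Get-WBSummary
    if (-not $summary.LastSuccessfulBackupTime) {
        Write-Warning "No successful backup has ever been recorded on this host."
        return $false
    }
    $age = (Get-Date) - $summary.LastSuccessfulBackupTime
    if ($age.TotalHours -gt $MaxAgeHours) {
        Write-Warning ("Last successful backup is {0:N1} hours old (target {1}); last result HR 0x{2:X8}" -f $age.TotalHours, $summary.LastSuccessfulBackupTargetPath, $summary.LastBackupResultHR)
        return $false
    }
    Write-Output ("Backup OK: last success {0} to {1}" -f $summary.LastSuccessfulBackupTime, $summary.LastSuccessfulBackupTargetPath)
    return $true
}

function Test-RestoredFiles {
    # Compares SHA-256 hashes of files restored under $RestoredRoot with the live
    # copies under $SourceRoot. The restore "works" only if every file is present
    # and every hash matches; a backup that restores silently corrupted data fails here.
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$RestoredRoot
    )
    $problems = @()
    $prefixLength = $SourceRoot.TrimEnd('\').Length + 1
    foreach ($file in Get-ChildItem -Path $SourceRoot -File -Recurse) {
        $relative = $file.FullName.Substring($prefixLength)
        $restored = Join-Path $RestoredRoot $relative
        if (-not (Test-Path -LiteralPath $restored)) {
            $problems += "MISSING  $relative"
            continue
        }
        $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { $problems += "MISMATCH $relative" }
    }
    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

function Start-DcSystemStateBackup {
    # Writes a System State backup (AD database, SYSVOL, registry, boot files) to an
    # external volume. Unplug it afterwards and put it in the safe: that is the
    # "break glass" copy the checklist asks for.
    param([Parameter(Mandatory)][string]$TargetDrive)   # placeholder, e.g. "E:"
    if (-not (Test-Path $TargetDrive)) { throw "Target volume $TargetDrive is not attached." }
    & wbadmin.exe start systemstatebackup -backupTarget:$TargetDrive -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin returned exit code $LASTEXITCODE" }
    return $true
}

# --- Daily run with placeholder paths ---
$fresh = Test-BackupFreshness -MaxAgeHours 26
# Restore a sample folder with your backup tool first (Veeam, wbadmin, etc.), then verify it:
$restoreOk = Test-RestoredFiles -SourceRoot 'D:\Shares\Finance' -RestoredRoot 'R:\RestoreTest\Finance'
# Weekly or monthly, with the external disk attached:
# Start-DcSystemStateBackup -TargetDrive 'E:'
if (-not ($fresh -and $restoreOk)) { exit 1 }   # non-zero exit lets Task Scheduler or your RMM alert
```

Run it from Task Scheduler and alert on a non-zero exit code; the point is that "are the backups good?" becomes a question the server answers every morning rather than one somebody has to remember to ask. The hash comparison is the important part of the file-restore test: a restore that completes without errors but returns different bytes is not a working restore.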
I realize it could take a long time to accomplish all of these tasks. But it is absolutely necessary.
If you need help air-gapping your backups, automating your test restores, or setting up your servers to self-isolate upon infection, give us a call.