How to Select the Right Backup Version and Search for Indicators of Compromise (IoCs) During a Ransomware Recovery
By Greg Vedders
Ransomware attacks are a nightmare for any organization, encrypting critical files and rendering them inaccessible. The most reliable way to recover from such attacks is often through backups—provided that the backups themselves are not compromised. However, selecting the correct backup version to restore and ensuring it’s free of ransomware-related Indicators of Compromise (IoCs) is critical to a clean and safe recovery.
In this article, we’ll discuss how to choose the best backup version for recovery and how to search your backups for IoCs before restoring them to avoid reintroducing malware into your systems.
1. Assess the Timeline of the Attack
The first step in selecting the correct backup is determining when the ransomware attack occurred. This is important to ensure you don’t restore a compromised backup.
- Identify when the attack began: Check system logs, security alerts, or anomalous file behavior (e.g., encrypted files with strange extensions). Encryption is rarely the first step: the malware often lies dormant for days or weeks after the initial intrusion before launching, so the intrusion date, not the date files were encrypted, marks the start of the attack.
- Review security logs: Use SIEM tools like Splunk or Wazuh to review logs from before and during the attack to pinpoint when malicious activity started. This will help you avoid backups that might have been infected.
2. Identify Clean Backup Points
Once you know when the attack began, search for backups from before that date. These “clean” backups are more likely to be uninfected.
- Go back far enough: Avoid choosing a backup that is too close to the attack timeline. Consider restoring from a backup that predates the attack by several days or more to ensure no traces of the ransomware are present.
- Full vs. incremental backups: If you rely on incremental backups, verify that the incremental chain is untainted. If you’re uncertain, restoring from a full backup before the attack is the safer option.
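The selection rule from steps 1 and 2, as an added example that is not from the article: given a full backup and its chain of increments, pick the newest restore point whose entire chain predates the attack start by a safety margin (the three-day margin, the backup names and the dates are all constructed assumptions).

```python
# Added example (not from the article): pick the newest restore point whose
# entire full+incremental chain predates the attack by a safety margin.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Backup:
    name: str
    taken_at: datetime
    kind: str                     # "full" or "incremental"
    parent: Optional[str] = None  # increment's parent; None for a full backup

def restore_chain(by_name: Dict[str, Backup], name: str) -> List[Backup]:
    """Walk parent links from a backup back to its full; [] if any link is missing."""
    chain: List[Backup] = []
    cur = by_name.get(name)
    while cur is not None:
        chain.append(cur)
        if cur.kind == "full":
            return chain
        cur = by_name.get(cur.parent) if cur.parent else None
    return []  # dangling parent or no full at the root: chain cannot be restored

def select_restore_point(backups: List[Backup], attack_start: datetime,
                         margin_days: int = 3) -> Tuple[Optional[Backup], Optional[timedelta]]:
    """Newest backup whose whole chain predates attack_start minus the margin.
    Returns (backup, data-loss window) or (None, None) if nothing qualifies."""
    cutoff = attack_start - timedelta(days=margin_days)
    by_name = {b.name: b for b in backups}
    for b in sorted(backups, key=lambda x: x.taken_at, reverse=True):
        chain = restore_chain(by_name, b.name)
        if chain and all(c.taken_at < cutoff for c in chain):
            return b, attack_start - b.taken_at
    return None, None

# Constructed sample: nightly job at 02:00, one full followed by daily increments
BACKUPS = [Backup("full-0301", datetime(2024, 3, 1, 2), "full")]
for d in range(2, 11):
    BACKUPS.append(Backup(f"inc-03{d:02d}", datetime(2024, 3, d, 2), "incremental",
                          parent="full-0301" if d == 2 else f"inc-03{d-1:02d}"))
ATTACK_START = datetime(2024, 3, 8, 14, 30)  # assumed: first malicious activity in the logs

if __name__ == "__main__":
    chosen, loss = select_restore_point(BACKUPS, ATTACK_START)
    print(chosen.name, "selected; data loss window:", loss)
```

A missing increment breaks every later restore point in the chain, so the function falls back to the newest point whose chain is still intact.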
3. Search for Indicators of Compromise (IoCs) in Backups
Before restoring a backup, search it for IoCs so that you do not reintroduce malware into your environment. This means looking for signs of ransomware within the backup files themselves.
Common IoCs include:
- File hashes: Specific MD5, SHA-1, or SHA-256 hashes for known ransomware-related files.
- Suspicious IP addresses or domain names: The malware might attempt to connect to external servers during an attack.
- Unusual file extensions: Look for encrypted files with extensions like .locked, .crypt, or others commonly associated with ransomware.
- Abnormal processes or services: Some malware adds malicious processes or services to infected systems.
How to Search for IoCs:
- Use antivirus/anti-malware tools: Run a full security scan of your backups using trusted antivirus software with up-to-date ransomware signatures.
- YARA rules: Use YARA rules if available, which can help identify malware families based on defined patterns. Many security tools allow YARA rule-based scanning for more precise detection.
- Hash comparisons: If you have known file hashes of the ransomware, run a hash comparison between the files in your backup and the IoCs to identify any malicious files.
You can also use threat intelligence platforms like VirusTotal or Hybrid Analysis, which allow you to upload files or look up hashes for malware detection. Prefer hash lookups over file uploads when the backup contains confidential data, since uploaded files become visible to other users of these platforms. If the backup files match known malware hashes, avoid using that backup for recovery.
4. Verify Backup Integrity with Manual Inspection
Automated scanning tools can miss certain sophisticated ransomware attacks. Manual inspection is sometimes necessary, especially in a targeted recovery process.
- Check for suspicious file names and extensions: Ransomware frequently renames files with unique extensions. Look for unusual file modifications, especially ones made around the time of the attack.
- Review hidden or system files: Some ransomware may hide malicious files in directories or modify system files. Reviewing file metadata or hidden directories can reveal possible malware.
- Inspect scripts or executables: Examine any batch scripts or executables within the backup, as ransomware often disguises itself as legitimate software.
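The hash comparison from step 3 and the extension and modification-time checks from step 4, combined into one scan over a backup that has been restored into a sandbox. This is an added example, not code from the article; the known-bad hash set, the attack window and the sample files are constructed stand-ins for a real threat-intelligence feed and a real backup.

```python
# Added example (not from the article): flag files by known-bad hash, ransomware-style extension, or mtime inside the attack window.
import hashlib, os, tempfile
from datetime import datetime
from typing import Dict, List, Set, Tuple

SUSPICIOUS_EXTS = {".locked", ".crypt"}                          # extensions named in the article
SAMPLE_PAYLOAD = b"constructed stand-in for a ransomware dropper"
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}  # stand-in for a threat-intel feed
ATTACK_WINDOW = (datetime(2024, 3, 8, 14, 30), datetime(2024, 3, 9, 0, 0))  # assumed from logs

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_backup(root: str, bad_hashes: Set[str],
                window: Tuple[datetime, datetime]) -> Dict[str, List[str]]:
    """Map relative path -> reasons for every file that trips at least one IoC check."""
    start, end = window[0].timestamp(), window[1].timestamp()
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            if sha256_file(full) in bad_hashes:
                reasons.append("hash matches known ransomware sample")
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTS:
                reasons.append("ransomware-style extension")
            if start <= os.stat(full).st_mtime <= end:
                reasons.append("modified inside attack window")
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed sample backup: a clean document, its encrypted twin, a dropped binary."""
    root = tempfile.mkdtemp(prefix="backup-")
    before = datetime(2024, 3, 1, 9).timestamp()
    during = datetime(2024, 3, 8, 15).timestamp()
    for rel, data, mtime in [("docs/report.docx", b"quarterly report", before),
                             ("docs/report.docx.locked", b"\x00garbled", during),
                             ("bin/updater.exe", SAMPLE_PAYLOAD, during)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))  # backdate to the scenario's timestamps
    return root
```

Run `scan_backup(build_sample_tree(), KNOWN_BAD_HASHES, ATTACK_WINDOW)` to see only the encrypted twin and the dropped binary reported, each with the reasons that fired.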
5. Consider Your Recovery Point Objective (RPO)
Your Recovery Point Objective (RPO)—the acceptable amount of data loss in time—plays a critical role in deciding which backup version to restore.
- Balance data loss with safety: Restoring the most recent backup might reduce data loss but could also risk reinfection. If necessary, consider using a slightly older backup to avoid ransomware traces, even if it results in some data loss.
- Test backups regularly: Regularly restoring and testing backups ensures they are functional and malware-free. Testing also helps you identify which backups are reliable for restoration.
6. Ensure a Clean Recovery Environment
Before restoring your backup, ensure that the environment you’re restoring into is free from ransomware. Restoring in a compromised environment could lead to immediate re-encryption of files.
- Isolate infected systems: Completely disconnect the infected systems from the network before restoring the backup to avoid spreading the ransomware further.
- Use a sandbox environment: Restore your backup in a virtual or isolated test environment first. This allows you to verify the integrity of the backup without risking your entire network.
- Run a post-restoration security scan: After restoring the backup, immediately scan the system again to ensure no ransomware remains hidden.
7. Document and Review the Recovery Process
After recovery, thoroughly document the steps taken during the attack, backup selection, and restoration process. This helps strengthen your cybersecurity posture moving forward.
- Analyze the attack: Conduct a detailed post-mortem analysis to determine how the ransomware breached your defenses. This will inform future preventive measures.
- Refine your backup and security strategy: Based on lessons learned, adjust your backup frequency, encryption methods, and security protocols to better protect against future ransomware attacks.
Conclusion
Selecting the right version of your backups after a ransomware attack is a delicate process. You must balance recovering as much data as possible with the risk of reintroducing ransomware. By carefully identifying clean backups, searching for IoCs, and verifying the integrity of your backups, you can confidently restore your systems and minimize the risk of reinfection. And remember, proactive measures like regular testing, robust security protocols, and immutable backups can help you avoid the worst consequences of future ransomware attacks.