
Ransomware recovery methods: What does the NIST suggest?

Knowing what ransomware recovery methods are available is important as the threat continues to grow. Expert Judith Myerson outlines what the NIST recommends for enterprises.

Since the WannaCry outbreak, ransomware has attracted a great deal of attention. In response, the National Institute of Standards and Technology, or NIST, published a draft version of ransomware recovery methods. What methods has the NIST recommended?

Ransomware maliciously encrypts all of a victim's documents and files so that the victim can't decrypt them. To help enterprises with ransomware recovery, the NIST recommends corruption testing, logging analysis and data backups.

The corruption testing component of Tripwire Enterprise can be used to detect changes in file systems on servers and desktops, as well as when and which files were maliciously modified or overwritten.

Another tool that can be used for ransomware recovery is HPE ArcSight Security Enterprise Manager. The logging component of this tool collects security logs for analysis and reporting. This component is used to filter, search and manage the logs generated by the corruption testing component.

The corruption testing and logging components work together to provide information about the files that were encrypted by the ransomware. That information includes what programs were used and which users ran them.

Another helpful tool for ransomware recovery is the backup capability provided by IBM Spectrum Protect, which can be used to restore files hosted in physical, virtual or cloud environments. If a system fails due to ransomware, the operating system and the IBM Spectrum Protect client need to be physically reinstalled so that all files -- including system files -- can be restored to their previous state.

However, frequent backups require more resources. They also require more space on the server. An active file that has been frequently backed up may lose more data during the recovery process. Likewise, the restoration only covers up to a certain point in time and will not reflect recent changes to the file. Also, if a backup is done after a ransomware attack, the backups will include encrypted data. It is very important to properly label backups to ensure that the versions from prior to the attack are used.

The issue with these ransomware recovery recommendations is that they fail to mention the possibility of a server vulnerability, such as one that has enabled a breach of Apache Struts servers and led to the installation of a threat like the Cerber ransomware on locally networked computers.
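
The following added example, which is not from the original article or from any of the products it names, shows the idea behind corruption testing and backup labeling: it hashes files against a baseline to find which were modified and when, then picks the newest backup taken before the first change. The file names, backup labels and timestamps are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's relative path to (SHA-256 digest, mtime)."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[str(path.relative_to(root))] = (digest, path.stat().st_mtime)
    return state

def changed_files(baseline, current):
    """Return {path: mtime} for new or modified files; deleted files map to None."""
    changes = {p: m for p, (d, m) in current.items()
               if p not in baseline or baseline[p][0] != d}
    changes.update({p: None for p in baseline.keys() - current.keys()})
    return changes

def last_clean_backup(backups, changes):
    """Newest backup label taken before the earliest detected change.
    Assumes mtimes are trustworthy; malware can reset them, so a real
    deployment would rely on the monitoring tool's own detection time."""
    times = [t for t in changes.values() if t is not None]
    if not times:
        return None
    first_change = min(times)
    clean = [(ts, label) for label, ts in backups.items() if ts < first_change]
    return max(clean)[1] if clean else None

def demo():
    """Constructed scenario: two documents, one overwritten after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.txt", "budget.txt"):
            Path(root, name).write_text("original " + name)
            os.utime(Path(root, name), (1000, 1000))
        baseline = snapshot(root)
        # Random bytes stand in for content overwritten by encryption
        Path(root, "budget.txt").write_bytes(os.urandom(32))
        os.utime(Path(root, "budget.txt"), (5000, 5000))
        changes = changed_files(baseline, snapshot(root))
        # Constructed backup labels mapped to the epoch time each was taken
        backups = {"nightly-1": 2000, "nightly-2": 4000, "nightly-3": 6000}
        return changes, last_clean_backup(backups, changes)

if __name__ == "__main__":
    print(demo())
```

The backup labeled `nightly-3` is skipped because it was taken after the first detected modification and would contain the overwritten file.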


This was last published in November 2017
