Learning Ransomware Response & Recovery: Stopping Ransomware One Restore at a Time (W. Curtis Preston, Michael Saylor)

Author: W. Curtis Preston, Michael Saylor

Category: Other

Ransomware attacks are no longer a question of if; they're a matter of when. With hackers increasingly targeting backup and disaster recovery (DR) systems, organizations need more than prevention strategies; they need a battle-tested plan for minimizing damage, forensically determining what's happened, and restoring the environment without paying the ransom. Renowned experts W. Curtis Preston and Dr. Mike Saylor offer a comprehensive guide to protecting critical systems and responding effectively when the worst happens. Whether you're a security professional unaware of how exposed your backup systems are, or a backup admin in need of stronger security expertise, this book is your essential roadmap. With actionable advice, clear frameworks, and step-by-step guidance, it bridges the gap between data protection and cybersecurity, empowering teams to deliver decisive, effective responses when faced with ransomware.

• Prevent 90% of ransomware attacks with practical, simple steps
• Shield your backup systems from also being a victim of the attack
• Minimize the blast radius of attacks on your infrastructure
• Identify, isolate, and restore compromised systems with confidence
• Develop and test a detailed incident response plan

Ransomware is malicious software (malware) designed to block access to a computer system or encrypt its data until a ransom is paid. At its core, ransomware infiltrates a computer system (which may include servers, virtual machines [VMs], laptops, mobile devices, and more)—often through deceptive means like phishing emails or malicious downloads—and then encrypts the victim’s files, making them inaccessible. Whatever that computer was supposed to be doing up to that point, it isn’t doing it anymore. In more advanced attack scenarios, threat actors will use a type of ransomware capable of performing surveillance within victim systems and networks before strategically encrypting devices in a coordinated, larger scale attack that not only encrypts user data

📄 File Format: PDF
💾 File Size: 10.7 MB

📄 Text Preview (First 20 pages)


📄 Page 1
W. Curtis Preston & Michael Saylor Learning Ransomware Response & Recovery Stopping Ransomware One Restore at a Time
📄 Page 2
ISBN: 978-1-098-16958-9
US $59.99 CAN $74.99
CYBERSECURITY

W. Curtis Preston, also known as Mr. Backup, is a data protection expert with over 30 years of experience. He has designed large-scale backup systems, authored five O’Reilly books, including Modern Data Protection, and hosts the Backup Wrap-up podcast, where thousands of listeners tune in each month to learn about data backup, disaster recovery, and protecting against ransomware.

Michael Saylor is a cybersecurity expert, educator, and author with more than 30 years of experience. He specializes in cybercrime, forensics, and incident response. He’s CEO of Blackswan Cybersecurity, department chair of Business and Computer Science at Weatherford College, and a longtime leader of the FBI’s InfraGard program. He holds a doctorate in computer and information systems security and information assurance.

“This book provides a comprehensive, step-by-step look at what really happens during a ransomware attack. What sets it apart are the numerous real-world case studies that bring the content to life and keep it grounded in reality. If you want to understand ransomware and how to defend against it, this book has everything you need.”
Priyanka Neelakrishnan, Product management, Palo Alto Networks
📄 Page 3
W. Curtis Preston and Michael Saylor Learning Ransomware Response & Recovery Stopping Ransomware One Restore at a Time
📄 Page 4
Learning Ransomware Response & Recovery
by W. Curtis Preston and Michael Saylor
ISBN 978-1-098-16958-9

Copyright © 2026 W. Curtis Preston and Michael Saylor. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 141 Stony Circle, Suite 195, Santa Rosa, CA 95401.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Sara Hunter
Production Editor: Jonathon Owen
Copyeditor: Charles Roumeliotis
Proofreader: Laura K. Miller
Indexer: Judith McConville
Cover Designer: Susan Brown
Cover Illustrator: José Marzan Jr.
Interior Designer: David Futato
Interior Illustrator: Kate Dullea

January 2026: First Edition
Revision History for the First Edition: 2026-01-21: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781098169589 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning Ransomware Response & Recovery, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the authors and do not represent the publisher’s views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
📄 Page 5
Table of Contents

Preface ... xv

Part I. Identify

1. What Is Ransomware? ... 3
   What Is Ransomware? ... 4
   How Do You Get Ransomware? ... 6
   After the Initial Infection ... 8
   How Ransomware Avoids Detection ... 11
   Encryption and Obfuscation ... 12
   Polymorphism ... 12
   Fileless Malware Techniques ... 13
   Exploiting Legitimate Tools ... 13
   Stealthy Command-and-Control Channels ... 14
   Delaying Execution ... 14
   Behavioral Evasion ... 15
   Bypassing Endpoint Security ... 15
   Anti-Analysis Techniques ... 16
   Self-Destruction and Anti-Forensic Techniques ... 16
   A Brief History of Ransomware ... 17
   The Evolution of Ransomware ... 19
   Double Extortion ... 20
   Understanding the Attackers: Initial Access Brokers ... 24
   Understanding the Typical Attack Sequence ... 25
   Reconnaissance ... 25
   Initial Access ... 26
   Execution and Installation ... 28
iii
📄 Page 6
   Expanding Scope and Data Gathering ... 30
   Ransom Demand ... 33
   Negotiation and Payment ... 36
   Decryption and Recovery ... 36
   Summary ... 36

2. Your Backup System Is Under Attack ... 39
   Why Is the Backup System Under Attack? ... 39
   Quick Chat About RTO and RPO ... 40
   Threat Actors Love/Hate Backups ... 42
   How Threat Actors Disable the Backup/DR System ... 42
   The Backup System as an Attack Surface ... 44
   How Did We Get Here? ... 47
   Disk Backups Made It Worse ... 48
   Sounds Pretty Bleak ... 49
   Summary ... 49

Part II. Protect

3. Backup and Recovery Basics ... 53
   Backup or Disaster Recovery? ... 53
   The Same System ... 53
   A Different Process ... 54
   Defining Backup System Requirements ... 55
   What Does Your Organization Do? ... 55
   IT Does Not Determine Requirements ... 56
   Requirements and Service Levels ... 56
   Design, Implement, and Document Your System ... 58
   Backup and Recovery Basics ... 58
   Recovery Testing ... 59
   Deduplication ... 60
   Backup Levels ... 61
   Metrics ... 62
   Item Versus Image-Level Backups ... 67
   Backup Selection Methods ... 67
   Backup Methods ... 68
   Is Everything Backup? ... 68
   Two Ways to Restore ... 70
   The Bottom Line ... 74
   Deciding on a Backup Method ... 74
   Do You Need to Change? ... 74
📄 Page 7
   Tips for Considering a New Backup System ... 74
   Cloud Considerations ... 75
   Backup and Archive Myths ... 76
   Summary ... 77

4. Stop Most Ransomware ... 79
   Table Stakes ... 80
   Continuously Update Your Patches ... 80
   Enforce MFA or Passkeys ... 80
   Enforce Solid Password Management ... 82
   People, Process, and Technology ... 86
   Know Your Environment ... 87
   What to Document ... 89
   Making Your Inventory Actionable ... 91
   Process: Policies and Procedures ... 92
   Configuration Policies and Implementation ... 92
   Authentication and Encryption Policies ... 94
   Patch and Vulnerability Management ... 96
   Technology: Technical Controls and Monitoring ... 98
   System Hardening ... 99
   Email Filtering ... 102
   Detect and Monitor ... 103
   People: Building Your Human Defense ... 106
   Employee Training ... 106
   Testing and Reinforcement ... 108
   Summary ... 109

5. Minimize the Blast Radius ... 111
   Know Thyself ... 112
   Preparing for a Ransomware Incident ... 112
   Endpoint Security: The First Line of Defense ... 114
   Deploying Endpoint Detection and Response Tools ... 114
   Using Next-Gen Anti-Malware Solutions ... 116
   Importance of Endpoint Hardening ... 120
   Network Security: Limiting Lateral Movement ... 126
   Network Segmentation: Containing the Blast Radius ... 127
   Firewalls and Traffic Control ... 129
   Network Monitoring and Behavioral Analytics ... 130
   DNS Filtering ... 131
   Network Vulnerability Assessments ... 132
   Access Control and Privilege Management ... 133
   Implementing the Principle of Least Privilege ... 133
📄 Page 8
   Enforcing Multifactor Authentication ... 134
   Data Protection Strategies ... 135
   Data Classification and Segmentation ... 136
   Data Encryption ... 137
   Backup and Recovery Strategies ... 138
   Data Loss Prevention ... 140
   Database-Level Protections ... 141
   Shadow Copies and Volume Snapshots ... 141
   File Access Controls and Monitoring ... 142
   Virtualization ... 144
   Summary ... 145

6. Get Ready for Battle ... 147
   Table Stakes: Do These Five Things First ... 148
   Engage with Cyber Professionals ... 148
   Find a Blue Team Now ... 149
   Get a Red Team Too ... 149
   Find a Cyber Insurance Carrier ... 150
   Identify Forensic Tools ... 151
   Forensic Imaging Tools ... 152
   Log Analysis Platforms ... 154
   Learn Your Tools ... 157
   Secure the Backup System ... 158
   Taking Backups Out of the Equation ... 160
   Role-Based Administration ... 163
   Secure Your Logins ... 164
   Update Your Backup Software ... 168
   Segregate All Backup Infrastructure ... 169
   Shut Off Remote Desktop Protocol ... 169
   Lock Down SMB ... 170
   Secure Backup Storage ... 171
   Use Direct Storage Connections (Like Veeam’s Direct SAN Access) ... 171
   Store Backups in Dedicated Backup Appliances ... 171
   Use Object Storage Instead of File Shares ... 172
   Use Immutable Storage ... 172
   Encrypt All Backups ... 176
   At-Rest Encryption ... 176
   In-Flight Encryption ... 176
   Key Management ... 177
   Watch Everything: Monitoring Your Backup Environment ... 177
   Create a Disaster Recovery Plan ... 178
   Full Hot Site ... 179
📄 Page 9
   Cold Site Recovery ... 180
   Cloud Recovery ... 180
   Failback ... 182
   Summary ... 184

7. Make Your Incident Response Plan ... 187
   Table Stakes: Before Writing Your IRP ... 188
   1. Get Executive Sponsorship ... 188
   2. Name Names, Not Job Titles ... 188
   3. Write the Templates Now—Not During the Crisis ... 189
   4. Contract the Help Before You Need It ... 189
   5. Know What Tools You’ve Got (and Where to Find Them) ... 189
   Cybersecurity Resources Around the World ... 190
   Who’s Got Your Back? ... 190
   Free Frameworks and Tools ... 191
   Early Warning Systems ... 192
   What They Do When You’re Actually Under Attack ... 192
   How to Actually Use This Stuff ... 192
   The Bottom Line ... 193
   Setting Objectives and Scope ... 193
   Defining the Goals of the Incident Response Plan ... 193
   What Does the Incident Response Plan Cover? ... 194
   Metrics of Effectiveness ... 196
   Matching the Plan to Business Priorities? ... 197
   Assembling Your Incident Response Team ... 198
   Sorting Out Who Does What ... 198
   Who’s Calling the Shots? ... 201
   Making Sure You’re Covered 24/7 ... 203
   Cross-Training and Alternate Plans ... 203
   Teaming Up with Outside Help ... 204
   Detection and Initial Response Procedures ... 205
   Initial Detection and Assessment ... 205
   First Moves ... 206
   Containment and Evidence Preservation Procedures ... 206
   Forensic Evidence Preservation ... 208
   Communication and Coordination Procedures ... 210
   Notification, Communication, and Escalation Protocols ... 210
   Engaging External Response and Support ... 211
   Recovery and Investigation Procedures ... 212
   Data Recovery and Remediation: Assessing the Damage and Recovery Scope ... 212
   Restoring Data from Backups ... 213
📄 Page 10
   Rebuilding and Restoring Systems ... 214
   Deciding on Ransom Payment ... 214
   Evaluating Decryption Options (and Possibly Life Choices) ... 215
   Forensic Investigation and Root Cause Analysis ... 216
   Post-Incident Review and Continuous Improvement ... 216
   Conducting a Post-Incident Review ... 217
   Updating the Incident Response Plan ... 218
   Conducting a Root Cause Analysis ... 218
   Training and Awareness Updates ... 219
   Testing and Refining the Plan ... 219
   Planning an Annual Ransomware Tabletop Exercise ... 220
   Defining Exercise Goals and Objectives ... 220
   Selecting Participants ... 221
   Scenario Development ... 221
   Facilitating the Exercise ... 222
   Conducting a Ransomware War Game ... 223
   Setting Up the War Game Environment ... 224
   Playing in a Sandbox ... 225
   Evaluating Team Performance ... 227
   Updating the Incident Response Plan ... 229
   Tracking Progress and Maturity ... 230
   Summary ... 230

Part III. Detect

8. Detection Tools ... 235
   Introduction to Detection Systems ... 236
   An Undetected Attack ... 237
   The Numbers Are Scary ... 240
   Extended Detection and Response ... 240
   Security Information and Event Management ... 242
   Core Functions ... 243
   Typical SIEM Deployment ... 244
   XDR Versus SIEM ... 245
   Detection Tool Integration ... 247
   Human Integration ... 248
   Elements of Integration ... 248
   Detecting Ransomware with Backups ... 249
   Backup System Events and Anomalies ... 250
   Steps to Leverage Your Backup System ... 251
   Log Everything and Secure Your Logs ... 252
📄 Page 11
   Logs for Your Primary Environment ... 252
   Logs for Your Backup Environment ... 253
   Where to Store Your Logs ... 254
   Managed Service Providers ... 255
   Expertise Without the Hiring Headache ... 255
   Faster Deployment ... 256
   24/7 Monitoring ... 256
   Tuning and Maintenance ... 256
   Multi-Client Intelligence ... 256
   Flexible Scaling ... 257
   Compliance Support ... 257
   Making the MSP Relationship Work ... 257
   The Future of Detection ... 258
   Summary ... 260

Part IV. Respond

9. The First 12 Hours ... 265
   The Initial Shock: First Hours of the Attack ... 266
   Discovery and Panic ... 268
   Scrambling to Assess ... 270
   Decision-Making Under Pressure ... 273
   Containment Dilemmas ... 273
   The Ransom Dilemma: Legal Landmines and Empty Promises ... 275
   Stakeholder Conflicts ... 279
   You Survived ... 281
   Practical Exercises Summary ... 281
   Case Study Review ... 282
   Summary ... 283

10. The Marathon ... 285
   Keeping the Business Running During Crisis ... 286
   The Business Continuity Blind Spot ... 286
   ZapMart’s Holiday Sales Crisis ... 287
   Change Healthcare’s Patient Care Emergency ... 288
   Maria’s Bakery’s Customer Service Challenge ... 288
   Northforge’s Engineering Productivity Crisis ... 289
   Business Continuity Strategies ... 290
   Business-Driven Prioritization ... 290
   Degraded Operations and Manual Workarounds ... 291
   Communication: The Bridge Between Crisis and Customers ... 292
📄 Page 12
   The Revenue Versus Security Trade-Off ... 293
   Survival Tip ... 294
   Exercise: Plan Your Degraded Operations ... 295
   The Bottom Line on Business Continuity ... 296
   The Human Toll: Stress, Communication, and Morale ... 296
   Emotional Rollercoaster ... 296
   Communication Breakdowns ... 298
   Maintaining Morale ... 299
   Unexpected Curveballs: What Plans Don’t Prepare You For ... 301
   Technical Surprises ... 301
   External Pressures ... 302
   Resource Constraints ... 303
   Lessons from the Trenches: Making It Through ... 304
   What Works ... 304
   What Breaks ... 304
   Building Resilience ... 305
   Exercise: Reflect and Improve ... 305
   Practical Exercises Summary ... 305
   Summary ... 306
   Lessons Learned Template ... 307

11. Analyzing the Breach ... 313
   Beginning the Investigation ... 313
   Why Analysis Matters ... 314
   Guidance for Small and Medium-Sized Businesses ... 315
   Resource Constraints ... 315
   Limited Tooling and Visibility ... 316
   Knowledge Gaps ... 316
   Tool Complexity ... 317
   Budget Limitations ... 317
   Lack of Preparation ... 317
   Sandboxing for Behavior Analysis ... 318
   Real-World Applications of Sandboxing ... 318
   Practical Sandboxing Tools and Techniques ... 319
   Advanced Sandboxing Considerations ... 320
   Best Practices for Effective Sandboxing ... 320
   Identifying the Ransomware Variant ... 321
   Step 1: Examine the Ransom Note ... 322
   Step 2: Check File Extensions and System Artifacts ... 325
   Step 3: Analyze Logs and Network Traffic ... 326
   Step 4: Leverage Threat Intelligence Feeds ... 331
   Assessing the Attack’s Scope ... 332
📄 Page 13
   Step 1: Inventory Infected Systems ... 332
   Step 2: Detect Lateral Movement ... 333
   Step 3: Confirm Data Exfiltration ... 338
   Exploring Decryption and Remediation Options ... 340
   Step 1: Check for Public Decryptors ... 341
   Step 2: Use Forensic Tools for Remediation ... 342
   Step 3: Evaluate Payment Risks (Last Resort) ... 343
   Summary ... 344

12. Advanced Analysis and Forensics ... 347
   Advanced Analysis Techniques ... 348
   Step 5: Craft YARA Rules (Advanced) ... 350
   Step 6: Monitor Dark Web Leak Sites ... 351
   Expanding Identification: Reverse-Engineering Ransomware Samples ... 352
   Why Reverse Engineering Matters ... 353
   How to Reverse-Engineer Safely ... 353
   Expanding Scope Assessment: Cloud-Specific Analysis ... 356
   Why Cloud Scoping Matters ... 356
   How to Scope Cloud Infections ... 356
   Survival Tip ... 358
   Expanding Decryption: Negotiating with Attackers ... 358
   Why Negotiation Is Risky ... 358
   How to Negotiate (If You Must) ... 359
   Risks of Negotiation ... 360
   Best Practices for Negotiation ... 361
   Exercise: Plan a Negotiation ... 362
   Expanding Advanced Analysis: Volatility Tutorial ... 362
   Volatility Tutorial ... 362
   Best Practices for Volatility Analysis ... 362
   Volatility Workflow ... 362
   Post-Analysis Reporting ... 365
   Building a Report ... 365
   Sample Report ... 365
   Executive Summary ... 366
   Incident Overview ... 366
   Response Actions ... 367
   Lessons Learned ... 368
   Next Steps and Recommendations ... 368
   Regulatory and Stakeholder Considerations ... 369
   Summary ... 369
📄 Page 14
13. Contain the Attack ... 371
   What Is Containment and Eradication? ... 372
   The Importance of Containment ... 373
   The Containment Versus Forensics Dilemma ... 374
   Three Approaches ... 374
   Make the Decision ... 378
   Where to Start Containment ... 379
   Snapshot, Suspend, or Pause All Infected VMs ... 382
   Step 1: Suspend VMs Immediately ... 382
   Step 2: Copy VM Files to Isolated Forensic Storage ... 383
   Step 3: Document Everything ... 384
   Create a Panic Button Script ... 384
   The Suspend Versus Shutdown Distinction ... 384
   Testing Your Suspension Process ... 385
   Identify Critical Systems ... 385
   Rapid Forensic Imaging ... 387
   Immediate Containment Actions ... 388
   Step 1: Isolate Infected Devices ... 389
   Step 2: Disable Attack Vectors ... 391
   Step 3: Block External Communication ... 393
   Step 4: Automate Containment ... 395
   Verification and Monitoring ... 398
   Forensic Disk Preservation ... 399
   The Final Shutdown Decision ... 401
   Pull the Plug ... 401
   Summary ... 403

14. Eradicate the Threat ... 405
   Clean, Wipe, or Replace ... 406
   Cleaning ... 406
   Wiping ... 411
   Replacing ... 415
   Making the Decision ... 415
   Reinstall the Operating System ... 416
   Clean Data Disks ... 417
   Summary ... 417

Part V. Recover

15. Restore and Recover ... 421
   The Goals of Recovery ... 421
📄 Page 15
   Prioritize Your Restores ... 422
   Choose a Restore Method for OS and Apps ... 425
   Full System Restore ... 425
   Reinstall and Reconfigure ... 426
   Reimage ... 427
   Choose a Restore Method for Databases ... 427
   Choose a Restore Method for SaaS Applications ... 428
   The SaaS Recovery Challenge ... 429
   The Delete-and-Restore Approach ... 429
   SaaS Recovery Timeline Expectations ... 430
   Application-Specific Considerations ... 431
   Choose a Restore Method for Filesystems ... 432
   Restore Before Infection, Followed by Many Individual Restores ... 432
   Curated Restore ... 433
   Use a Sandbox Area for All Restores ... 434
   Scan for Malware ... 435
   Scanning During the Restore ... 435
   Scanning After Restore ... 436
   Restore Your OS and Data ... 436
   Pick Your Restore Point ... 436
   Test Functionality ... 437
   Monitor for Any Network Activity ... 437
   Recover to the Cloud ... 438
   Why Recover to the Cloud? ... 438
   Planning Your Cloud Recovery ... 438
   Setting Up Temporary Cloud Infrastructure ... 439
   Networking Considerations ... 440
   Data Transfer Challenges ... 441
   Failover and Failback Concepts ... 441
   Understanding Failover ... 441
   Managing the Transition Period ... 442
   Planning Your Return ... 442
   Testing Failback Procedures ... 443
   Long-Term Considerations ... 443
   Summary ... 444

16. Post-Mortem Analysis ... 445
   The Importance of Post-Mortem Analysis ... 446
   Psychological and Organizational Impact ... 447
   Human Factors ... 447
   Communicating Post-Mortem Results to Employees ... 448
   Documenting What Happened ... 448
📄 Page 16
   Key Elements to Document ... 457
   Tools for Documentation ... 459
   Best Practices for Documentation ... 459
   Conducting the Post-Mortem Meeting ... 460
   Step 1: Planning the Post-Mortem Meeting ... 460
   Step 2: Structuring the Post-Mortem Meeting ... 461
   Step 3: Facilitating Open Discussion ... 464
   Step 4: Documenting the Meeting ... 464
   Regulatory and Legal Considerations ... 465
   Learning from Your Mistakes ... 465
   Common Mistakes ... 466
   Prioritizing Improvements with Limited Resources ... 467
   Turning Mistakes into Opportunities ... 468
   Adapting Your Incident Response Plan ... 469
   Key Components to Update ... 469
   Key Monitoring Areas ... 471
   Implementing Monitoring Tools ... 472
   Regular Audits and Testing ... 472
   Sharing Threat Intelligence ... 473
   Recommendations for Long-Term Resilience ... 473
   Post-Mortem Analysis Case Studies ... 475
   The Lorenz Attack ... 476
   Healthcare Breach (2023) ... 478
   Summary ... 478

Index ... 481
📄 Page 17
Preface

On the very day I (Curtis) finished my final edit of this book to hand over to my amazing editor, Sara, the tech world fell apart, and I thought it would make a great story to open this book. While it doesn’t appear to be ransomware related, it does show just how much we have all come to count on technology and how businesses don’t know what to do when the tech they count on simply doesn’t work.

The first thing my daughter, Marissa, noticed on October 20, 2025, was that Netflix wasn’t working. Marissa, her husband Hunter, and my granddaughter Lily sat down to watch something together, and it just wouldn’t play. “That’s odd,” they thought. She went to work at a clinic, and some of her patients that she tells me are “tech people” told her there was a big outage. She thought, “Well, that has nothing to do with me.” But later she noticed that she couldn’t access some of her patient records. She had to resort to paper and pen for records. “That’s super annoying,” she thought. Then she noticed that her patients couldn’t use some of their streaming services. Weird. When she got home, she found out that Lily couldn’t do her online classwork. What is happening? The final straw, she told me, was when she couldn’t turn on her bedroom lights. Apparently, she solved a problem by hooking them up to—you guessed it—Alexa. And Alexa was down.

On the same day, a friend of mine was in a hospital that was completely offline, and a restaurant that I’m a regular at (Hello, Beach Break Cafe in Oceanside!) had issues as well. Their POS system worked, but they couldn’t enter tips.

All of this because DNS wasn’t working on DynamoDB in the US-East-1 region of AWS. Imagine the pressure those folks were under that day and resolve to at least have a plan for when this happens to you because of ransomware.
xv
📄 Page 18
Why This Book

I sent the initial idea for this book to O’Reilly almost three years ago, when I saw what was happening where I worked at the time. I was working for Druva, a SaaS-based backup and disaster recovery provider, and every Monday morning, we’d review the previous week’s restore activity. It’s the kind of meeting that should be routine and boring. Except it wasn’t.

Week after week, I watched the ransomware restore numbers climb. Not the normal “Oops, I deleted a file” restores. These customers had been fully encrypted by ransomware and had to restore everything. Thankfully, they were always able to recover their data, but the numbers went from one or two a month to two or three ransomware restores a week!

These were our customers. They were the lucky ones because Druva by default secures your backups the way I recommend in Chapter 6 (e.g., separate credentials, air-gapped copy, immutable storage). But even then, we started seeing something that made my blood run cold: threat actors were getting smarter. They were clearly targeting the backup data. What used to be an afterthought for attackers had become target number one.

I’ll never forget one customer whose attackers attempted to delete their backups. There was plenty of evidence of the attempts, and thankfully they had all been stopped. But I just couldn’t help wondering, what if they had succeeded?

That’s when I started making protecting our customers’ backups against ransomware my number one priority. I didn’t care about new platforms or additional features. I just wanted to make our customers’ backups as secure as possible. (The good news is I wasn’t alone; it’s just that I had the luxury of being singularly focused on this.)

And the stories outside Druva kept coming as well. I’d read about attack after attack where the common thread was always the same: “Backups were encrypted or deleted prior to the attack.” I can’t tell you how much it hurts my heart to read that.

But here’s what really got me: about 90% of these attacks could have been stopped at the very beginning. Not with some million-dollar security platform. Not with an army of SOC analysts. Just by following basic cyber hygiene practices that every IT person already knows they should be doing. So I wanted to write a book that cut through all the noise and said this:

• Get decent unique passwords for everything
• Put multifactor authentication (MFA) on anything that matters
• Regularly patch your systems and monitor for critical patches
• Put one copy of your backups offsite (most likely in the cloud)
📄 Page 19
• Put one copy of your backups on truly immutable storage (so even you can’t delete it)

That’s it. If everyone just did these five things, we would see a drastic reduction in successful ransomware attacks. And for the attacks that still got through? You’d at least have a copy of your data that wasn’t deleted or encrypted. Your restore process might take a while, but at least it would be possible.

As I’m now finishing this book, all of that is still true. And I believe it will always be true. And seriously—if you’re not doing anything on the preceding list, put this book down and go fix that now. There’s not much point in everything else we discuss if you’re not going to do the basics.

A Different Tack

Most ransomware books focus on prevention—trying to prevent you from getting it in the first place. A few also cover how to respond to an attack. But I didn’t find any books that were dedicated to preparing you to be able to respond to and recover from an attack. So I set out to write one. Odds are you’re going to get ransomware. So let’s acknowledge that fact and learn how to:

• Minimize the damage a single attack can cause
• Detect it sooner than later
• Fortify your backup system so it won’t also get taken out
• Build an incident response plan (IRP) and an incident response team (IRT)
• Build up muscle memory on how to respond when the worst happens
• Know when to call in the pros

Bringing in the Cavalry

I initially thought I could write this one on my own, as I have for all my other books. But along the way, I realized that the readers would be much better served by someone with deep domain knowledge in the cybersecurity space. Which is why I decided to bring in a co-author for the first time—and I found the perfect co-author. Besides being a great communicator and writer, Dr. Mike Saylor is a boots-on-the-ground warrior in this battle. He runs a managed security services provider (MSSP) called Blackswan Cybersecurity, and they are the folks you call on your worst day.
📄 Page 20
They are the blue team—the guys you want in your corner before and during an attack. We had him on The Backup Wrap-Up podcast, and he clearly knew what he was talking about. I asked him if he was interested, and he jumped at the chance. He is as dedicated to cyber as I am to backup and recovery.

He would write the cyber-heavy content, and I would write the backup-heavy content, and then we each reviewed the other person’s work. The result is a very solid book that neither of us could have written by ourselves and that stands alone as the only book of its type. I’m going to write my acknowledgments now, so I’ll stop talking about Mike.

Mike’s Story

I have been in IT and cyber for about 30 years, in roles ranging from PC build technician and help desk to IT auditor, cybersecurity director, and CISO, while also teaching cybersecurity and computer science at colleges and universities since 1999. For the last 15 years, I’ve led IRTs and digital forensic investigations for clients on their worst day. I’ve worked with just about every law enforcement agency in the pursuit of cyber criminals and have contributed to three editions of a book on cybercrime and cyber terrorism with Bob Taylor.

The perspectives learned and experienced through these different roles and incidents have no doubt provided the content I share in this book. From the things that you must consider today in preparation for the inevitable, to descriptions and war stories of what to expect when it does happen—these are not theoretical/conceptual; they are facts that must be adapted for your organization ASAP.

How This Book Is Organized

This book follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0, organizing its material around five of the framework's practical functions, which form a complete defense lifecycle:
The above is a preview of the first 20 pages.
