Mattel disclosed a ransomware attack this week. The incident occurred in July. The company says that it was able to respond quickly and restore systems, and believes that no data was exfiltrated, but hybrid identity expert Sean Deuby of Semperis, host of the HIP Podcast, believes other organizations need to take heed as yet another large organization comes under threat:
“While organizations understand the importance of being prepared for a ransomware attack, our recent survey of identity-centric security leaders found that over 50% of responders never actually tested their Active Directory cyber disaster recovery process or do not have a plan in place at all. Given the rise of fast-moving ransomware attacks and the widespread impact of an AD outage, the fact that Mattel reports it was able to enact response protocols quickly, contain the attack and restore critical functions -- and even believes it avoided any data exfiltration -- is a testament to the power of having recovery plans in place.”
“Particularly now, as businesses work to support an expanding ecosystem of mobile workers, cloud services and devices, organizations need to adjust their response plans to include preparations for ransomware attacks. In the event of a cyber disaster, taking regular backups and storing copies both on a non-domain-joined server and offline will be the difference between a brief outage and extended downtime if AD is compromised. Otherwise, network-accessible backups can easily be destroyed and increase the chances of payout from the victim. Organizations should always have sufficient backups to perform a full forest recovery. Finally, it’s critical to avoid bare-metal and system state restores when recovering from a cyberattack, as these approaches carry severe underlying issues, including the likely possibility of malware re-infection.”