Recovering your data after being hacked: dream or real possibility?


Alexander Boero

October 21, 2022 at 6:32 p.m.


Photo: © Shutterstock

The idea of recovering your data after being hacked is today a fantasy, even if nothing is impossible. Experts agree that victims must first think about restoring what can be restored, a job that has to be prepared before an attack ever happens.

After being hacked, whether you are an individual, a public body or anything else, the question of data recovery arises naturally. "Can I recover my stolen data?", we wonder in the heat of the moment. In reality, we should rather think about how to restore data that has merely been copied by hackers whose motivation is above all financial. Between the ideal and reality there is unfortunately a big gap. After our features on the cyber threat in hospitals and on the ransoms demanded by hackers, the cyber experts we were able to meet at the Assises de la sécurité in Monaco draw our attention to the lucidity that must be maintained at the moment of the hack. Above all, they urge us not to confuse data restoration with data recovery, two notions that should be clearly distinguished, both technically and commercially.

The recovery of data copied or collected in the literal sense: “It’s dead”

Is data recovery possible after being hacked? we simply asked Ivan Kwiatkowski. "It's dead," he replied without hesitation. "There is no recovery possible. What many people don't understand is that theft doesn't exist in the world of cybersecurity, because theft is taking something away from someone," specifies the researcher at Kaspersky's GReAT.

"With computer data, there is no subtraction. If I log into your PC and copy your entire disk onto a USB drive, all I've done is duplicate the data. I didn't steal anything," he adds.

Ah! This immediately tempers the idea (and the possibility) of "recovering" data that is not stolen but copied, because that is precisely what happens in a ransomware attack. The hacker breaks into the system, triggers the ransomware, makes a copy of the data (or deletes the backup files if he wants to prevent a restoration), encrypts the information collected and blocks access to the machine, before informing the victim that a ransom must be paid if he does not want his files published and wants to regain possession of his system.

Even if a ransomware business model exists, the hacker remains unpredictable

Christophe Auberger, cyber-evangelist at Fortinet, extends the question: "By paying, will the hacker really return the data to me and destroy it? Or will he end up selling it? We cannot be sure."

"When dealing with a ransomware group, they are not asked to return the data, but to return an alleged copy of the data. I think that believing one can recover data, and believing the word of hackers about deleting a copy, is to be a bit naive," adds Ivan Kwiatkowski.

In other words, from the moment a hacker has had access to our data, nothing can guarantee that it will not travel around the world. If a ransom is paid, the hacker certainly has no interest in leaking the copied data left and right, because that would undermine the very economic model of ransomware. But if the motivation is not purely financial... who knows? The slightest access to data must therefore be treated as a real loss of data.

No solution to recover the data… really none?

Even when a glimmer of hope appears, it is immediately dashed. "It's a little taboo in France, but there is what is called active defense, or offensive defense: I am attacked, I retaliate and I destroy the information system on the other side, so as to ensure that it cannot recover the data," Christophe Auberger tells us. Phew, so there is a chance that we can recover the data the hackers managed to seize?

"One: it doesn't always work. Two: we are not completely sure that the person we are attacking is the malicious person, since hackers' movements go through multiple bounces and multiple platforms," continues the expert. And in any case, attacking an information system remains illegal, "just as in the physical world, self-defense is strictly regulated." No company therefore has the right, and few have the capacity, to attack the adversary. Only the French armed forces today have capabilities in this field, without it being officially known whether they have already been put to good use (no pun intended) or not.

For Ivan Kwiatkowski, "if we ever found out where the hackers' servers are, we could send in the police, and that would be easy. But we don't know where they are. Sometimes some ransomware groups attack each other on forums, but there are no cases where they managed to steal decryption keys from each other and decrypt everything to cause economic damage."

Data recovery in the literal sense is therefore not the direction to take. "We cannot recover the data that was copied," repeats the Kaspersky cyber-expert. "If there is a problem in the encryption, it can possibly be decrypted. But what they copied elsewhere, we can't get back. I'm not saying it's impossible, but it's so impractical in the real world that you might as well consider it out of scope."

Data restoration, a way to restart the machine

If the data cannot be recovered, then what can be done? "Knowing what has been exfiltrated by hackers is a no. But recovering data by restoring it is quite possible, yes." Nicolas Groh, Technical Director for Europe at Rubrik, a company specializing in data recovery, tells us more about what a victim organization can expect after a ransomware attack.

"It is necessary to have an idea, beforehand, of what must be restored. If you are hacked, the first thing to do is to notify the regulators, who will ask you what is still standing, what no longer is, and what types of data may have been collected. If these three questions can be answered, it is already a good start," he explains.

Photo: © Pexels / Markus Spiske

But there are still other steps to take. "We must try to find out what attacked us by carrying out an investigation (a forensic analysis), to find out whether the organization has been affected by this or that malware. Depending on the ransomware, the data will be restored one way or another. Then comes the time for remediation. This whole procedure can take several days." It is also important to have an idea of the machines that will have to be restored, and of the interactions between these machines. "It will sometimes be necessary to bring the database back up first, then the web servers, and so on," says Nicolas Groh. "All this in a set order and with a lapse of time between each step. If you bring things back up too quickly, things can get lost along the way..."
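The restoration sequencing described above (knowing which machines depend on which, bringing them back in order, and pausing to check each one before moving on) can be written down as a small planner. The Python below is an added illustration, not Rubrik's product or anything from the article; the system names and their dependencies are a constructed sample inventory, and `restore_fn` and `health_check` are hypothetical hooks standing in for an organization's real restore and verification procedures.

```python
"""Dependency-ordered restoration with a health check between steps.

Added illustration; not Rubrik's product or code. The inventory below is
constructed, and restore_fn / health_check are hypothetical hooks.
"""
import time
from collections import deque

# Constructed sample inventory: each system lists the systems it depends on.
SAMPLE_DEPENDENCIES = {
    "domain-controller": [],
    "database": ["domain-controller"],
    "file-server": ["domain-controller"],
    "web-server": ["database"],
    "mail-server": ["domain-controller", "database"],
}


def restore_order(dependencies):
    """Return an order in which every system comes after everything it
    depends on (Kahn's topological sort). Raises ValueError on a cycle or
    on a reference to a system that is not in the inventory."""
    indegree = {name: 0 for name in dependencies}
    dependents = {name: [] for name in dependencies}
    for name, deps in dependencies.items():
        for dep in deps:
            if dep not in dependencies:
                raise ValueError(f"{name} depends on unknown system {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    # Sorted queues make the order deterministic for a given inventory.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(dependencies):
        stuck = sorted(set(dependencies) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def run_restore(dependencies, restore_fn, health_check,
                settle_seconds=0.0, sleep=time.sleep):
    """Restore systems in dependency order, waiting settle_seconds after
    each one and stopping at the first system whose health check fails, so
    that nothing is ever built on top of a bad restore.

    Returns (restored, halted_at): the systems confirmed healthy, and the
    name of the system that failed its check (None if everything came up).
    """
    restored = []
    for system in restore_order(dependencies):
        restore_fn(system)
        sleep(settle_seconds)  # the "lapse of time between each step"
        if not health_check(system):
            return restored, system
        restored.append(system)
    return restored, None


if __name__ == "__main__":
    # Simulated run: every restore "succeeds" except the web server's check.
    log = []
    healthy, stopped = run_restore(
        SAMPLE_DEPENDENCIES,
        restore_fn=lambda s: log.append(f"restored {s}"),
        health_check=lambda s: s != "web-server",
    )
    print("restore order:", restore_order(SAMPLE_DEPENDENCIES))
    print("confirmed healthy:", healthy, "halted at:", stopped)
```

The planner refuses to continue past a system that fails its check, which is the point of the pause between steps: a database that is not actually healthy should never have web servers restored on top of it. In a real plan `health_check` would be the application-level verification (service answers, data is consistent), not merely "the VM booted".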

The reflex to avoid, according to Ivan Kwiatkowski:

"A reflex that many victims have, after being hacked, is to use their mail server to send panicked e-mails to their contacts, and to use the compromised system to keep the business running. Here, the ransomware groups still in the network are witnessing all of this and know exactly what is happening, and they have an easy time reminding their victims of it."

It is indeed a stack of layers that can ensure security today. "Data is the main target of hackers," says Field CTO Nicolas Groh. "Governance, the protection of one's data, is the basis of any organization." Setting up a backup plan beyond the reach of any attack remains today one of the best solutions for recovering data (and, therefore, for not paying a ransom).
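A backup plan "beyond the reach of any attack" only helps if, before restoring, you can tell that the backups were not among the things the intruder deleted or altered (the article notes that attackers discard backup files precisely to prevent a restoration). One defensive check is to record a digest of every backup in a manifest kept off the network, on write-once storage or offline, and compare the on-disk backup set against it at restore time. The Python below is an added example, not code from the article, Rubrik or Kaspersky; the backup names and contents are constructed byte strings standing in for real backup files.

```python
"""Verify a backup set against an out-of-band manifest before restoring.

Added example; not code from the article or from any vendor named in it.
Backup names and contents are constructed stand-ins for real backup files.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(backups):
    """Digest every backup. The returned manifest is what you keep offline
    (or on write-once storage), so that an intruder on the network cannot
    edit it to match tampered backups."""
    return {name: sha256_hex(blob) for name, blob in backups.items()}


def verify_backups(backups, manifest):
    """Compare the backups currently on disk with the offline manifest.

    Status per name: "ok" (present, digest matches), "missing" (listed in
    the manifest but gone, e.g. deleted by the intruder), "modified"
    (present but digest differs), "unlisted" (on disk but unknown to the
    manifest, so of no provable origin)."""
    report = {}
    for name, expected in manifest.items():
        if name not in backups:
            report[name] = "missing"
        elif sha256_hex(backups[name]) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in backups:
        if name not in manifest:
            report[name] = "unlisted"
    return report


def trusted_backups(report):
    """Names that may be fed into a restore: only exact matches count."""
    return sorted(name for name, status in report.items() if status == "ok")


# Constructed sample: the backup set as it was when the manifest was written...
ORIGINAL_BACKUPS = {
    "db-full.bak": b"constructed database dump",
    "files-full.bak": b"constructed file share archive",
    "mail-full.bak": b"constructed mailbox export",
}
OFFLINE_MANIFEST = build_manifest(ORIGINAL_BACKUPS)

# ...and as found after an intrusion: one deleted, one altered, one planted.
BACKUPS_AFTER_INTRUSION = {
    "files-full.bak": b"constructed file share archive, but altered",
    "mail-full.bak": b"constructed mailbox export",
    "db-full.bak.old": b"constructed file of unknown origin",
}

if __name__ == "__main__":
    report = verify_backups(BACKUPS_AFTER_INTRUSION, OFFLINE_MANIFEST)
    for name, status in sorted(report.items()):
        print(f"{status:8} {name}")
    print("safe to restore:", trusted_backups(report))
```

The check is only as good as the manifest's isolation: if the manifest sits on the same network share as the backups, an intruder who can delete the backups can just as easily rewrite the digests. The same reasoning is why the article's experts insist on a backup plan that the attacker cannot reach at all.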

This thematic dossier on cybersecurity is the third in a series that you can currently discover on Clubic, following our visit to the Assises de la sécurité which was held from October 12 to 14 in Monaco. Thank you to all the specialists who agreed to answer our questions, and see you for the last two episodes, where we will talk about geopolitics and cyber insurance.
