Ransomware Recovery Steps for Businesses

Introduction

As more organizations conduct business online, ransomware attacks — malware attacks where attackers encrypt or transfer your data and demand a payment to unlock the data — have become increasingly commonplace. According to Sophos, ransomware attacks affected 37% of organizations in 2021.

There are several types of ransomware attacks, with the most common one being data encryption. Data encryption is when an attacker encrypts data for the purpose of extortion. Other types of ransomware are double and triple extortion attacks. A double extortion or exfiltration attack is when an attacker encrypts your data and steals it. Threat actors take this a step further in triple extortion attacks, where they encrypt your systems, steal data, and look for data about your suppliers and customers to target them.

What’s more, ransomware affects almost every industry, with most ransomware victims in the government, education, healthcare, services, and technology sectors. The average cost of recovery from a ransomware attack is also staggering. According to Sophos’ global survey, “The State of Ransomware 2021,” the average ransom paid is a whopping $174,404. Only 8% of organizations managed to regain all their data after paying a ransom, and 29% received about half of their stolen data.

Clearly, ransomware attacks are a threat to all businesses. Read on to learn why ransomware attacks are so effective and how you should approach ransomware recovery.

Why ransomware attacks are so effective

Ransomware attacks are effective for a variety of reasons, including:

• Lack of effective cybersecurity infrastructure

They target organizations’ existing issues, such as the failure to address and update basic cybersecurity requirements, including employee best practice training and information technology (IT) infrastructure. Hackers target these vulnerabilities because they know companies don’t have enough time or energy to address these issues, which are often deep-rooted and require months of planning to remedy. These companies would rather pay the ransom and gain back their information so that they can continue operations.

• Businesses often don’t know how to approach an attack when it happens.

  Most companies don’t have an incident response plan in place to secure their network, eliminate threats, and recover lost data.

   

• Lack of time to respond.

  Since most companies aren’t prepared for a ransomware attack, they often act with haste and make the wrong decision, such as paying the ransom to get their data back.

How to approach ransomware recovery

Fortunately, you can mitigate the effects of ransomware attacks by changing the way you approach ransomware recovery. Here’s how.

Assess the situation of the attack

Don’t act with haste. Take stock of the attack and ask yourself the following questions:

• What exactly was compromised?

  Was it your entire network system or only a few devices? Was it only a single user account?

   

• How was your system potentially compromised?

  Talk to team leads or deploy your internal investigation protocol to see what happened before the system got compromised. Did someone open a suspicious email or download a malicious file?

   

• What are the cybercriminals demanding?

  How much payment are they demanding and what currency do they want?

   

• Is this a credible threat?

  Some “ransomware” attacks are not actually ransomware. In such cases, the attacker didn’t actually encrypt your files. They just created a fake ransomware pop-up and locked the screen. Luckily, you can exit the screen using key commands such as Alt-F4 on Windows and Command-W on Mac. You can also try restarting your computer to see if the message goes away. If it goes away, it’s likely not a real ransomware attack.

Activate your incident response plan or hire a team

Unveil your incident response plan of action to begin addressing the issue at hand.

Your incident response plan should enable you to act quickly and effectively in case of an attack. Be as detailed as possible when writing it. It should cover:

• How to prepare for threats
• How to detect, contain, and eradicate threats
• How to reestablish operations after mitigating and stopping threats
• How to grow your incident response plan after attacks

If you do not have an incident response plan, contact an expert cybersecurity provider immediately. This provider will handle the containment and eradication of the attack.

Ensure backups are available and keep them isolated

A critical part of recovery is creating data backups. Backups allow you to continue working on your files even if ransomware hits. If you don’t have backups, you won’t be able to do anything if ransomware hits your systems suddenly. Even if you pay the ransom, there’s no guarantee that all your data will be returned.

Keep your backups away from the current network environment. Otherwise, the attack vector may also invade them.

Address security breakdowns

The next step is to fix the potential issues that led to the attack. You need to address these security breakdowns whether they were caused by human or technical errors. Do this as soon as possible to prevent another attack from happening. If you see a vulnerability or gap that needs to be closed, patch it immediately. 

Ask yourself the following cybersecurity assessment questions to ensure that all gaps are closed:

• How many assets does your organization own?
  

  You need to make a list of all of the machines, programs, and data that your organization needs to secure. You can start by focusing on one type of asset, such as computers, phones, and tablets, rather than all at once. After selecting an asset type, list out all other devices, assets, and information it’s involved with. This will give you a comprehensive view of all of the assets you need to assess.

• What are the cybersecurity risks associated with each asset?
  

  Look at each asset’s security gaps and consider the likelihood of exploitation and the impact that exploitation could have on your organization. For example, if your server’s administrative accounts use a simple username and password combination like “admin” and “1234,” you need to start upgrading them as soon as possible. Otherwise, all of your admin accounts, which contain key documents and software, will likely be compromised.

   

• How can I establish and continuously monitor cybersecurity measures?

  Once you have identified and listed out your organization’s critical assets and vulnerabilities, you need to implement security measures that will monitor your network environment continuously. Consider hiring experienced emergency response consultants for advice. 

Restore and relaunch data & operations

After you’ve addressed all your security breakdowns, it’s time to activate the network environment with your backup data. Consider using automation and hot disaster recovery sites to speed up the recovery process. Unlike traditional backup methods — like recovering hard copies of files, which can take up to a month depending on your location — hot sites are cloud-based solutions that are available at the switch of a key. 

With a hot site solution, all you have to do is activate a script that copies your IT infrastructure and puts it on another provider. Once you’re hit by ransomware, turn on the restore function. The hot site solution will then automatically restore your infrastructure. This can take anywhere from 10 to 15 minutes or a full day if you go through testing.

After restoring your data and operations, your cybersecurity team needs to implement the cybersecurity monitoring measures you drafted in the previous step. This will limit ransomware attacks from happening again.

Ransomware recovery next steps

Ransomware recovery can be difficult, particularly when you have limited resources and time to spend on cybersecurity. That’s where an emergency response team comes in. This team can provide expert guidance to help you understand the extent of the breach and how you can move forward. They can also:

• Perform a full-suite response from identification to recovery
• Help you reduce legal liability
• Provide certainty for future operations

‌Ready to invest in cybersecurity?

If you’re looking for more guidance on how to move your cybersecurity program forward, CDG can help. Founded in 2016 by cybersecurity expert Lou Rabon, Cyber Defense Group was designed to address the growing demand for experienced cybersecurity consulting for innovative cloud-native and cloud-reliant organizations. 

Our unique combination of Fortune 500 leadership experience, deep knowledge of cloud security and incident response, and commitment to Outcomes-Based Security enable CDG to fully protect our clients’ security posture while delivering desired business outcomes in an agile environment. Get in touch, and see what results are possible for your organization.

If you’re looking for more guidance on how to move your cybersecurity program forward, CDG can help. We are shifting the cybersecurity consulting paradigm to address the needs of mid-market, cloud-native or cloud-reliant companies who are experiencing rapid growth.

Founded in 2016 by global security expert Lou Rabon, our nimble team draws on decades of experience and diverse technical expertise to deliver a full spectrum of information security advisory and implementation services on a fixed-cost basis. Our right-sized, results-driven approach will help you meet your immediate needs, but also ready you to navigate what’s ahead. Get in touch, and see what results are possible for your organization.