Ransomware is a (sad) fact of corporate life. 61% of businesses were impacted by cyber criminals in 2020, peaking at more than 900 attacks per organisation in 2021. Remote working is only making organisations more vulnerable. A recent study also found that the average attack costs its victims $5.3m.
It’s no wonder ransomware is near the top of every CIO’s worry-list.
In our last blog, we looked at how best to plan for tomorrow. This blog explains what to do if you’re presented with a ransom demand today. We’ll look at how to get ahead of the criminals and respond in a way that quickly gets your organisation back on its feet.
Let’s start with two very different scenarios. In the first, an IT security manager – let’s call him Tom – has a basic ransomware response plan gathering dust somewhere on the server. The first he learns of his network being under attack is when a message pops up on his laptop. It informs him that all corporate data and apps have been encrypted and he’ll need to pay a hefty ransom to get them back.
Tom works frantically to restore a backup but realises that the backup has also been encrypted. So the company has no choice but to engage with the criminals directly and pay the ransom. But that doesn't necessarily mean the data will be retrieved. Research shows 33% of organisations worldwide that suffered an attack in 2020 didn’t get their data back.
When Tom’s organisation decides to pay the attackers, he tells himself that the insurer may be able to pay out the amount they lost. But, in the meantime, the business grinds to a halt: teams don’t have the tools they need to collaborate, leading to lost revenue. And execs start fielding angry calls about the potential data breach – the reputational and regulatory damage extends far beyond the day of panic in the office.
In the second scenario, another IT security manager – let’s call her Tanya – had planned well and tested often. Her organisation has an assume-breach mindset and they regularly test that all backups are 100% tamperproof.
When ransomware strikes, Tanya is alerted to the attack not by the criminals but by an early warning system she’d implemented with her organisation’s specialist partner. Together, they recover all affected apps and data within 24 hours and with minimal disruption to the business. Customers are notified and reassured in good time. Oh, and they didn’t pay a penny of the ransom.
Let’s see how Tanya managed it.
4 simple steps to a complete and clean recovery
Assess the ‘blast radius’
Successful recovery is all about speed. Every hour of lost productivity costs money, every moment of silence impacts stakeholder relationships. That’s why it’s crucial to understand the extent of the damage. Do you need to recover an entire virtual machine or is the encryption limited to a handful of folders?
Restoring a backup of every file and application wastes valuable work cycles. It’s inefficient and costly: like using a sledgehammer to crack a nut. Far better to analyse all backups for anomalous events and identify precisely which need to be restored from a previous, unaffected version.
Highlight and communicate data breaches
The short-term impact of ransomware is measured in lost sales and low productivity. The long-term effects might be even worse. If there’s a chance that personal data or financial information has found its way into criminal hands, customers might never do business with you again.
And, depending on your industry, regulators might land the organisation with a hefty fine. If data taken from a ransomware attack is leaked, organisations may find themselves subject to fines up to 4% of annual turnover or €20 million per event, whichever is higher.
The important thing is to be on the front foot. Writing up a comprehensive ransomware recovery plan is vital – and so is including it in a communications checklist, so that employees and stakeholders can stay calm when an attacker strikes. First, find out what data has been compromised. Second, be the first to make it public that you’ve been attacked. The company must immediately contact those affected (along with relevant auditors and regulators) and explain what has happened and what you’re doing to rectify it. The more sensitive the data, the more urgent the response must be.
Recover the affected data, apps and services
While senior managers are talking to customers and stakeholders, the security team’s first priority is to get essential apps and data back online. Let’s assume you’ve planned well and have the right tools in place. You know what’s compromised and where to focus attention.
The next step is to orchestrate the recovery, either to the data’s original location or to a secondary site. A SaaS-based management platform means there is a built-in security boundary between the affected environment and the orchestration tools. This significantly reduces the risk of recovery tools being ransomed.
A good backup solution will examine encrypted files and identify a point in history that’s safe to roll back to. A ‘wizard’ process will help you make the right decisions as you go. Should you recover a subset of files or the whole virtual machine? Will recovering to source (i.e. overwriting bad data with good) or replacing files on another server be quicker?
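As an added illustration of the blast-radius analysis from step one and the safe rollback-point selection in this step (example code written for this post, not from the original article or any vendor’s product), the Python below walks a constructed history of nightly backup snapshots, flags files that newly became high-entropy (a signature of encryption) or were replaced by a renamed encrypted copy, marks a snapshot as anomalous when that affects a meaningful share of its files, and reports the last clean snapshot plus the exact files that need restoring. The snapshot contents, file names and thresholds are all constructed assumptions.

```python
import math
from collections import Counter

HIGH_ENTROPY = 7.0    # bits per byte; ciphertext sits near 8.0, prose around 4-5
ANOMALY_RATIO = 0.3   # snapshot is anomalous if >= 30% of its files newly look encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_files(prev: dict, curr: dict) -> dict:
    """Original path -> current path for files that newly look encrypted, in place or renamed (e.g. '.locked' appended)."""
    flagged = {}
    for path, content in curr.items():
        if shannon_entropy(content) < HIGH_ENTROPY or (
                path in prev and shannon_entropy(prev[path]) >= HIGH_ENTROPY):
            continue  # plain data, or was already binary/compressed: not a new event
        orig = path if path in prev else next(
            (p for p in prev if p not in curr and path.startswith(p)), None)
        if orig is not None:
            flagged[orig] = path
    return flagged

def assess_blast_radius(snapshots: list) -> dict:
    """Walk backups oldest to newest; return the last clean snapshot, the first anomalous one and the files to restore."""
    affected, first_bad, last_clean = {}, None, snapshots[0][0]
    for (_, prev), (curr_id, curr) in zip(snapshots, snapshots[1:]):
        flagged = suspicious_files(prev, curr)
        if len(flagged) / max(len(prev), 1) >= ANOMALY_RATIO:
            first_bad = first_bad or curr_id   # keep the earliest anomalous snapshot
            affected.update(flagged)
        elif first_bad is None:
            last_clean = curr_id               # still clean: this is a safe rollback point
    return {"rollback_to": last_clean, "first_anomalous": first_bad,
            "affected_files": sorted(affected)}

# Constructed sample history (not real backup data): snap-03 is the night the encryption landed.
CIPHERTEXT = bytes((i * 97 + 13) % 256 for i in range(512))  # deterministic stand-in for encrypted output
REPORT = b"Quarterly report: revenue stable, costs flat, headcount unchanged.\n" * 8
CONFIG = b"[db]\nhost=db01\n"
SNAPSHOTS = [
    ("snap-01", {"docs/q1.txt": REPORT, "docs/q2.txt": REPORT, "app/config.ini": CONFIG}),
    ("snap-02", {"docs/q1.txt": REPORT, "docs/q2.txt": REPORT + b"Outlook: positive.\n", "app/config.ini": CONFIG}),
    ("snap-03", {"docs/q1.txt.locked": CIPHERTEXT, "docs/q2.txt.locked": CIPHERTEXT, "app/config.ini": CONFIG}),
    ("snap-04", {"docs/q1.txt.locked": CIPHERTEXT, "docs/q2.txt.locked": CIPHERTEXT, "app/config.ini": CONFIG}),
]
```

Calling assess_blast_radius(SNAPSHOTS) points at snap-02 as the rollback target and lists only the two report files, so the untouched config file is not needlessly restored.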
Make a clean getaway
The final part of a successful ransomware response is to ensure peace of mind. You need to identify where the malware originated and how it spread so that it won’t come back to haunt you. It’s crucial to go through backups with a fine-toothed comb to make sure that you don’t get trapped in a loop of restoring bad data.
When your organisation is hit by a ransomware attack, be less Tom – more Tanya. That means having a robust, well-tested plan and a clear view of the right way to respond.
Remember the three Rs. Respond fast by knowing what and who has been affected. Reach out to stakeholders to keep them onside. Only then can you recover data the smart way to get the business back up and running.
Prepare for ransomware NOW
Now that you have some actionable steps you can take to prepare for ransomware, continue your journey of improving your cybersecurity posture by learning how to build a rock-solid ransomware recovery plan with our guide on The Best Defence Against Cyber Threats.