Published On: June 18th, 2024 | 10 min read | Categories: Cybersecurity

How to Recover from Ransomware Attack Incidents: What You Need to Know

No business wants to fall victim to a ransomware attack. But in the event that last lines of defense do fail, it’s vital that companies have the right processes and technologies on hand to recover from any downtime, secure their systems from infection and restore any compromised data. So what must businesses be aware of in order to do this?

The Threat Posed By Ransomware in 2024

The first step is to ensure that everyone understands the nature of the threat. Many firms, especially less-sizeable enterprises, may be under the impression they will not be a target for ransomware gangs, either because they do not hold any sensitive data or because they are too small to be worth the effort. However, this is incorrect.

Every business is at risk of ransomware attack – and in fact, smaller firms may be more tempting targets. This is because cybercriminals will know they are likely to have less advanced defenses and may feel more compelled to give into any ransom demands in order to restore operations, as they have neither the skills nor financial resources to attempt recovery on their own.

What is a Ransomware Attack?

Ransomware is a form of malware that encrypts, destroys or exfiltrates data from a business, then looks to extort money from the firm. Traditionally, this would involve paying for a decryption key to recover any affected data. However, in today’s environment, the majority of attacks look to steal data from businesses rather than simply make it inaccessible.

In these cases, enterprises will often be asked to pay in order to prevent the public release of confidential data – especially personal details, financial information or proprietary business data such as trade secrets or R&D plans. Such disclosures would not only have financial implications, but could also cause reputational damage and lead to regulatory action, which can often persuade businesses to pay up.

The Impact of a Ransomware Attack on Businesses

There are a wide range of issues that can result from a ransomware attack, but in monetary terms, the costs can be significant. The sums demanded have grown significantly over recent years, with one study finding the average payment to restore access to data has risen by 500 percent over the last year alone, up from $400,000 to $2 million.

Almost two-thirds (63 percent) of demands were for $1 million or more, and 46 percent of firms that received such an ultimatum had revenues of $50 million or less, therefore making a ransomware attack an existential threat to these businesses.

Even if firms do pay, this is only the start of the issues. Expenses related to investigation and remediation, improving systems, customer compensation, regulatory fines and lost business – both direct due to downtime and in the longer term as a result of reputational damage – quickly add up, meaning even a small firm could end up facing total costs of several million dollars.

5 Steps to Help With Recovery From Ransomware Attacks

The best way for firms to mitigate these expenses is to ensure they have the right tools in place to recover quickly from any incidents, minimize downtime and ensure the most sensitive information is protected from threats such as data exfiltration. With this in mind, here are five key steps that should be part of any firm’s post-ransomware plan.

Isolate Affected Systems

Step one upon discovering an infection must be to stop the ransomware before it can spread throughout the business, which means isolating any affected systems. However, this involves more than just pulling the plug. As well as disconnecting devices from the rest of the network – including switching off Ethernet, Wi-Fi and Bluetooth – companies must disable any automated tasks such as deleting temporary files or writing to backups.

This is essential as many ransomware groups today specifically aim to infect backup systems to make restoration harder. Therefore, an essential part of any ransomware recovery is ensuring these contingencies are protected.

Decide Whether to Pay

A critical decision for firms will be whether to give in to a ransom demand, to try and negotiate or to refuse altogether. Law enforcement agencies, including the FBI and the UK’s National Cyber Security Centre, strongly recommend the latter approach, as engaging with hackers or giving into demands only encourages future attacks – plus there is no guarantee data will be returned or stolen information will be deleted.

For many firms, though, this is not a simple decision, as they have to balance these risks against the threat of lengthy downtime and higher overall recovery costs. It can be very tempting to pay in order to speed up the process and minimize financial losses, but in the long run it can often end up costing more.

Turn to Data Recovery and Decryption Tools

Being able to restore files and systems from backups as quickly as possible is a critical part of any ransomware recovery process. To ensure this works as intended, it’s vital to have a clear plan that sets out what will happen and what everyone’s responsibilities are, and ensure this is documented and tested regularly. It pays to have multiple backups to increase resiliency and ensure critical data is backed up at frequent intervals to minimize any lost progress.

If data has been encrypted, it may be possible to turn to special decryption tools to recover it, especially if the type of ransomware used has been identified. However, there’s no guarantee this will work, so it shouldn’t be relied on as a solution.
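The article says backup restoration should be documented and tested regularly, and that ransomware groups deliberately target backup systems. The following is an added example, not BlackFog's code, of one such test: it checks a restored file tree against a hash manifest recorded at backup time and flags files that look encrypted or were never part of the backup. File names and contents are constructed sample data.

```python
import hashlib
import math
from collections import Counter

# Constructed sample backup set (names and contents are assumptions, not from the article).
CLEAN_FILES = {
    "invoices/q1.csv": b"id,amount\n1,100\n2,250\n3,75\n" * 20,
    "hr/handbook.txt": b"Welcome to the company. " * 40,
    "readme.txt": b"Quarterly backup set.\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Record a hash per file when the backup is taken; keep it apart from the backup itself."""
    return {name: sha256(data) for name, data in files.items()}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and CSV sit well below 7.5, ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_restore(manifest: dict, restored: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a restored tree against the manifest and classify every file."""
    findings = {"ok": [], "missing": [], "modified": [], "suspicious": []}
    for name, expected in manifest.items():
        if name not in restored:
            findings["missing"].append(name)
        elif sha256(restored[name]) != expected:
            findings["modified"].append(name)
        else:
            findings["ok"].append(name)
    for name, data in restored.items():
        # Not in the manifest, or near-random content: the usual trace of an encryptor
        # having run inside the backup set (renamed file, high-entropy body).
        if name not in manifest or shannon_entropy(data) >= entropy_threshold:
            findings["suspicious"].append(name)
    return findings

def demo_tampered_restore() -> dict:
    """Constructed scenario: one file gone, one changed, one encrypted copy added."""
    manifest = build_manifest(CLEAN_FILES)
    restored = dict(CLEAN_FILES)
    del restored["hr/handbook.txt"]
    restored["readme.txt"] = b"Changed after the backup was taken.\n"
    restored["invoices/q1.csv.locked"] = bytes(range(256)) * 8  # stand-in for ciphertext
    return verify_restore(manifest, restored)
```

Calling `demo_tampered_restore()` returns the classification for the constructed scenario; a clean restore yields empty `missing`, `modified` and `suspicious` lists.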

Notify Affected Parties

An essential but often overlooked part of the recovery process is ensuring all affected parties are fully informed of what’s happening. For instance, if customer personal or financial data has been stolen, it’s essential they are alerted immediately. Transparency is essential in keeping any reputational damage to a minimum and providing necessary support to those compromised.

There are also compliance issues to consider here. Rules such as GDPR have mandated reporting for data breaches that require firms to notify their local data protection regulator within a specified time limit – typically within 72 hours of discovery. Failing to meet these requirements can lead to costly penalties.

Harden Your Systems

Once a ransomware incident has been contained and systems have been restored from backups, it’s vital that firms undertake a thorough investigation and identify what weaknesses allowed the malware to enter their network.

Companies that have fallen victim once are likely to come under attack again, especially if they paid a ransom, as they will be identified as easy targets. Therefore, firms must invest in improved anti-ransomware tools, from better monitoring and access controls through to dedicated anti-data-exfiltration (ADX) tools, in order to safeguard their systems for the future.

Ways To Prevent a Ransomware Attack

Ultimately, a ransomware recovery plan should be viewed as a last resort. If hackers have been able to access systems and exfiltrate data, the damage has already been done and even the best recovery tools can only provide partial mitigation. Therefore, the best ransomware protection should be preventative to ensure you can block any attacks before they have a chance to encrypt or exfiltrate data.

There are a number of things every business must do in order to prevent a ransomware attack, but some of the key priorities to remember include:

  • Protect your perimeter – Tools such as email security are essential for shutting down attacks before they enter the network.
  • Train employees – Human error is a major cause of data breaches, so make sure everyone knows the telltale signs to look out for.
  • Control access – Use tools such as multifactor authentication and monitoring to ensure only approved individuals can view and process data.
  • Keep up-to-date – Outdated software can allow hackers to take advantage of vulnerabilities, so make sure everything is patched regularly.
  • Use defense in depth – There’s no single solution to protect against ransomware, so take a holistic approach with tools for every element of your network.

How BlackFog’s Tools Help Protect Against Ransomware

A key component of protecting against these threats is specialized ADX tools that prevent cybercriminals from stealing data. BlackFog’s solutions are lightweight enough to be deployed on every endpoint, including mobile devices, and monitor and analyze outgoing traffic to look for any suspicious or unauthorized activity. 

Automatically blocking traffic that carries the key signs of data exfiltration ensures that, even if hackers have been able to breach a network, they will be unable to steal the data that will be vital if they are to make a ransom demand.
