How to avoid paying the ransom with a robust four-step recovery plan

Imagine you’re in an arcade surrounded by enthusiastic gamers.

Every player has their ‘tried and tested’ winning approach, convinced they’re the only person who knows how to play the game the right way. While the flashing lights of an arcade offer a slightly different atmosphere, this ‘winning mentality’ will be oddly familiar to cybersecurity specialists.

Security teams are often torn over how best to respond to and recover from the latest ransomware threat to their organisation. Oftentimes individuals will lean on their experience, asserting that they know how to tackle the threat the right way. However, while in an arcade competitive energy contributes to the fun, in the cybersecurity realm competitiveness only serves to undermine an organisation when its cybersecurity professionals are misaligned on best practices.

News of high-risk breaches continues to make regular headlines. Industry thought leaders often jump in with their two cents on the cause and predicted fallout; while many of these incidents are forgotten with time, others become a permanent stain on a company’s reputation. Take the WannaCry attack on the NHS in 2017 for instance, or the SolarWinds hack in 2020.

With this article, I shed light on the critical components of a strong ransomware recovery approach as a guide for teams looking to improve their resilience.

Stage One: Mapping out the worst-case scenario

Overwhelmed by the sense of urgency, teams handling an incident response can be tempted to sacrifice planning time. Considering the weight of pressure on cybersecurity teams to facilitate business continuity as quickly and securely as possible, this is a natural inclination. Unfortunately, it is short-sighted.

Without a considered plan, incident recovery will struggle to follow clear procedures and restore the functions that are truly business critical. Ransomware deployment occurs every eleven seconds. Organisations that have failed to plan ahead are the most vulnerable to these incessant attacks. Those that anticipate the aftershock of a breach and build their response approach with a worst-case “everything down” scenario in mind will typically recover at a greater success rate.

The planning process must also include clear and agreed-upon roles and responsibilities. Individuals who do not know the part they play in detection and response risk slowing down the efforts of the wider team, resulting in mistakes that could be detrimental. Teams should operate efficiently, both online and offline.

Stage Two: Integrating automated recovery technology

To protect the affected stakeholders, paying the ransom may seem like a viable option. However, payment never guarantees that hackers will release the data they hold hostage. In fact, in 2022, 92% of companies that paid the ransom did not regain full access to their compromised data. Businesses that have a history of surrendering also become attractive targets for future attacks.

To avoid falling prey to the demands of a ransom hacker, organisations should look to invest in automated recovery technologies that, through the brilliance of machine learning, are designed to take control of the response. Acting much like a drawbridge, these systems use step-by-step workflows to isolate networks, preventing lateral movement and reinfection.

Automated recovery also offers teams that would otherwise be solely reliant on manual expertise some peace of mind, as these systems highlight a clear path forward. Automated recovery is a company’s best asset, as it removes the potential for human error when trying to contain an attack that could cause lasting reputational damage.

Stage Three: Evaluating data integrity and seizing control

When ransomware hijacks data, it prevents access to it, usually by encrypting all files. Access is then denied to everyone but the hacker. In some cases, ransomware has been planted by malicious actors and has hidden in plain sight for weeks or even months, spreading to data backups that ultimately become useless. This type of attack aims to sabotage the integrity of entire systems, including data backups, which once compromised are unable to fulfil their purpose.

Most ransomware attacks today involve fileless techniques. Organisations must bear this in mind, ensuring that during the detection process infected backups are combed through in detail to prevent re-infection and to stop any uncompromised files from falling behind enemy lines. Integrating traditional approaches with modern automated detection brings a robust and holistic approach to ransomware recovery.

Stage Four: Knowledge sharing and reflecting on previous attacks

In most respects, successful teams are those always ready to learn and adapt based on their experiences. Ego has no place in cybersecurity given the pace of the attack landscape and security technology development. Discussing new ways of working should be accepted on principle.

Once a breach has been contained, it’s essential for teams to regroup and share feedback on what worked well and what could work better next time – because there will probably be a next time. The reflections of all affected departments should be considered during any revisions to the recovery plan to ensure each department’s needs are met. Sessions in lab and test environments should also be on the agenda so teams can replicate recovery and further prepare. If personal information is compromised, it is essential that – under the GDPR – organisations report to the Information Commissioner’s Office and inform any targeted individuals within 72 hours of the breach.

Building back stronger

Businesses both big and small can be destabilised by a ransomware attack. It’s easy for businesses to be disoriented by the launch of an attack, since the resulting destabilisation impacts stakeholders throughout the organisation. However, if recovery planning forms part of the core business operations, then the damage inflicted can be minimal. Investment in the latest detection and response technology and in security best practice is a steadfast way to ensure organisations can re-stabilise with as few bumps in the road as possible.

About the Author

Scott McKinnon is Field CISO at VMware. VMware is a leading provider of multi-cloud services for all apps, enabling digital innovation with enterprise control. At the heart of everything we do lies the responsibility and the opportunity to build a sustainable, equitable and more secure future for all.​ Since our founding in 1998, our employees and partners have been behind the tech innovations transforming entire industries. Today, we continue to cultivate a culture of innovation where curiosity meets execution.
