Ransomware: recovering from the inevitable

For business leaders, the threat of ransomware is by no means new.

The warning to beware of phishing emails and avoid following suspicious links, for example, is a familiar one. But with tools such as ChatGPT now able to accurately replicate human conversation, distinguishing fake emails from real ones is becoming more challenging. Can organisations really risk the security of their systems by depending on their employees to spot the signs of content written by AI that even industry experts fail to notice?

As the cybercrime landscape advances, moving out of the enterprise realm into areas like critical infrastructure and healthcare, many find that their existing cybersecurity measures aren’t sufficient to keep bad actors at bay. So how can businesses ensure that they are adequately prepared to respond to ever-evolving, ever-advancing cyber threats?

The inevitability of an attack

The first step to adequate preparation is the acknowledgement that an attack is unavoidable. With 71% of organisations globally falling victim to some form of ransomware attack in 2022, we are now in the world of not if, or when, but how often will a business experience a ransomware incursion. Businesses that deny the inevitability of an attack will not only be more exposed, but slower to recover when one does strike. Speed of recovery is crucial as the longer systems are down, the more severe the financial and reputational damage will be.

The cyber defence process should therefore be focused on threat prevention, remediation and regaining operability as quickly as possible. Only when businesses can execute their response and recovery strategies as soon as it becomes clear an attack has struck will they be able to minimise damage.

Designing for recovery

There’s no doubt that businesses’ cybersecurity teams are under an immense amount of pressure in the battle against ransomware but they can only go so far alone. There must be an awareness that it simply can’t be stopped at the source, and that defending against ransomware takes a combination of people, processes and technology.

The digital world can appear complex – especially in large enterprise structures – so it can help to stress that the digital world and the real world are not that different. Digital protections such as patching systems, multi-factor authentication, data protection and the risk of insider threats all have real-world counterparts: open windows that need to be locked at night, double-locking your front door, locking vital items away in a safe, and opportunistic break-ins through unlocked windows or doors. However, whilst using a combination of people, processes and technology to minimise attacks is key, some will inevitably slip through the cracks, which is where recovery comes into play.

Whilst solid and secure data backups are a critical part of any ransomware recovery strategy, they are not the only tool. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are the foundational metrics for building a disaster recovery strategy, because they put a number on how much disruption a business can tolerate. RTO is the maximum time a business can tolerate a system being offline; RPO is the maximum acceptable data loss, expressed as the period of time between the last usable backup and the incident. Both feed directly into the disaster recovery plan: the RPO bounds how often data needs to be backed up, and the RTO bounds how quickly systems must be restorable, which in turn dictates where backups live and how fast they can be read back.
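The two objectives are only useful once they are measured against what the backup schedule and the restore path can actually deliver. The script below is an added example, not Veeam's code or tooling: it evaluates a constructed backup schedule against an RPO and a rough restore-throughput estimate against an RTO. The point it makes that the paragraph does not is that worst-case data loss is the largest gap between successful backups, so a single failed job can breach an RPO that the nominal interval appears to satisfy. All figures (the schedule, the 2,000 GB dataset, 400 GB/h throughput, one hour of fixed overhead) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta


def worst_case_data_loss(backup_times):
    """Largest gap between consecutive successful backups.

    An incident that strikes just before the next backup loses everything
    written since the previous one, so the largest gap in the schedule is
    the worst-case data loss this policy can deliver. A missed or failed
    job widens a gap, which is why RPO must be judged on the gaps that
    actually occurred, not on the nominal interval.
    """
    times = sorted(backup_times)
    if len(times) < 2:
        raise ValueError("need at least two successful backups to measure a gap")
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def estimate_restore_time(dataset_gb, restore_gb_per_hour, fixed_overhead):
    """Crude restore estimate: fixed overhead (locating media, rebuilding hosts,
    verifying) plus bulk transfer at the throughput measured in a restore test."""
    return fixed_overhead + timedelta(hours=dataset_gb / restore_gb_per_hour)


def evaluate_policy(rpo, rto, backup_times, dataset_gb, restore_gb_per_hour, fixed_overhead):
    """Compare a backup schedule and restore capability against RPO and RTO targets."""
    loss = worst_case_data_loss(backup_times)
    restore = estimate_restore_time(dataset_gb, restore_gb_per_hour, fixed_overhead)
    return {
        "worst_case_loss": loss,
        "rpo_met": loss <= rpo,
        "restore_time": restore,
        "rto_met": restore <= rto,
    }


# Constructed scenario (not measured data): a job scheduled every 4 hours whose
# 08:00 run failed, leaving an 8-hour gap between the 04:00 and 12:00 backups.
SCHEDULE = [datetime(2024, 3, 1, hour) for hour in (0, 4, 12, 16, 20)]


def demo():
    """Evaluate the constructed schedule against a 6-hour RPO and an 8-hour RTO,
    for an assumed 2,000 GB dataset restored at 400 GB/h with 1 hour of overhead."""
    return evaluate_policy(
        rpo=timedelta(hours=6),
        rto=timedelta(hours=8),
        backup_times=SCHEDULE,
        dataset_gb=2000,
        restore_gb_per_hour=400,
        fixed_overhead=timedelta(hours=1),
    )


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the restore estimate (6 hours) sits inside the 8-hour RTO, but the one failed job turns a 4-hourly schedule into an 8-hour worst case and breaches the 6-hour RPO. The practical lesson is that RPO monitoring has to alert on missed jobs, not just on the configured interval, and that the restore throughput figure should come from an actual test restore rather than the vendor's headline number.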

In some instances, data recovery can take months. There are businesses that will simply not survive this level of impact, and for those that do, the lost operational time can have a devastating financial impact. Furthermore, lengthy outages don’t just cause financial issues; they also disrupt operations and erode employee, customer and stakeholder confidence. This is why planning for recovery needs to be a foundational process within a business’ data protection strategy.

The role of backup

Fast recovery after a ransomware attack is the ultimate goal, and having iron-clad backup is paramount to achieving this. This might seem simple, but an incomplete backup leaves gaps, and an over-populated one slows every restore; both hinder recovery when an attack strikes. To recover rapidly, organisations need to spend time determining which data is critical to business operations and then be selective about what is backed up, and how.

This is where the 3-2-1-1-0 backup rule comes in. Keep three copies of each dataset (the production data plus two backups), stored on at least two different media, with one copy held off-site. In addition, one copy must be offline and air-gapped, or immutable, so that it is unreachable and unchangeable from a compromised production environment, and, finally, verification must show zero errors: a backup that has never been test-restored is an assumption rather than a recovery plan. Backups themselves are a routine target: attackers who gain administrative access will try to delete or encrypt them before triggering the ransomware, leaving vital data in the hands of criminals and making it impossible for the business to recover its data and resume operations. An immutable backup prevents the data being altered or deleted before its retention period expires, whilst having multiple copies means the fastest available one can be used for the restore, accelerating the recovery process.
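A rule like 3-2-1-1-0 is easy to recite and easy to drift away from as storage is added and retired, so it pays to check the actual layout mechanically. The checker below is an added example, not Veeam's code: it models each copy of a dataset with a handful of attributes and reports which part of the rule a layout violates. It assumes the common reading in which the production data counts as one of the three copies, and the two layouts it checks are constructed for illustration; the attribute names (`immutable`, `offline`, `verified`) are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    site: str         # physical location of this copy
    production: bool  # the live dataset itself (counts as one of the three copies)
    immutable: bool   # WORM / object lock / retention lock: cannot be altered before expiry
    offline: bool     # air-gapped: not reachable from the production network
    verified: bool    # most recent automated restore test or integrity check passed


def check_3_2_1_1_0(copies, primary_site):
    """Return a list of rule violations; an empty list means the layout complies.

    Assumes the production copy counts as one of the three copies. The
    off-site copy and the offline/immutable copy may be the same copy.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies share one media type")
    if not any(c.site != primary_site for c in copies):
        findings.append("1: no copy is stored off-site")
    # The offline/immutable copy must be a backup: an attacker with access to
    # production can encrypt the live data regardless of how it is stored.
    if not any((c.immutable or c.offline) and not c.production for c in copies):
        findings.append("1: no backup copy is offline or immutable, so an attacker "
                        "who reaches the production environment can alter them all")
    unverified = [c.name for c in copies if not c.production and not c.verified]
    if unverified:
        findings.append("0: unverified backups: " + ", ".join(unverified))
    return findings


# Constructed layouts for one dataset (not a real environment).
def weak_layout():
    """Three copies on two media with an off-site copy: looks like 3-2-1, but
    nothing is immutable and the cloud copy has never been test-restored."""
    return [
        DataCopy("production volume", "disk", "HQ", True, False, False, False),
        DataCopy("backup repository", "disk", "HQ", False, False, False, True),
        DataCopy("cloud copy", "object-storage", "cloud-region-1", False, False, False, False),
    ]


def fixed_layout():
    """Same copies, but the cloud copy now has object lock enabled and has
    passed a restore test, so it satisfies both the immutable and the zero-error
    requirements as well as the off-site one."""
    return [
        DataCopy("production volume", "disk", "HQ", True, False, False, False),
        DataCopy("backup repository", "disk", "HQ", False, False, False, True),
        DataCopy("cloud copy", "object-storage", "cloud-region-1", False, True, False, True),
    ]


if __name__ == "__main__":
    for label, layout in (("weak", weak_layout()), ("fixed", fixed_layout())):
        print(label, check_3_2_1_1_0(layout, primary_site="HQ") or ["compliant"])
```

The weak layout would pass a casual 3-2-1 review and still leave every backup reachable and rewritable by an attacker holding the backup administrator's credentials. Note that the checker trusts the `verified` flag; in practice that flag should be set only by an automated restore test that actually mounts or boots the data, and cleared again when the test ages out.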

Hidden impacts

While recovery is the priority after being hit by a ransomware attack, there are other impacts that must be accounted for. Firstly, it might sound obvious, but treating a ransomware attack as a crime is often overlooked. Once an attack is reported, a police investigation will follow, and while evidence is being preserved businesses may be unable to touch the infected systems, so they cannot simply wipe and rebuild them on their own timetable. This is why having backups that can be restored to clean infrastructure, without touching a compromised server, is vital to continuing ‘business as usual’ while the investigation and recovery take place. To minimise reputational and financial damage, it’s important that a seamless façade is maintained, even while the business is working on recovery.

There is sadly no rest in the world of data protection and security, so during these investigations a business must also decide on its internal and external communications strategies. At this stage employees, customers and other stakeholders become involved, and must be told which systems they can and can’t access, what data was compromised and how the incident might affect business operations in the short and long term. The most successful strategies involve timely, clear and honest communication that provides as much information as possible, especially in the event of a sensitive data breach. Knowing in advance which data is sensitive or fundamental to business operations, and where it is located, ensures these communications are comprehensive and that the attack’s impact on operations can be established quickly.

Another hidden cost of a damaging ransomware attack is the associated burden faced by those responsible for protecting the reputation and future of the business. Having a thoroughly fleshed out response process in advance of an attack can minimise the risk of making critical decisions under pressure and might well preserve jobs, business data, and the overall wellbeing of the team.

Data security should be at the top of the corporate agenda; it certainly keeps business leaders awake at night, let alone the staff who are in the weeds. Ransomware is inevitable, so designing a tailored recovery strategy that keeps a business’ specific objectives and pressures in mind will ensure that the impact of ransomware is as small as possible. Having this framework in place gives the business and its stakeholders confidence that it will be in a strong position to take fast and decisive action when malicious actors do strike.

About the Author

Edwin Weijdema is Field CTO EMEA at Veeam. Veeam provides a single platform for modernizing backup, accelerating hybrid cloud and securing data. Veeam has 400,000+ customers worldwide, including 82% of the Fortune 500 and 69% of the Global 2,000. Veeam’s 100% channel ecosystem includes global partners, as well as HPE, NetApp, Cisco and Lenovo as exclusive resellers, and boasts more than 35K transacting partners worldwide.

Featured image: ©darkfoxelixir