How to Increase Your Ransomware Recovery Capability
Improve your organization's ransomware recovery and defense with proactive strategies and effective backup solutions for less downtime and better security.
IN THIS ARTICLE
Ransomware’s Potential Damage and How to Recover
Bridging the Gap Between Security and Infrastructure
Key Outcomes from Security Solutions and an Integrated Strategy
Why Ransomware Remains a Significant Part of the Threat Landscape
Not long ago, cybersecurity experts advised organizations that ransomware attacks were a matter of “if, not when.” Today, their assessment is grimmer; the pertinent questions now are how often will an organization be attacked, and will it be able to survive?
More than ever, organizations are at a severe disadvantage. For example, while many companies may have a dozen IT security experts at most, by contrast, more than 1,000 engineers developed the malware behind the 2020 SolarWinds attack, according to a Microsoft analysis. That exemplifies the sophistication and resources that bad actors have at their disposal.
By now, most organizations recognize that ransomware prevention efforts, while worthwhile, are sharply limited. For instance, malware accounts for only 62 percent of attacks. That means organizations are still vulnerable to attackers’ preferred methods: stolen credentials, compromised accounts, open back doors and zero-day exploits.
To overcome those threats, organizations need a proactive strategy that builds their capability to recover from a ransomware attack. They must assume that attackers will gain access to their environment and may spend months inside, undetected. They must limit attackers’ ability to compromise the clean, reliable backups that will enable the organization to recover data, resume operations quickly and minimize the fiscal impact of an attack. Such tactics appear to be working: In 2022, 41 percent of organizations paid a ransom, down from 76 percent in 2019, suggesting that organizations have begun to implement more effective backup strategies.
Ransomware is a business designed to separate organizations from their data and — a crucial point — to make recovery as difficult as possible. Many organizations cannot recover because of cost or the insurmountable impact of extended downtime. Whether it’s Ransomware as a Service or complex, coordinated attacks by nation-states, organizations continue to play defense, and the best insurance is a safe, secure backup of business-critical data.
After a successful attack — and regardless of whether an organization pays a ransom — hackers may sell their proven strategies to others, leading to multiple attacks on the same organization.
Often, organizations are so focused on resuming operations, they neglect to fix the vulnerability that led to or worsened the initial attack. That can open the door to repeat attacks.
The ransomware business is flourishing, thanks to the proliferation of Ransomware as a Service offerings on one hand and expanding vulnerabilities associated with the Internet of Things on the other.
Ransomware’s Potential Damage and How to Recover
Many organizations are not prepared to recover from a ransomware attack. They may underestimate the consequences, which often go beyond the ransom itself. The aftereffects of ransomware can include layoffs, resignations, reputational damage, fines and business closures. It’s essential to understand the consequences of ransomware and how to respond effectively.
LATERAL MOVES
With an average dwell time of 277 days (about 9 months), attackers have substantial opportunity to compromise backup files and associated safeguards. Their goal is not merely to encrypt data but to render it inaccessible. They seek to determine how and when to attack to make recovery difficult, if not impossible.
ONE-MONTH SHUTDOWNS
On average, organizations need roughly one month to recover from an attack after it is discovered. Before operations can resume, forensic analysis must occur to determine how the attack happened, whether backup data is as clean as organizations think it is and whether organizations will need to rebuild essential systems.
FALSE PRIVILEGED ACCOUNTS
Active Directory is a prime target for attackers. If they compromise AD, they can create privileged accounts — potentially thousands of them — in a manner that makes recovery extremely difficult. Many organizations find it easier to rebuild from scratch than to determine which accounts are legitimate.
ACTIVE DIRECTORY MONITORING
Tools that detect anomalies in Active Directory are crucial for data security. By alerting organizations to the creation of suspicious AD accounts, anomaly detection provides earlier warning of an attack in progress. That can help limit the spread, which in turn shortens recovery time.
SENSITIVE DATA LOCATIONS
Effective data protection requires knowing where sensitive data exists so secure backups can be established. Organizations that don’t know where sensitive data lives are more vulnerable to an attack, more susceptible to paying ransoms and less likely to comply with reporting requirements, which can result in large fines.
INCIDENT RESPONSE PLANS
Organizations need incident response plans specific to ransomware recovery and should practice restoring from backups. At a minimum, plans should cover procedures to contain an attack, perform forensic analysis and notify stakeholders. Some organizations enlist services on retainer to ensure that when an attack happens, expert help is readily available.
CYBER INSURANCE TRENDS
For many organizations, cyber insurance has become costly and difficult to obtain, with coverage payouts delayed or uncertain. As a result, more companies are considering self-insurance as an alternative. In lieu of premiums, companies may set aside money in escrow accounts to cover expenses associated with a ransomware attack.
Learn how to increase your organization’s readiness to respond to and recover from a ransomware attack.
A Worsening Outlook
82%
The percentage increase in ransomware-related data leaks in 2021 compared with 2020
Source: CrowdStrike, 2022 Global Threat Report, September 2022
$660,000
The average increase in breach costs for organizations that have immature security in their cloud environments compared with organizations that have mature cloud security
Source: IBM, Cost of a Data Breach Report 2022, July 2022
4%
The percentage of organizations that received all their data back after paying ransom in 2021, down from 8 percent in 2020
Source: Sophos, The State of Ransomware 2022, April 2022
61%
The percentage of encrypted data that organizations were able to restore after paying ransom in 2021, down from 65 percent in 2020
Source: Sophos, The State of Ransomware 2022, April 2022
37%
The percentage of organizations that were forced to lay off employees in the wake of a ransomware attack
Source: Cybereason, “Ransomware: The True Cost to Business,” July 2022
68%
The percentage of organizations that paid a ransom and were hit again in less than a month for a higher ransomn
Source: Cybereason, “Ransomware: The True Cost to Business,” July 2022
Bridging the Gap Between Security and Infrastructure
The realities of ransomware are forcing organizations to rethink the traditional divide between IT infrastructure and cybersecurity. Typically, these are viewed as discrete disciplines: Backups and other elements of IT infrastructure are a cost of business, while security is a vital defense and, at times, a hurdle to overcome.
Organizational alignment often underscores this divide, inadvertently discouraging coordination between IT and security teams. It also perpetuates misconceptions about the nature of data security. For example, one survey found that some organizations cited backups and cyber insurance as reasons why they do not anticipate an attack. As we have seen, however, the mere existence of backups does not translate to a speedy or complete recovery.
Investing in IT solutions that support ransomware recovery is far more cost-effective than struggling to recover with backups that are unreliable, unsafe or inaccessible. When organizations recognize that safe, reliable backups are the best ransomware recovery strategy, they are much more inclined to view IT infrastructure as a vital partner in cybersecurity.
Enhance Existing Cybersecurity with the Support of a Trusted Partner
A fast, effective recovery may require a blend of internal resources and external expertise that can help organizations navigate unexpected challenges.
Vulnerabilities in the Gap
In many cases, ransomware attackers gain entry in ways that allow considerable latitude to move undetected throughout the organization. The space in which they operate represents the gap between security and infrastructure. In response, many organizations have made it a priority to bridge that gap, realigning departments and reporting structures to ensure that IT and security work hand in hand.
A Vital Partnership
Ransomware prevention, detection and recoverability require IT and security to work together in new ways. IT leaders need to fully understand threat scenarios, and security leaders need visibility into IT infrastructure designed to defend against them. That means, in part, that conventional backups are insufficient; backups must now be separated and secured specifically to thwart ransomware tactics and enable recovery.
Organizational Changes
Moving data protection closer to security — for instance, by placing these functions under a CISO — is not the only change organizations should consider. IT and security teams must work together to share information, developing holistic plans to govern and provide insights into the environment. In addition, data protection applications and environments should be treated as business-critical endeavors and funded accordingly.
The Value of Virtual CISOs
Skills gaps and cybersecurity staffing shortages can hamper efforts to bridge IT and security. Virtual CISOs can help address that need while providing best-practice experience and an independent perspective on data security. Whether via a short-term or ongoing contract, a virtual CISO can help an organization structure the IT-security partnership correctly, providing a meaningful jump-start to broader data protection initiatives.
Expert Readiness Assessments
Ransomware-specific assessments can be invaluable, augmenting internal expertise and validating efforts in progress. CDW’s Ransomware Vulnerability & Recoverability Assessment includes a holistic analysis of an organization’s risk and recommendations for remediation. The RVRA covers data protection methods, security programs and controls, networks, on-premises and cloud applications and data.
Tabletop Rehearsals
As organizations work toward cross-functional maturity, tabletop exercises help IT and security teams build stronger relationships while refining incident response plans. Such exercises help teams identify weaknesses and prepare for a variety of scenarios. For instance, how would the organization pivot if it learned that backups were corrupt? Expert partners can model IT-security collaboration while leading teams through tabletop planning.
Threat-Hunting Roles
Organizations often use partners to enhance internal threat-hunting capabilities after an attack. When organizations fail to correct the security deficiencies that let attackers gain entry or roam freely once inside, they may be victimized repeatedly. Contracting services on retainer for incident response can ensure that an organization has timely support when an attack occurs, which minimizes potential delays in recovery.
Managed Services Support
For some organizations, managed services are the best way to augment a thin security staff. Such services range widely, from embedded C-level executives who lead organizations through specific initiatives to boots-on-the-ground support for implementation. A partner with expertise across the IT-security continuum can develop a cohesive, holistic plan that covers all the bases for recovering from an attack.
Work with an expert partner to learn how your organization can better prepare to recover from a ransomware attack.
Keep Data Backups Secure
When a ransomware attack occurs, preventive controls related to data protection will determine the extent of the damage and the possibility and speed of recovery. A modern data protection architecture calls for solutions and best practices designed to ensure that a safe, reliable backup can survive the attack. The overarching goal is to prevent an attacker from compromising the critical resources on which recovery depends.
Immutable storage protects backup data against external attack but is vulnerable to hackers who gain entry. Indelible storage ensures that data cannot be modified internally for a specified period.
Network Time Protocol authentication verifies a server’s authenticity before local changes can be made to backups. That helps to prevent a hacker from deleting immutable and indelible data.
Active Directory anomaly detection flags changes in real time to provide timely alerts that an attack is underway. This also speeds recovery by helping to identify potential issues in Active Directory.
Least-privilege access limits the number of users who have elevated credentials. Restrict an attacker’s impact by using local accounts for privileged access and multifactor authentication for access to backups.
Key Outcomes from Security Solutions and an Integrated Strategy
Proactive measures lead to faster recovery and can significantly reduce the financial costs and other consequences of an attack.
MINIMIZE BUSINESS IMPACT
Hackers’ ability to move laterally within the IT environment while evading detection can exponentially increase the damage they do. Longer dwell times empower attackers to compromise sensitive and business-critical data, which leads to a greater business impact.
On average, organizations experience 21 days of downtime after a ransomware attack and require 287 days (more than 9 months) to fully recover. In one survey, 33 percent of organizations reported having to suspend operations temporarily while they attempted to recover. Business impacts extend to personnel: 37 percent of organizations had to lay off employees after an attack, and 35 percent had resignations of C-level executives.
In some industries, such as healthcare and critical infrastructure, attacks can have profound consequences for individuals, communities and governments.
REDUCE FINANCIAL COSTS
As the frequency and sophistication of ransomware attacks increase, so do the associated costs. The average payment amount has risen above $800,000, and the number of ransoms topping $1 million has tripled. Yet higher ransom payments have not resulted in more organizations getting their data back or being able to resume operations more quickly. In fact, 68 percent of organizations that paid a ransom were hit again in less than a month with an even higher ransom demand. The average cost to remediate an attack has risen to $1.4 million — again, with no guarantee of a full recovery.
Costs may also arise from lost revenue, reputational damage and compliance fines related to the loss of sensitive data.
INCREASE DATA SECURITY
Organizations that prepare effectively for a ransomware attack significantly increase their ability to recover quickly, fully and with minimal business impact. Proactive measures help establish safe, recoverable data in a location that is not accessible to attackers and can be verified as clean. That capability alone can dramatically reduce downtime in the wake of an attack.
Story by
Patrick Conway
Jason Cray, a data protection strategist at CDW. As a data protection strategist, Jason is responsible for constantly researching the data protection industry, threats to our clients, and being able to advise where clients need to be focusing their efforts. He is an expert in data backup, data protection, disaster recovery, and cyber recovery. He works with clients daily to educate them on how disaster recovery has evolved and how cyber recovery is vastly different. Additionally, Jason spends his time testing data protection products and developing intellectual property to present to clients and the rest of the team, educating them on solutions’ strengths and weaknesses.
Tony Roberts
