This week’s blog features an article from our partners at Veeam on what your business needs to know about ransomware recovery.
Ransomware attacks are on the rise and affected up to 85% of companies surveyed in 2022. While some companies chose to pay the ransom, a significant number of those companies still failed to get their data back, and several fell victim to a second attack. Ransomware can cripple a company, so it’s essential that you prepare by implementing strong cybersecurity measures, a comprehensive backup strategy and a robust incident response plan. Companies should rigorously check backup integrity and practice their incident response. They must know how to recover from a ransomware incident as quickly and effectively as possible.
What is Ransomware Recovery?
One of the biggest threats facing businesses today is ransomware. According to the 2023 Data Protection Trends report, the number of companies successfully attacked increased from 76% in 2021 to 85% in 2022. Staggeringly, only 55% of encrypted data was recoverable. On average, affected companies lost 45% of their data.
Several types of ransomware exist. Most commonly, cybercriminals lock users out of their machines and encrypt data to extort substantial sums of money. Scareware pressures victims with fake security warnings into paying for a bogus fix, while doxware (also called leakware) threatens to publish stolen private information unless victims pay a ransom.
Ransomware recovery is a set of deliberate actions companies take to mitigate the impact of ransomware attacks. Based on the assumption that hackers will succeed in encrypting company data, organizations implement a system of immutable data backups and configuration snapshots that allow them to rebuild their systems. Successful ransomware recovery depends on the effectiveness of an organization’s backup and data protection processes and what was affected during the ransomware attack.
What is DRaaS?
Disaster Recovery as a Service is more than just restoring corrupted data files. It means leveraging a service provider to support the DR planning, testing and execution process. Replicas of your entire production environment are continuously shipped to a third-party, off-site location (often the service provider’s datacenter). When the production site fails, whether from a natural disaster, hardware failure or cyber-attack, the replicas are powered on at the third-party location. Once the primary production datacenter is back online, you fail back to it along with the data changes that took place during the failover period, so data loss is limited to the gap between the last replication and the failure (your recovery point objective). It is common for the service provider to help orchestrate the failover and failback process.
Prepare for Ransomware Attacks
Ransomware preparation is part of business continuity planning, and the risk of an attack is high. A successful attack could cause significant data loss and threaten your business’s ability to continue as a going concern.
Preparation for a ransomware attack requires a comprehensive recovery plan. This plan should be regularly reviewed and thoroughly tested. It should incorporate ransomware prevention best practices, including strong cybersecurity measures and a comprehensive backup strategy.
Implement Strong Cybersecurity Measures
Your first step should be to harden your network against unauthorized access and secure your systems from attackers. Key steps include:
- Endpoint protection. Secure all endpoint devices like laptops, virtual machines (VMs), servers, embedded devices and mobile devices. Implement multi-factor authentication (MFA), enforce strong password policies and encrypt your data. Install endpoint security software and adopt Zero Trust security principles.
- Network security. Protect your network from unauthorized access. Use robust firewalls and segment the network (VLANs and firewall zones between tiers) so that a compromise of one segment cannot spread freely. Require a VPN with MFA for remote access, and keep your backup infrastructure in its own tightly controlled segment.
- Email security. Implement advanced threat protection solutions to protect user accounts. Train users on email security and how to recognize signs of phishing attacks.
- Patch software. Promptly install software security patches to minimize the risk of hackers exploiting vulnerabilities.
- DRaaS. As your business prepares to address risks for potential data loss, don’t forget to include Disaster Recovery as a Service (DRaaS) in your plan to ensure full availability when disasters happen.
Create a Comprehensive Backup Strategy
Attackers know how important backups are and specifically target backup data and backup servers, often before triggering encryption. Create a secure and comprehensive backup strategy and consider these points when developing your own backup plan.
- 3-2-1-1-0 Rule: This is an evolution of the original 3-2-1 backup plan. Keep at least three copies of your data (the production copy plus at least two backups), on at least two different types of media, with one copy offsite and one copy offline, air-gapped or immutable. The zero means you verify your backups and can recover from them with zero errors, rather than assuming a completed backup job is a usable one.
- Backup type: Your backup strategy can include full, incremental or differential backups. Typically, full backups are performed weekly and incremental or differential backups are done daily. An incremental backup stores all changes since the last backup of any type, so a restore needs the full backup plus every incremental after it, in order; one corrupted or encrypted incremental breaks the chain. A differential backup stores all changes since the last full backup, so its size grows with each run, but a restore needs only the full backup and the latest differential.
- Offsite and cloud-based backups: At least one set of backups should be offsite, either on a remote hardened server or in a secure cloud facility like Amazon S3 cloud object storage.
- Immutable backups: Backups should be immutable, meaning they are write-once and cannot be changed or deleted, even by an administrator, until a predetermined retention period expires (for example, object storage with an object-lock feature). Because an attacker who captures your backup credentials still cannot destroy immutable copies, they offer much better protection against ransomware.
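To make the backup-type distinction and the "zero errors" check concrete, here is an added example; it is not Veeam code and not any real backup format. It models full, incremental and differential backups over a tiny set of files, gives every backup a SHA-256 digest that is verified before it is replayed, and shows that a restore from an incremental chain needs every link intact while a differential restore needs only the full backup and the latest differential. The file names, contents and the corrupted "repository" copy are all constructed inside demo(); the same verify-before-restore step is what the validation practice under best practices below asks you to run routinely.

```python
"""Toy full / incremental / differential backup chain with integrity checks.
Added example; the format and file contents are made up for illustration."""
import copy
import hashlib
import json


def _digest(payload: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so any changed byte is detected."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def _make_backup(kind: str, changed: dict, deleted: set) -> dict:
    """A backup is its payload (changed files, deleted paths) plus a digest of it."""
    payload = {"kind": kind, "changed": changed, "deleted": sorted(deleted)}
    return {"payload": payload, "digest": _digest(payload)}


def _diff(base: dict, current: dict):
    """Files whose content differs from base, and paths removed since base."""
    changed = {path: data for path, data in current.items() if base.get(path) != data}
    deleted = set(base) - set(current)
    return changed, deleted


def take_full(current: dict) -> dict:
    return _make_backup("full", dict(current), set())


def take_incremental(current: dict, chain: list) -> dict:
    """Changes since the previous backup of any type; the base is the replayed chain."""
    return _make_backup("incremental", *_diff(restore(chain), current))


def take_differential(current: dict, full: dict) -> dict:
    """Changes since the last full; grows each run, but restores need only it plus the full."""
    return _make_backup("differential", *_diff(full["payload"]["changed"], current))


def verify(backup: dict) -> bool:
    """The '0' in 3-2-1-1-0: recompute the digest and compare with the stored one."""
    return _digest(backup["payload"]) == backup["digest"]


def restore(chain: list) -> dict:
    """Replay the full, then each dependent backup in order; fail closed on a bad link."""
    state: dict = {}
    for index, backup in enumerate(chain):
        if not verify(backup):
            raise ValueError(f"backup {index} ({backup['payload']['kind']}) failed integrity check")
        for path in backup["payload"]["deleted"]:
            state.pop(path, None)
        state.update(backup["payload"]["changed"])
    return state


def demo() -> dict:
    """Constructed three-day history; reports what each strategy could recover."""
    day0 = {"a.txt": "v1", "b.txt": "v1"}
    day1 = {"a.txt": "v2", "b.txt": "v1", "c.txt": "new"}
    day2 = {"a.txt": "v2", "c.txt": "new2"}          # b.txt deleted, c.txt edited

    full = take_full(day0)
    inc1 = take_incremental(day1, [full])
    inc2 = take_incremental(day2, [full, inc1])
    diff2 = take_differential(day2, full)

    # Simulate ransomware or bit rot hitting the middle link of the incremental chain.
    corrupt_inc1 = copy.deepcopy(inc1)
    corrupt_inc1["payload"]["changed"]["a.txt"] = "\x00garbage"
    try:
        restore([full, corrupt_inc1, inc2])
        corrupt_link_detected = False
    except ValueError:
        corrupt_link_detected = True

    return {
        "incremental_restore_ok": restore([full, inc1, inc2]) == day2,
        "differential_restore_ok": restore([full, diff2]) == day2,   # does not depend on inc1
        "corrupt_link_detected": corrupt_link_detected,
        "inc2_payload": inc2["payload"],
        "diff2_payload": diff2["payload"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the digest is that a backup job reporting "success" says nothing about whether the stored bytes are still the ones you wrote; a real repository should store the digests separately from the data (ideally on the immutable copy) and re-verify on a schedule, not only at restore time.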
How to Detect Ransomware Incidents
Early detection of a ransomware infection is crucial and can prevent a full-blown ransomware attack. A ransomware attack goes through several stages: initial entry or infection, reconnaissance and staging (today often including data theft for later extortion) and, finally, data encryption. If you can detect activity in the earlier stages, you can isolate the affected machines and minimize the impact of an attack. Here are three techniques to help:
- Identify ransomware symptoms and indicators. Early symptoms of an attack often include unusually high CPU activity, sustained high read and write activity on disks, large numbers of files being renamed or given a new extension, ransom notes appearing in many folders, and deletion of volume shadow copies.
- Monitor and analyze network anomalies. Signs of malicious activity include unusual network traffic, traffic spikes, reduced network bandwidth and abnormal network requests.
- Use security information and event management (SIEM) solutions. SIEM software collects event logs from endpoints, servers and network devices and applies correlation rules and, increasingly, machine learning to identify threats and suspicious activity in near real time.
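As an added example of the first two techniques turned into detection logic (this is not a Veeam or SIEM product rule, and the audit-log format, thresholds and sample lines are all constructed), the script below reads file-server audit lines and raises one alert per host when it sees a burst of file operations in a short window, renames to extensions no one uses, or the same ransom-note-like file dropped into several directories. A small entropy function shows the other common indicator: freshly encrypted file contents look like random bytes, while documents do not.

```python
"""Rule-based ransomware activity detector over file-audit log lines.
Added example: the log format, thresholds and sample lines are constructed."""
import math
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed audit format: "<ISO timestamp> <host> <user> <WRITE|CREATE|RENAME> <path> [-> <new path>]"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|CREATE|RENAME) (\S+)(?: -> (\S+))?$")
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}
NOTE_RE = re.compile(r"(readme|how.?to|decrypt|restore|recover).*\.(txt|html|hta)$", re.IGNORECASE)
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20      # file operations per host within one window
RENAME_THRESHOLD = 5      # renames to unrecognised extensions per host
NOTE_DIR_THRESHOLD = 3    # distinct directories receiving a ransom-note-like file


def parse(line: str):
    """One audit line to a dict, or None if it does not match the assumed format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, host, user, op, path, new_path = match.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host,
            "user": user, "op": op, "path": path, "new_path": new_path}


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(lines, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return one alert per host whose activity matches any rule."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event:
            by_host[event["host"]].append(event)

    alerts = []
    for host, events in sorted(by_host.items()):
        events.sort(key=lambda e: e["ts"])
        reasons = []
        # Rule 1: burst of file operations (sliding window); encryption touches many files fast.
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                reasons.append(f"{end - start + 1} file operations within {int(window.total_seconds())}s")
                break
        # Rule 2: renames that give files an extension nobody uses (.locked, .crypt, ...).
        odd = [e for e in events if e["op"] == "RENAME" and _ext(e["new_path"]) not in KNOWN_EXT]
        if len(odd) >= RENAME_THRESHOLD:
            exts = sorted({_ext(e["new_path"]) for e in odd})
            reasons.append(f"{len(odd)} renames to unrecognised extension(s) {exts}")
        # Rule 3: the same ransom-note-like file dropped into many directories.
        note_dirs = {os.path.dirname(e["path"]) for e in events
                     if e["op"] == "CREATE" and NOTE_RE.search(os.path.basename(e["path"]))}
        if len(note_dirs) >= NOTE_DIR_THRESHOLD:
            reasons.append(f"ransom-note-like file created in {len(note_dirs)} directories")
        if reasons:
            alerts.append({"host": host, "users": sorted({e["user"] for e in events}), "reasons": reasons})
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits near 8.0, documents and code far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def build_sample_log() -> list:
    """Constructed audit lines: normal editing on ws-07, encryption-like burst on ws-12."""
    lines = [
        "2024-05-01T10:00:01Z ws-07 alice WRITE /shares/finance/budget.xlsx",
        "2024-05-01T10:02:14Z ws-07 alice WRITE /shares/finance/notes.docx",
        "2024-05-01T10:03:30Z ws-07 alice CREATE /shares/finance/readme.txt",  # note-like name, one dir only
    ]
    t0 = datetime(2024, 5, 1, 10, 5, 0, tzinfo=timezone.utc)
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} ws-12 bob RENAME /shares/hr/doc{i}.docx -> /shares/hr/doc{i}.docx.locked")
    for folder in ("hr", "finance", "legal"):
        lines.append(f"2024-05-01T10:05:30Z ws-12 bob CREATE /shares/{folder}/HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
    print("entropy of plaintext:", round(shannon_entropy(b"quarterly budget " * 64), 2))
    print("entropy of 0..255   :", shannon_entropy(bytes(range(256))))
```

Note that alice's single readme.txt does not fire: the thresholds are what keep a rule like this usable, and in production you would tune them against a baseline of normal activity per share and wire the alert into an automated response (disable the account, isolate the host) because by the time a human reads it the encryption run is well under way.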
What to Do When Responding to Ransomware Attacks
Respond promptly and decisively to a ransomware attack. The quicker your response, the better, especially if you can act before the bad actor encrypts your data. Here are five steps you can take to respond:
- Implement your incident response plan: Immediately activate your ransomware containment, isolation and response plan and notify senior management and all responders.
- Isolate and contain infected systems: Determine which systems are infected and cut them off from the internal network and the internet (disconnect the network rather than powering off, so memory and other volatile evidence survive). Take snapshots and forensic images of all infected devices before making changes to them.
- Notify relevant authorities and law enforcement: Depending on your jurisdiction, you may be obliged to report the attack to regulators and to law enforcement; in the US that means the FBI, and CISA also takes incident reports.
- Engage with cybersecurity expert external support: Contact specialist IT support and cybersecurity companies like Veeam for ransomware emergency response support.
- Evaluate legal and ethical considerations in your ransomware incident response: Determine who was affected and inform them. Establish your obligations under data protection and privacy laws, including any breach notification deadlines, as well as your ethical responsibilities.
Ransomware Recovery Strategies
Your recovery strategy can be influenced by several factors, including:
- The time it will take to recover
- The financial impact on the business
- Threats to release confidential data unless a ransom is paid
Here we explore several options, including using backups, paying the ransom, ransomware decryption tools and ransomware service providers.
Restore Data from Backups
- Data restoration: Restoring data from Veeam backups is a relatively straightforward process. You have a choice between restoring to your original servers or restoring to a VM. This second option means that you can recover quickly from a ransomware attack while your IT team works to clean up and reinstall your servers. Veeam lets you create a replica from your backup and configure a VM that can failover in the event of a ransomware attack. Other recovery options include snapshots and flash-based repositories.
- Ensure data integrity and verification: It is crucial to ensure your backups are not themselves infected and are still usable. For example, Veeam’s Secure Restore function scans the backup image with antivirus before the restored machine is brought online, so you do not reintroduce the malware into a clean environment.
- Recovering data from immutable backups: Immutable backups cannot be altered or deleted during the immutability period, so even an attacker with access to your backup console cannot encrypt or purge them. They are the copies you should expect to recover from after a ransomware attack, which is why the retention period should be longer than the time an intruder might dwell in your network before encrypting.
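The immutability described above (and under the backup strategy earlier) is easiest to see with a concrete object-lock setup. The following is an added example, not Veeam code and not a complete repository configuration: it writes a backup object to an S3 bucket with Object Lock in COMPLIANCE mode using the boto3 call names, then shows what the lock does and does not prevent. The bucket and key names are assumptions, and FakeS3 is a local stand-in for the real client so the script runs offline; with a real client (import boto3; boto3.client("s3")) the write_immutable_backup function is called the same way.

```python
"""Write a backup object under S3 Object Lock (COMPLIANCE mode) and show what
the lock does and does not prevent. Added example: bucket and key names are
assumptions, and FakeS3 is a local stand-in for boto3's client so it runs offline."""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30


def object_lock_config(days: int = RETENTION_DAYS) -> dict:
    """Bucket-level default retention. In COMPLIANCE mode no principal, not even the
    account root, can shorten the period or delete a locked version before it expires."""
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}}}


def write_immutable_backup(s3, bucket: str, key: str, body: bytes, now=None, days=RETENTION_DAYS) -> dict:
    """Create a lock-enabled bucket, set the default rule, and upload with explicit retention.
    Assumes us-east-1; other regions need CreateBucketConfiguration on create_bucket."""
    now = now or datetime.now(timezone.utc)
    retain_until = now + timedelta(days=days)
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)  # also turns on versioning
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=object_lock_config(days))
    response = s3.put_object(Bucket=bucket, Key=key, Body=body,
                             ObjectLockMode="COMPLIANCE", ObjectLockRetainUntilDate=retain_until)
    return {"version_id": response.get("VersionId"), "retain_until": retain_until}


class FakeS3:
    """Offline model of the Object Lock semantics that matter for ransomware:
    deleting a locked *version* is refused until retain_until; a delete without a
    VersionId only adds a delete marker and leaves the locked version in place."""

    def __init__(self, now):
        self.now, self.buckets, self.versions, self.markers = now, {}, {}, set()

    def create_bucket(self, Bucket, ObjectLockEnabledForBucket=False, **_):
        self.buckets[Bucket] = {"lock": ObjectLockEnabledForBucket}

    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        if not self.buckets[Bucket]["lock"]:
            raise RuntimeError("ObjectLockConfigurationNotFoundError")
        self.buckets[Bucket]["default"] = ObjectLockConfiguration

    def put_object(self, Bucket, Key, Body, ObjectLockMode=None, ObjectLockRetainUntilDate=None):
        version_id = f"v{len(self.versions) + 1}"
        self.versions[(Bucket, Key, version_id)] = {"body": Body, "mode": ObjectLockMode,
                                                   "until": ObjectLockRetainUntilDate}
        return {"VersionId": version_id}

    def delete_object(self, Bucket, Key, VersionId=None):
        if VersionId is None:
            self.markers.add((Bucket, Key))          # object looks gone, the data is still there
            return {"DeleteMarker": True}
        version = self.versions[(Bucket, Key, VersionId)]
        if version["mode"] == "COMPLIANCE" and self.now < version["until"]:
            raise PermissionError("AccessDenied: version is under COMPLIANCE retention")
        del self.versions[(Bucket, Key, VersionId)]
        return {}


def demo(days: int = RETENTION_DAYS) -> dict:
    """Constructed scenario: an attacker holding full S3 credentials tries to destroy the backup."""
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    s3 = FakeS3(now)
    bucket, key = "example-backup-repo", "backups/2024-05-01-full.bak"
    written = write_immutable_backup(s3, bucket, key, b"constructed backup bytes", now, days)
    version = (bucket, key, written["version_id"])

    try:
        s3.delete_object(Bucket=bucket, Key=key, VersionId=written["version_id"])
        version_delete_refused = False
    except PermissionError:
        version_delete_refused = True
    s3.delete_object(Bucket=bucket, Key=key)            # plain delete: marker only
    survives = version in s3.versions

    s3.now = now + timedelta(days=days + 1)               # fast-forward past retention
    s3.delete_object(Bucket=bucket, Key=key, VersionId=written["version_id"])

    return {"now": now, "retain_until": written["retain_until"],
            "version_delete_refused": version_delete_refused,
            "version_survives_plain_delete": survives,
            "deleted_after_expiry": version not in s3.versions}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical caveats follow from the model. First, a plain delete still hides the object behind a delete marker, so your restore tooling must be able to list and read older versions, and it is worth alerting on delete markers in the backup bucket. Second, COMPLIANCE retention cannot be undone by anyone, so test your retention settings with GOVERNANCE mode (or on a scratch bucket) before committing, and make sure the backup software's role is not granted s3:BypassGovernanceRetention.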
Explore Paying the Ransom
The decision to pay the ransom is always difficult and affected companies need to weigh the risks and consequences of paying it. While the FBI does not support paying a ransom, the 2023 Ransomware Trends Report from Veeam shows that 80% of victims still decided to pay it. Reasons for negotiating with ransomware operators include:
- Encrypted backups. You may not have access to clean backups. The report suggests that ransomware attacks affected 75% of backup repositories.
- Opportunity cost. You lose money and credibility every day your company is out of action. The total restoration costs could be greater than paying the ransom.
- Confidential data. The threat to release damaging and confidential data is real, and you may feel it’s safer to pay the ransom and recover that data.
There is ample evidence to suggest that paying the ransom is not the end of the story, however. Of those who paid the ransom, the report found that 25% still did not recover their data, and 80% of the companies that paid were hit by a second ransomware attack later on.
Companies should investigate options that eliminate any possible need to pay the ransom.
Utilize Decryption Tools and Techniques
Sometimes it is possible to decrypt ransomware files, and success largely depends on the ransomware family and the availability of suitable tools. Kaspersky, Avast and Bitdefender publish free decryptors for some families. However, most current ransomware uses standard strong encryption, typically a symmetric cipher such as AES-256 or ChaCha20 for the files with the per-victim keys protected by the attackers’ public key, and brute-forcing keys of that size is infeasible. Decryptors exist only where researchers have found flaws in a family’s implementation (a weak key generator, keys left on disk) or where law enforcement has seized the operators’ keys.
Work with Ransomware Recovery Services
If you want to decrypt your files, it may be better to work with a professional ransomware recovery service provider. Some companies have developed an enviable reputation for this, while others have not. So, before engaging with these services, evaluate their expertise. It’s best to deal with reputable professionals who will assess your situation and give an honest answer to whether they can recover your data. The best service providers have global operations with multiple research labs. That said, these services are expensive, and there’s still no guarantee you will get your data back.
Best Practices for Ransomware Recovery
Despite all the pitfalls, you can still recover from a ransomware attack. Here are five ransomware recovery best practices that can make the difference between success and failure.
- Test and validate backups: Backups are no good if they don’t restore. Regularly run validation tests to check for corruption, viruses or malware, and restore to an isolated VM to confirm that systems boot and the data is usable.
- Prepare a ransomware incident response plan: Have a detailed incident response plan that defines specific responsibilities. List the steps your team must take to recover before an event actually happens.
- Simulate and practice ransomware recovery: Check your plan by simulating a ransomware incident in an isolated test environment (restored VMs on a segregated network) so that production services are not disrupted. Practice your recovery process until everyone knows what to do.
- Train staff on ransomware prevention tactics: Train your staff to recognize phishing attacks and other tactics used by cybercriminals.
- Invest in DRaaS from your service provider: Minimize downtime and quickly resume operations no matter the disruption or natural disaster that may take place.
What to Do After a Ransomware Attack
In the aftermath of an attack and once you have recovered, conduct a detailed postmortem examination to analyze what happened.
- Assess the impact and extent of the ransomware attack: Conduct a post-recovery evaluation. Discover the full extent of the attack and measure its impact in terms of downtime and financial losses. Identify how the hackers gained access and establish if the hackers succeeded in compromising your backups.
- Address vulnerabilities: Identify and fix all hardware and software vulnerabilities. Then, retrain your employees.
- Strengthen security: Harden your systems and review permissions. Tighten network segmentation so that systems, and especially the backup infrastructure, are isolated from one another. Enforce MFA everywhere, including on backup consoles and remote access.
- Implement long-term risk mitigation strategies: Follow guidance from organizations like NIST and CISA. Learn how to reduce your risk, enhance security and protect your systems.
Ransomware recovery is feasible. Paying the ransom is inadvisable: a quarter of the companies that pay still do not get their data back, and most are attacked again. The decisive factor behind a successful recovery is preparing for ransomware attacks before they happen. This means strong security measures, a coherent response plan with a thoroughly trained team, early detection, and a backup strategy with multiple verified, immutable copies. Equally significant is a commitment to continuous improvement so you can adapt to evolving threats.
As the premier Managed Service Provider (MSP) of the Midwest, it’s our duty to keep businesses like yours protected around the clock with cutting-edge cybersecurity tools. It’s essential to protect your valuable data and invest in business continuity. We partner with trusted cybersecurity service providers like Veeam, VMware, Datto and Arcserve to provide our customers with innovative solutions.
Curious how your workplace will benefit from DRaaS and Managed Cyber Security services?
Connect with Computers Nationwide: (847) 419-9900