How to organize the chaos of ransomware recovery

[Image: Security padlock with binary code, signifying cybersecurity. Image credit: Altalex]

Picture a busy arcade. You have an air hockey game to your left, basketball hoops to your right, a vigorous ping pong match ahead, and you’re engrossed in a chaotic game of whack-a-mole. Each player has their prized tactics, convinced they’re the only one who knows how to play the game the right way. While it may seem worlds apart, for many cybersecurity teams this scene is all too familiar.

Enter an in-house disaster recovery room. Security professionals are divided over how to grapple with the latest ransomware threat to their organization. Each team or team member asserts they know how to tackle the intruder the right way. The energy and chaotic noise that are welcome in an arcade only cause conflict in this scenario, as ‘best practice’ falls by the wayside and recovery efforts fail.

It’s time to restore order to ransomware attack recovery. News of a high-profile attack spreads fast, with media and industry thought leaders quickly weighing in on what may have gone wrong. As the days go by, some breaches are quickly forgotten, while others become permanently associated with the organization. Take the WannaCry attack on the NHS in 2017 for instance, or the SolarWinds hack in 2020.

With this article, I will detail a clear and concise four-step programme to help security teams respond with speed and agility following a cyberattack.


Step One: Never underestimate the value of planning time

Ransomware incident recovery plans often lack clear procedures, evidence of thorough forward planning, and an assessment of which systems are truly business-critical. In the field of information security, ransomware deployment is a statistical reality, with an attack occurring every eleven seconds. Organizations that assume a breach will take place are typically the most prepared if it does. It is essential to create a robust ransomware incident recovery plan that anticipates future pain points. Designing these plans with a worst-case “everything down” scenario in mind can make a real difference: it surfaces the core challenges bound to delay recovery when ransomware takes complete control. Having already assessed the risk, an organization will be able to bounce back much more quickly.

Each member of the security team has a role to play, but in the aftermath of a breach the boundaries of these roles can blur, leading to detrimental miscommunication. When creating a new and improved plan, the importance of clearly assigning responsibilities to teams and individuals cannot be overstated. The ability to get into formation efficiently, both online and offline, saves precious minutes during detection and response.

Step Two: Invest in automation to avoid paying the ransom

When faced with a ransom demand from hackers, businesses may think the easy way out is to make the payment so they can return to business as usual. However, paying the demand may do more harm than good in the long term. Last year, 92% of companies that did pay a ransom did not regain full access to their data, showing that payment almost never equals complete business continuity, and your networks may still be infected. What’s more, businesses that pay ransoms may make themselves a target again in the future.

Instead, organizations should invest capital in automated recovery technologies and let the technology go to battle for them. Teams empowered by the latest technology won’t panic and pay the ransom. Automated recovery that uses a step-by-step workflow is at the heart of a modern approach to ransomware attack response. Once a network component is compromised, ransomware will look to spread; automated workflows raise the drawbridge to isolate network segments and prevent lateral movement and reinfection.

Automated recovery also mitigates the risk of human error and rushed decisions, which have the potential to cause a crisis down the line, such as lasting reputational damage. A company’s reputation is only as strong as the public’s confidence in its competency. In particularly damaging and high-profile cases, it is important to communicate the results of an internal investigation publicly. For company stakeholders, whether direct or indirect, transparency is key to maintaining their trust.

Step Three: Assess data integrity to regain control

Data is dynamite, and if it detonates the loss could be disastrous. Ransomware locks data in a safe that only the hacker can open. In some cases, ransomware has been planted by malicious actors and has hidden in plain sight for weeks or even months, spreading to data backups that ultimately become useless.

The majority of ransomware attacks today involve fileless techniques. With this in mind, organizations must carefully comb through backups following an attack to identify any uncompromised files and prevent re-infection, rather than restoring a backup wholesale and trusting that it is clean. Combining traditional approaches with modern automated detection ensures a robust strategy that covers all the bases when securing networks and keeping pace with the attack landscape.
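As an added example (not code from the article or from VMware), the backup triage described above can be made concrete by comparing a backup set against a manifest of SHA-256 digests recorded before the incident: files whose digest still matches are candidates for restore, files that have changed or gone missing are not, and unknown new files with near-random content are flagged as possibly encrypted. The manifest, the file contents and the 7.5 bits-per-byte entropy threshold are all constructed for this illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data (not from the article): SHA-256 digests recorded
# from a backup set before the incident, and the same set as found afterwards.
KNOWN_GOOD_HASHES = {
    "finance/q1.csv": hashlib.sha256(b"id,amount\n1,100\n2,250\n").hexdigest(),
    "hr/policy.txt": hashlib.sha256(b"Remote work policy v3\n").hexdigest(),
    "ops/runbook.md": hashlib.sha256(b"# Runbook\n1. db 2. app 3. web\n").hexdigest(),
    "legal/contract.txt": hashlib.sha256(b"Terms v1\n").hexdigest(),
}
CURRENT_BACKUP = {
    "finance/q1.csv": b"id,amount\n1,100\n2,250\n",          # unchanged
    "hr/policy.txt.locked": bytes(range(256)) * 4,           # renamed, high entropy
    "ops/runbook.md": b"# Runbook\n1. db 2. app 3. web\n",   # unchanged
    "legal/contract.txt": b"Terms v2\n",                     # edited, still plaintext
    "RESTORE_FILES.txt": b"constructed placeholder for a ransom note\n",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_backup(known_good, current, entropy_threshold=7.5):
    """Classify every path as intact, modified, missing, new or suspicious-new."""
    report = {}
    for path, expected in known_good.items():
        data = current.get(path)
        if data is None:
            report[path] = "missing"            # deleted or renamed by the attacker
        elif hashlib.sha256(data).hexdigest() == expected:
            report[path] = "intact"             # digest matches the pre-incident manifest
        else:
            report[path] = "modified"           # changed since the manifest; do not trust
    for path, data in current.items():
        if path not in known_good:
            high = shannon_entropy(data) > entropy_threshold
            report[path] = "suspicious-new" if high else "new"
    return report

def restorable(report):
    """Only files whose digest still matches the pre-incident manifest."""
    return sorted(p for p, status in report.items() if status == "intact")
```

Calling `assess_backup(KNOWN_GOOD_HASHES, CURRENT_BACKUP)` flags the renamed high-entropy file as suspicious and the edited contract as modified, leaving two files safe to restore; a real manifest must itself be stored offline or on immutable storage, since a manifest the attacker can rewrite proves nothing.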

Step Four: Get together to reflect on lessons learned

Teamwork is the bedrock of ransomware disaster recovery. A key attribute of any top-performing team is its ability to analyze critically, strategize creatively, learn from previous mistakes and set itself up for future business success.

Once a breach has been neutralized, it’s vital to get together and share learnings from the experience. This involves bringing together teams from all affected departments to ensure the recovery plan suits everyone and the learnings are taken on board. These sessions should be organized with an agreed agenda to ensure analysis is effective and cybersecurity procedures can be improved accordingly, closing any gaps. Combining this effort with lab and test environments to simulate recovery ensures teams are extra prepared for the bad guys coming their way. In the event that a compromise affects personal information, it’s essential that, under the GDPR, organizations report to the Information Commissioner’s Office and inform any affected individuals within 72 hours of the breach.

Sticks and stones don’t break bones when you plan ahead

Hackers always seem to be ahead of the curve, and ransomware deployment is a key weapon in their arsenal. It’s easy for businesses to be disoriented by the launch of an attack, as business destabilization impacts stakeholders throughout the organization. However, if recovery planning is integrated into core operations from the start, with investment in the latest detection and response technology and security best practice, organizations will be well placed to tackle the threats that come their way. With a robust recovery programme in place, teams may emerge from the fight with a scratch or two, but they are more likely to succeed in getting the organization back to business as usual.


Scott McKinnon is Field CISO at VMware EMEA. He is a Security Architect with over 20 years' experience designing and consulting on cybersecurity strategy.