Ransomware Recovery: What do Firms Need to Know?

For most firms, it is a case of when, rather than if, they will come under attack from ransomware. Over the last few years, this form of cyberthreat has grown from a relatively niche activity to one of the leading risks for firms of all sizes.

Naturally, prevention is better than cure. With a strong defense in depth approach that covers everything from firewalls and email security through to anti data exfiltration (ADX) technology, organizations can minimize their risk. But even the best systems cannot guarantee 100 percent success and issues such as human error remain major causes of problems. 

Therefore, it pays to have a comprehensive disaster recovery plan in place that includes a specific strategy for dealing with a ransomware attack.

Ransomware is a hugely costly problem for businesses, both financially and in terms of the impact it can have on a company’s reputation. It affects firms of all sizes across every industry. Therefore, it’s essential organizations know what to expect should they encounter this issue and have a plan to deal with it.

In a traditional ransomware attack, once malware gains access to a network (most often injected via email) it seeks out and encrypts critical files or systems that make essential operations impossible. This could involve key database entries containing customer or operational data or vital startup files that are necessary to boot up a device. The ransom is then demanded in exchange for the decryption key needed to restore access.

However, the vast majority of modern ransomware attacks now also seek to exfiltrate data. This stolen information is then used as further collateral to incentivize victims to pay up. The added threat of having confidential business or customer information released publicly or sold on to other criminals can often be a highly effective way of extracting a ransom, whereas with more traditional attacks, a well-prepared company would often be able to ignore the demand and revert to backups.

The time taken to get back up and running again following a ransom attack will depend on a number of factors. Key elements include how comprehensive a firm’s backups are and how quickly they will be able to restore them. The size and complexity of the infected systems and the amount of IT resources available also have an impact.

According to Statista, the average duration of downtime following a ransomware attack in 2022 was 24 days. This was up from 15 days in 2020 and shows how attacks are becoming more sophisticated and harder to resolve – again illustrating the need for an effective ransomware protection and data recovery plan.

Firms that fail to prepare for ransomware attacks run the risk of permanent damage. If critical files are unable to be restored from backups, this could force businesses to pay a ransom in order to maintain operations – which can only lead to more problems in the long-term.

In some worst-case scenarios, failure to have a recovery process in place can make it impossible for an organization to keep operating, especially for those already running on limited resources. One study estimated as many as 60 percent of small companies go out of business within six months of a data breach or cyberattack. 

Examples of organizations that have failed to recover from ransomware include foreign exchange firm Travelex in 2020 and transport company KNP Logistics in 2023, which filed for bankruptcy three months after falling victim to ransomware.

BlackFog’s 2022 State of Ransomware report found that last year, the average ransom paid out by victims reached $258,000 – an increase of 13 percent in just six months. However, this only tells half the story. Even if firms do pay up in order to ensure a speedy resolution, there will be a wide variety of additional costs to take into account – and these can be even higher if firms have to enact a ransomware recovery plan without access to decryption keys.

The job is not done when systems are up and running again. An essential part of the process is investigating what went wrong and implementing new security measures to prevent a future attack. These investments are often made in haste and, if not planned and optimized carefully, can be hugely expensive with no guarantee they will be effective. 

Many ransomware attacks expose critical weaknesses in IT infrastructure, which may require firms to rebuild significant elements of their systems and ensure they are free from malicious code. For large-scale attacks, this can be hugely expensive. For example, some estimates suggest that the high-profile SolarWinds hack in 2021 cost as much as $100 billion to fully resolve, after upwards of 18,000 companies were affected.

One of the first questions any business must answer after receiving a ransomware demand is whether or not to pay. This is often not an easy decision. On the one hand, many firms may calculate the potential losses from an extended period of disruption will cost far more than a ransom itself. However, it could also open a business up to a range of long-term consequences.

For many firms, the main reason for handing over a ransom is to keep any disruption to a minimum and return to normal operations as quickly as possible. This matters as even short periods of downtime can be hugely costly in today’s digital-first world. 

If encrypted or destroyed files render a firm’s system completely inoperable, downtime could cost firms anywhere from $100,000 an hour to $5 million or more. If it will take an extended period to get backups working, a ransom can start to look like a relatively cheap option.

Another factor may be reputational. If firms fall victim to double extortion ransomware, where a hacker threatens to release damaging or private information if they aren’t paid, this can be a strong incentive to pay up in order to avoid negative publicity or regulatory scrutiny. Hackers are well aware of this, which is why the majority of today’s ransomware attacks include a data exfiltration element.

One of the main negatives of paying a ransom is that it marks your business out as a worthwhile target. Once criminal gangs know that a firm is willing to pay up, this greatly increases the chances they’ll be targeted again. Indeed, one study found 80 percent of businesses that paid a ransom were attacked a second time. Future ransomware attacks often demand more money than initial incidents as criminals know firms are willing to pay.

There is also the fact that paying up does not guarantee you’ll get all your data back. Figures from Statista show that in 2023, more than a quarter of victims did not recover all their data. This can leave you both out of pocket and still facing the costs of disruption, so it’s a gamble that is often not worth taking.

Law enforcement agencies around the world all caution against paying a ransom. For example, the Cybersecurity and Infrastructure Security Agency (CISA) states:

“Paying [a] ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, MS-ISAC, and other federal law enforcement do not recommend paying [a] ransom.”

The UK’s National Cyber Security Centre offers similar advice and also warns against funding criminal groups. Indeed, most ransomware authors are now part of highly organized gangs and may even be backed by hostile nation states. Previously, the US Department of the Treasury has warned that paying ransoms to such entities may be unlawful if they are subject to sanctions.

Sooner or later, it’s likely every business will come under ransomware attack. However, there are steps you can take to minimize your exposure and ensure that, even if hackers do bypass your first line of defense, they will be unable to do serious damage.

The first step is to have a formal, written ransomware recovery plan that spells out exactly what should be done once a ransomware attack is spotted. Early detection is often the key to defending against ransomware. If it can be identified and acted on before hackers have a chance to remove data, the damage can be minimized. 

A good recovery plan should include details about all of your digital assets and which are the highest priority for protection. This includes plans for how you control access to critical data, what monitoring measures are in place to spot unusual activity and a step-by-step guide for what to do upon discovery of a ransomware infection.

A ransomware recovery plan is about more than just data protection measures. It should also be clear on who has overall responsibility for taking charge of an incident response strategy and what the role of each member of the data security team will be.

Having this laid out clearly also helps ensure firms remain compliant with local data protection laws such as the EU’s GDPR. These regulations will set out requirements for a data controller, who should usually be the same individual managing the response and recovery strategy. They will also be the person responsible for making any required disclosures should a data breach occur. Failing to do this can have serious consequences, with authorities having the power to levy large fines, or even bring criminal charges.

When it comes to recovering encrypted files without paying a ransom, this can often prove difficult. This is why it is so important to have an effective data backup plan. Ideally, snapshots should be taken as often as possible in order to minimize data loss. However, backups must be restored carefully.

Hackers are well aware of how backup data can be used to avoid paying ransoms, so often take steps to combat this strategy, such as by targeting these solutions directly. Therefore, you need to act carefully to ensure these files aren’t also compromised, as well as fully remove any malware from your systems before you restore any backups to avoid them immediately being targeted.

If you aren’t able to rely on backups, there may be little that can be done. While law enforcement agencies do take down hacking groups and recover keys, which can then be made publicly available via decryption tools, this isn’t something you can rely on. Without the right key, firms may be forced to start from scratch, which is a major reason why a successful ransomware attack can be so damaging.

As noted above, the best way to ensure that you aren’t subject to repeated attacks is not to pay up. Hackers will be less motivated to try again if they encounter resistance, whereas getting paid will only provide more incentives. However, firms should also be taking steps to identify how they fell victim and address any weak spots in their systems.

This should involve a full forensic audit and review of systems to identify what went wrong. Was the breach due to an unpatched system? A configuration error? A social engineering attack?

For smaller firms, this may involve bringing in outside specialists, which can prove expensive. However, if firms have comprehensive cyber insurance coverage with provisions for ransomware, they may be able to claim back many of the direct expenses involved in these activities.

Double extortion ransomware is the most dangerous type of threat many businesses face. In this case, even if companies are able to use solutions such as continuous backup tools to complete a system restore and minimize downtime, once sensitive data is in the hands of criminals, there will be little they can do.

To avoid this issue, it’s vital that firms take steps to stop data exfiltration before it occurs. With the right ADX tools, companies will be able to use machine learning to identify what normal activity looks like and automatically block any unusual behavior that can indicate a hacker attempting to send data back to its command and control center.

This ensures that even if hackers do gain access to your systems, they won’t be able to steal the critical data they need to run a double extortion ransomware attack. By adding these solutions to every device on the network, firms can ensure they have a solid last line of defense that can remove the need to enact a last resort ransomware recovery plan.