What Businesses Need to Know About Ransomware Removal and Recovery

Ransomware is a major threat for businesses of all sizes. According to figures from Statista, there were more than 623 million of these attacks in 2021, and the average cost of a ransomware payment reached $541,000 last year – though this only accounts for a fraction of the total cost of these incidents. This correlates with confirmed attack statistics by BlackFog, which saw a record number of attacks in 2021 and 2022.

Therefore, preventing ransomware from causing harm must be a top priority. But while efforts to prevent ransomware entering a business in the first place are vital, it’s also crucial that firms have a strong response plan in place should their first lines of defense fail.

A clear strategy for ransomware removal and recovery can help minimize the costs and disruption associated with these incidents, prevent data from being exposed and reduce the chances of cybercriminals returning for repeated attacks.

Prevent and Recover From a Ransomware Attack

Prevention is better than cure, as the old saying goes, and this is especially true in the case of ransomware. A cyberattack such as this can be especially devastating if it destroys or exfiltrates valuable data.

In worst-case scenarios, this could completely prevent the business from operating, while even if firms are able to get up and running again, the costs of doing so can be prohibitive. In fact, almost a third of ransomware victims in the US never recover and are forced to shut down for good.

Are You The Victim of a Ransomware Attack?

One of the biggest problems for many firms is that they do not even realize they are under attack until it’s too late. Especially in the current environment, where data exfiltration and extortion play a key role in getting firms to pay up, hackers could be inside your network stealing valuable data unnoticed for months before making a ransomware demand.

By this time, the damage has already been done. Therefore, the best way to prevent ransomware threats from causing harm is to have a defense-in-depth approach that covers every part of your network and emphasizes data security.

Can You Scan For Ransomware?

The best way to defeat a cybercriminal once they’re in your network is to conduct constant monitoring of your systems to look for any telltale signs that you’ve been infected by malware seeking to exfiltrate or destroy digital assets. Advanced data protection solutions should not only include strong access controls, but also look at all traffic leaving the network in order to spot anything suspicious.

This can be a good way of spotting an attack in progress, as while threat actors will go to great lengths to disguise their activities within a business, sooner or later they will have to exfiltrate data. Unusual traffic volumes, unknown destinations or file transfers outside of working hours are just some of the ways these efforts can be automatically identified and blocked.
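The three signals named above (unusual traffic volumes, unknown destinations, transfers outside working hours) can be checked mechanically against egress flow records. The following is an added example, not part of the original article or of any vendor's product; the record format, allowlisted range, working hours and volume threshold are all assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed policy values (hypothetical; tune to your own environment).
KNOWN_DESTINATIONS = [ip_network("203.0.113.0/24")]  # approved egress range
WORK_HOURS = range(8, 19)   # 08:00-18:59, Monday to Friday
VOLUME_FACTOR = 10          # alert when a flow is 10x the host's median
MIN_HISTORY = 2             # flows needed before volume is judged

# Constructed sample egress records: timestamp,source_host,dest_ip,bytes_out
SAMPLE_FLOWS = """\
2024-03-04T10:15:00,ws-014,203.0.113.20,48213
2024-03-04T11:02:00,fs-01,203.0.113.45,1200344
2024-03-04T14:40:00,fs-01,203.0.113.45,1350000
2024-03-04T16:05:00,ws-014,203.0.113.20,51877
2024-03-05T02:13:00,fs-01,198.51.100.77,912000000
2024-03-05T09:30:00,ws-014,198.51.100.9,30500
2024-03-05T23:50:00,ws-014,203.0.113.20,47000
"""

def detect(flow_text):
    """Return [(timestamp, host, dest, [reasons])] for suspicious flows."""
    history = defaultdict(list)  # per-host sizes of flows not flagged for volume
    alerts = []
    for line in flow_text.strip().splitlines():
        ts_raw, host, dst_raw, size_raw = line.split(",")
        ts, dst, size = datetime.fromisoformat(ts_raw), ip_address(dst_raw), int(size_raw)
        reasons = []
        past = history[host]
        if len(past) >= MIN_HISTORY and size > VOLUME_FACTOR * median(past):
            reasons.append("unusual volume")
        else:
            past.append(size)  # only normal-sized flows extend the baseline
        if not any(dst in net for net in KNOWN_DESTINATIONS):
            reasons.append("unknown destination")
        if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            alerts.append((ts_raw, host, dst_raw, reasons))
    return alerts

if __name__ == "__main__":
    for ts, host, dst, reasons in detect(SAMPLE_FLOWS):
        print(f"{ts} {host} -> {dst}: {', '.join(reasons)}")
```

A flow that trips all three checks at once, like the 02:13 transfer from the file server in the sample, is the kind of event worth blocking automatically rather than only logging.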

What Should I Do If a Ransomware Attack Has Hit My Company?

If you do fall victim to ransomware, there are several steps you need to take immediately, before even considering whether or not to pay a ransom. The first must be to isolate any infected systems and ensure any devices are physically disconnected from the rest of the network.

Shutting down systems is even more important as the tactics used by ransomware groups evolve. For instance, one increasingly common tactic is to use data destruction tools to permanently corrupt or delete files once they have been exfiltrated.

Ensuring that any backups are protected and isolated is also a vital part of successful disaster recovery, as ransomware authors are increasingly looking to target and infect these before making their presence known.

Can Ransomware Data be Recovered?

In some cases, it may be possible to use decryption tools to recover compromised data. While the technology used by ransomware groups is usually very tough and impossible to crack without the key, there may be options available. However, none of them offer a guarantee of success, so they should not be relied on as a viable disaster recovery solution.

One option may be to turn to law enforcement for help. If the attack uses an older strain of malware, it may already have been broken or have keys publicly available. For example, Europol offers tools that can help decrypt 165 ransomware variants, including Gandcrab, REvil/Sodinokibi and Maze/Egregor.

Ransomware recovery is a very complex process, however, and it may not always be possible to fully restore data. As such, it should only play a partial role in any ransomware protection strategy.

Should Companies Pay After Ransomware Attacks?

The most important question when receiving a demand is whether to pay in order to recover data or prevent exposure of sensitive files. In principle, the best choice is always to refuse to pay ransomware gangs, as doing so only encourages further attacks. But this is far from a simple decision for many companies.

A Ransomware Infection has Occurred: What are Your Options?

In some cases, risk assessments may determine that the continued disruption that will occur if firms don’t pay up will end up costing more than the expenses associated with a ransom. This may be especially the case for organizations working in highly sensitive areas like critical infrastructure or those who are worried about top secret materials being publicly exposed.

Making a payment is not a decision that should be taken lightly. Before doing so, firms should discuss their options with law enforcement and their ransomware insurance provider, who are likely to advise against this course of action.

The best advice is not to pay. Indeed, the UK’s National Cyber Security Centre highlights four key reasons why handing over money is a bad idea. These are:

  • There is no guarantee that you will get access to your data or devices
  • Your devices will still be infected
  • You will be paying criminal groups
  • You’re more likely to be targeted in the future

What are the Chances the Data Will be Released After the Ransom is Paid?

One reason to be wary of making a ransom payment is that this does not necessarily mean you’ll actually get all your data back. In fact, there are many occasions where ransomware authors have simply disappeared with the money without holding up their end of the bargain – which should not come as a surprise.

Research by Veeam found that among firms that did hand over ransomware payments, only around half (52 percent) were able to recover all their data, while 24 percent were unable to recover any of their digital assets.

Even if you do receive the data recovery tools you need to release any ransomware-encrypted files, actually going through and recovering files can be a lengthy and expensive process.

What’s more, this only covers files still on your systems – who knows what criminals will do with data they’ve already exfiltrated. They will have little reason to delete it from their own servers when they could continue to make money by selling it on the dark web, for instance.

How Can You Prevent Repeated Ransomware Attacks?

If you want to ensure you don’t become a victim of repeated ransomware attacks, the best strategy is not to pay. Research has shown that once a payment has been made, this often acts as a green light for future attacks, as ransomware groups will be quickly aware that they have found a profitable target.

Cybereason suggests that 80 percent of companies that pay up the first time will be targeted repeatedly, with 70 percent of those that pay up twice facing a higher ransom the second time.

Therefore, refusing to play along is by far the best way to prevent future attacks. While some ransomware authors have political goals or just want to sow disruption, the vast majority are financially motivated, and if they know they won’t get paid, they’re likely to move on to other targets rather than waste their time.

How Long Does it Take to Recover From a Ransomware Attack?

Whether you pay or not, a ransomware incident can have repercussions for months or even years to come. Removing ransomware from devices, rebuilding and improving systems and regaining lost business and reputation take time and money. Therefore, a thorough recovery plan is vital to minimize the pain.

Should Systems That Have Been Attacked by Ransomware be Used Again?

Devices and systems that have fallen victim to ransomware can be used again, but only after a comprehensive ransomware removal program has been completed. This should usually involve a complete system restore to ensure all traces of the malware are gone. Until this has been completed, it’s essential that any infected systems and devices are isolated.

Even so, it’s likely that firms will have to invest significant resources into hardening systems, networks and devices against future attacks, which may mean it is more economical in the long run simply to replace infected hardware.

What Can You Do if You Don’t Have a Backup of Your Data?

The worst-case scenario for any business will be data destruction of materials where no backups exist – or incidents where backup data has also been compromised. It is in these situations that the most damage can be done and the business will be most at risk of failure.

Unfortunately, if firms haven’t taken the right precautions ahead of time, there is often little they can do to make a successful data recovery, short of hoping that decryption keys will be available. If this is not the case, firms face the very real prospect of having to start from scratch – emphasizing the importance of proactive prevention tools rather than a reactive ransomware response plan.

With criminals placing an increasing focus on data destruction as a tactic rather than simply encrypting files, having a strong prevention plan must be a top priority. Whether it’s perimeter protection to spot malware and block phishing attacks at the source or anti-data exfiltration tools that can prevent data leaving the business, a full ransomware defense plan needs to focus on continuous data protection at every touchpoint.

How Much Does it Cost to Remove Ransomware?

Once ransomware has infected your system, removing it will be a lengthy and expensive process, regardless of whether or not you pay. Even if you do pay, total costs can add up to as much as ten times the ransom itself, according to recent figures, which noted that in 2021, the total average remediation cost for ransomware rose to $1.85 million.

Other contributors to the cost of recovery include business downtime, lost orders and operational costs, such as employing cyber security experts to strengthen defenses. Decrypting and recovering data is only the start.

A major challenge is that even the definition of a ransomware attack is changing. While once a recovery may have been a case of restoring an encrypted file or computer, firms now have to deal with the fact that sensitive information such as financial, operational or personal data will be in the hands of criminals and out of the company’s control. At the same time, evolving data destruction tactics make ransomware data recovery harder than ever.