Want to quickly recover from ransomware? Plan ahead

Security teams need to understand how the business will work when an attacker limits access to its systems.

When a ransomware attack hits a business, the recovery doesn't stop at the decision of whether to pay the ransom or not.

For businesses, the first post-hack step is to contain the attack. Evaluate systems that have been affected by the attack and then look to contain and limit that attack. Once it's contained, you may need to communicate with stakeholders.

Consider the recent Kaseya attack: After triaging and releasing a patch for on-premise customers, the company still had to mitigate the SaaS damage with a separate patch. Weeks after the attack, it's unclear if any backdoors have been exposed, prone to further attack.

With some hindsight, researchers are uncovering where Kaseya went wrong and what the company could've done differently to prevent the attack affecting 1,500 downstream customers. But for businesses watching the drama unfold as another company scrambles with a post-hack response, the lesson is to prepare for the worst.

The most critical factor is completely eradicating the threat from the environment, attempts to 'uninstall' or clean ransomware from systems is rarely successful.

Because of the sprawling damage, recovering from a ransomware attack can be pricey. The average total cost of recovery from a ransomware attack was $1.85 million in 2021, according to a Sophos report.

Post-attack recovery actually begins before a cyber incident ever occurs. Drafting an incident response plan, practicing response tactics and making sure the systems are in place for a full recovery should happen before the attack as a part of the recovery process.

Businesses that use the lessons learned from the incident and use them to not just restore services but improve their security policies, processes, tools and architecture will come outa of the incident with something positive if they maintain the improved security posture.

When an attack first happens, the security team will lead a business's incident response to contain the issue and stop the bleeding. Most of the time, the decryption will get the data back, but there's still the possibility of corruption and whether back-ups are available in the meantime to restore systems.

Then, the unknowns set in. Are we still vulnerable? Did we remove all of the malware and things that the attacker did from our network? It's a really long and drawn out process.

The challenge for businesses is managing the scale and scope of the attack. When attackers have access to the network, they take advantage of it to understand where the more important data is. The business has to determine how the attacker got in and also trace for any additional damage or unwarranted access.

'Plan, plan, plan'

For a strong post-hack comeback, planning is required.

The first step is, have a plan ahead of time. I know that sounds simple, but so many people don't do it. You need to understand how you're going to work if you don't have access to your systems.

In combination with a plan, good cyber hygiene across the business can be preventative and help quickly respond to cyberthreats. For example, businesses can roll out patches more quickly without a massive effort.

Because of the string of recent high-profile attacks up the supply chain, incident response plans and preparation now include vendors in the process.

Supply chain attacks have increased the focus on third-party risk management. Businesses need to not only manage security and risk in their own environment, but identify those critical vendors and assess security and risk related to those vendors.

If an organization has a strong incident response plan in place — and has spent time practicing it — they'll likely be more successful in the recovery. The business can begin to respond instead of using precious time to plan.

Plan, plan, plan!. It's worth it to a business to spend the money now on the preventative measures because ransomware can be incredibly destructive.

If you need assistance, let me know. Feedback is appreciated; contact me at [email protected]