How to Recover from a Ransomware Attack

Having the right cybersecurity solutions in place now will go a long way toward helping you recover from a ransomware attack later.

• By Patrick Luce
• Feb 07, 2019

The discussion of ransomware isn’t as common as it once was.

Instead, recent conversations around IoT, cloud security and cryptojacking have gained a lot of traction lately. They’ve essentially overshadowed ransomware, which was once a top-of-mind cyber concern. Regardless, the threat of ransomware attacks remains very real and very potent.

What’s most alarming about ransomware — a type of malicious software designed to block access to a computer system until a sum of money is paid — is that once unleashed, it can wreak havoc on any business or organization regardless of its size.

Having the right cybersecurity solutions in place now will go a long way toward helping you recover from a ransomware attack later.

False sense of security trap

System security threats of all kinds, including ransomware, are essentially one or a combination of the following motivators. When someone attacks your system, typically:

1. They’re trying to steal something of value from your business or organization.
2. They're trying to steal something of value from your people.
3. They're trying to prevent you from accessing systems that are valuable to you so that you'll pay a ransom to gain that access back.

With their security technologies in place, many businesses or organizations are lulled into a false sense of security about ransomware thinking they’re fully protected with antivirus measures. What they fail to understand though is how a ransomware attack can penetrate even the most seemingly well-prepared defenses. With ransomware, there are many points of entry, and only one has to work for the attacker.

Backup systems are vulnerable as well

Even backup systems themselves are vulnerable. When a VectorUSA client was hit with SamSam ransomware in 2018, the client lost 200 servers within 30 minutes and all of their backups. This attack was so effective because SamSam is ingeniously designed so victims can’t recover quickly because their backup systems were wiped out first.

While there is no single technology available to prevent all ransomware attacks, there are proactive measures you can take. Starting with basic blocking and tackling, it’s critical that you minimize your “attack surface.”  Next, your IT systems need to be segmented so when a ransomware attack does occur, you can easily isolate the damage and recover quickly. Finally, your backup systems have to be immune from the attack and be available in a reasonable amount of time to recover.

The larger your organization, the more scale comes into play. If, for example, your own organization has 200 servers in-house and your backup system is in the cloud, consider how long it will take to recover your data to rebuild those 200 systems.

Ransomware is growing in complexity

One of the most disturbing aspects of the threat from ransomware is its explosive growth in complexity over the past few years. Hacking has evolved into producing sophisticated organizations that offer help desks, toll-free phone numbers and more. Frighteningly, it all works very well.

And don’t think that these organizations only target large enterprises. Small businesses generating less than a million dollars a year are just as vulnerable.  And attacks on them can be very targeted by a very talented attacker.

For instance, if a hacker living in an area where $3 an hour is a common wage invests an entire day targeting a company in order to obtain a $10,000 ransom, their potential payoff is huge.

There’s no doubt that if you’re not properly prepared, recovering from a ransomware attack will be difficult. You’re essentially limited to two things:

1. Identify the source of the attack and make sure that the attack is stopped.
2. Identify the key systems that will put you back in business or your organization back in operation, and what you need to do to recover.

But what may first appear as the most obvious systems required to remain in operation may actually be different than you might expect.

Determining what’s most important

In school districts, for example, many leaders identify payroll and student information systems as the most critical to keep their schools open. However, from an operational standpoint, that’s not necessarily the case.

Beyond a ransomware attack, if the school district were to suffer some kind of calamity or other disruptive event, many school districts can keep open without their payroll or student information system for a surprisingly long time. What the district couldn’t immediately operate without are transportation and food services, not to mention plumbing.

When you carefully examine IT systems that support overall operations, emotions need to be taken out of the equation before and after a ransomware attack. Three top-level concerns when in recovery are to determine:

1. What’s been lost while identifying the quickest way to keep schools open.
2. The bare minimum system requirements needed to resume operations and a recovery plan to restore those systems.
3. The plan for avoiding a secondary attack. Should you decide to pay the attacker’s ransom, which some school districts do, your recovery may be promptly followed by another ransomware attack. 

Prepare now to fully recover later

If you’ve never been a victim of ransomware, consider yourself fortunate. But don’t let your guard down. Rather than waiting until after an attack happens, the best time to seek counsel on such threats and how you can prepare to effectively recover is before an attack happens.

Talking to someone who's actually worked with businesses and organizations that have been through ransomware attacks, and who understands how attackers think, will provide you a better perspective on what you need to protect yourself.

By setting up basic security technologies and sound management processes now that will limit your ransomware exposure, you’ll be much better prepared to stay in business or operation should you become a victim of a ransomware attack.