Ransomware recovery: How to protect your data in the event of an attack

Time and time again, ransomware is the spark that motivates businesses to examine and reinforce their cybersecurity measures. The proliferation of widespread attacks makes recovery more costly and time-consuming than ever. Ransomware-infected businesses face debilitating downtime and operational disruption that cause a raft of challenges, including lost revenue, diminished productivity, customer distrust, regulatory fines and irrecoverable data loss. Some organizations may be subject to legal proceedings and class-action suits as a result of an incident. 

For victims, the ramifications of an attack span reputational, operational and financial harm. In some cases, the cost of organizational downtime outweighs the ransom payment demand. This unforeseen downtime can put a huge damper on productivity. Employees struggle to maintain normal performance without access to applications and data while all organizational efforts have shifted to focus on recovery. Another factor that contributes to high recovery costs includes the need to hire outside expertise. The typical midmarket or small business works with a resource-constrained IT security team and may lack the security talent and bandwidth to rebuild and implement their security infrastructure. Recognizing these limitations, small and medium-sized organizations frequently decide to outsource ransomware recovery altogether. 

According to IBM, the average cost of a data breach hovers at $4.45 million. What factors contribute to the multimillion-dollar cost of ransomware recovery? Aside from downtime and the resources required to carry out ransomware recovery, there are other variables that contribute to skyrocketing recovery costs. These variables include legal implications due to impacted clients, lawsuits from shareholders and compliance violation fines. 

Ransomware recovery plans ensure an organization’s preparedness against an attack. The plan outlines procedures, standards and policies that the company should take to mitigate operational disruption and damage caused by ransomware. The most effective ransomware recovery plans include an incident response plan, detection and analysis, and data backup and recovery. 

At Acronis, we recommend following these 12 steps for ransomware response. Within these steps, there are five core principles for recovery. To ensure successful recovery from ransomware, organizations should: 

Businesses should consider keeping a physical copy of essential internal and external contacts, names, phone numbers and email addresses. Online records might be rendered inaccessible during a ransomware attack. Additionally, thoroughly establishing and testing alternative internal communication methods such as social media apps or organizational messaging apps will help ensure key stakeholders can be reached if usual systems become inoperable. Within an effective IRP, developing an organized communication strategy that maps which teams need to be informed during an active ransomware attack will make certain the appropriate individuals are informed as events may escalate. This includes IT and security operations professionals, executive leadership, legal and compliance teams, impacted partners and customers, the press and the public, regulatory authorities and investors. 

Modern businesses can supplement traditional signature-based antivirus software by implementing enhanced anti-malware measures. An endpoint detection and response (EDR) solution that utilizes machine learning and AI to detect suspicious activity (including ransomware-like behavior) helps IT security experts proactively detect malicious patterns sooner. Neglecting to take a behavioral-based detection approach makes it impossible to detect zero-day malware and other sophisticated attacks that manage to elude perimeter security and signature-based anti-malware measure. 

One of the recovery benefits of EDR is that cybersecurity analysts can evaluate collected EDR data to better understand cybercriminal techniques, analyze the intrusion and identify infected machines. This data is pivotal to performing the appropriate incident response activities and can be used to prevent similar attacks in the future. 

Whether a company is impacted by natural disasters, cyberattacks or human factors, disaster recovery is vital to returning operations to normalcy. Traditionally, it can take days to weeks to restore mass amounts of backed-up data, resulting in serious delays that prevent businesses from returning to normal operations. Following a ransomware attack, disaster recovery enables companies to immediately resume operations by switching over to malware-free replicas of data and applications maintained in the cloud. Equipped with disaster recovery, organizations are far more resilient against outages and unforeseen disruptions to their business. Additionally, the concept of disaster recovery as a service (DRaaS) offers small businesses the same business continuity benefits while remaining cost effective and simple to manage.   

Back up critical data frequently and regularly 

By implementing an enhanced data protection regimen, companies acknowledge the strong likelihood of successful breaches and prioritize creating a safety net against data loss. As a final attempt to defend valuable data, companies can rely on recent backups to resume business operations and avoid paying the ransom. However, criminals recognize that backups are a mainstay of data protection and commonly target backup archives for exploitation. To counter these attacks, data encryption is vital to maintaining malware-free backups, and it’s recommended that data copies be stored in multiple alternative locations. Whether organizations prefer on-site, off-site or hybrid backups, the location will depend on the individual business’s needs, budget and protection strategy. 

There are a multitude of vulnerabilities that lead to data loss. These vulnerabilities are typically exploited by adversaries and allow them to gain unauthorized access to networks. 

Here are a few common security vulnerabilities that should be on every company's radar: 

• Known but unpatched software vulnerabilities. 
• Loosely assigned privileges or excess privileges. 
• Lack of multi-factor authentication (MFA). 
• Natural disasters such as earthquakes, floods, hurricanes, tornadoes and blizzards. 
• Human error. 
• Poor physical security. 
• Unrestricted bring your own device (BYOD) policies. 

As a last line of defense, adopting a 3-2-1 backup strategy is one of the most effective ways to safeguard data against security vulnerabilities. The 3-2-1 strategy ensures that organizations have three copies of valuable data with one copy stored locally and two copies kept off-site. By dispersing secure backups in both local and offsite locations, businesses significantly reduce the risk of data loss regardless of the location or cause — including natural disasters, human error and cyberattacks. 

Taking precautions to actively reduce exposed vulnerabilities not only strengthens security posture, but also shows clients, compliance regulators and cyber insurance underwriters the organization is focused on reducing cyber risk and protecting sensitive data. Companies can identify security weaknesses through conducting a comprehensive risk assessment that will pinpoint data exposures and empower IT security leaders to examine weak points in the infrastructure. 

Additionally, performing regular data audits helps stakeholders understand the types of data being collected, stored and shared on a daily basis and identify who should have access to it. This enables organizations to bolster areas of protection where measures may be lacking. 

Following a ransomware attack, an organization’s immediate actions will be crucial to minimize damage and ensure swift recovery. At Acronis, we’ve outlined three immediate steps companies should take in the wake of an ongoing ransomware attack. 

Step 1: The first step is to isolate the infected systems from the network to stop the spread of the ransomware. This involves disconnecting affected devices from the internet and other network connections.  

Step 2: Next, refer to the company’s IRP to establish clear communication within the organization and make sure proper individuals are notified. This includes communicating with relevant stakeholders, such as IT teams, management, legal departments and executives about the attack. Effective communication is key to coordinating successful incident response and enables prompt decision making.  

Businesses should consider legal and regulatory compliance obligations. This involves reporting the incident to the appropriate authorities. Adhering to legal and regulatory obligations helps maintain trust and transparency with customers and partners and can reduce the exposure to regulatory sanctions.  

Step 3: Finally, the company should shift its focus on recovery efforts, which may involve restoring systems from backups, engaging with cybersecurity experts for assistance, closing security gaps and implementing improved security measures to prevent future attacks. 

In many larger organizations, cybersecurity operations and IT operations are organized as two separate branches of protection with their own leadership, staff, budgets and tools. But there is a growing recognition of the value of more tightly integrating cybersecurity and data protection to help reduce the probability of successful ransomware attacks and more quickly and cost-effectively recovering from the ones that do succeed.  Benefits include the ability to scan backups and disaster recovery replicas for known vulnerabilities and malware before they are used in a failover or recovery options (to ensure that the issues that led to the attack are not reintroduced in the recovery process), and better collection and analysis of post-attack forensic data to drive changes that might prevent similar attacks from recurring.  

Integrated cyber protection is a cornerstone of multilayered defense. At Acronis, we define integrated cybersecurity and data protection as “cyber protection.” The key benefits of integrated cyber protection include: 

Integrated cybersecurity and data protection empowers organizations with enhanced visibility over their infrastructures. This minimizes potential management and reporting gaps between defense-in-depth measures spanning EDR, endpoint anti-malware, vulnerability scanning and patch management, and backup and disaster recovery.  

Integrated cyber protection simplifies management processes by centralizing policy creation, configuration, monitoring and administration in one place. Security professionals can operate more seamlessly, reduce complexity, improve efficiency and save time. 

In the event of a ransomware attack, time is crucial to minimizing the impact of damage. Integrated cyber protection enables security teams to investigate, analyze and triage more readily when they have eyes on all aspects of security and data infrastructure. Integrated cyber protection gives them the ability to quickly identify affected assets, including malware-infected backups, endpoint devices, servers, VMs and workstations, easing isolation of unaffected systems from the attack and narrowing the response focus to infected systems. 

Integrated cyber protection can help organizations to better satisfy compliance requirements and align with industry regulations. Organizations that demonstrate a commitment to data protection and privacy and show proactive cybersecurity measures to safeguard critical data, are likelier to qualify for cyber insurance to help defray ransomware recovery costs and receive more lenient treatment from regulatory authorities. 

Integrated solutions can lead to cost savings in the long run. By consolidating security tools and technologies, organizations eliminate redundancies, reduce licensing and maintenance costs and optimize resource allocation. Moreover, the prevention of data breaches and security incidents saves organizations from potential financial losses, reputational damage and unwanted downtime. 

As businesses move toward vendor consolidation, the integration of cybersecurity and data protection offers improved security, operational efficiency, and financial advantages. Amid rising overhead expenses, we predict that security technology consolidation will continue to gain traction, helping businesses secure their infrastructure to protect their data and uptime against an increasingly complex array of cyberthreats. 

Acronis Cyber Protect consolidates cybersecurity, data protection and management to enable businesses to meet cyber insurance qualifications, comply with industry regulations and fortify cyber resilience at an accessible price. The solution empowers businesses to centrally manage, provision and scale cybersecurity, backups, recovery and endpoint management on a single console — eliminating the resources and time wasted in managing an array of individual tools.