3 Ways to Improve Your Ability to Recover From Ransomware

‘It is not a matter of if, but a matter of when’ is becoming a familiar refrain whenever anyone discusses a ransomware attack. Regardless of the size or industry of the company, whether public or private, U.S. or international, all are susceptible. And it’s not just because of the sheer volume of ransomware attacks but also because of the types of attacks.

Cybercriminals are becoming increasingly clever and changing their tactics to take advantage of current conditions and compel quick action from victims. This behavior has taught us that we need to be more vigilant in preparing for the inevitable event of an insidious attack. In many instances, we’ve become too complacent with our preparedness initiatives. The ever-present news coverage and media exploitation of impactful ransomware attacks globally has left us desensitized to the point of apathy and fatigue. In turn, this has caused users to become lax in keeping track of emerging threats and has put increased pressure on security teams to shore up their digital safety.

Add to that the increasing number of companies that simply pay up because they can’t afford to lose their data, and this is exactly the type of behavior that encourages threat actors. They’re becoming more certain that their efforts will be rewarded as they secure one ransom after another. 

What Does an Effective Ransomware Recovery Strategy Look Like?

There is a long list of items that we could look at. However, we’ve identified the top three fundamental ways in which companies can address their ransomware readiness and be prepared to recover when faced with a ransomware attack.

You must first have a simple vocabulary for your organization to discuss and assess your preparedness. It won’t help if you get bogged down in jargon and drown executives and team leaders in buzzwords.

This seems like a simple concept but is easier said than done. The most important thing to remember is to identify the problem, define/develop a strategy and implement a plan of attack. When having these difficult conversations, you should consider the following:

1. Prevention:

  • Secure the people you want on your prevention team.
  • Understand your business data and how important it is.
  • Identify the services needed to help with prevention.

2. Detection:

  • Keep an eye out for phishing attempts, malware and anomalies, and be mindful of any unusual or suspicious activity.
  • Identify the existence of malware that might already be lying dormant in your systems.

3. Recoverability:

  • Have the confidence to adopt a mindset that you will recover from a malware/ransomware attack.

However, when it comes to recoverability, you must go deeper into your preparedness assessment and ask yourself these questions:

  • What is my current approach? Is it too traditional?
  • Am I safe?
  • Do I have a readiness plan in place?
  • Should I invest more money in recovery?
  • What are the main areas requiring focus?
  • Do I have the tools in place to streamline the conversation; for example, security scorecard ratings, R-SAT, Microsoft Secure Score, etc.?
  • Do I have threat monitoring services in place for detection?
  • Have I taken the R-Score assessment and listened to the recommendations?
  • Have I identified the key topics to determine recovery readiness?
  • Do I have best practices in place to assure the right data sets are being protected with the right data protection SLOs?
  • Is my backup solution/service resilient to attacks?
  • Do my security and networking practices safeguard backup traffic and infrastructure against ransomware?
  • Is my organizational readiness and recovery process resilient enough?
  • What about organizational readiness and operational readiness to handle recovery to secondary or tertiary locations in case of impact on production?

A Ransomware Recovery Plan is not the Same as a Disaster Recovery Plan

A common misconception is that a ransomware recovery plan and a traditional disaster recovery plan are the same. The plan many companies have to recover in the event of a natural catastrophe or another type of incident or malfunction is, often, the same one they use to respond to a ransomware attack. This is a compounded disaster waiting to happen; these two things are not the same. All recoveries are not created equal.

So, what makes the two recovery plans different? Just as the names suggest, the recovery demands for each will differ based on circumstances and/or events.

Data protection and disaster recovery (DR) are among the most pressing and convoluted issues in IT infrastructure. In the unforeseen event of a natural disaster or human error, data needs to be quickly copied and restored from multiple sources. DR consultants may have implemented successful strategies in your organization already, but the data can be compromised and diluted during the recovery process. Do these DR strategies protect you against a ransomware attack? If you were a cybercriminal, would you want to copy compromised data?

The answer to both questions is a resounding “no.” Yes, ransomware recovery strategies require the same sense of urgency and demands as your disaster recovery plan. In fact, ransomware should also be treated as a disastrous event. However, unlike disaster recovery, ransomware recovery is triggered by a threat or criminal activity. The primary goal of a successful ransomware recovery plan should focus on business restitution without the loss of business continuity. Understand what it means to fully back up your data and have the capabilities to fully recover your data without having to pay a ransom.

Of course, there are similarities, too. With flexible recovery options available at any time—including recovery into public clouds, recovery from offsite copies and the ability to recover from point-in-time—both ransomware and disaster recovery plans have similar backup requirements needed for attack prevention.

Do you know the difference?

Not all Data is Created Equal

Not all of your data is equally critical for your business. It’s important to identify and prioritize critical applications/data.

Much like all recovery is not created equal, not all data that is needed to run a business is created equal either. When it comes to your applications and data, there are differences in the order of importance. Core applications and data have different value for different reasons. So, which data and applications should you bring back first, post-incident?

Here are three thoughts to consider:

  1. Core infrastructure like Active Directory and DNS is essential for any of your other applications or services.
  2. Categorize or tier your applications and data.
  3. Align SLOs for the different data tiers and match them up with your business objectives.

Again, it’s not a matter of if you’ll be impacted by a ransomware attack; it will happen. It’s only a matter of when. Now is the time to check your ransomware readiness recovery score, create a ransomware recovery plan and identify those critical applications and data that must be brought back first after the incident. These three steps are vital to recovery and ensuring your organization’s ability to recover from a ransomware attack.

Subbiah Sundaram

Subbiah spearheads product management at HYCU. He has been instrumental in enabling the company to deliver HYCU Protégé along with the best-in-class multi-cloud solutions for both on-premises and public cloud environments. Prior to joining HYCU, Subbiah held senior executive positions at BMC, CA, DataGravity, EMC, NetApp and Veritas and has extensive experience in product development, planning and strategy. He holds a MS in Computer Engineering from the University of Iowa and an MBA from the Kellogg School of Management at Northwestern University.
