How To Recover From Ransomware

Ransomware cyberattacks are everywhere in the news, and they seem to be getting bigger. Take the attack in February that forced the UK’s Redcar and Cleveland council staff offline for three weeks and cost between a reported £11m and £18m to repair the damages.

Now, attackers are increasingly taking advantage of COVID-19 to coax people into opening malicious emails and attachments, leaving hospitals and medical facilities forced to turn away patients in a time of heightened demand. The threat is so great, the UK government even recently issued an official warning to businesses and individuals over ‘dangerous and malicious’ COVID-19 related cyber threats.

Hackers have been ruthless with their malware attacks, targeting users from small businesses to global enterprise organisations, both private and public.

The challenges

In 2019 alone, ransomware threats increased by 300%—and not only are attacks growing more frequent, but they are also much more costly to recover from. The average remediation cost of a successful ransomware attack to UK enterprises is $840,000, higher than the global average of $761,00. Globally, total damages related to cybercrime are set to hit $6 trillion by 2021.

A successful cyberattack can bring operations to a stop, potentially for days, weeks, or even permanently. Without the right plan and solution, data recovery efforts can leave gaps in data, become time-consuming, labour-intensive and costly. And even if a business does recover its data, damage to reputation can be lasting, causing customer attrition or brand avoidance. These costs, along with potential ransom costs, can cripple a business, as noted in a recent Gartner report.

Cybersecurity: the first line of defense

As hackers become more sophisticated and attacks to IT systems become more common, the reality is that it’s not a matter of if an organisation will be targeted by a cyberattack, but when. While it’s not possible to stop all attacks, creating a comprehensive cybersecurity and disaster recovery plan is paramount to minimising risk and achieving cyber resilience.

That was the intention behind the Cybersecurity Framework launched by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST). This flexible framework helps organisations understand the best practices they should use to manage their cybersecurity-related risk, centered on these core functions:

  1. Identify

  2. Protect

  3. Detect

  4. Respond

  5. Recover

NIST identified these functions because they are “the five primary pillars for a successful and holistic cybersecurity program. They aid organisations in easily expressing their management of cybersecurity risk at a high level and enabling risk management decisions.”

Recovering from ransomware with cyber resilience

Many organisations do a good job with the first four pillars, yet when malware makes it through their defenses they struggle with recovery. But this final step has become more critical than ever before. Having to restore to a day-old or even week-old backup means data loss and increased time and expense in recovery efforts. No business can afford that kind of a non-resilient solution.

Continuous data protection is key

The key is having a solution that’s always on, with enough granularity to recover to a point in time precisely before the attack occurred, without time gaps. The best solution will be one that uses Continuous Data Protection and keeps valuable data protected in real time. In only a few clicks, all data is recovered in seconds. Additionally, businesses should be seeking a vendor that offers a journal-based recovery that is flexible enough to recover only what is needed: be it a few files, virtual machines, or an entire application stack.

To recover to the exact point before an attack, companies must be able to pinpoint exactly when the attack occurred. With proper DR plans and the right tools in place, organisations can use network, journal, and IOPS statistics to determine the precise moment the ransomware became active and recover to within seconds before it. Businesses should also ensure the provider enables them to quickly perform a failover test to see if they have the right point in time. If not, they can easily fail over again to a different point—all with minimal effort and recovery time.
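One way to do the pinpointing described above, as an added example that is not from the original article or from any vendor's product. It assumes per-interval write-IOPS samples and a list of journal checkpoint timestamps (both constructed here; the function names are hypothetical), flags the first sustained departure from a robust baseline, and selects the latest checkpoint before it.

```python
from bisect import bisect_left
from statistics import median

def find_onset(samples, baseline_n=12, k=6.0, sustain=3):
    """samples: time-sorted list of (epoch_seconds, write_iops).
    Baseline is the median of the first `baseline_n` samples; the threshold is
    median + k * MAD, so one odd sample does not skew it. Returns the timestamp
    that starts the first run of `sustain` consecutive samples above it."""
    base = [v for _, v in samples[:baseline_n]]
    med = median(base)
    mad = median(abs(v - med) for v in base) or 1.0  # avoid a zero-width band
    threshold = med + k * mad
    run_start, run_len = None, 0
    for ts, v in samples[baseline_n:]:
        if v > threshold:
            if run_len == 0:
                run_start = ts
            run_len += 1
            if run_len >= sustain:
                return run_start
        else:
            run_len = 0  # isolated burst, not a sustained write storm
    return None

def pick_checkpoint(checkpoints, onset, margin=0):
    """Latest journal checkpoint strictly before (onset - margin), or None."""
    if onset is None:
        return None
    i = bisect_left(checkpoints, onset - margin)
    return checkpoints[i - 1] if i > 0 else None

# Constructed sample data: write IOPS sampled every 10 seconds on a file server.
T0 = 1_700_000_000
IOPS = [120, 131, 118, 125, 140, 122, 119, 133, 127, 124, 130, 121,  # baseline
        126, 410, 123, 129,           # single burst (e.g. a scheduled job)
        980, 1450, 1620, 1580, 1700]  # sustained encryption-like write storm
SAMPLES = [(T0 + 10 * i, v) for i, v in enumerate(IOPS)]
# Constructed journal checkpoints, one every 5 seconds.
CHECKPOINTS = [T0 + 5 * i for i in range(45)]

def demo():
    onset = find_onset(SAMPLES)
    return onset, pick_checkpoint(CHECKPOINTS, onset)

if __name__ == "__main__":
    onset, cp = demo()
    print(f"onset at T0+{onset - T0}s, recover to checkpoint T0+{cp - T0}s")
```

Because a sample summarises the interval before its timestamp, setting `margin` to one sample interval steps the recovery point back far enough to cover activity that began inside that interval; a failover test against the chosen checkpoint then confirms it is clean.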

A tale of two ransomware attacks

Take, for example, TenCate, a multinational textiles company headquartered in the Netherlands, which experienced ransomware attacks twice: the first before implementing sophisticated DR and Backup and the second after implementation. Its experience recovering from these two incidents reveals the power of utilising the latest in DR solutions.

In the first attack, one of TenCate’s manufacturing facilities was hit with CryptoLocker, and all file servers were infected. TenCate used traditional disk recovery, experiencing 12 hours of data loss, and they were not able to recover for two weeks.

After implementing the sophisticated DR solution, directories on a file server were hit by a more advanced form of CryptoLocker. This time, TenCate only experienced 10 seconds of data loss and were able to recover in under 10 minutes.

With ransomware on the rise, and the current pandemic piling on pressure for many of the UK’s businesses, ensuring cyber resilience has never been more important. Although organisations may not be able to stop the threat of being targeted by a ransomware attack, their ability to successfully recover and continue operations will prove paramount in these trying times and beyond.