5 vital steps for your ransomware recovery plan

19 Sep 2022

Quest Software’s Bryan Patton outlines the starting points of a comprehensive ransomware recovery strategy, essential for getting back to business after an attack.

Ransomware is pummelling organisations of all sizes and in all sectors around the globe. In fact, the estimated cost of ransomware attacks soared to $20bn in 2021 – and is projected to reach $265bn by 2031.

The debate about how best to tackle this threat is always developing. Should organisations be focusing much more on prevention than cure? Or should you assume a successful attack is imminent and focus your efforts on the recovery stage?

The fact is, too many organisations have yet to plug the basic security gaps that allow threat actors initial access into their environment to set the stage for a devastating ransomware attack. Locking down the basics is fundamental to reducing your vulnerability to ransomware.

But can we really rely solely on prevention? We live in a world of zero-days and a newly exploited vulnerability can render your preventative measures ineffective in an instant. The ability to effectively recover from a ransomware attack is a major blind spot amongst organisations. When an attack happens, the clock is ticking, and your plan needs to be airtight.

At first blush, the simplest way to recover from a ransomware attack would seem to be to pay the ransom and wait for the hackers to hand over the decryption key.

However, research reveals that only 8pc of organisations that pay the ransom actually manage to get back all of their data. In fact, about three in 10 (29pc) get back half their data or less. Moreover, a staggering 80pc of organisations that paid a ransom suffered a second attack, and nearly half of them believe it was at the hands of the very same hackers.

Accordingly, it’s vital for every organisation to establish a solid ransomware recovery strategy, based on five best practices.

1. Air gap your backups – and your backup plan

Ransomware actors know that you can’t restore from backup if your backups have been corrupted. That’s why many ransomware strains are designed to actively seek out and destroy all the backups they can reach. Attackers want to maximise the chances that you’ll have to pay the ransom instead of being able to restore your data yourself.

Your ransomware recovery strategy requires backups to be kept in a state where they can’t be affected by an attack: offline, disconnected and unreachable with the credentials and network access an attacker gains inside your production environment. A backup target that a domain administrator can write to or delete from over the network is not air-gapped, because domain administrator access is exactly what a ransomware operator will hold by the time encryption starts.

One option is to go old school: write your backups to tape and send them to an off-site storage facility. However, this will significantly slow recovery from a ransomware infection. Every minute of delay increases the damage of the attack on your business, including longer downtime, more media scrutiny and a bigger hit to your company’s reputation.

Therefore, many organisations today are choosing to store their backups in the cloud as an easy alternative, off-site location that also enables a speedier recovery. But if you do choose to use cloud storage, you must ensure that any backup data is encrypted before it leaves the network perimeter of the business, with the encryption keys held where the attacker cannot reach them from the compromised environment. The storage itself must also be configured so that backup objects cannot be deleted or overwritten with production credentials (versioning or write-once retention); otherwise the cloud copy is just one more reachable backup for the ransomware to destroy.
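As an added example (not code from the article or from Quest), the following Python script shows the check a practitioner wants before trusting any backup copy after an attack: a manifest of file digests sealed with an HMAC whose key is kept offline, so ransomware that overwrites, deletes or adds files in the backup set is detected, and a manifest the attacker regenerates without the key is rejected outright. The backup files, the key handling and the simulated tampering are all constructed for the example. It covers integrity only; the confidentiality of a cloud copy still needs authenticated encryption with keys held outside the production domain.

```python
"""Added example, not from the article: verify a backup set against an
HMAC-sealed manifest whose key is kept offline.

Everything here is constructed for the example: the backup files, the key
handling and the simulated tampering. It demonstrates tamper detection only.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream files in 1 MiB blocks so large backups do not fill memory


def file_digest(path: Path) -> str:
    """SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _seal(files: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the digest table."""
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Record every file's digest at backup time and seal the listing.

    The manifest, and above all the key, live away from the backup target,
    so an attacker who can rewrite backup files cannot also produce a
    manifest that matches the rewritten contents.
    """
    files = {
        p.relative_to(backup_dir).as_posix(): file_digest(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }
    return {"files": files, "hmac": _seal(files, key)}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    """Classify each file as intact, modified, missing or unexpected.

    The seal is checked first: if it does not match, the manifest itself is
    untrusted and the whole set is rejected without looking at the files.
    """
    report = {"manifest_ok": False, "intact": [], "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(_seal(manifest["files"], key), manifest["hmac"]):
        return report
    report["manifest_ok"] = True
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    for name, digest in manifest["files"].items():
        path = backup_dir / name
        if not path.is_file():
            report["missing"].append(name)
        elif file_digest(path) != digest:
            report["modified"].append(name)
        else:
            report["intact"].append(name)
    report["unexpected"] = sorted(present - set(manifest["files"]))
    return report


def demo() -> dict:
    """Constructed scenario: back up two files, then simulate ransomware
    encrypting one in place and dropping a ransom note into the backup set."""
    key = os.urandom(32)  # generated once; in practice kept offline, never on the backup host
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "sql").mkdir()
        (backup / "sql" / "orders.bak").write_bytes(b"constructed database backup")
        (backup / "ntds.dit.bak").write_bytes(b"constructed AD database backup")
        # Round-trip through JSON, as the manifest would when stored separately.
        manifest = json.loads(json.dumps(build_manifest(backup, key)))
        clean = verify_backup(backup, manifest, key)

        # Simulated attack: one file encrypted in place, a ransom note added.
        (backup / "sql" / "orders.bak").write_bytes(b"\x00encrypted junk\xff")
        (backup / "README_DECRYPT.txt").write_bytes(b"pay us")
        tampered = verify_backup(backup, manifest, key)

        # Attacker regenerates a manifest for the tampered set without the key.
        forged = build_manifest(backup, b"attacker-guessed-key")
        forged_check = verify_backup(backup, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_check}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it with `python3 backup_manifest.py`: the clean pass reports both files intact, the tampered pass lists `sql/orders.bak` as modified and the ransom note as unexpected, and the forged manifest is rejected before any file is read. The key is the whole point: if it sits on the backup server, the attacker simply reseals the manifest.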

2. Plan for the worst-case scenario

Your plan needs to assume that you will have no working IT environment at all. Be sure to consider the impact of a ransomware attack on things such as your network, routers, switches and VPN concentrators.

Often overlooked is the need to protect your Microsoft cloud infrastructure, which is especially important considering that Microsoft reported more than 25bn attempted attacks on Azure Active Directory in 2021 alone. Your Microsoft 365 data in Exchange Online, SharePoint Online, OneDrive, Teams and calendars is just as susceptible to user error, accidental deletion, corruption and malware as anything on-premises, and the platform’s built-in retention is not a substitute for a backup you control and can restore from independently. While Microsoft is responsible for keeping the cloud services available, you remain accountable for protecting your data.

Also remember that you need to store your ransomware recovery plan in a location where you can access it even if you’ve been hit by the most severe ransomware attack you can imagine. Printing it out is a tried-and-true tactic. Another option is to store it in a separate cloud storage facility such as Dropbox, under an account whose login does not depend on the directory you are trying to recover: if that account is federated to your corporate single sign-on, the plan becomes unreachable at exactly the moment Active Directory or Azure AD is down or compromised.

3. Assemble your team

A ransomware recovery effort involves many different teams, such as the backup team, networking team, security team, and other external parties such as Microsoft or your cloud storage provider. It’s essential to have one person in charge who can direct and coordinate all these teams and make decisions on the fly.

Make sure you have clearly documented all roles and responsibilities. In addition, make sure your ransomware recovery playbook includes a virtual ‘war room’ where these teams can come together and sub-groups can break out to strategise about particular issues. That war room should run on out-of-band channels, using accounts and devices that do not depend on the compromised environment, because an attacker who still has access to your email or Teams can otherwise follow your recovery in real time.

4. Consider a phased recovery

When a ransomware attack brings down more than just an isolated part of your IT ecosystem, strategically recovering data and applications in phases is often the best way to get your business back up on its feet as soon as possible.

Collaborate with your business counterparts to identify the applications that are most critical for core operations. Create a prioritised list to guide a phased recovery in which the Active Directory team restores the most critical domain controllers first (identity has to be back before anything that authenticates against it) and then moves on to the remaining domain controllers, while the application teams, database teams and others begin their recovery work in the most critical areas.
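An added example, not from the article: given a constructed inventory with a criticality tier and a list of dependencies for each system, this Python script turns the prioritised list into recovery waves. Each wave holds the systems whose dependencies are already restored, most critical first, with an optional capacity to model how many systems the teams can actually work on at once; a dependency cycle is reported rather than silently ordered. The system names, tiers and dependencies are illustrative only.

```python
"""Added example, not from the article: derive recovery waves from a
prioritised inventory and its dependencies.

The inventory below is constructed for the example. Rule: a system is
restored in the first wave in which everything it depends on is already
back; within a wave, lower tier number (more critical) goes first; an
optional capacity limits how many systems a wave may contain.
"""
from collections import defaultdict

# Constructed inventory: name -> (criticality tier, systems it depends on).
INVENTORY = {
    "DC01 (PDC emulator)": (1, []),
    "DC02": (1, ["DC01 (PDC emulator)"]),
    "core-switches": (1, []),
    "vpn-concentrator": (2, ["core-switches", "DC01 (PDC emulator)"]),
    "sql-erp": (1, ["DC01 (PDC emulator)", "core-switches"]),
    "erp-app": (1, ["sql-erp"]),
    "file-server": (2, ["DC02"]),
    "intranet": (3, ["file-server", "sql-erp"]),
    "print-server": (3, ["DC02"]),
}


def recovery_waves(inventory, capacity=None):
    """Kahn's algorithm over the dependency graph, one wave per round.

    Returns (waves, cycle): `waves` is a list of lists of system names in
    restore order; `cycle` lists systems that could never be scheduled
    because of a circular dependency (empty when the graph is acyclic).
    """
    unknown = {d for _, deps in inventory.values() for d in deps} - set(inventory)
    if unknown:
        raise ValueError(f"dependencies not in inventory: {sorted(unknown)}")

    remaining = {name: set(deps) for name, (_, deps) in inventory.items()}
    dependents = defaultdict(set)  # reverse edges: dep -> systems waiting on it
    for name, deps in remaining.items():
        for d in deps:
            dependents[d].add(name)

    waves = []
    while remaining:
        ready = [n for n, deps in remaining.items() if not deps]
        if not ready:  # every remaining system waits on another: a cycle
            return waves, sorted(remaining)
        ready.sort(key=lambda n: (inventory[n][0], n))  # most critical first
        if capacity is not None:
            ready = ready[:capacity]  # deferred systems stay ready for the next wave
        waves.append(ready)
        for n in ready:
            del remaining[n]
            for waiting in dependents[n]:
                remaining[waiting].discard(n)
    return waves, []


def wave_of(waves, name):
    """1-based index of the wave in which `name` is restored, or None."""
    for i, wave in enumerate(waves, start=1):
        if name in wave:
            return i
    return None


if __name__ == "__main__":
    waves, cycle = recovery_waves(INVENTORY, capacity=3)
    for i, wave in enumerate(waves, start=1):
        print(f"Wave {i}: " + ", ".join(wave))
    if cycle:
        print("Unschedulable (dependency cycle):", ", ".join(cycle))
```

With unlimited capacity the domain controller holding the PDC emulator and the core switches form wave 1, the second domain controller and the ERP database wave 2, and so on; with a capacity of two per wave, the tier-1 ERP application is scheduled ahead of the tier-2 VPN concentrator even though the VPN became ready earlier, which is the ordering the prioritised list is meant to produce.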

5. Don’t sacrifice quality for speed

While organisations are understandably anxious to get back to normal after a ransomware attack, it’s essential to ensure the recovery is done right so you don’t immediately get reinfected. It’s smart to select a recovery solution that gives you the flexibility to restore each of your domain controllers in the way that best fits its situation.

For example, while bare metal recovery (BMR) is comparatively simple, it requires the target machine to have the same hardware and disk layout as the original system, and because it restores the entire operating system image it brings back every component that isn’t needed for the restore, including whatever persistence the attacker planted before the backup was taken. Accordingly, you want to have other options in addition to BMR, such as restoring Active Directory onto a clean operating system on a new Windows server, so that only the directory data is carried over and the risk of reinfection is minimised.

By Bryan Patton

Bryan Patton is a principal strategic systems consultant at Quest Software. For nearly 20 years he has helped customers shape their Microsoft environments, with particular emphasis on Active Directory and Office 365.
