The road out of ransomware: Why recovery is the new frontier

December 01, 2023 10:45

As attackers target individuals, businesses, and governments alike, ransomware has emerged as one of the most significant cybersecurity threats of our time. When cybercriminals encrypt valuable data and demand hefty ransoms, it paralyses operations and causes severe financial and reputational damage. Some attacks have made big headlines in the past; today, however, the ransomware threat has become an unfortunate reality for practically every organisation. According to the Veeam Data Protection Trends Report 2023, 85% of organisations were hit by at least one ransomware attack last year, and just under half (48%) suffered two or three attacks.

So, as cybercriminals constantly evolve their tactics and find new ways to bypass security measures, it has become a case of when, not if, a successful attack occurs. Traditional prevention methods, such as firewalls and antivirus software, are still crucial, but on their own they are not enough to prepare for advanced ransomware attacks. Organisations must prioritise robust recovery strategies to minimise the impact on operations, business continuity and reputation. While many recognise the importance of this shift, building substantial resilience against ransomware attacks requires more emphasis on strengthening the incident response and disaster recovery plan and the process behind it.

Ransom does not equal recovery

Paying the ransom is not a recovery strategy, and simply backing up data isn’t either. Our Veeam Ransomware Trends Report 2023 shows that the majority (80%) of organisations opted to pay the ransom in order to end an attack and recover their data last year, rising 4% compared to the previous year. This comes despite 41% of organisations having a "Do-Not-Pay" policy regarding ransomware. But, of those who paid the ransom, only 59% were successful in recovering their data, and 21% who paid up still lost their data. Similarly, while you might think you have a sufficient backup in place and can avoid paying a ransom, over 93% of attackers target backups during cyber-attacks and were successful in debilitating their victims' ability to recover in 75% of those events.

A reliable disaster recovery process is made up of three stages: preparation, response and recovery. Preparation includes having backups in place (though not all backups are created equal; more on this later) and, just as importantly, having a recovery location prepared. This is something that many organisations don’t think about until it's too late. You can’t recover to the original environment: it’s compromised and an active crime scene. But you also don’t want to be getting to grips with a new cloud environment for the first time in the wake of an ongoing ransomware attack. Effective disaster response includes reporting and containing the incident, a pre-defined operational response, and forensics to establish what has been affected and whether environments (especially backups) have been compromised. Only then can you recover with confidence.

Starting from the right place

Being prepared for disaster recovery is only effective if the backups you are planning around are bulletproof. If you only have one data backup and it's hit during the attack, you are back to square one. Instead, organisations need to follow a few golden rules to increase cyber-resiliency.

• Security teams must ensure they possess an immutable copy of their mission-critical data, preventing hackers from altering or encrypting it.

• Data encryption is crucial to render stolen or breached data inaccessible and useless to hackers.

• The most critical aspect of bolstering your strategy lies in following the 3-2-1-1-0 backup rule. This rule is essential for ensuring reliable data protection and recovery in the face of potential threats like ransomware attacks. It involves maintaining a minimum of three copies of the data, ensuring that even if two devices are compromised or fail, there is still an additional copy available, since the likelihood of three devices failing simultaneously is low.

Organisations should store these backups on two different types of media, such as one copy on an internal hard disk and another in the cloud. One copy should always be stored at a secure offsite location, while another should remain offline (air-gapped) with no connection to the primary IT infrastructure. Lastly, the "0" stage is of critical importance: there should be zero errors in your backups. This is achieved through regular restore testing that completes without errors, ideally complemented by constant monitoring and training in the restoration process.
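To make the rule concrete, here is an added checker (not Veeam's code or the article's) that evaluates a constructed backup inventory against the five elements of 3-2-1-1-0 and reports which ones fail. The BackupCopy fields, the sample inventories, the way production data is counted as one copy, and the 30-day restore-test interval are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

TEST_MAX_AGE_DAYS = 30  # assumed interval for "regular testing"

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str           # storage type: "disk", "tape", "object-storage", ...
    offsite: bool        # kept somewhere other than the primary site
    offline: bool        # air-gapped or immutable: production cannot alter it
    last_restore_test: Optional[date] = None  # None = never restore-tested
    test_errors: int = 0                      # errors from that restore test

def restore_tested_clean(copy, today):
    """A copy counts towards the '0' only if tested recently and without errors."""
    return (copy.last_restore_test is not None
            and (today - copy.last_restore_test).days <= TEST_MAX_AGE_DAYS
            and copy.test_errors == 0)

def check_3_2_1_1_0(backups, today, production_media="disk"):
    """Map each element of the rule to True (met) or False (not met). `backups`
    holds backup copies only; production data is counted as one more copy on
    `production_media` (an assumption about how copies are counted)."""
    return {
        "3 copies":  1 + len(backups) >= 3,
        "2 media":   len({c.media for c in backups} | {production_media}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 offline": any(c.offline for c in backups),
        "0 errors":  bool(backups) and all(restore_tested_clean(c, today) for c in backups),
    }

def failing_elements(backups, today, production_media="disk"):
    """Rule elements the inventory fails, in 3-2-1-1-0 order (empty = compliant)."""
    checks = check_3_2_1_1_0(backups, today, production_media)
    return [element for element, met in checks.items() if not met]

TODAY = date(2023, 12, 1)  # constructed reference date

# Constructed inventory 1: a single nightly copy on a disk at the same site, online.
SINGLE_BACKUP = [BackupCopy("nightly", "disk", False, False, date(2023, 11, 28))]

# Constructed inventory 2: adds an immutable offsite object-storage copy and an
# offsite tape copy whose last restore test is about 90 days old.
FULL_SET = SINGLE_BACKUP + [
    BackupCopy("cloud-immutable", "object-storage", True, True, date(2023, 11, 30)),
    BackupCopy("tape-vault", "tape", True, True, date(2023, 9, 2)),
]
```

The second inventory fails only the "0" element, which is the point the article makes: a copy that exists but has not been restore-tested recently does not count as a verified backup.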

Navigating the road out of ransomware

There’s no doubt that ransomware attacks continue to evolve significantly, growing in scale, sophistication, and impact. It’s no longer a matter of IF your organisation will be the target of a cyber-attack, but how often. This shift has meant the road out of ransomware is moving from prevention to recovery.

While security and prevention remain important, recovery is the new frontier in the fight against ransomware and ensuring you have a slick disaster recovery plan in place is paramount. By prioritising data backup, investing in modern recovery technologies, and establishing robust disaster recovery plans, organisations can strengthen their resilience, improve their ability to recover from attacks and navigate the road out of ransomware risk.


Field CTO EMEA and Lead Cybersecurity Technologist, Veeam