Ransomware attacks have become an unfortunate reality for many businesses in recent years. These cyber attacks involve malware that encrypts an organization’s data and systems, rendering them inaccessible until a ransom is paid to receive a decryption key. For companies that fall victim to ransomware, a key question is whether they can fully recover after paying the ransom or refusing to pay. There are no easy answers, as every ransomware incident is unique based on the specific malware strain involved and the extent of encryption. However, with the right preparation and response, organizations can potentially recover from a ransomware attack.
What is ransomware and how does it work?
Ransomware is a type of malicious software, or malware, designed to extort money from organizations and individuals. It works by encrypting files, databases, applications, and entire IT systems, preventing the rightful owners from being able to access or use them.
The encryption algorithms used by ransomware are very sophisticated and robust. Without access to the decryption key held by the ransomware operators, it is practically impossible for victims to break the encryption. This leaves organizations with few options other than paying the ransom demand in order to obtain the key and regain access to their systems and data.
Common ransomware strains
Some of the most notorious ransomware strains organizations have battled in recent years include:
- Ryuk – Targets large enterprises and demands ransoms up to millions of dollars in Bitcoin.
- Cerber – Known for using the .cerber file extension and a ransom note image of a three-headed dog.
- Locky – Spread rapidly through spam campaigns with ransom demands of 1-4 Bitcoin.
- WannaCry – Notorious May 2017 attack that crippled hundreds of thousands of systems globally.
- REvil – Also known as Sodinokibi, linked to attacks on tech giants like Apple and Acer.
The cybercriminals behind ransomware are often very sophisticated, patient, and well-funded. They invest heavily in development to make their malware as effective and disruptive as possible.
How ransomware spreads
Cybercriminals use various techniques to infiltrate victim networks and install ransomware, such as:
- Phishing emails – Malicious emails with infected attachments or links that download the ransomware when opened or clicked on.
- Drive-by downloads – Visiting compromised websites that automatically download and install the ransomware.
- Remote desktop protocol (RDP) – Guessing weak passwords to breach RDP connections and access internal systems.
- Software vulnerabilities – Exploiting unpatched flaws and bugs in operating systems and applications.
Once inside the network, the ransomware often leverages legitimate system administration tools and network shares to rapidly fan out, infecting as many devices and servers as possible.
Immediate response to ransomware attack
When ransomware is discovered in the network, organizations should initiate response procedures immediately. Time is of the essence. The key initial steps include:
- Isolate infected systems – Disconnect affected devices from wired and wireless networks to prevent further spread of the malware. Turn off any storage area network (SAN) or network-attached storage (NAS) connections as well.
- Shut down network shares – To keep ransomware from mapping and spreading to open network shares, shut them down if possible.
- Determine the strain – Identify the ransomware strain if possible, as this can provide insight on which vulnerabilities were exploited.
- Evaluate impact and damage – Assess which systems, servers, data sets, and applications have been impacted and to what extent.
- Consult incident response – Contact qualified cybersecurity incident response experts for assistance with containment and remediation.
Organizations should also immediately notify senior management of the attack and establish ongoing lines of communication to keep leadership informed.
To pay or not to pay the ransom
One of the most difficult decisions facing ransomware victims is whether or not to pay the ransom. There are compelling arguments on both sides:
Reasons to pay the ransom
- Quickly regain access to encrypted systems and data
- Prevent disruption and loss of revenue during downtime
- Retrieve data that was not properly or frequently backed up
- Cyber insurance may cover or reimburse the ransom payment
Reasons not to pay the ransom
- No guarantee files will be recovered or decrypted
- Paying encourages and funds further ransomware crime
- Data stolen before encryption may still be leaked or sold
- Shows cybercriminals the organization will pay ransoms
In reality, the situations and calculations involved are unique for each victim. Factors like the importance of impacted data, tolerance for downtime, and capabilities for removal and restoration all come into play.
Recovering after paying the ransom
If the difficult decision is made to pay the ransom, the recovery process begins:
- Obtain the decryption utility – The cybercriminals provide a decryption program for unlocking files and systems after the ransom is paid.
- Test decryption process – Run the decryption utility against sample files to validate it is functioning properly before wider use.
- Decrypt priority systems – Once trusted, use the utility to decrypt the most critical systems and data first.
- Scan for bugs, backdoors – Carefully scan decrypted systems for any lingering malware, vulnerabilities or backdoors introduced.
- Restore data – Where backups are available, use them to restore data and to validate the integrity of decrypted files.
- Monitor for reinfection – Closely monitor systems for any signs of lingering malware or reinfection in the weeks after.
Paying the ransom provides the key to start recovering encrypted data, but risks still remain as decryption can be slow and incomplete. Continuous backups and malware scanning safeguard against future compromise.
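The "Monitor for reinfection" step above, and the earlier note that ransomware fans out across network shares, can be turned into a concrete detection. The following is an added example, not code from the original article: it scans file-server audit lines in a constructed log format (not any product's real schema) and alerts when one account renames many files to a single new extension within a short window, or to the .cerber extension the article attributes to Cerber. The threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit-log format for this example, not any product's real schema.
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
                  r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")
WINDOW_SECONDS = 60
RENAME_THRESHOLD = 5            # assumed tuning: same-extension renames per user per window
KNOWN_EXTENSIONS = {".cerber"}  # extension the article attributes to Cerber

def parse(line):
    m = LINE.match(line)  # unparsable lines are skipped rather than treated as events
    return {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])} if m else None

def extension(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("\\") else ""

def detect(lines):
    """Return (timestamp, user, reason) alerts, at most one per user and reason."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # user -> (ts, new_extension) rename events in window
    def alert(rec, key, reason):
        if (rec["user"], key) not in fired:
            fired.add((rec["user"], key))
            alerts.append((rec["ts"], rec["user"], reason))
    for line in lines:
        rec = parse(line)
        if not rec or rec["op"] != "RENAME" or not rec["new"]:
            continue
        ext = extension(rec["new"])
        if ext in KNOWN_EXTENSIONS:
            alert(rec, "known-ext", f"rename to known ransomware extension {ext}")
        q = recent[rec["user"]]
        q.append((rec["ts"], ext))
        while (rec["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= RENAME_THRESHOLD and len({e for _, e in q}) == 1:
            alert(rec, "burst", f"{len(q)} renames to {ext} within {WINDOW_SECONDS}s")
    return alerts

# Constructed sample: a benign rename, a garbled line, then one user renaming six
# spreadsheets to .cerber over 25 seconds (the mass-encryption pattern).
SAMPLE_LOG = [
    r"2024-05-02T10:14:00 user=svc-backup op=RENAME path=\\FS01\it\a.tmp new=\\FS01\it\a.docx",
    "garbled line that does not parse",
] + [rf"2024-05-02T10:15:{i:02d} user=jdoe op=RENAME path=\\FS01\fin\f{i}.xlsx new=\\FS01\fin\f{i}.xlsx.cerber"
     for i in range(0, 30, 5)]
```

Running `detect(SAMPLE_LOG)` yields two alerts for jdoe (the known extension on the first rename, then the burst on the fifth) and none for the backup service account.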
Recovering without paying the ransom
For victims that choose not to pay the ransom, recovery looks much different:
- Wipe and rebuild systems – Completely wipe and rebuild infected systems from the ground up to eliminate malware.
- Restore data from backups – If backups are recent and intact, data and configurations can be restored to rebuilt systems.
- Recover lost data – In the absence of backups, forensic data recovery specialists may be able to recover some lost data.
- Account lockouts – Expect and plan for widespread credential resets and account lockouts across the systems that were encrypted.
- Prioritize most critical capabilities – Focus initially on rebuilding business-critical systems, while less essential capabilities may take weeks.
Avoiding payment places a much heavier burden on IT and data recovery teams to completely rebuild compromised environments.
Using backups to recover from ransomware
Reliable, segmented, and recent backups are one of the best defenses against the impact of ransomware attacks. With good backups, organizations can get back online more rapidly, with less data loss and reduced downtime. Important considerations for maximizing backup effectiveness against ransomware include:
- Storing backup data offline, disconnected from the network.
- Backing up regularly with shorter intervals between backups.
- Retaining multiple generations of backup data for added protection.
- Testing backups frequently to validate usability.
- Segmenting backups, so that no single compromised backup set takes every copy with it.
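The "testing backups" and "multiple generations" points above assume the restore team can tell an intact backup set from one that ransomware has already reached. The following is an added example, not code from the original article: it records a SHA-256 manifest at backup time (to be kept with the offline copy) and later reports files that are missing, changed, or that look encrypted, using the .cerber extension the article mentions and an assumed entropy cut-off. The demo builds a small constructed backup set and tampers with it.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

SUSPICIOUS_EXTENSIONS = {".cerber"}  # extension the article attributes to Cerber
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, encrypted data sits near 8.0

def file_digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def shannon_entropy(data):
    """Bits per byte; plain documents score well below ENTROPY_THRESHOLD."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def walk(backup_dir):
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            yield os.path.relpath(path, backup_dir), path

def build_manifest(backup_dir):
    """Hash every file at backup time; store the manifest with the offline copy."""
    return {rel: file_digest(path) for rel, path in walk(backup_dir)}

def verify_backup(backup_dir, manifest):
    """Report files missing, changed since the manifest, or looking encrypted."""
    present, modified, suspicious = set(), set(), set()
    for rel, path in walk(backup_dir):
        present.add(rel)
        if os.path.splitext(rel)[1].lower() in SUSPICIOUS_EXTENSIONS:
            suspicious.add(rel)
        if rel in manifest and file_digest(path) != manifest[rel]:
            modified.add(rel)  # changed content; high entropy suggests it was encrypted
            if shannon_entropy(Path(path).read_bytes()[: 1 << 20]) > ENTROPY_THRESHOLD:
                suspicious.add(rel)
    return {"missing": sorted(set(manifest) - present),
            "modified": sorted(modified), "suspicious": sorted(suspicious)}

def demo():
    """Constructed backup set: take a manifest, simulate tampering, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "report.txt").write_text("Q3 figures\n" * 200)
        Path(d, "config.ini").write_text("[db]\nhost=x\n")
        manifest = build_manifest(d)
        Path(d, "report.txt").write_bytes(os.urandom(4096))  # ciphertext-like bytes
        Path(d, "config.ini").unlink()  # deleted from the set
        Path(d, "notes.txt.cerber").touch()  # ransomware-style name appears
        return verify_backup(d, manifest)
```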
However, even large organizations with mature IT environments still face backup challenges:
- Quantity of data across disparate systems makes comprehensive backup difficult.
- Backup administration requires expertise and can be very labor intensive.
- Meeting appropriate backup data retention policies has cost implications.
- Restoration from backup can be very slow and complex.
Investing in the right people, processes and technologies for backups and ensuring full organizational commitment to their importance is key for managing ransomware risk.
Preparing a ransomware response plan
Given the significant threat ransomware poses, every organization should develop and document a ransomware response plan. Key elements to include in the plan are:
- Recovery strategies for various scenarios – With payment, without payment, partial payment, etc.
- Decision making authority – Who decides whether to pay ransom?
- Communication protocols – For sharing information internally and with outside parties.
- Technology capabilities assessment – Backup status, malware protection, and segmentation.
- Incident response – Procedures for isolation, remediation, eradication.
- Cyber insurance – Coverage terms, claim procedures, insurer reporting.
The plan should be periodically updated as the threat landscape evolves. Tabletop exercises to simulate ransomware response are also very beneficial for testing readiness.
Implementing cybersecurity best practices
Strengthening cybersecurity protections and best practices is imperative for managing evolving ransomware threats. Top initiatives include:
- Ransomware-focused user awareness training to prevent phishing and social engineering.
- Email security and phishing simulation to block malicious links and attachments.
- Next generation antivirus, endpoint detection and response (EDR) technologies.
- Strict system, network and data segmentation to prevent lateral movement.
- Zero trust and least privilege access models.
- Continuous security monitoring and vulnerability management programs.
- Active penetration testing to find security gaps.
- Mature patch management for quick remediation of vulnerabilities.
This represents the layered defense-in-depth approach required to substantially improve ransomware resilience.
Leveraging cyber insurance
Cyber insurance is increasingly seen as an important component of a comprehensive ransomware risk program:
- Provides expert incident response resources
- Covers costs like ransom payments and business interruptions
- Eases some of the financial impact of an attack
However, organizations should ensure thorough evaluation of cyber insurance policy provisions, exclusions, deductibles, and reimbursement limits. Cyber insurance complements, rather than replaces, strong IT security.
Focusing on cybersecurity culture
In large part, defending against ransomware comes down to building a culture focused on cybersecurity and resilience:
- C-suite establishes cybersecurity as a top priority
- Security awareness is ingrained at all levels of the organization
- Vulnerability and openness about security gaps is encouraged
- Collaboration between IT security, IT operations, and the business
- Willingness to invest resources necessary for cyber resilience
This cultural commitment makes the difference in effective preparedness, response, and recovery.
Learning from ransomware attacks
There are always valuable lessons to be learned from ransomware incidents:
- Understand where existing controls failed and strengthen them accordingly.
- Analyze the initial infection vector and bolster related defenses.
- Increase focus on security weaknesses highlighted by the attack.
- Assess whether certain data should have been better protected.
- Validate incident response plans against real-world scenarios.
The insights gained from each incident should be incorporated into security strategies and fuel continuous improvement.
Conclusion
Ransomware events can significantly impact companies financially, operationally, and reputationally. Paying the ransom may provide access to encrypted data but sets a dangerous precedent and encourages further cybercrime. Rebuilding without paying requires a major time and resource investment but avoids direct financial loss.
The most important factors in effectively responding to and recovering from ransomware are:
- Comprehensive and tested backups
- Incident response planning
- Security best practices and controls
- Cyber insurance coverage
- Culture focused on resilience
With strong preparation, an understanding of trade-offs involved, and a long-term commitment to cyber defense, organizations can potentially recover from ransomware attacks. But prevention through cybersecurity best practices is far preferable to any recovery plan.