Ransomware attacks have become increasingly common in recent years. These cyber attacks encrypt an organization’s files and demand payment to decrypt them. Recovering from a ransomware attack can be challenging, but is possible in many cases. Here we examine the key questions around recovering from ransomware.
What is ransomware and how does it work?
Ransomware is a type of malicious software (malware) that encrypts files on a device or network. Attackers use ransomware to extort money from victims by demanding payment to decrypt the files and restore access. Typically, ransomware spreads through phishing emails, compromised websites, or other malware. Once executed, it encrypts files and displays a ransom note demanding payment, usually in cryptocurrency like Bitcoin.
There are two main types of ransomware:
- Locker ransomware – Locks the user out of the device or computer.
- Crypto ransomware – Encrypts files so they cannot be accessed.
Crypto ransomware is more common today. Some of the most widespread ransomware variants include Ryuk, Conti, REvil, and LockBit.
What is the impact of a ransomware attack?
The impacts of a ransomware attack can be severe:
- Loss of access to critical files and data
- Disruption to business operations and production
- Financial costs from ransom demands and recovery efforts
- Reputational damage and loss of customer trust
A ransomware attack can grind business operations to a halt. Without access to essential files, systems, and data, organizations cannot deliver products and services. The financial costs are also substantial, with the average ransomware demand in 2021 being $170,000.
Is paying the ransom recommended?
Most security experts advise against paying the ransom. Reasons not to pay include:
- No guarantee files will be recovered – Attackers may delete files even after payment
- Encourages more attacks by funding cybercriminals
- May violate regulations around financing criminal organizations
However, some organizations do opt to pay the ransom if they have exhausted all other options for recovering files and data. In rare cases, negotiating the ransom demand down may be possible.
How can you recover encrypted files without paying the ransom?
There are several ways encrypted files may be recovered without giving in to ransom demands:
Use backups to restore data
Backups provide the most reliable way to recover encrypted files. Organizations should maintain regular backups that are isolated and disconnected from their network to prevent the backups from being infected. Cloud backups or offline local backups provide protection.
Leverage ransomware decryption tools
For some ransomware strains, decryption tools have been developed that may allow decryption of files without the attacker’s key. These are available from security companies like Kaspersky and Emsisoft.
Exploit weaknesses in the ransomware code
Security researchers have found flaws in some ransomware variants that enable decryption of files. This requires technical analysis of the code. Weaknesses have been found in ransomware like WannaCry and GandCrab among others.
Perform a system restore using backups
If the ransomware is caught quickly, restoring the system to an earlier state using backups may be possible before significant encryption takes place.
Rebuild systems and restore data from scratch
As a last resort, rebuilding systems from scratch and restoring data from clean backups can effectively recover from ransomware. This approach requires significant time and resources.
How can organizations prepare for and prevent ransomware attacks?
Preparing for potential ransomware attacks is a key part of limiting damage and improving the ability to recover. Prevention best practices include:
- Employee cybersecurity training to identify threats
- Email security filtering to block malicious emails
- Regular software updates and patches
- Strong passwords and multi-factor authentication
- Limiting user permissions and access controls
- Deploying endpoint detection and anti-ransomware software
- Network segmentation to prevent spread
- Frequent, isolated backups stored offline
Should ransomware payments be banned?
Some policymakers argue that banning ransomware payments could help deter attacks by eliminating the financial incentives. However, a ban also removes one recovery option for affected organizations. Considerations around banning payments include:
Arguments for banning payments
- Stops finances flowing to cybercriminal groups
- Forces organizations to improve security rather than pay ransoms
- Removes incentives for future ransomware development
- Ethically prevents rewarding criminal acts
Arguments against banning payments
- Takes away one option organizations have for recovering data
- Does not stop ransomware attacks altogether
- Difficult to enforce across jurisdictions
- May drive some ransomware operations further underground
A potential middle ground could be greater regulation around properly vetting and restricting any ransom payments.
Are cyber insurance policies helpful in covering ransomware damages?
Cyber insurance can be beneficial by cushioning some of the financial blow of ransomware attacks. Typical policies may cover costs like:
- Ransomware attack response and recovery services
- Expenses for IT forensics, public relations, and legal counsel
- Lost income from disruptions to operations
- The ransom payment itself in some cases
However, policies vary widely in the details. Key things for organizations to look for include:
- Does it cover modern ransomware strains?
- What specific damages and costs are reimbursable?
- Does it mandate cybersecurity best practices?
- What is the limit and excess amount?
Having cyber insurance coverage is certainly better than none. But organizations still need to follow strong security measures to prevent and respond to ransomware attacks.
What role can law enforcement play in recovering from ransomware?
Law enforcement agencies like the FBI can sometimes help ransomware victims by providing technical support and attempting to trace payments. However, they often have limited ability to actually get encrypted data back. The FBI advises victims against paying ransoms. Potential law enforcement assistance includes:
- Technical support in negotiating with attackers
- Cyber forensics to analyze how the attack occurred
- Identifying and tracking ransom payments if made
- Passing on information about the ransomware variant
- Updating victims on the progress of investigations
However, law enforcement has limited resources to apply to individual ransomware cases. Organizations typically can’t rely on them to recover encrypted data. The main focus is on conducting broader investigations and takedowns of ransomware gangs.
Should organizations hire a specialized incident response firm?
Third-party cybersecurity firms that specialize in incident response can provide valuable expertise and support when dealing with a ransomware attack. Potential benefits of hiring an incident response firm include:
- Faster threat containment and eliminating ongoing access by attackers
- Technical analysis of how the attack occurred and damage done
- Specialized experience negotiating with threat actors
- Improved ability to restore systems and decrypted data
- Assistance coordinating with law enforcement
The downside is the cost of hiring a high-end incident response firm, which can easily run into six figures. Organizations need to weight the potential benefits against the cost.
What lessons can be learned from recovering from ransomware?
Recovering from a ransomware attack provides useful lessons for enhancing defenses against future incidents. Key takeaways include:
- The critical importance of offline backups – One of the most crucial defenses
- Limiting access controls and lateral movement protects the network
- Staff cybersecurity training is essential to identify threats
- Prompt action early in an incident can limit damage
- Having an incident response plan makes recovery smoother
- Focus on security basics like patching and multi-factor authentication
- Work with cyber insurance providers and law enforcement ahead of time
Documenting details around how the attack took place and spread also provides data to shore up vulnerabilities. Ultimately, recovering from ransomware builds resilience and knowledge to avoid becoming a repeat victim.
Conclusion
Recovering encrypted files and systems after a ransomware attack can be a significant challenge. However, with careful planning and appropriate safeguards, organizations can often restore data and resume operations without paying ransoms. This relies on having isolated backups disconnected from networks, users trained to avoid infection, and prompt incident response when an attack hits. Cyber insurance and law enforcement provide useful additional support. While ransomware will remain a threat, the experiences of recovering from an attack makes organizations better prepared for the future.
