Is ransomware a disaster recovery tool?

Ransomware has emerged as one of the top cybersecurity threats facing organizations today. This form of malware encrypts files and systems, holding them hostage until the victim pays a ransom. With ransomware attacks on the rise, some have wondered whether ransomware can actually serve as a type of disaster recovery tool by forcing organizations to improve their data backups and security posture.

What is ransomware?

Ransomware is a form of malicious software (malware) designed to extort money from victims. It works by encrypting files or locking systems, rendering them inaccessible to the user. The attackers demand ransom payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key to unlock the files or systems. If the ransom is not paid, the data and systems remain unavailable.

Ransomware is typically spread through phishing emails containing malicious links or attachments. It can also be distributed through exploit kits on compromised websites. Once installed, ransomware quietly encrypts data and locks systems before presenting its ransom demand. Prominent examples of ransomware variants include CryptoLocker, WannaCry, and Ryuk.

The ransomware epidemic

Ransomware attacks have been rapidly escalating over the past several years. Some key stats on the ransomware epidemic include:

  • The global cost of ransomware is estimated to reach $265 billion by 2031, up from $20 billion in 2021.
  • There was a 105% annual increase in ransomware attacks in 2021.
  • 71% of ransomware victims paid the ransom in 2021, but only 65% had their data restored.
  • The average ransomware payment was $812,360 in 2021.

Healthcare, education, government, and technology are among the sectors most impacted by ransomware. Attacks can deal crippling blows to businesses and organizations by halting operations, creating massive recovery costs, and exposing sensitive data.

The disaster recovery connection

At first glance, ransomware seems like the antithesis of disaster recovery. Disaster recovery focuses on preparing for and recovering from disruptive events to restore normal operations. Ransomware deliberately causes disruption for financial gain. Despite these opposing goals, there are some ways ransomware forces improvements that bolster disaster recovery capabilities:

Boosting backups

Recent, isolated backups are critical for recovering files after a ransomware attack without paying the ransom, and many victims find during an attack that their backup systems were inadequate. This revelation spurs organizations to upgrade their backup technology, retention policies, and storage resiliency after an attack.

Improving security

Ransomware exploits security gaps to infiltrate systems and propagate. After a ransomware attack, organizations often undergo deep security reviews to find and fix the vulnerabilities that let the malware in. This can mean strengthening end-user security awareness, patching systems, upgrading antivirus software, segmenting networks, and monitoring for threats.

Developing incident response plans

Many organizations are caught off guard when hit with ransomware, unsure how to respond in the crisis. Developing and practicing an incident response plan for ransomware can help organizations improve reaction time, contain damage, notify affected parties, and restore operations in an orderly fashion. Having an IR plan makes recovering from any emergency easier.

Increasing redundancy

Building redundancy across systems through measures like multi-factor backup systems, replicating data to separate locations, and utilizing high-availability infrastructure can help organizations stay online and maintain access to critical data, even when ransomware strikes.

Mandating cyber insurance

Many organizations purchase cyber insurance policies after being hit with ransomware to help cover potential costs. Insurers may require improvements to gain coverage, pushing policyholders to adopt better security and data protection. The insurance safety net also enables some victims to refuse ransom demands.

Why ransomware is not a viable DR option

While ransomware attacks can instigate disaster recovery improvements, relying on ransomware as a way to test or improve DR capabilities has major drawbacks:

Financial costs

The ransom demands, business disruption, recovery efforts, reputation damage, and productivity loss resulting from ransomware inflict severe financial losses on organizations. The overall price tag typically outweighs any DR infrastructure improvements the attack prompts.

Data loss

Even if the ransom is paid, data recovery is not guaranteed. On average, only 65% of data is restored after payment. Permanent data loss is detrimental.

Reputational harm

Data breaches linked to ransomware attacks damage brand reputation and public trust in the organization. This fallout can be difficult to recover from.

Liability concerns

There may be regulatory fines, legal action, and requirements to notify customers of data exposure after a ransomware attack. Organizations could be found negligent for allowing poor security practices.

Encouraging cybercrime

Paying ransomware demands fuels further growth of ransomware operations and funding for criminal hacking organizations to expand their attacks.

Ethical considerations

Using ransomware as a disaster recovery strategy raises some ethical concerns:

  • Paying ransoms funds criminal organizations and future attacks
  • Not paying may result in permanent data loss for customers
  • Users expect responsible data handling by organizations
  • Lax security itself may be unethical if others are put at risk
  • Organizations have a duty to be prepared for reasonable emergencies

These factors make condoning or intentionally allowing ransomware morally questionable in most cases.

Best practices for mitigating ransomware

Instead of viewing ransomware as a viable, if unethical, way to test DR capabilities, organizations should take proactive steps to defend against attacks:

Implement security awareness training

Training staff to recognize and avoid suspicious emails, links, and attachments, reinforced with simulated phishing tests, reduces exposure to phishing, the typical ransomware entry point.

Maintain backups offline

Storing backups offline and in immutable form prevents malware from infecting them. Backups enable restoration without paying the ransom.

Install and update antivirus software

Antivirus solutions with ransomware detection capabilities can block known malware strains before they execute.

Segment networks

Network segmentation limits communication between systems and so contains the spread of ransomware.

Monitor systems

Monitoring network traffic, system files, and user activity aids early ransomware detection and swift response.

Control access

Restricting administrative privileges and system access provides fewer openings for ransomware to exploit.

Patch diligently

Promptly installing software, OS, and firmware updates closes vulnerabilities that ransomware often leverages.

Test incident response

Exercising and refining a ransomware response plan makes reacting to real incidents more effective.

Should you pay the ransom?

Whether to pay the ransom after a ransomware attack is a complex decision. Considerations include:

  • Ability to recover data from backups
  • Importance and sensitivity of encrypted data
  • Time needed to restore operations
  • Ransom amount vs. recovery costs
  • Trustworthiness of attackers
  • Legal and ethical implications

Consulting with incident response experts is wise when evaluating options after a ransomware event.


Ransomware cannot be considered a legitimate or responsible disaster recovery strategy. While attacks may spur some DR improvements, the financial, reputational, ethical, and operational damage is too costly. Organizations must take responsibility through prevention, preparation, and response planning to manage ransomware risks. With vigilance and focus on security fundamentals, ransomware recovery can become just another exercise rather than a ransom-driven crisis.