Date: 2022-02-08

It is no secret that ransomware has been gaining momentum. According to Cybersecurity Ventures, attacks are occurring every 11 seconds and in 2021, ransomware cost the world $20 billion in damages - which was 57 times more than it was in 2015. Thanks to the rise of Ransomware-as-a-Service (RaaS), ransomware has become mainstream because practically anyone can launch an attack.

RaaS gives cybercriminals the ability to use malware for a percentage of the funds while remaining completely anonymous. Even those who lack the technical skills to develop the malware and deploy the attack on their own can attack your business. In 2020 almost two thirds of ransomware attacks came from cybercriminals operating on a RaaS model.

Ransomware is getting smarter

Ransomware attacks are quickly evolving. With emerging strains like Conti, cybercriminals are encrypting, corrupting, and deleting backups before compromising as much production data as possible, which makes recovery a gruelling challenge.

Conti ransomware is highly malicious due to the speed with which it encrypts data and infects systems. (Image credit: Sophos)

Meanwhile, advanced cyber criminals are now targeting the software supply chain so they can compromise your security without even breaking in. This was the case with the ransomware attack on Kaseya Software, which halted the business operations of 1,500 organisations during the company’s breach and recovery.

Paying the ransom will simply never be the solution to fight off ransomware. It only validates the criminal activity and leads to higher ransom demands. Unfortunately, IDC reports that 87 percent of organisations paid a ransom after suffering a ransomware attack or breach.

We’ve seen some of the largest payouts in the last 12 months alone – topping out at $40 million paid by insurance company CNA Financial in March 2021. Everyone agrees that payments like this cannot and should not continue, but when attacked, unprepared organisations feel that they have no choice.

Governments around the world are banding together to try to reach a consensus about the best way forward. Earlier in 2020, the U.K. National Crime Agency and 60 other members from technology companies, law enforcement bodies, and academia formed the Ransomware Task Force.

Since then, we’ve seen many other governments begin to form their own task forces to mitigate ransomware’s threat. Regardless of the country, however, we cannot reverse the trend of paying criminals if organisations do not have a well-prepared recovery strategy in place.

Bouncing back – better than ever

Despite a hacker’s attempts to compromise an organisation’s defences and ability to recover, there is hope. It starts with a resilient, foolproof ransomware recovery plan, which can be broken down into three simple steps.

Step 1: Initial Response

When you’ve been attacked with ransomware, you need to first understand where it started and how it spread, so use forensics to track its path. Your backups should provide historical information to your forensic analysis tools to speed up this process.

Historical logs can be useful for tracking the progress of the malware, and backup catalogue searches can identify when and where malware files arrived onto OneDrive, a VM, or a NAS share. It’s important to also assess the damage so you know what data has been affected. Backups can identify affected files and systems, so organisations can track exfiltrated data, compromised services, and time to recovery.

Step 2: Validate the Recovery

After you detect the malware, know where and how it started, and have an understanding of the damage that has been done to your systems, you need to make sure you eliminate it from the backups before running any system recovery.

Your data protection vendor should scan and remove the malware strain for you, but to be safe, you should run your own scan. Many organisations will bring up the restored data in an isolated environment, run their own scans, and then proceed to restore the data into production.
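The catalogue search from Step 1 and the choice of a restore point for Step 2 can be sketched as follows. This is an added example, not code from the article or from any backup product; the catalogue layout, source names and hash placeholders are constructed assumptions.

```python
# Constructed sample catalogue rows: (snapshot time, source, path, file hash).
# Hash values are short placeholders, not real digests.
CATALOGUE = [
    ("2022-01-10T02:00", "nas-share", "/finance/q4.xlsx", "HASH_A"),
    ("2022-01-10T02:00", "vm-web01", "/opt/app/run.sh", "HASH_B"),
    ("2022-01-11T02:00", "nas-share", "/finance/q4.xlsx", "HASH_A"),
    ("2022-01-11T02:00", "vm-web01", "/tmp/updater.bin", "HASH_BAD"),
    ("2022-01-12T02:00", "nas-share", "/finance/updater.bin", "HASH_BAD"),
    ("2022-01-12T02:00", "vm-web01", "/tmp/updater.bin", "HASH_BAD"),
    ("2022-01-12T02:00", "onedrive-hr", "/docs/updater.bin", "HASH_BAD"),
]
KNOWN_BAD = {"HASH_BAD"}  # assumed output of the forensic analysis


def first_arrivals(catalogue, known_bad):
    """Earliest snapshot (and path) in which each source holds a known-bad file."""
    arrivals = {}
    for ts, source, path, digest in sorted(catalogue):  # ISO times sort correctly
        if digest in known_bad and source not in arrivals:
            arrivals[source] = (ts, path)
    return arrivals


def spread_order(catalogue, known_bad):
    """Sources ordered by when the malware first appeared in their backups."""
    arrivals = first_arrivals(catalogue, known_bad)
    return sorted(arrivals, key=lambda source: arrivals[source][0])


def last_clean_snapshot(catalogue, known_bad):
    """Newest snapshot per source taken before the malware arrived, or None."""
    arrivals = first_arrivals(catalogue, known_bad)
    clean = {source: None for _ts, source, _path, _digest in catalogue}
    for ts, source, _path, _digest in catalogue:
        if source in arrivals and ts >= arrivals[source][0]:
            continue  # snapshot taken at or after first infection
        if clean[source] is None or ts > clean[source]:
            clean[source] = ts
    return clean


if __name__ == "__main__":
    print("spread order:", spread_order(CATALOGUE, KNOWN_BAD))
    # Candidates only: restored data is still scanned in isolation (Step 2).
    for source, ts in last_clean_snapshot(CATALOGUE, KNOWN_BAD).items():
        print(source, "->", ts or "no clean snapshot, rebuild from a known-good source")
```

A snapshot that predates the first known-bad file is only a candidate restore point, since the intruder may have been present before the payload was written; the isolated scan described above remains the gate before production restore.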

Step 3: Recovery

While the first two steps are specific to ransomware, the last step should leverage your disaster recovery plan. In order to do so, there are three key aspects to consider:

Invest in your people

Training staff on cybersecurity best practices is vital to keep your business secure (Image credit: Getty)

Successfully recovering from ransomware doesn’t mean you are immune to attacks in the future. In fact, many organisations have been hit multiple times with the same strain of ransomware.

This is why investments in your people are critical, especially because research shows that 98 percent of attacks rely on social engineering. All users of your systems and infrastructure should be trained on security risks and how to identify them. All developers should be trained on the use of third-party and open-source software packages to minimise software supply chain attacks.

Governments should also fund companies that are developing the next generation of security defences. The UK’s Future Fund, which matches private investment for innovative tech companies, is vital.

Moving forward

In today’s ransomware epidemic, attacks are constantly evolving, so your strategies must evolve to meet them. By building a more cyber-aware workforce and investing in a foolproof protection and recovery strategy, you will be better able to combat these threats and lessen the impact of an attack.