Ransomware Recovery: How to Respond to Ransomware Attacks

Ransomware attacks show no signs of slowing down. The second quarter of 2022 witnessed a significant increase in ransomware activity compared to Q1, where activity slowed by about 25% from Q4 2021. Some prominent ransomware gangs, such as REvil and Conti, reported shutting down operations in recent times. However, REvil, one of the most notorious ransomware groups, is showing signs of returning to life after being quiet for several months. This year has also seen the birth of many new ransomware gangs like BlackBasta, Hive and Mindware. Moreover, with the emergence of open-source ransomware programs and subscription-based Ransomware-as-a-Service (RaaS) now readily available to anyone, ransomware attacks are expected to increase further in the foreseeable future.

Cybercriminals constantly update their techniques to infiltrate even the most formidable defense systems. Ransomware attacks have become even more sophisticated, effective and expensive to remediate. In such circumstances, what is the best solution against ransomware? Is paying a ransom the solution? Get answers to these questions and more in this blog. You’ll also learn how to effectively respond to and recover from ransomware attacks.

What is ransomware data recovery?

Ransomware data recovery or ransomware recovery is the process of restoring critical systems and resuming business functions to an operational state after an attack. Ransomware is a form of malware that locks up victims’ data. Ransomware attackers block access to files, folders and devices using strong, unbreakable encryption. They then demand payment for a key to unlock the encrypted files. Recovering from an attack requires several techniques and procedures to bring mission-critical systems back online. A comprehensive data backup and disaster recovery (DR) strategy is vital to recovering successfully from a ransomware attack.

A computer locked with ransomware.

Must-know ransomware statistics

With several noteworthy attack stories making the news headlines this year, ransomware continues to dominate the threat landscape. About 11% of breaches studied by IBM in their Cost of a Data Breach 2022 report were ransomware, indicating a 41% increase in ransomware-related breaches year-over-year.

Ransom demands have increased 144% over the last two years. This may be in part due to increased confidence among cybercriminals. Threat actors are encouraged by a run of success and continue to evolve their tactics, techniques and procedures.

Cybersecurity firm Palo Alto Networks noted an increased activity among ransomware gangs this year. Their 2022 Unit 42 Ransomware Threat Report found the rise of 35 new ransomware groups that use the double extortion model. These groups publicly posted the names and proof of compromise of 2,566 victims (an 85% increase) on dark web leak sites to pressurize their targets further. The report also discovered that threat actors exploited 42 vulnerabilities across technologies to launch attacks.

The ransomware threat is a major cause for concern for businesses across the globe. In 2021, ransomware leak sites posted a minimum of one victim from 90 countries. The top three regions with the most ransomware victims were:

  • Americas (60%)
  • EMEA (31%)
  • APAC (9%)

How long does it take to recover from ransomware?

Recovering from a ransomware attack is time-consuming and tedious. It involves several steps, from incident reporting to forensic analysis, dealing with public relations and media, looking for the decryption key, eradicating the ransomware, removing vulnerabilities, restoring impacted systems, and so on. Therefore, the timeframe to recover from ransomware attacks may greatly vary depending upon your organization’s preparedness and capacity to deal with such situations. In 2021, the average period of downtime after a ransomware attack was 20 days, where businesses experienced some interruption or productivity was below 100%.

How much does it cost to recover from ransomware?

As per the Cost of a Data Breach Report 2022 by IBM, the average cost of a ransomware attack is $4.54 million, surpassing the average total cost of a data breach, which is $4.35 million. It’s important to note that this cost does not include the ransom.

The consequences of a ransomware attack go beyond just financial loss. It causes business downtime and potential reputational damage, leading to loss of business and competitive advantage. To get the right insights on the actual cost of ransomware recovery, you must also consider working hours lost due to the attack, lost business and productivity, cost of fixing your company’s reputation and non-compliance costs, to name a few.

What should be the response to ransomware?

Ransomware attacks can make even the most experienced cybersecurity professionals cringe, given how destructive they can be. However, knowing how to respond to a ransomware attack can help mitigate the risks of the attack and its consequences. The first thing you must do when a ransomware attack occurs is to find and isolate the infected system from the network as quickly as possible. This will help prevent further infection; however, do not immediately wipe out systems as that may destroy forensic evidence. Identify the source of the attack to understand how threat actors entered the system and fill security gaps to prevent future occurrences. Report the incident to law enforcement agencies and seek help and guidance. Once the situation is contained, check if you can access the data and systems. We’ll go through ransomware incident response planning in detail below.

Should you pay ransom to hackers?

It’s easy to panic when devastating cybersecurity incidents like ransomware attacks happen. For businesses without a backup and disaster recovery solution or an incident response (IR) plan, paying the ransom might seem like a wiser decision. Unfortunately, there is no guarantee that paying the ransom will help get your files back or restore access to systems.

As per The State of Ransomware 2021 by Sophos, among the ransom victims who paid the ransom, 96% got their data back. However, only 65% of the encrypted data was restored even after paying the ransom. Encrypted files are often damaged or unrecoverable due to decryption keys crashing or failing.

Cybercriminals have found new ways to intensify the impact further and make more money through double and multiple extortion techniques. In a typical ransomware attack, hackers encrypt a victim’s data and demand ransom in exchange for the decryption key. In double extortion ransomware attacks, threat actors steal large volumes of sensitive data in addition to encrypting it, allowing them to extract more money from the victims. They will either destroy the exfiltrated data, publicly disclose sensitive information or sell it to the highest bidder on the dark web if the victims fail to pay the requested ransom.

What is the best solution for ransomware?

Cybercriminals and their tactics are constantly evolving, making them even more sophisticated and dangerous. That’s why cybersecurity experts, including the FBI, advise organizations to have a layered defense with protected backups for faster recovery from ransomware.

One of the most effective ways to recover from a ransomware attack is by having a backup of your data stored off-site and offline that you can quickly restore to resume operations.

Preparation is key when dealing with ransomware attacks. Your company should make sure that necessary tools and strategies are in place — like a data backup and disaster recovery solution and an incident response plan — to tackle ransomware attacks effectively.

Recover from ransomware with a tailor-made incident response plan

With ransomware attacks wreaking havoc on businesses of all sizes, an incident response plan has become critical to responding to these threats quickly and efficiently. An incident response plan provides the guidance and methodology used to detect, contain and recover from incidents such as ransomware attacks. Your IR plan should aim to minimize direct and indirect costs in the event of a ransomware attack, including downtime, recovery costs and brand reputation.

A well-defined IR plan will help to take appropriate actions following a ransomware attack. You must consider the following steps in your IR plan.

  1. Detection and analysis: Before proceeding with your IR plan, you must first validate if the incident was a ransomware attack. Ransomware attacks are well-known for locking victims’ data or encrypting files. Perform a thorough threat analysis to check if your files are encrypted.
  2. Call your IR team into action: Once you have analyzed the threat, communicate the issue to your IR team — management, technical lead, legal support and public relations so they can take suitable actions as defined in the IR plan.
  3. Examine the scope of the incident: Identify where the damage started and where it has spread. Knowing where the infection originated is vital to understand how cybercriminals entered the system, what they did by accessing the network and the extent of the damage. Examine which files and systems are affected.
  4. Containment: In this step, your IR team will decide how to minimize the damage from the incident and keep the business running. Every company has unique needs and capabilities; therefore, this step may vary depending on the systems and data affected. When a ransomware attack or a data breach occurs, the first thing (even before involving the IR team) you must do is to disconnect the infected system from the network immediately. It is important to identify and isolate the infected system as quickly as possible to contain the incident and prevent further infection or damage to other systems in the network. It is also essential to preserve the infected system for forensic investigation.
  5. Report the incident and engage law enforcement: If hit by a ransomware attack, you must immediately notify concerned authorities and law enforcement agencies, depending on who and when to inform as per your company guidelines. Compliance regulations such as PCI-DSS, HIPAA and GDPR require that companies immediately inform the regulatory agencies in case of a breach. You can contact the Secret Service, Cybersecurity & Infrastructure Security Agency (CISA), Internet Crime Complaint Center (IC3) or your local FBI office for guidance.
  6. Eradication and recovery: In this step, your IR team must decide the most practical and effective way to eliminate the problem. For example, removing the ransomware or getting the decryption key, or restoring data and systems from backups. Once affected systems have been restored, reset passwords immediately, including account and network passwords.
  7. Check your access to data and systems: Once backups are restored and things start returning to normal, check if you can access the data and systems to ensure the recovery is successful. If you notice any suspicious behavior, such as slower response time or unusual file sizes, the infection may still exist in the database or system. Run an anti-malware program and replace the storage (if needed) to completely wipe out any trace of the infection.
  8. Strengthen IR plan with lessons learned: This step is critical to enhancing your ransomware incident response efforts further. You must analyze what went as intended and what went wrong. Finding weaknesses in your IR plan and addressing them as quickly as possible will help to create a more robust method for the future. Spend some time understanding how threat actors managed to launch the attack in the first place and what steps can be taken to prevent such incidents in the future.

Ransomware recovery with Spanning Backup

Ransomware is a growing menace that’s hard to avoid. The most reliable form of protection your organization can leverage to safeguard your precious data is backup.

Spanning Backup for Google Workspace, Microsoft 365 and Salesforce protects your organization from ransomware attacks by automatically backing up your SaaS data daily. With enterprise-grade, robust backup and recovery capabilities, it protects your data from costly and catastrophic data loss. Its powerful yet easy-to-use capabilities empower IT administrators and end users to get data back exactly the way it was in just a few clicks.

Download our eBook, Preventing a Ransomware Disaster, to delve deeper into ransomware and learn how to successfully recover from such attacks.

Download the eBook