Ransomware is not only here to stay, it is thriving. So you need a plan for ransomware recovery.
That data protection push was a key takeaway from the virtual Actifio Data Driven conference last week.
Continually preying on businesses that don't have proper cybersecurity in place, in just the last few weeks ransomware attackers have hit school districts and indirectly caused the death of a hospital patient.
Prepare for ransomware as a DR event
The coronavirus pandemic led to a dramatic transition of the workforce from the office to a home setting.
"Businesses weren't ready for that. Corporations weren't ready for that," said Bryan Rice, CTO of cloud services provider Net3 Technology, during one of two ransomware recovery-focused sessions at the Actifio conference.
In many cases, users worked on whatever devices they had and businesses had no plan to tackle cybersecurity issues, Rice said in the session titled, "Be informed and prepared: Ransomware will be the most likely DR event in 2020."
As sophistication within the ransomware community has grown, a major goal for a business is to give itself as much of a chance for recovery as possible.
Bryan RiceCTO, Net3 Technology
Immutable data protection, which locks backups from potential deletion or modification, is an important piece of ransomware recovery. Rice said organizations should be careful about time lengths and set an expiration timeline.
Immutability can be local or cloud-based.
"You can always recover from it," Rice said. "The key is the data cannot be deleted."
Security-wise, Rice recommended having variation in credentials, limiting their potential exposure and using "pass phrases" over passwords.
Full disaster recovery testing is one element that many organizations are missing. Twice a year is a good cadence for standard DR testing, Rice said. He suggested getting complete runbooks on paper because if you're in a ransomware recovery situation, a digital copy doesn't help.
"It's going to be a constant battle," Rice said. "But having those layers of protection, having separation of duty, separation of credentials, all of those types of things protect you in the long term."
Prevent costly downtime
The estimated global damage from ransomware in 2020 is $20 billion, said Jarom Olson, director of solutions architecture at Actifio, citing statistics from cybersecurity firm PurpleSec. That's up from $8 billion in 2018.
"It is not a matter of if an attack is going to take place, but when. Everyone is at some point going to be susceptible to a ransomware attack," Olson said in his Actifio Data Driven session titled, "Reduce the stress caused by worrying about ransomware attacks."
The average downtime cost per ransomware incident has soared, from $46,800 in 2018 to $141,000 in 2019 to $283,000 in 2020, according to PurpleSec.
"Most ransomware attacks also infiltrate the backup system and deem them useless to restore from until the ransom is paid, causing significant downtime," Olson said.
Olson noted the FBI's recommendations for ransomware recovery:
- immediately take backup data and systems offline;
- contact law enforcement;
- collect and secure portions of the ransomed data;
- change online account and network passwords after removing the system from the network; and
- delete registry values and files to stop the program from loading.
These steps require around-the-clock work, Olson said.
"This is a significant burden on the operations team," he said.
However, similar to Net3 Technology's Rice, Olson stressed that having immutable, air-gapped backup data significantly eases the operational duties typical to ransomware recovery.