IT has two major concerns today: One is to keep the business operational, and the other is to protect the business...
from anything that would keep it from being operational. Ransomware has positioned itself as the most serious threat to business operations, with the 2017 damage estimate being around $5 billion, according to Cybersecurity Ventures.
In 2016, 33% of organizations, on average, were hit with a successful ransomware attack, with the average attack infecting six workstations and two servers, according to a KnowBe4 report on ransomware. To make matters worse, SMBs were more susceptible to ransomware attacks (88% on average, according to that same report), likely due to the obvious differences between SMB IT shops and their enterprise counterparts: less staff, budget and time to devote to a ransomware recovery plan.
Now, you might think that because you have a pretty impressive layered defense strategy, you're in good shape, but of those organizations with layered defenses -- those having security software, user training and even phishing training and testing in place -- 22% of them still fell victim to a ransomware attack last year.
In reality, any SMB IT administrator should be thinking "It's going to happen" rather than "It could happen," as a statement of the position to take when planning how to deal with ransomware recovery.
So, what should SMBs do proactively to be ready to recover from ransomware?
The steps you'll be taking are similar to that of an enterprise organization, but this ransomware recovery plan will likely be a lot simpler and involve far less endpoints and data sets.
Step 1: Identify data sets and systems critical to operations
Who's involved: IT, executive team, power users and line-of-business owners (if applicable)
What's involved: You need to select those endpoints and data sets that the business can't run without and, if encrypted, would do irreparable harm to operations. Ask the question, "How long can we be without <insert system, data set, etc. here>?" repeatedly for all parts of the business to help hone the list.
How long should this take: If you do this from the top down (that is, from parts of the operation down to specific systems, data sets and workstations), it should be an hour-long exercise.
Step 2: Determine a ransomware recovery plan strategy to get operational
Who's involved: IT
What's involved: You're building a recovery plan that assumes one or more of those data sets and systems have been encrypted by ransomware and that either the ransom is too expensive or that the decryption fails. Taking the list of data and systems from Step 1, work backward to develop your recovery time and recovery point objectives that then, in turn, help you work backward to your backup definitions.
How long should this take: Assuming you're the person in charge of backups and/or the back team is relatively small, this is measured in minutes to plan and a few hours to execute.
Step 3: Determine the scope of a successful ransomware attack
Who's involved: IT, executive team
What's involved: Is it merely a single, noncritical endpoint, or was it a nasty strain of ransomware that infected your CEO's workloads, connected to your financial shared drive, sent emails to others in the office and infected several other endpoints as well?
How long should this take: There's no good answer here. Assuming you have endpoint protection in place, this step assumes it failed, so there's no help from alerting or reporting. You're going to need to go at this ransomware recovery plan stage manually in some cases.
Step 4: Do the cost analysis (aka "To pay or not to pay?")
Who's involved: IT, executive team
What's involved: Determine what needs to be recovered -- file data sets, entire systems, etc. Don't remove the ransomware; instead, reimage the machine. Then, do the math regarding payments. Most ransomware authors are cybercriminal organizations that treat this like a business, so the likelihood of getting a good decryption key is pretty high. But it may be Dr. Evil on the other end asking for $1 billion -- in which case, it's just cheaper to recover everything.
How long should this take: This is a pretty simple analysis, once you have all the details from Step 3. Figure an hour at most.
Step 5: Recover
Who's involved: IT
What's involved: Restoration of your operating environment (data and systems) fully back to pre-ransomware states.
How long should this take: That's a whole different post, as it all depends on what kind of backups you're doing (e.g., file vs. image, cloud vs. local backup, restoring to local vs. cloud, etc.). The answer here is all dependent upon how you did your backups.
Ransomware recovery plan on a budget?
It’s likely many of you either have no budget to dedicate to the proactive ransomware recovery effort or little staffing power to address it should an attack occur. If you’re thinking you can’t afford the time and cost associated with the steps above, you need to consider that most of the expense above is time, which is an intangible cost. In the event of a ransomware attack, the organization is going to feel the real costs of downtime. In essence, your organization can’t afford not to plan ahead.
Now, having said all that, some of you may have no IT staff. If that’s the case, it’s important to engage with an IT partner, preferably a managed service provider with experience around recovery, and get the partner to assist in building out even the most basic of plans. The effect of a ransomware attack is a bit of an unknown, so preparation is vitally important.
Ensure recovery from ransomware
Your best proactive stance is one where you make the assumption that ransomware is going to get past your endpoint, email and network-based defenses, causing you to put a recovery plan in place. The good news is that, with a recovery strategy lying in wait, ransomware becomes more of a nuisance than a real problem. It could be an issue that takes a few hours to remove from the network, instead of one that brings your operations to a screeching halt.
Follow the steps above, and you'll find yourself quickly dealing with a ransomware recovery plan that keeps the business running and IT looking like it's on top of this ever-evolving threat.