The frequency and sophistication of cyber attacks continue to increase, presenting significant threats to organizations of all sizes and industries. Ransomware attacks, specifically, are a particularly damaging attack form where a threat actor(s) encrypts a business’s data and demands a ransom for its return.
This form of cyber attack comes with a host of concerns, with financial and reputational damages among the most pressing. In an attempt to grapple with the continually evolving nature of ransomware attacks, businesses are adopting multifaceted strategies and processes to not only promptly recover systems and critical data, but also minimize damages.
In this three-part article series, we will cover the ransomware recovery process, post-recovery review for continuous improvement, and planning and testing for future recoveries. This is part one, about the nature and prevalence of ransomware attacks and how your organization can recover when these attacks occur.
Global ransomware attacks: An overview
A recent survey by Cutover found that 56% of respondents identify cyber threats — ransomware in particular — as the leading contributing factor to their disruptions. This is unsurprising, as most organizations have experienced an increase in technology service disruptions or outages over the past 12 months. In the US, the average duration of downtime after a ransomware incident is nearly three weeks, a figure that aligns closely with the UK, where companies typically face one to three weeks of downtime following such incidents. Additionally, 6 out of 10 (66%) organizations were targeted by malicious ransomware attacks in the past year. Of those attacks, 76% resulted in the encryption of data yielding a mean data recovery cost of $1.82M.
Ultimately, of those affected in the private sector, more than 80% of businesses lost revenue as a result of the attacks. Given their prevalence, businesses are becoming increasingly aware of the associated risks — as exemplified by approximately 75% of businesses saying a ransomware infection would be enough to significantly, if not totally, disrupt their operations.
Healthcare companies are particularly susceptible to attacks, which have doubled from 2016 to 2021 and continue to increase today. They are also becoming more expensive - in 2022, healthcare organizations spent an average of $10.1 million per attack — a 9.4% increase from the prior year.
Banking, perhaps unsurprisingly, is the most highly targeted sector. In 2023, the average cost of a data breach within the financial sector was $5.9M. This extends beyond the organizational level, with hundreds of thousands of individuals experiencing malicious login attempts to their banking information.
While the data recovery costs within the education sector are lower than the financial industry's, it’s still a significant amount at $3.65M. Higher education institutions, in particular, are a target as tight budgets have led to outdated, unprotected technologies that are easier to infiltrate and are likely to contain valuable personal identifiable information (PII).
These trends extend across industries, highlighting both the pervasive threat that ransomware poses to businesses of all industries and sizes, and the need to implement comprehensive recovery measures.
Pre-recovery processes: Detection, analysis, containment, and eradication
Prior to the recovery process itself, ransomware attacks need to be detected and analyzed, followed by their containment and eradication.
Detect and analyze
The response to a ransomware incident begins with the detection and analysis phase, which aims to identify the presence and scope of the ransomware. This stage generally involves Security Operations Center (SOC) teams employing advanced monitoring and analysis tools to scrutinize system logs and behaviors. Early and accurate detection is necessary, especially since ransomware can often remain undetected for some time. The effectiveness of this phase lays the groundwork for a successful response, as timely identification can significantly reduce the potential impact.
Contain and eradicate
Once the ransomware is detected, the next steps are to contain and eradicate it. Containment is foundational for limiting the ransomware's reach and minimizing data loss and other further damages. The Cyber Security Incident Response Team (CSIRT) and other relevant stakeholders employ various strategies for containment, which may include disconnecting affected systems from the network, closing off certain network segments, or even temporarily shutting down critical systems to prevent the spread of ransomware. This phase is focused on quickly isolating the impacted areas to ensure that the ransomware does not propagate further into the organizational infrastructure.
Eradication follows containment, focusing on eliminating the causes and effects of the incident to reduce the risk of recurrence. This step involves removing the ransomware and any associated components, whether malicious files or software. The dual objectives of this phase are to prevent the ransomware from inflicting further harm and to prepare the ground for a secure ransomware attack recovery process.
Recovering from a ransomware attack
A ransomware recovery works to restore and secure organizational IT data infrastructure while minimizing downtime and ensuring business continuity. Here are a handful of key recovery process components and the role of runbooks within them.
Bare metal recovery: This step involves rebuilding the system from the ground up. It typically starts with setting up a new server or cloud compute resources, installing the operating system and hypervisors, and configuring the necessary access controls and networking components. The purpose is to create a clean, uncompromised foundation to restore data and applications, especially in situations where the existing system is severely compromised or damaged. This process ensures that no remnants of the ransomware remain, providing a secure and stable platform for the restored data and applications.
Restoration from last-known-good backups: Central to a ransomware recovery is the restoration of data from secure backups. Techniques like using air-gapped, immutable data vaults are common practice, ensuring backups are resilient against tampering and encryption. Such data vaults are often accompanied by data integrity checks, making sure that the data being restored is clean and uncompromised. Following data restoration, systems generally undergo rigorous validation and testing in isolated recovery environments; this step ensures no remnants of the attack remain and verifies the operational integrity of the systems.
Runbooks guide IT personnel and other relevant stakeholders through the process of ransomware recovery, including rebuilding the infrastructure, restoring data from secure backups, detailing how to access those last known good backups, the necessary steps to transfer and integrate data back into the system, and the protocols for validating the integrity of the restored data, among other components. The runbooks may also include contingency plans in case issues are detected during the recovery, ensuring a systematic approach to troubleshooting and rectifying problems.
Automated runbooks help to facilitate coordination and collaboration across IT and security teams during a recovery. They delineate specific roles and responsibilities, ensuring that all recovery tasks are covered and that there is no duplication of effort. This is particularly important in complex IT environments where multiple teams are working simultaneously to restore different system components.
Cutover’s automated runbook software further supports visibility, communication, and execution with intuitive dashboards and seamless integrations with other tools across the technology stack, including IT service management, business continuity management, infrastructure as code, monitoring, and communications tools. Such integrations facilitate seamless collaboration and execution to ensure timely recovery.
Gain confidence with Cutover
To ensure your organization can recover from a ransomware attack seamlessly and confidently, trust Cutover’s automated runbook software.
For our clients, Cutover has facilitated a:
- 50% reduction in application recovery execution time
- 60% reduction in the required time for regulatory audit reporting
- 70% reduction in recovery preparation time — days, instead of weeks
Our platform also offers teams the opportunity to plan, rehearse, and execute ransomware recoveries using detailed, intuitive runbooks that codify your cyber recovery processes. Recovery processes are enhanced via the platform’s ability to connect all relevant stakeholders to ensure streamlined collaboration throughout rehearsals and live recoveries.
Cutover’s Collaborative Automation SaaS platform enables enterprises to simplify complexity, streamline work, and increase visibility. Cutover’s automated runbooks connect teams, technology, and systems to increase efficiency and reduce risk in cyber recovery. Cutover is trusted by world-leading institutions, including the three largest US banks and three of the world’s five largest investment banks.
This article is part one of our three-part series. You can view the second article, titled ‘What to do after a ransomware attack recovery: Post-event analysis and improvements,’ by clicking here.