Ransomware Recovery Plan for 2023
Ransomware continues to be a significant global threat for organizations in all sectors. In 2022, it accounted for 41% of breaches, with an average cost per breach of $4.5 million. While authorities have had some success cracking down on ransomware perpetrators, bad actors are expected to evolve their tactics and business models, generating new attack types and pursuing new targets such as the enterprise cloud.
Since the ransomware risk is less a question of “if” than “when”, growing numbers of organizations are seeking ransomware recovery strategies to mitigate potential damage and ensure business continuity. To do so, they need three things: a clear understanding of the critical data they need to protect most, good backup procedures, and a formal incident response plan.
Ransomware recovery step 1: Identify and protect critical data
What constitutes critical data varies by organization and industry based on operational, competitive, and commercial requirements, customer and supply chain relationships, privacy laws, industrial regulations, and other factors. Identifying that critical data brings focus to a ransomware recovery strategy, pinpointing where the strictest protections and controls need to be applied.
Today, those protections and controls usually involve a zero-trust approach that regards all connections to the corporate network as untrustworthy and assigning least-privilege access to users, devices and applications. With that as a foundation, other ways of safeguarding data can also be applied, such as multi-factor authentication to verify user identities, encryption of data at rest and in motion, and good data hygiene practices.
Data hygiene is often emphasized as an individual responsibility, something all employees can and should be aware of. But it can also be institutionalized at the corporate level, for instance by deploying technologies to scan outbound data such as email and block anything considered sensitive. At Trend Micro, all files—including email—are classified ‘internal only’ by default and must be reclassified if they are to be shared externally.
Ransomware recovery step 2: Implement good backup procedures
With data protection measures in place, the next consideration for a ransomware recovery strategy is data preservation, which can be achieved with regular, consistent, rigorous backups. A sufficiently robust backup approach will ensure that even if ransomware takes down a specific data source or repository, the information can be recovered and brought back online to keep operations running.
Many best-practice backup approaches are based on the classic ‘3-2-1 Rule’: always have three copies of every piece of critical data, two of them backed up on different media, and one of them stored offsite.
That formula still holds in principle for today’s distributed and decentralized IT environments. While virtualization has made backing up to different media less relevant, it is still vitally important to maintain multiple data copies: a production copy, a rapidly restorable failover copy (typically a snapshot), and a robust, longer-term backup copy.
Storing backups in multiple data centers provides the kind of site diversity called for by the 3-2-1 Rule, ensuring that if one physical location is damaged or compromised, data is still retrievable because the other sites are unaffected.
Ransomware recovery step 3: Make an incident response plan
The final piece of a ransomware recovery strategy is a formal incident response plan to ensure the continuity of processes and systems, and to gather insights that can be used against future attacks.
An incident response plan or playbook should cover all four stages of a breach: 1) preparation; 2) detection, identification, and analysis; 3) containment, eradication, and recovery; and 4) the post-recovery phase, when tools can be used to determine the root cause of the breach and identify weaknesses and gaps in existing security controls and processes.
Documenting the actions to take at each stage provides clarity and consistency when incidents occur. It can also help an organization obtain cybersecurity insurance or negotiate better premiums when it’s time to renew, because it shows insurers the organization is serious about addressing cyber risks.
Because fully recovering from a ransomware attack requires knowledge of all enterprise IT assets and what’s stored on them, endpoint detection and response (EDR) and extended detection and response (XDR) are important technologies to support incident response. Combined, they reveal the entire corporate attack surface and pinpoint what needs to be restored where.
Since the threat landscape is constantly evolving, it’s essential for incident response plans to stay up to date. Accessing a knowledge base such as MITRE ATT&CK—which continuously aggregates publicly sourced insights into cyber threats, vulnerabilities, attack types, and the like—is invaluable for keeping ransomware recovery plans current.
Not in it alone
Once an incident response plan is defined, most organizations will want to bring on a partner to enact it, both for the benefit of specialized expertise and to minimize burden on internal IT security teams. Different vendors have different capabilities, service-level commitments, availabilities, pricing structures, and solutions, so it’s important to thoroughly investigate potential partners and confirm that what they offer fits with the organization’s requirements and means.
The ideal option is usually a vendor that provides managed solutions with built-in incident response support and procedures for staying up-to-the-minute on threat intelligence and research.
The ability to bounce back
The ransomware threat isn’t going away anytime soon. Organizations can take steps to defend themselves by adopting zero-trust approaches and architectures and deploying EDR/XDR technologies. Many may also want to consider implementing a unified cyber security platform capable of real-time responsiveness and effort-saving automation—with reach into the cloud, where cybercriminals are likely to set their sights next.
At the same time, it’s important to accept that attacks will come and breaches are a very real possibility. Preparing a well thought-out ransomware recovery strategy and plan will position organizations to bounce back faster if a breach does occur—and solidify their cybersecurity safeguards going forward.
Next steps
For more Trend Micro thought leadership on ransomware recovery, check out these resources: