The worst has happened. A month ago, someone in your organization clicked on a link or replied to a request in a very clever spear phishing email, which allowed a cybercriminal enterprise to bury malware deep into your network. For weeks, that malware has been quietly worming its way through your network, moving laterally across the environment into every data source you have, including those in the cloud. And for weeks, it went undetected.
That all changed today. The cybercriminal syndicate sent the malware a signal, which caused it to rapidly encrypt all of your data. Systems stopped working, the environment began locking up. All you have now is a text file that contains a ransom note with a deadline of 48 hours and an address where you are to send a substantial amount of money in the form of cryptocurrency.
Thankfully, you have backups. They were securely stored in another domain, with access protected by multi-factor authentication. A quick search of the logs shows the cybercriminals attempted to access them, but failed because they didn’t have access to other factors. The backups are safe. So you breathe a sigh of relief.
The problem with recovery
Then the other shoe drops. IT tells you that they expect it will take two to three weeks just to get critical systems back online. To get the whole operation back to normal? That could take at least a month. Maybe longer.
How could this happen? Unfortunately, it’s all too common:
- IT didn’t test for a full recovery: Sure, they had a plan on paper, but it was written two years ago and hasn’t been updated. The network has changed significantly since then.
- Dependencies aren’t fully understood: Because the plan is out of date, IT needs to reconstruct the order in which applications and data need to be restored. If the order is wrong, applications won’t work properly, if at all.
- Backup rehydration and transfer are slow: While IT knew it could meet RTOs for discrete applications and data, they never simulated a complete recovery, and it turns out recovery will take far longer than expected.
- Backups can’t be guaranteed to be malware free: The organization’s oldest full backup was just three weeks ago, which was after the infection took place.
- Not all data was backed up: Turns out, when a couple of new VMs were added to the environment, they never got added to the backup queue.
Being down for two to three weeks would be catastrophic. There’s a massive loss of revenue, of course. And it would also dramatically harm customer relationships, perhaps even causing the company to lose a significant number of accounts. The damage to the business would be severe.
With the encryption key, you could probably decrypt all the data in less than a week. And a couple million dollars in ransom is less than the many, many millions that it will cost you to be down completely for up to three weeks, and only partially operational for over a month. So, paying ransom seems to be the most reasonable option, right?
The downside of paying ransom
Not necessarily. Before paying ransom, consider the following:
1. There’s no guarantee that the cybercriminals will provide the key: Certainly, they have incentive to do so — no one will pay ransom if they don’t believe they’ll get the key — but these are criminals. If they don’t give you the key, what are you going to do? Sue them?
2. You establish your organization as a good target: Pay ransom once, and you’ll earn yourself a reputation as a good target who can be compromised and will pay up. At least one study has shown that 80% of companies that pay ransom find themselves under attack again, sometimes by the very same criminal gang. After all, if they’ve penetrated your defenses once, they can probably do so again. They may even have additional ransomware that remains undetected in your network.
So, what are you to do? Well, once you’re in the situation above, there are no good answers. The best response is to ensure that you never face this kind of dilemma.
So, make sure that your organization is prepared for a full recovery. Regularly audit your environment to make sure you’re actually backing everything up. Create a full recovery plan and update it regularly. Ensure your team has a clear understanding of everyone’s role during a full recovery and the priority order for application and data restoration. And, most importantly, conduct regular tests including a full simulation so that, when it comes time to recover, this won’t be your team’s first time doing so.
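The three checks above that can be automated (is every asset actually in a backup job, is there a full backup older than the suspected infection, and in what order do applications have to come back) are shown here as an added example; the inventory, backup catalog, dependency map and dates are constructed for illustration and are not CyberFortress code or data.

```python
from datetime import date
from graphlib import CycleError, TopologicalSorter

# Constructed sample data, not from the post: what IT believes exists versus
# what the backup system actually holds. Two new VMs never joined a backup job.
INVENTORY = ["ad-dc01", "db-erp", "app-erp", "web-portal", "vm-new-01", "vm-new-02"]
FULL_BACKUPS = {  # asset -> dates of full (not incremental) backups on hand
    "ad-dc01": [date(2024, 3, 1), date(2024, 3, 22)],
    "db-erp": [date(2024, 3, 22)],
    "app-erp": [date(2024, 3, 1), date(2024, 3, 22)],
    "web-portal": [date(2024, 3, 22)],
}
# Restore dependencies: each asset lists what must be up before it is restored.
DEPENDENCIES = {
    "web-portal": ["app-erp"],
    "app-erp": ["db-erp", "ad-dc01"],
    "db-erp": ["ad-dc01"],
    "ad-dc01": [],
}
SUSPECTED_INFECTION = date(2024, 3, 10)  # assumed: a month before the encryption event


def unprotected_assets(inventory, backups):
    """Assets present in the inventory that have no full backup at all."""
    return sorted(a for a in inventory if not backups.get(a))


def clean_restore_points(backups, infection_date):
    """Latest full backup taken strictly before the suspected infection, or None."""
    return {
        asset: max((d for d in dates if d < infection_date), default=None)
        for asset, dates in backups.items()
    }


def restore_order(dependencies):
    """Dependency-first restore sequence; CycleError means the plan is inconsistent."""
    return list(TopologicalSorter(dependencies).static_order())


def recovery_audit(inventory, backups, dependencies, infection_date):
    """Summarise the gaps a full-recovery rehearsal would expose."""
    points = clean_restore_points(backups, infection_date)
    return {
        "unprotected": unprotected_assets(inventory, backups),
        "no_clean_backup": sorted(a for a, d in points.items() if d is None),
        "restore_order": restore_order(dependencies),
    }


if __name__ == "__main__":
    for key, value in recovery_audit(INVENTORY, FULL_BACKUPS, DEPENDENCIES, SUSPECTED_INFECTION).items():
        print(f"{key}: {value}")
```

Run against a real inventory export and backup catalog, the same three functions give a repeatable pre-incident audit rather than a discovery made on the day of the outage.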
Protect Your Organization From Ransomware
At CyberFortress, our experts have done dozens of full restores, whereas most IT professionals have done, at most, one over their entire careers. We’re dedicated to ensuring that you never have to worry about facing the terrible dilemma described above. If you are interested in taking the next steps against ransomware, contact CyberFortress today! We’d love to discuss how we can help you prepare so that a ransomware attack doesn’t become the worst day of your IT career.