The ransomware recovery process takes longer than you think
Ransomware recovery time frames vary wildly. In the very best circumstances, where the infection is contained, disaster recovery plans have been religiously tested and the decryptor runs without a hiccup, some companies can get their systems up and running within a couple of days.
But that’s rare. On average, organizations that have been impacted by ransomware face 21 days of downtime [1]. In some instances, the recovery process can drag on for months.
Companies routinely underestimate the time involved in resolving a ransomware incident. While it’s easy to fall into the trap of thinking that recovery simply involves restoring systems from backups or, less desirably, paying the attacker for decryption, the truth is that there are many variables that can prolong the recovery process.
In this blog post, we discuss why it almost always takes longer than expected for businesses to recover from a ransomware attack.
1. Lack of documentation
Lack of documentation is often a major cause of time loss during recovery. Many organizations work with antiquated systems or services for which the documentation is outdated, inaccurate or simply non-existent.
Without effective documentation, IT personnel are forced to improvise response procedures during what is sure to be a confusing and uncertain time, which will almost certainly result in errors and inefficiencies. Infections may be improperly contained, data may be compromised unnecessarily and compliance requirements may be overlooked. Depending on the maturity of the company’s IT team, this may be the first time personnel have been exposed to a large-scale cybersecurity incident.
2. Inadequate testing
Developing a clearly defined incident response plan is an essential part of any ransomware recovery plan. But it’s not enough to simply have a documented plan. Recovery strategies also need to be tested regularly to ensure that staff understand current security procedures and know exactly what to do and who to report to in the event of an incident.
For example, simulating a ransomware event via tabletop exercises can be a valuable way to gauge a company’s ransomware readiness and reveal holes in the recovery plan that can be strengthened accordingly. More than half (57 percent) of companies have not tested their disaster recovery plan within the past two months, according to a Veritas report.
3. Forensic investigation process
Before systems can be restored, the impacted company must undertake a comprehensive investigation in order to understand the extent of the attack and how the system was compromised.
Because the attack chain may have started weeks or even months ago, conducting a thorough analysis can be extremely time-consuming and may require the assistance of external digital forensic specialists, which can further draw out the recovery process.
4. Poor decryptor performance
Recovery can also be hindered by poor decryptor performance. Companies should be mindful that attacker-provided decryptors often do not work as advertised and, consequently, the total recovery time may be substantially longer than expected. In some instances, the decryptor may contain bugs that irrecoverably corrupt data during the decryption process.
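A practical check for this, as an added example that is not from the original post: stage copies of a few encrypted files, run the decryptor on the copies only, and validate the outputs by known file signatures and an entropy heuristic before committing to a bulk run. The `decrypt_fn` callable, the `.locked` suffix used in the usage note and the signature table are assumptions, not details from the post.

```python
import math
import shutil
from collections import Counter
from pathlib import Path

# Magic bytes for a few common formats (assumption: extend for the file types in your estate).
SIGNATURES = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
COMPRESSED = {b"PK\x03\x04"}  # already-compressed containers have legitimately high entropy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near 8.0, most plaintext well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_decrypted(path: Path, max_entropy: float = 7.5) -> bool:
    """Heuristic validation of one decryptor output: the expected signature
    where we know one, and content that no longer looks like ciphertext."""
    data = path.read_bytes()
    sig = SIGNATURES.get(path.suffix.lower())
    if sig is not None and not data.startswith(sig):
        return False  # wrong or missing header: likely corrupted by the decryptor
    if sig not in COMPRESSED and shannon_entropy(data[:4096]) > max_entropy:
        return False  # still random-looking: decryption did not actually happen
    return True


def trial_decrypt(encrypted_files, decrypt_fn, workdir: Path) -> dict:
    """Run decrypt_fn (assumed to return the path of the decrypted copy) against
    COPIES of a sample of encrypted files and report which outputs validate.
    The originals are never modified, so a buggy decryptor cannot destroy
    the only remaining copy of the data."""
    workdir.mkdir(parents=True, exist_ok=True)
    results = {}
    for src in map(Path, encrypted_files):
        staged = workdir / src.name
        shutil.copy2(src, staged)
        out = decrypt_fn(staged)
        results[src.name] = looks_decrypted(Path(out))
    return results
```

Run `trial_decrypt` on a small, representative sample (one file per important format) and only proceed to the full data set once every sample validates; any `False` result is a reason to stop and escalate before more data is touched.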
5. Communication
While recovery is largely a technical undertaking, it also requires a lot of communication with internal staff as well as external service providers that may be brought on to assist with the incident:
- Legal: Companies will likely need to consult their legal team for advice regarding reporting obligations, mitigating litigation and the legality of paying the ransom.
- Insurance: There will be an ongoing dialogue with the company’s insurance provider throughout the recovery period. Coverage, expected downtime, recovery costs, deductibles and more will be discussed at length.
- Customers: The impacted company may wish to disclose the incident to customers. Effective communication is essential for both transparency and minimizing reputational damage. A crisis communications specialist should be used if the company’s internal communications team is not experienced with serious cybersecurity events.
- Attackers: Depending on their circumstances, some companies may choose to communicate with attackers in order to obtain a decryptor and/or negotiate the ransom amount. There are organizations that can conduct negotiations on behalf of the victim.
6. Rebuilding and strengthening the system
Technically speaking, recovery is complete once the impacted systems have been restored and the organization is back up and operational.
However, “operational” isn’t the same as “secure”. To prevent similar events from occurring again in the future, companies will need to invest significant time in strengthening their security processes, resolving vulnerabilities and improving response procedures, based on the findings of the forensic analysis.
Investing in a proven antivirus solution like Emsisoft Business Security can help organizations reliably detect and stop ransomware threats before encryption can take place.
[1] Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands