When a ransomware attack hits a business, the recovery doesn't stop at the decision of whether to pay the ransom.
For businesses, the first step post-hack is to contain the attack. "Evaluate systems that have been affected … [by] the attack and then look to contain and limit that attack," said Asher de Metz, senior manager of security consulting at Sungard AS. "Then once it's contained, they're also going to want to communicate with stakeholders."
Consider the recent Kaseya attack: After triaging and releasing a patch for on-premises customers, the company still had to mitigate the SaaS damage with a separate patch. Weeks after the attack, it is still unclear whether any backdoors remain, leaving systems prone to further attack.
With some hindsight, researchers are uncovering where Kaseya went wrong and what the company could have done differently to prevent the attack, which affected 1,500 downstream customers. But for businesses watching the drama unfold as another company scrambles with a post-hack response, the lesson is to prepare for the worst.
"The most critical factor is completely eradicating the threat from the environment," Tim Grelling, director of innovation, security at Core BTS, said in an email to Cybersecurity Dive. "Attempts to 'uninstall' or clean ransomware from systems are rarely successful."
Because of the sprawling damage, recovering from a ransomware attack can be pricey. The average total cost of recovery from a ransomware attack was $1.85 million in 2021, according to a Sophos report.
Post-attack recovery actually begins before a cyber incident ever occurs. Drafting an incident response plan, practicing response tactics and making sure the systems are in place for a full recovery should happen before the attack as a part of the recovery process.
"Businesses that use the lessons learned from the incident and use them to not just restore services but improve their security policies, processes, tools and architecture will come out of the incident with something positive if they maintain the improved security posture," Grelling said.
When an attack first happens, the security team will lead a business's incident response to contain the issue and stop the bleeding, according to Mark Nunnikhoven, distinguished cloud strategist at Lacework. Most of the time, decryption will get the data back, but there is still the possibility of corruption, and the question of whether backups are available in the meantime to restore systems.
Then, the unknowns set in. "Are we still vulnerable? Did we remove all of the malware and things that the attacker did from our network? It's a really long and drawn out process," Nunnikhoven said.
The challenge for businesses is managing the scale and scope of the attack. When attackers have access to the network, they take advantage of it to understand where the more important data is, according to Nunnikhoven. The business has to determine how the attacker got in and also trace for any additional damage or unwarranted access.
'Plan, plan, plan'
For a strong post-hack comeback, planning is required.
Two-thirds of companies estimate it would take five or more days to fully recover from a ransomware attack if they chose not to pay the ransom, according to the 2020 Ransomware Resiliency Report, which surveyed 2,690 IT professionals. A similar number, 64%, say their security measures have not fully kept up with their IT complexity.
"The first step is, have a plan ahead of time. I know that sounds simple, but so many people don't do it," Nunnikhoven said. "You need to understand how you're going to work if you don't have access to your systems."
In combination with a plan, good cyber hygiene across the business can help prevent incidents and speed the response to cyberthreats. For example, businesses with good hygiene can roll out patches more quickly without a massive effort, Nunnikhoven said.
Because of the string of recent high-profile attacks up the supply chain, incident response plans and preparation now include vendors in the process.
"Supply chain attacks have increased the focus on third-party risk management," Grelling said. "Businesses need to not only manage security and risk in their own environment, but identify those critical vendors and assess security and risk related to those vendors."
If an organization has a strong incident response plan in place — and has spent time practicing it — they'll likely be more successful in the recovery. The business can begin to respond instead of using precious time to plan.
"Plan, plan, plan," de Metz said. It's worth it to a business to spend the money now on the preventative measures because ransomware can be incredibly destructive.