IT Leaders: 9 Things To Expect When Recovering From Ransomware

One of the things that can get lost in discussions about ransomware is the work it takes to recover from an attack. Depending on which devices have been affected and how many of them, the task of cleaning up and getting things back to normal can take many, many work hours. And dollars.

Here’s what the research says you can expect and how you can better prepare:

According to The 2018 Threat Impact and Endpoint Protection Report from KnowBe4, a leading security awareness training company, the impact of ransomware continues to be significant, despite companies being better prepared for it. KnowBe4 surveyed 500 organizations about ransomware, ransomware readiness, attack recovery processes, and the impacts that attacks have on their employees. Most respondents (74%) were from the U.S. and they were from organizations of all sizes. At Leapfrog, our experiences with ransomware largely parallel the report’s findings.

As an IT leader, the most important thing you can do to limit the damage from a ransomware event is to be ready to deal with it.

1. Expect your organization to look to you for recovery

As an IT leader at your organization, your team will be looking to you to handle the situation as quickly and effectively as possible. So, you need to be ready to go.

Ransomware attacks can come at your company from either a wide-net approach — such as a random phishing attack — or a targeted approach, or both. Every organization is susceptible to the wide-net approach, but if your company is growing (or is in the news a lot or has leaders who travel for business), it’s more susceptible. Cybercriminals target their likely victims in the same way salespeople target their likely prospects.


Your organization is also more susceptible if it’s midmarket, or around 500-1,000 employees. According to the report, midmarket organizations were hit the hardest last year — 29% dealt with ransomware. The next hardest hit group was enterprises (over 5,000 employees) with 23% experiencing a ransomware attack. Overall, the percentage of organizations hit by ransomware has dropped from the previous year, as IT departments have gotten better at strengthening their security stance.

Regardless of the size company you work for, if you are in an IT leadership position you will be the one responsible for dealing with an attack. If you work for a growing midmarket organization, you’re more likely to be a target.

2. Expect Microsoft Office files to be encrypted

A whopping 97% of all ransomware attacks encrypt Office files. Why? Because your organization needs them to do their work. Those files are critical to your operations and they want you to pay up! Encrypting your log files won’t get the same blackmail response.

While it’s tempting to think that your Excel and Word files are secure because they’re encrypted in Office 365 or DropBox, they are not. A lot of ransomware attacks are successful because criminals were able to gain access to systems by using legitimate credentials acquired through phishing. Once inside the system, they have the same access to files as the employee whose credentials they’re using.

After Office files, these are the types of files most commonly encrypted by ransomware: databases (32%), personally identifiable data (29%), proprietary ops-related data (26%), intellectual property (21%), compliance-protected data (13%), and operating system (5%). Sure, the criminals know you have backups of these files but they’re banking that it will cost more in time and effort to restore from backup than to pay the ransom.

3. Expect your usual IT duties to take a backseat during recovery

Each person on your team can only be doing one thing at a time and it’s often all hands on deck for ransomware recovery, at least in the early stages. So, expect a significant upset to your usual routine.

Finding and isolating all of the ransomware-related issues can be an intense experience that affects your entire system and company – so your projects are likely to be sidelined. This may cause you (and others) to miss deadlines, cancel meetings, postpone rollouts, and hold up productivity or progress for other staff.

Unless you have a team in place that’s ready to absorb the ransomware recovery tasks into their daily operating procedures, you should be ready to put everything else aside and quickly allocate IT staff and resources with the skill of an ER triage doc.

4. Expect to pay for ransomware remediation

Whether your organization is already investing in ransomware readiness or plans to pay for recovery as it’s needed, expect to get an invoice. The size of the invoice depends on when you get it and what it’s for.

There is certainly an up-front cost to having, managing, and verifying backups. Endpoint backup, for example, is the best way to go but can cost $10-$100 a month for each device. Your organization may consider this cost too high, but the cost of remediation without these tools can be a lot higher. And the costs can be higher still if you invest in the tools but don’t manage them properly or ensure your employees are abiding by your policies. If your tools aren’t working properly then you pay twice — once for the tool and once for emergency remediation activities after an event.

At Leapfrog, we have seen a single cybersecurity event wreck profitability for an entire year. We’ve also seen IT leadership lose their jobs over a single event. And while bringing in outside experts after an event can help you recover faster, it’s usually not your best value. Most cybersecurity remediation experts bill hourly. Even when you can manage to allocate enough resources to handle the remediation internally, your employees might end up cutting corners to speed the process along, and this can lead to re-infection. Being ready is more cost-effective than the alternatives.

5. Expect to spend hours, days, weeks, or even months on remediation tasks

The total amount of time you’ll need to eradicate ransomware from your system depends on a lot of variables — what’s been encrypted, the number of devices impacted, and the remediation methods you choose. After identifying the servers, computers and other devices that have been affected (which in itself can take hours to days), each impacted device will need to be rebuilt and the data will need to be recovered.

If your organization experiences what KnowBe4 has identified as a typical ransomware attack — 16 workstations and five servers — you can expect to spend 48 hours on remediation tasks.

Plenty of attacks are worse than average, of course. It took the City of Atlanta over a week to recover from an attack.

And keep in mind it’s not just ransomware attacks that disrupt organizations (and even cities). Other cyber attacks can be just as disruptive, require the same amount of resources, and take longer to recover from. While ransomware is like a sudden car accident, malware can be like a long-term infection.

6. Expect to conduct a cost-benefit analysis on the fly as you decide next steps

We’ve talked a lot about remediation but what about just paying the ransom and being done with it? How do you decide your best move?

Leapfrog recommends that you do not pay. Some organizations pay but never get the key. Even if you pay the ransom and get the decryption key, it doesn’t mean that decrypting will take less time than restoring from backup. And when you pay the ransom, you don’t know if the initial attack was just the first prong — there could be other attacks from the same criminals to come. What if they left behind more malware? Only pay if you have no choice.

If you’re considering paying the ransom, calculate the cost of remediating the devices, including the work hours and lost productivity, against the ransom amount and risks of paying it. The current research shows that ransom amounts vary so widely that the average isn’t a helpful number, but the average range is helpful — expect a ransom of $600 to $33,000.


7. Expect your employees and their productivity to be affected

The average ransomware attack on an organization impacts 22 users with an average downtime of 14 work hours. The organizations that have the greatest amount of employee downtime during a ransomware event mirror the organizations that are most likely to be attacked — midmarket organizations and enterprises.

The report indicates that the size of the organization is unrelated to whether it has current backups, and that companies back up data on servers more consistently than data on endpoints. For servers, 61% of data is recoverable on average, but only 35% of data on workstations is recoverable. That means 65% of workstations on average lose data during a ransomware attack, which means the typical ransomware attack causes a lot of employee productivity loss!

8. Expect insurance coverage to help but not be a panacea

Every organization should have a cyber liability policy. Many policies cover cyber extortion and therefore cover some of the expenses related to a ransomware event. But few cover the time it takes for your internal team to complete the recovery tasks. It’s important to be aware of your policy’s specific ransomware coverage in advance — better yet, be involved in crafting the policy. Knowing what’s covered will help you make speedy cost-benefit analysis decisions. Also, make sure you understand if your organization’s business interruption insurance policy might kick in during a ransomware event.

9. Expect consistency to save the day

Since you never know what day will be “ransomware day,” you need to be prepared for it every day. This means having the right tools on the right machines, including all endpoints, and having your team consistently follow your backup policies and verify that the backups are working. If you do this, everything will work in concert if there’s a ransomware event, and you can expect the fastest possible recovery.
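The verification step above is the one that most often slips when a team gets busy, so it is worth automating. The following is an added example, not code from Leapfrog, KnowBe4, or the report; it assumes a hypothetical CSV export from a backup console (the columns, the `yes`/`no` agent flag, and the host names are all constructed), and the freshness and restore-test thresholds in `POLICY` are illustrative values, not a recommendation from the post. It flags every server and workstation that has no backup agent, whose last successful backup is older than policy allows, or whose backups have never been restore-tested, and reports per-role coverage so the gap between server and endpoint protection is visible before ransomware day.

```python
"""Daily backup-verification check (added example; thresholds and data are constructed)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical per-role policy: how old the last good backup may be, and how
# often a restore from that backup must actually be tested.
POLICY = {
    "server": {"max_backup_age": timedelta(hours=24), "max_restore_test_age": timedelta(days=30)},
    "workstation": {"max_backup_age": timedelta(days=3), "max_restore_test_age": timedelta(days=90)},
}

# Constructed sample export; empty fields mean "never".
SAMPLE_INVENTORY = """
host,role,agent_installed,last_success,last_restore_test
fs01,server,yes,2019-11-05T02:10:00Z,2019-10-20T00:00:00Z
db01,server,yes,2019-10-29T02:10:00Z,2019-06-01T00:00:00Z
ws-0101,workstation,yes,2019-11-03T18:00:00Z,
ws-0102,workstation,no,,
ws-0103,workstation,yes,,
"""

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2019, 11, 5, 9, 0, tzinfo=timezone.utc)


@dataclass
class BackupRecord:
    host: str
    role: str
    agent_installed: bool
    last_success: Optional[datetime]
    last_restore_test: Optional[datetime]


def _parse_ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp with a trailing Z; blank means never."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_inventory(text: str) -> List[BackupRecord]:
    """Turn the CSV export into records."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [
        BackupRecord(
            host=row["host"],
            role=row["role"],
            agent_installed=row["agent_installed"].strip().lower() == "yes",
            last_success=_parse_ts(row["last_success"]),
            last_restore_test=_parse_ts(row["last_restore_test"]),
        )
        for row in reader
    ]


def evaluate(rec: BackupRecord, now: datetime, policy=POLICY) -> List[str]:
    """Return the list of policy violations for one host (empty means healthy)."""
    rules = policy[rec.role]
    if not rec.agent_installed:
        # Without an agent nothing else can be true, so stop here.
        return ["no backup agent"]
    findings = []
    if rec.last_success is None:
        findings.append("never backed up")
    elif now - rec.last_success > rules["max_backup_age"]:
        findings.append(f"backup stale ({(now - rec.last_success).days}d)")
    if rec.last_restore_test is None:
        findings.append("restore never tested")
    elif now - rec.last_restore_test > rules["max_restore_test_age"]:
        findings.append("restore test overdue")
    return findings


def audit(records: List[BackupRecord], now: datetime, policy=POLICY) -> Dict[str, List[str]]:
    """Map each failing host to its findings; healthy hosts are omitted."""
    report = {}
    for rec in records:
        findings = evaluate(rec, now, policy)
        if findings:
            report[rec.host] = findings
    return report


def coverage(records: List[BackupRecord], now: datetime, policy=POLICY) -> Dict[str, float]:
    """Fraction of hosts per role that pass every check."""
    failing = audit(records, now, policy)
    result = {}
    for role in policy:
        hosts = [r for r in records if r.role == role]
        healthy = [r for r in hosts if r.host not in failing]
        result[role] = len(healthy) / len(hosts) if hosts else 1.0
    return result


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for host, findings in audit(inventory, NOW).items():
        print(f"{host}: {', '.join(findings)}")
    print("coverage:", coverage(inventory, NOW))
```

Run this from a scheduled job against your real console export and treat any non-empty `audit` result as a ticket for that day, not something to revisit next quarter; the `coverage` numbers are the ones to put in front of the rest of the leadership team when arguing for endpoint backup budget.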

But if anyone on your team gets busy and pushes backups to the back burner, expect to have to answer for the fallout.

Effective IT leaders require consistency when it comes to cybersecurity. They hire people who understand what’s at stake and give them the time they need to do their work properly. Of course, this isn’t always easy when running an IT shop on a limited budget or with limited resources. IT leadership can feel forced to choose between priorities, and consistency might not always make the cut. So it’s important to make the rest of your leadership team aware of the situation before a ransomware event occurs — they need to be prepared for recovery to take a long time. Or to come with a hefty remediation price tag.

IT leaders are in charge of ransomware recovery. From making key decisions to managing the work required to rebuild devices, recover files, and get back to normal, make sure your recovery is as successful as possible. Know what to expect and plan ahead.
