For the third year in a row, an independent research firm surveyed IT leaders and implementers whose organizations suffered at least one ransomware attack in 2023. This year’s report surveyed 1,200 respondents — comprised of CISOs (or executives with similar responsibility), security professionals, and backup administrators — to assess different perspectives in the united fight against ransomware. Of the many data points and lessons learned captured in this report, we will be highlighting two questions: where did those organizations recover to, and how did they ensure the data was clean during restoration, thereby reducing their risk of another attack by the same villain?
Myth Bust: You Can’t Wipe Everything
Assuming that your backups haven’t also been affected (which is only true for a minority of cyber victims), many assume that the first step in recovery is to simply wipe the original servers and start restoring data. Unfortunately, the responses from the Ransomware Trends Report revealed that not all organizations can count on this approach. The 2024 Ransomware Trends Report noted that when the organizations were asked “were any parts of the production infrastructure not allowed to be immediately wiped and recovered”, an average of 31% of infrastructure was prohibited from being wiped and immediately reused due to restrictions by insurance carriers, forensics, legal, law enforcement, etc.
That’s a third — which leads to the implication that you better have extra metal, or you better have extra cloudy metal with a plan on how to reconnect it. One way or the other, you should not plan on being able to wipe roughly a third of your stuff. The other way to interpret these numbers is by taking a closer look at the two extremities:
- For the optimists, 1 in 7 (14%) organizations did not have any prohibition. Only one in seven was able to reuse all the metal they had.
- For the pessimists, 1 in 5 (20%) reported that their infrastructure was not immediately reusable.
Where Should the Data Go?
Knowing that not all your servers will be available for restoration leads us into the next question: where are you going to recover to?
This is the same question that traditional IT DR planners have been asking for years as they plan for fire, flood, tornado, or hurricane — but the assumption was that alternative infrastructure wouldn’t be needed for ransomware if you can simply wipe and restore. But you can’t, so cyber strategies need to also be thinking of alternative IT DR servers.
The good news is that there are all kinds of options open to you. In fact, the Ransomware Trends Report called out a relatively balanced distribution, with different folks making different choices, and they’re all good ones. But at the end of the day, 86% of the organizations think they’re going to use physical infrastructure and 75% of organizations think they have an ability to recover to a cloud. That adds up to over 160%, which means that many organizations have the flexibility to choose where they’ll recover to, based on which parts of their IT services need to be reconstituted!
That’s the optimist view. As pessimists, if 86% are going to servers, that means 14% don’t have alternative servers in their plan. If 75% are going to a cloud, that means 25% of folks don’t have a cloud in their plan. One would presume that even more organizations will be adding cloud services to their cyber/DR plan. And with the right virtualization and orchestration mechanisms, those few that don’t have secondary infrastructure already may find some new ROI as they proactively use it for testing and training prior to utilizing it for recovery.
Regardless of where those workloads will recover to, the infrastructure of choice isn’t the only thing to consider. It is also important to factor in the compliance rules, regulations, and other variables that could come into play. Maybe you have workloads that cannot run outside of your own premises, which will take additional planning to recover. And then, once you have your place to recover to, you want to think about how you are going to ensure that the data is clean. In that regard, having some type of sandboxing option and working in line with your security team should be a number one priority.
What About Cleanliness?
The 2024 Ransomware Report found that only 37% are using a sandbox of some kind, which means 63% … could be doing better. Some form of quarantine “sandbox” is a crucial step in the security process to ensure that you aren’t re-infecting your production environment due to malware within your backup repositories. A well-orchestrated sandbox reduces the likelihood of recovering bad data into a new environment by staging the recovery data, automating scans, and, only if clean, moving the data back into production. To do otherwise is to simply reintroduce malware back into production, which you will (literally) pay for again through a second ransom.
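As an added illustration (not code from the report or this post), here is a minimal staged-restore pipeline in Python: backup data lands in an isolated staging directory, every file is scanned, and only files that pass are promoted to production while anything flagged stays in quarantine. The hash-blocklist scanner and the sample backup set are constructed stand-ins; in practice the scan step would call your AV/EDR tooling and the blocklist would come from your security team.

```python
"""Staged ("sandbox") restore: land backup data in isolation, scan it,
promote only what passes, hold the rest in quarantine."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed blocklist of SHA-256 digests standing in for a real IoC feed
# (assumption for this example, not a real indicator).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_clean(path: Path) -> bool:
    """Stand-in scanner: hash lookup. Swap in an AV/EDR call in practice."""
    return sha256_of(path) not in KNOWN_BAD_SHA256


def staged_restore(backup_dir: Path, staging: Path, quarantine: Path, production: Path) -> dict:
    """Step 1: copy backup into staging. Step 2: scan each file.
    Step 3: move clean files to production, flagged files to quarantine.
    Returns {"promoted": [...], "quarantined": [...]} as relative POSIX paths."""
    if staging.exists():
        shutil.rmtree(staging)
    shutil.copytree(backup_dir, staging)
    report = {"promoted": [], "quarantined": []}
    for src in sorted(p for p in staging.rglob("*") if p.is_file()):
        rel = src.relative_to(staging)
        clean = is_clean(src)
        dest = (production if clean else quarantine) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))
        report["promoted" if clean else "quarantined"].append(rel.as_posix())
    return report


def demo() -> dict:
    """Constructed backup set: one clean config file, one file matching the blocklist."""
    root = Path(tempfile.mkdtemp(prefix="staged-restore-"))
    backup = root / "backup" / "app"
    backup.mkdir(parents=True)
    (backup / "config.ini").write_bytes(b"[db]\nhost=localhost\n")
    (backup / "dropper.bin").write_bytes(b"constructed-malicious-sample")
    return staged_restore(root / "backup", root / "staging", root / "quarantine", root / "production")


if __name__ == "__main__":
    print(demo())
```

A stricter policy would hold the whole restore set if any file is flagged; this version quarantines per file so the clean portion can still be recovered.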
There is a wide range of laws and regulations for different business sectors and government entities regarding how organizations handle a cyberattack. Cyber insurance companies are constantly changing and implementing more policies around what should happen when a business is hit by ransomware, based on lessons learned in the field. However, with more regulations comes more red tape, so whether insurance ends up helping or hurting a business depends on which of those sectors your organization falls into.
Unfortunately, only about a third of people have a safe way to restore without reinfection. And for the other 63%? They could be on the cusp of creating a resume-generating event. On top of that, once bad actors know you’ve paid once, they check to see if you patched the holes and eradicated the malware that they hid. If not, then they’ll be back and you’ll likely have to pay again. Quite literally, if you don’t ensure cleanliness of your data during recovery, you are inviting the malicious actors to take your ransom money a second, third, fourth, or more times.
By deploying hardened repositories that assure you have data to recover from, preparing to use secondary infrastructure that may be elsewhere in your environment or in your favorite cloud, and then ensuring clean restores that won’t re-infect your new environment, you’ll be leaps and bounds ahead of the bad actors and far less likely to pay them a ransom. If your organization doesn’t have those capabilities today, then you need to make some changes. They won’t be free, but wouldn’t you rather subscribe to the good guys for pennies and nickels than pay the bad guys with thousands in bitcoin?