
The Best Way to Recover from Ransomware Attacks


James Blake, Global Cyber Resilience Strategist, Cohesity
The increasing frequency of ransomware attacks and their more severe consequences expose a troubling reality. Despite the significant resources dedicated to prevention, prevention alone falls short against current threats. Whether we like it or not, cyberattacks are here to stay, and they will keep evolving in frequency, intensity, and impact. That is the negative side. On a brighter note, there is a tested strategy for enhancing cyber resilience, and organizations are using it to reassess their approach and achieve better results.
James Blake, Global Cyber Resilience Strategist at Cohesity, Explains How to Handle Cyber Incidents or Unexpected Disruptions
James says, “Destructive cyberattacks, including ransomware and wiper attacks, are a certainty in terms of occurrence rather than possibility, posing a risk to operational continuity. Businesses can confront these challenges directly by enhancing their cyber resilience—defined as the capacity to swiftly react to and recover from cyber incidents or unexpected interruptions—through the implementation of contemporary data security, response, and recovery solutions.”
Paying ransoms has become commonplace, even though it often contradicts the ‘do not pay’ policies of the very organizations that pay. Among organizations that paid a ransom, 77 percent indicated that their company had a ‘do not pay’ policy. It is also important to remember that the ransom payment is only a small part of the total financial impact on an organization with weak cyber resilience. The downtime, disruption, lost business opportunities, damage to brand and reputation, rising cyber insurance premiums, legal expenses, and other consequences of a successful attack create a financial burden that far exceeds the ransom amount, and that burden does not disappear once the ransom is settled.
Building Resilience Against Sophisticated Cyber Threats
Attackers are simply operating a business. It may be an illicit business, but they still run it like one; they even have retirement plans in place. They use a structured business model known as ransomware as a service: the operator who maintains the technology takes a 20 percent share, while the affiliate who carries out the attack receives 80 percent of the profits. These affiliates are increasingly criminal organizations that would otherwise be involved in drug trafficking, human smuggling, and prostitution. Because the ransomware-as-a-service model removes the need for technical expertise, the barrier to entry is exceptionally low.
Consider a genuine scenario where you encrypt the system, engage penetration testers to do the job, and ensure your incident response team is eradicating persistence, eliminating accounts, and thoroughly cleaning everything up. This is how you can evaluate your insurance company’s providers, your in-house incident response, and your team. I suggest that every organization should undertake this approach. When I typically enter an organization to establish a security operations center, their average maturity tends to fall below two on a CMMI scale.
They are usually somewhere between ad hoc practices and having documented processes; they handle things differently each time and often stray from their stated procedures.
One major issue with cybersecurity incidents is that they cannot be compared to train schedules; they are more like buses. If you develop an overly prescriptive playbook, as soon as the adversary takes an unexpected action, your security operations team will likely freeze up, unsure how to respond. It is essential to provide them with a framework while also allowing adaptability. However, the challenge is that most organizations have not attained that level of maturity; they haven’t even begun measuring anything. They are not engaging in continuous improvement efforts.
Therefore, we consistently advise clients to conduct drills. Establish a basic response capability, test it, enhance it, and then repeat the process. This approach to drilling is significantly more effective because it involves your people, organizational culture, internal dynamics, and competency while also allowing you to assess and refine it progressively each time. That is where I have witnessed notable improvements in organizations' cybersecurity capabilities.
Many companies often embark on extensive waterfall projects led by a project manager. They declare that they will enhance their cybersecurity over a period of two years. However, they must adjust the critical path each time they uncover a major issue. But ultimately, two years later, they provide a cybersecurity solution that is outdated—the threats have already evolved. Therefore, maintaining a consistent approach is crucial, and I encourage our clients to adopt this mindset.
Will Paying the Ransom Resolve the Issue?
According to the US Office of Foreign Assets Control (OFAC), the message is abundantly clear: organizations should aim to build resilience against sophisticated cyber threats rather than resort to paying ransoms. OFAC explicitly states that being a ransomware victim will not be accepted as a justification for payment, and that it will pursue legal action in such cases. While no organization has yet faced prosecution for paying a ransom, some have faced fines for violating OFAC guidelines, amounting to a billion dollars—significantly higher than the ransom of 1.5 million. So it is essential to consider the broader implications of paying a ransom, because the consequences extend far beyond the financial aspect.
If you happen to have 1.5 million in cryptocurrency lying around, you might consider paying the ransom, but doing so carries significant risks since cryptocurrency exchanges are frequently targeted. Additionally, when you finally receive your decryption keys, it's important to understand that they aren't a single "Golden Key" that unlocks everything; instead, each key is linked to the Ethernet address of individual machines. Therefore, you must contact your 55,000 branches and convey a 256-bit key over the phone. This is a challenge, especially since those employees might be at a different location, such as a donut shop, and could potentially make mistakes when entering the key.
The logistics of surrendering to a ransom demand are incredibly complex, and many believe that paying the ransom will resolve the issue. Still, it leads to a whole new set of challenges. Furthermore, after obtaining the decryption keys, you won't have access to the MAC addresses of the systems, as your Configuration Management Database (CMDB) will have been encrypted, and the media might get wind of the situation.