Ransomware is projected to cost victims $265 billion by 2031 — more than ten times the damages reported in 2021. However, average ransom amounts are growing at a much slower pace. 

That can only mean that the frequency of successful ransomware attacks is growing. Cybercriminals are improving their techniques and targeting organizations more carefully than ever before. 

For many IT security leaders, protecting against ransomware is a top priority. Organizations that can successfully recover from ransomware attacks show increased resilience, better security incident outcomes, and a much stronger sense of trust between customers, partners, and employees. 

This article will describe exactly what IT security leaders need to do to recover from a modern ransomware attack. By the end, you’ll have a ready game plan for mitigating ransomware risk. 

Be prepared for complex multi-extortion attacks 

In the past, ransomware worked on a simple premise. Attackers would encrypt mission-critical files and data, and charge victims to get that data decrypted. 

Today’s ransomware attacks follow a more complex roadmap. Attackers are increasingly relying on additional extortion methods on top of the traditional encryption attack. 

For example, some ransomware groups threaten to publish sensitive data on the Dark Web. Others harass customers, launch distributed denial-of-service (DDoS) attacks on external websites, or use other methods to drive up the pressure on victims. Many launch simultaneous attacks against the users whose data they just stole, extorting them directly for money while also extorting the company they entrusted their data to. These kinds of double extortion attacks can generate enormous losses. 

Recovering from a ransomware attack in today’s environment means addressing each of these extortion attempts individually. It’s not enough to maintain control over sensitive data, you must also prevent attackers from exfiltrating that data and using it against you.Five steps for ransomware attack recovery 

If your organization is facing an active ransomware attack, it may suffer widespread operational downtime and communication issues. This is especially true in a multi-extortion attack that also leverages DDoS attack tactics. 

Threat actors will put maximum pressure on the organization and its stakeholders to capitulate. IT security leaders who take the following five steps will be well-equipped to resist. 

1. Prepare

The success of your ransomware recovery operations will largely depend on how well you prepared for the incident beforehand. Many elements of ransomware recovery rely on having robust security controls in place before attackers compromise your network. 

One of the most important ones to consider is whether the attack is covered by insurance. Cyberattack insurance can provide a vital safety net against the damage that a successful cyberattack can cause. Some of the things you can rely on your insurer for include: 

• Money to pay the ransom. Nobody recommends emboldening threat actors by paying them money, but there are cases when it is the only feasible course of action—like with attacks against critical healthcare services. 

• Incident response expertise. Insurance providers want to make sure their customers can leverage professional incident response actions when faced with a serious threat.  

• Ransomware negotiators. Your insurer may provide you with a professional negotiator who can reduce the ransom demand. Experienced negotiators can transform the organization’s position from one of weakness to one of strength. 

• Training materials. Cybercrime insurers want to know that their customers are following cybersecurity best practices. High quality training can help your organization reduce risk and avoid preventable attacks. 

Beyond insurance, the quality and accessibility of backup data is one of the most important elements of your overall ransomware response capabilities. Pay close attention to these two backup recovery metrics so you know what to expect:  

• Recovery time objective (RTO) is the amount of time that passes between the ransomware incident and the point you can resume operations. When an attack occurs, it will take you this long to recover from it. 

• Recovery point objective (RPO) is the amount of time between your last data backup and the ransomware incident itself. It describes how much data you’re likely to lose in the event of an attack. 

 Backups won’t protect you from data exfiltration or other extortion attempts, however. To do that, you’ll need additional prevention and detection technologies. 

2. Prevent

Prevention-based security technologies can help mitigate ransomware risks. Blocking attackers from gaining initial access to your network forces attackers to spend more time and effort breaching your defenses. The more resilient your network is, the more likely attackers are to get discouraged and seek easier victims. 

 Here are some things you can do to enhance your network’s prevention capabilities against ransomware attacks: 

• Invest in attack surface management. Digital risk vendors help IT leaders map out their organization’s attack surface and address vulnerabilities before hackers find them. This helps you keep systems and software updated, protecting them from known vulnerabilities. 

• Enhance network segmentation. Breaking your network down into small subnetworks can slow down lateral movement. Every network segment should have its own security controls, firewalls, and access policies. This limits how far ransomware can travel throughout your network. 

• Deploy phishing protection and email security. The vast majority of ransomware attacks start with phishing emails. Keeping these messages out of your users’ inboxes can be difficult, but it’s the best way to make sure they can’t click on them. 

• Training and Education. Employee training can have a significant impact on your organization’s exposure to ransomware risks. Most ransomware insurance providers offer training that helps instruct employees how to avoid ransomware infection.

3. Detect and Respond

This is where your security team can conduct incident response operations to identify and counter active ransomware attacks. Effective ransomware detection and response complements your organization's preparation and prevention capabilities and dramatically reduces its exposure to risk. 

The SOC Visibility Triad describes some of the technologies you can use to detect ransomware early on in the attack phase: 

• Security Information and Event Management (SIEM). Your SIEM provides in-depth visibility into device and application log data. If your SIEM is equipped with User Entity and Behavioral Analytics (UEBA), it can also trigger alerts when users or assets start behaving irregularly — like encrypting high-value sensitive files, for example. 

• Endpoint detection and response (EDR). Give administrators the ability to monitor and manage security for network endpoints. High-quality EDR solutions can automatically counter ransomware threats as they enter the network. 

• Network detection and response (NDR). Gain complete visibility into network traffic and prevent attackers from hiding on your network. Detect data exfiltration events that could indicate a multi-extortion ransomware attack. 

Consider adopting a standardized incident response framework that includes in-depth playbooks for addressing ransomware threats. This framework will help you organize a standard response that includes finding the ransomware trigger file, identifying the type of attack, and keeping IT assets safe from active ransomware encryptors. 

4. Assess

As your security team responds to the active ransomware threat, cybercriminals may respond by changing their techniques. Your team will have to continually adapt to these changes and be aware of new vulnerabilities and threats throughout the process. 

There will almost certainly be other high-severity challenges involved in a ransomware attack. Cybercriminals will try to maximize pressure by launching additional attacks, leveraging new vulnerabilities, and intimidating or threatening people. 

Regularly running attack and recovery drills  is vital to successful ransomware recovery. However, it can also be a difficult and time-consuming task that stretches internal resources thin. Consider entrusting ransomware recovery to a reputable third-party incident response provider who can lead your company through assessment and recovery. 

5. Recover

If you have secure, immutable backups that you can run business operations off of, the ransomware recovery process should be far easier. Once you have successfully addressed the primary ransomware threat, you can maintain strong security measures while dedicating resources to recovering lost data and productivity. 

If your organization benefits from comprehensive cyber risk insurance, your insurer may provide valuable resources for streamlining the recovery process. Your policy may cover the cost of repairing affected systems and returning them to operation.  

If your backups were compromised in the attack, the process will be much more difficult. You may need to reconstitute lost data and dedicate time and effort to rebuilding impacted databases.  

You may also have to protect your organization from additional extortion attempts during this time. Organizations with comprehensive cyberattack insurance will find navigating this delicate period much easier.  

Consider leveraging scalable, on-demand security resources through a managed detection and response partner like Lumifi. Our team of specialists can help you protect your data from ransomware attacks while building cyber resilience into every aspect of your security operations.