#HowTo: Be More Resilient Against Ransomware

When the Colonial Pipeline shut down for six days due to a ransomware attack in early May, it triggered gas price spikes and widespread panic-buying. Consumers queued up at service stations as leaders from airline executives to governors scrambled to address the looming fuel shortage.

Most of them were unaware of an ironic fact: Colonial had already paid the $4.4 million ransom within a day of discovering the attack. The attackers sent a decryption tool in return, but it didn’t reverse all the damage. It took almost a week for Colonial to restore the pipeline’s function by other means.

Colonial Pipeline wasn’t an outlier. Ransomware attacks are on the rise across all industry verticals. The world’s largest meat processing company, JBS, was also temporarily shut down by ransomware just weeks after the Colonial attack.

Colonial was fortunate enough to recover most of the ransom it paid, with US authorities’ help. But their example goes to show that if your company is targeted, paying off your attackers won’t always be enough to avoid disruption. Instead, prepare for a potential ransomware attack as you would for any other disaster that could disable parts of your tech infrastructure. With backups of your data and a restoration plan in place, you can rebound quickly from an attack without paying any ransom at all.

The Rise and Risk of Ransomware

The relative ease of carrying out an attack and securing a payout makes ransomware an attractive option for cyber-criminals. Ransomware source code and do-it-yourself kits can be purchased on the dark web for as little as $300. Despite ransomware’s ubiquity, most companies are caught off guard by attacks — and as a result, they often feel like they have no choice but to pay. US companies paid $350m in ransom in 2020 alone.

Unfortunately, every payment only encourages more ransomware attacks. And cyber-criminals are increasingly testing the limits of how much money they can demand. Insurance giant CNA recently revealed that they paid a $40m ransom in March 2021, nearly 10 times the ransom in the Colonial Pipeline attack. If companies continue to cave to ransomers’ demands, these numbers will only grow.

To avoid becoming part of this troubling trend, protect your company by incorporating ransomware into your disaster recovery plans. Most large enterprises have such plans in place, but they’re often focused on maintaining business continuity during natural disasters like earthquakes and hurricanes. Ransomware is a very different threat that requires different precautions.

Designing Your Disaster Recovery Plan with Ransomware in Mind

The first step in any disaster recovery plan is to back up your data regularly — and properly. Ransomware can easily infect any backups stored in the same location as your operating data. For maximum security, follow the 3-2-1 method: Maintain at least three copies of your data on two different types of media, storing one backup offsite. Take copies on different schedules (e.g., weekly and daily) so you’ll have a clean copy to go back to if your most recent copy is corrupted.

The rise of cloud storage has made backups significantly easier and less expensive. But to bolster your resiliency against ransomware, it’s important to store your backups separately from your everyday applications and data. If you use a cloud backup or disaster-recovery-as-a-service (DRaaS) solution, make sure they have security measures to prevent backups of infected files and make your most important files difficult for ransomware programs to identify. Also, ask all your software-as-a-service (SaaS) vendors about how they back up data that’s stored on their platforms, especially for vital services like email. Ransomware can easily spread to data stored in third-party solutions, too.
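The two paragraphs above describe two checks a recovery planner needs to make: does the backup inventory actually satisfy 3-2-1 (with the offsite copy kept out of reach of the production environment), and which copy is old enough to predate the infection? The following Python script is an added example, not code from the article or from any vendor it mentions. The backup inventory, the labels, the dates and the three-day "dwell" margin are all constructed for illustration; the `isolated` flag is an assumed attribute meaning the copy cannot be modified with production credentials.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool       # stored away from the production site
    isolated: bool      # assumed attribute: not writable with production credentials
    cadence: str        # "daily" or "weekly"
    taken_at: datetime  # when the copy was completed


# Constructed inventory for the example: one local daily copy, one cloud daily copy,
# and two weekly tape copies held offsite and offline.
INVENTORY: List[BackupCopy] = [
    BackupCopy("local-disk-daily", "disk", False, False, "daily", datetime(2024, 3, 9, 23, 0)),
    BackupCopy("cloud-daily", "object-storage", True, False, "daily", datetime(2024, 3, 9, 23, 30)),
    BackupCopy("weekly-tape-0303", "tape", True, True, "weekly", datetime(2024, 3, 3, 2, 0)),
    BackupCopy("weekly-tape-0225", "tape", True, True, "weekly", datetime(2024, 2, 25, 2, 0)),
]


def check_3_2_1(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Evaluate the inventory against the 3-2-1 rule plus two ransomware-specific
    conditions: the offsite copy is isolated, and copies are taken on more than
    one schedule so an older clean copy exists."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media_types": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "offsite_copy_isolated": any(c.offsite and c.isolated for c in copies),
        "multiple_cadences": len({c.cadence for c in copies}) >= 2,
    }


def clean_restore_point(copies: List[BackupCopy], compromise_detected: datetime,
                        dwell: timedelta = timedelta(days=0)) -> Optional[BackupCopy]:
    """Return the newest copy completed before the suspected compromise window.

    `dwell` is a safety margin subtracted from the detection time, because the
    intrusion usually began before it was noticed. Copies that are not isolated
    are skipped: ransomware that reached production may have reached them too."""
    cutoff = compromise_detected - dwell
    candidates = [c for c in copies if c.isolated and c.taken_at < cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.taken_at)


def recovery_report(copies: List[BackupCopy], compromise_detected: datetime,
                    dwell: timedelta) -> Dict[str, object]:
    """Combine both checks into one structure a runbook step could act on."""
    rules = check_3_2_1(copies)
    point = clean_restore_point(copies, compromise_detected, dwell)
    return {
        "rules": rules,
        "all_rules_met": all(rules.values()),
        "restore_from": point.label if point else None,
        "data_loss_window": (compromise_detected - point.taken_at) if point else None,
    }


if __name__ == "__main__":
    # Constructed scenario: encryption noticed on 10 March, assume a 3-day dwell.
    report = recovery_report(INVENTORY, datetime(2024, 3, 10, 8, 0), timedelta(days=3))
    for rule, ok in report["rules"].items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
    print("restore from:", report["restore_from"])
    print("data-loss window:", report["data_loss_window"])
```

The point the report makes concrete: the two daily copies pass the "three copies" count, but neither is isolated, so neither is usable as a restore point once the production environment is suspect. Only the weekly tape from 3 March qualifies, which fixes the data-loss window at about a week; if that is too long for a system, the fix is a more frequent isolated copy, not more copies in the same place.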

Disaster recovery is about more than backing up data and applications, however. To ensure you can restore operations quickly in the event of an attack, you’ll need to restore your underlying infrastructure as well. Some companies opt to run a stripped-down version of their most vital infrastructure in the cloud at all times, so it can be scaled up quickly to support core business processes if central systems are disrupted. If you maintain an on-premises data center, the US Cybersecurity and Infrastructure Security Agency (CISA) recommends maintaining “gold images” of key systems such as servers and virtual machines so they can be rebuilt according to a template in the event that the originals are corrupted.

Be Ready for (Almost) Anything

Disaster recovery isn’t one-size-fits-all. To build a comprehensive plan, you’ll need to determine which backup and restoration options are the best fit for your specific systems and budget. However, whichever options you choose, remember to keep recovery from ransomware top of mind and take precautions to protect your backups from infection. With the right plan in place, you’ll be prepared whether you’re facing a natural disaster or a human-made one.