Ransomware Attacks and How to Recover from Them

Rohan Mathew

Besides COVID-19 (the coronavirus), ransomware is perhaps the most dreaded infection on the minds of most businesses today.  Ransomware is widely regarded as the most serious cybersecurity risk businesses face.  When you consider the consequences of a ransomware infection, it is easy to see why.

Businesses can be flourishing one day and, literally overnight, face damage from ransomware so severe that they have to close their doors.  If your organization becomes the victim of a ransomware attack, what do you do?  What steps should you take?  Let’s take a look at ransomware attacks today, why they are so dangerous, and how to recover from them.  

Ransomware attacks and why they are so dangerous 

First of all, why are ransomware attacks such a dangerous cybersecurity threat to your business?  To answer this question, let’s look at three ways ransomware is evolving to pose an even larger threat:

  1. Ransomware is specifically targeting businesses
  2. It has become cloud-aware
  3. Ransomware is now using data leak threats on top of encryption

1.  Ransomware is specifically targeting businesses

Attackers are no longer deploying ransomware “willy-nilly”, without a coordinated plan.  They are sharpening their focus on businesses.  This shows in the alarming trend of ransomware campaigns aimed at specific industries, business types, and sectors.  Waves of attacks since 2019 have hit city government offices, hospitals, media agencies and others with ransomware tailored to them.

With this in mind, your organization has never been in greater danger of a ransomware attack than it is today.  Attackers are crafting new malware variants with businesses specifically in mind.

2.  It has become cloud-aware

Ransomware has evolved from a mainly on-premises threat into one capable of infecting environments both on-premises and in the cloud.  Public cloud Software-as-a-Service (SaaS) environments are increasingly popular among today’s businesses.  

SaaS environments are squarely among the targets of attackers using ransomware to extort money from businesses.  Attackers realize that many organizations are migrating business-critical on-premises data and services to the cloud.  Businesses use SaaS environments like G Suite or Microsoft 365 for file storage and for communication services such as email.  

Both G Suite and Microsoft 365 are prime targets for cloud ransomware infections.

Additionally concerning, many organizations migrate their data to the cloud without thinking through the new requirements this places on their data protection solution.  Misconceptions about cloud SaaS lead many to believe their data is “automatically” protected by the cloud service provider.  That makes cloud SaaS environments especially appealing targets for attackers.

3.  Ransomware is now using data leak threats on top of encryption

To add insult to injury, new ransomware variants targeting your organization’s data no longer rely on the threat of data encryption alone to extort money; they add the threat of a data leak.  Variants using this tactic threaten to publish sensitive data on the Internet if the ransom is not paid.  

This makes it imperative to have cybersecurity tools in place that detect and stop ransomware as early as possible.  Even if you have the backups needed to restore the data, a data leak can cost a business a fortune in downtime, lost customer trust, fines, and legal fees, and no backup can undo it.  

Ransomware capitalizes on lack of cybersecurity and backups

Ransomware quickly capitalizes on two major weaknesses that are found across the IT landscape of many organizations:

  1. Cybersecurity weaknesses
  2. Incomplete or non-existent backups

Cybersecurity weaknesses

Ransomware capitalizes on the inability of organizations to both detect and remediate cybersecurity threats.  When it comes to ransomware detection, most organizations find out that ransomware is encrypting their files only when it is too late.  

By the time the ransom note is presented to the end user, encryption has generally already finished and your files are encrypted.  Short of restoring from backup, the only way to get that data back is with the decryption key held by the attacker.  Occasionally a flaw in a ransomware family’s cryptography yields a free decryptor, but that is luck, not a recovery strategy.  

Organizations need cybersecurity solutions that detect abnormal file behavior in the environment: bursts of modifications or renames by a single account, files changing to an unfamiliar extension, ransom notes appearing across many folders.  Signature-based detection misses new variants, and network-traffic analysis sees little of what happens inside a SaaS environment; watching what happens to the files themselves catches the encryption as it starts.
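The detection logic described above, as an added example that is not code from the original article or from any Spin product.  It runs over a constructed audit log whose format is an assumption (one JSON object per line with the timestamp, user, calling OAuth app, action, file name and, for renames, the old name, roughly what a Drive or OneDrive audit export provides) and combines three behavioral signals per actor: a burst of writes in a sliding window, renames to an unfamiliar extension, and creation of a ransom-note-like file.  Keying the findings on “user via app” is deliberate: it separates a rogue third-party application from the employee whose permissions it is abusing.  The thresholds are assumed values to be calibrated against your own baseline.

```python
"""Behavior-based ransomware detection over a SaaS file audit log.

Added example, not code from the original article or from any Spin product.
The log format is an assumption: one JSON object per line carrying the fields
a Drive or OneDrive audit export typically has (timestamp, user, the OAuth
app that made the call, action, file name, and old name for renames).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Tunables (assumed values; calibrate against your own baseline).
WINDOW = timedelta(seconds=60)       # sliding window for burst detection
BURST_THRESHOLD = 20                 # modify/rename events per actor per WINDOW
EXT_CHANGE_THRESHOLD = 5             # renames from a known to an unfamiliar extension
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "png", "jpg"}
RANSOM_NOTE_WORDS = ("decrypt", "how_to_recover", "restore_files", "ransom")


def _ext(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_log(text):
    """Parse one JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_abnormal_file_behavior(events):
    """Return {actor: {"reasons": [...], "files": [...]}} for suspicious actors.

    An actor is "user via app" so that a rogue OAuth app is singled out from the
    user whose permissions it is abusing.  Signals:
      burst          - >= BURST_THRESHOLD modify/rename events inside WINDOW
      new_extension  - many files renamed from a known to an unfamiliar extension
      ransom_note    - a newly created file whose name reads like a ransom note
    """
    recent = defaultdict(deque)      # actor -> (ts, name) of recent writes
    ext_changes = defaultdict(int)   # actor -> renames to an unfamiliar extension
    findings = defaultdict(lambda: {"reasons": set(), "files": set()})

    for ev in events:
        actor = f'{ev["user"]} via {ev.get("app", "web")}'
        action, name, ts = ev["action"], ev["name"], ev["ts"]

        if action in ("modify", "rename"):
            q = recent[actor]
            q.append((ts, name))
            while ts - q[0][0] > WINDOW:          # drop writes older than WINDOW
                q.popleft()
            if len(q) >= BURST_THRESHOLD:
                findings[actor]["reasons"].add("burst")
                findings[actor]["files"].update(n for _, n in q)

        if (action == "rename" and _ext(ev["old_name"]) in KNOWN_EXTENSIONS
                and _ext(name) not in KNOWN_EXTENSIONS):
            ext_changes[actor] += 1
            if ext_changes[actor] >= EXT_CHANGE_THRESHOLD:
                findings[actor]["reasons"].add("new_extension")
                findings[actor]["files"].add(name)

        if action == "create" and any(w in name.lower() for w in RANSOM_NOTE_WORDS):
            findings[actor]["reasons"].add("ransom_note")
            findings[actor]["files"].add(name)

    return {a: {"reasons": sorted(f["reasons"]), "files": sorted(f["files"])}
            for a, f in findings.items()}


def build_sample_log():
    """Constructed sample log: Alice editing three files over an hour, then the
    OAuth app "DocSync" under Bob's account renaming 40 documents to .locked in
    40 seconds and dropping a ransom note."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rows = [{"ts": (t0 + timedelta(minutes=20 * i)).isoformat(),
             "user": "alice@example.com", "action": "modify", "name": n}
            for i, n in enumerate(["budget.xlsx", "plan.docx", "notes.txt"])]
    t1 = t0 + timedelta(hours=2)
    for i in range(40):
        rows.append({"ts": (t1 + timedelta(seconds=i)).isoformat(),
                     "user": "bob@example.com", "app": "DocSync",
                     "action": "rename", "old_name": f"report{i}.docx",
                     "name": f"report{i}.docx.locked"})
    rows.append({"ts": (t1 + timedelta(seconds=41)).isoformat(),
                 "user": "bob@example.com", "app": "DocSync",
                 "action": "create", "name": "HOW_TO_RECOVER_FILES.txt"})
    return "\n".join(json.dumps(r) for r in rows)


if __name__ == "__main__":
    for actor, f in detect_abnormal_file_behavior(parse_log(build_sample_log())).items():
        print(actor, f["reasons"], f"{len(f['files'])} files")
```

Running it flags only “bob@example.com via DocSync”, with all three reasons and the 41 files it touched, while Alice’s ordinary edits produce nothing.  The file list is what the containment and restore steps later in this article need: which account or app to cut off, and exactly which files must come back from backup.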

Effective cybersecurity also includes good defensive mechanisms protecting business-critical systems like email.  Ransomware often enters an organization through a phishing email, either with a dangerous file attached or with a hyperlink to one.  

If an organization is ill-equipped to handle dangerous emails, this is an easy way for ransomware to get inside its on-premises environment or its cloud SaaS environment.  With cloud SaaS environments in particular, controlling the third-party applications that have access to your cloud environment is also extremely important.

A malicious third-party application or browser plugin can easily be granted permissions in a cloud environment through an ordinary OAuth consent prompt, and with those permissions it can encrypt data in business-critical file storage or in an employee’s email inbox without ever touching a workstation.  Restrict which third-party applications can be installed and granted access to your organization’s data, and review the permissions already granted.  
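One way to carry out that review, as an added example that is not code from the original article or from any Spin product.  It classifies each OAuth grant by the scopes it carries (the Google and Microsoft Graph scope strings are the real identifiers; the grant records, field names and the approved-app allowlist are constructed for the example) and decides per app whether to keep, review or revoke it.  The rule of thumb it encodes: an application nobody has approved that holds write access to every file or mailbox is exactly what cloud ransomware needs, whether or not the app is “verified” by the platform.

```python
"""Audit third-party OAuth grants in a SaaS tenant for ransomware-capable access.

Added example, not code from the original article or from any Spin product.
The grant records are constructed to resemble the rows an admin can export from
the Google Workspace token report or the Microsoft Entra enterprise applications
list; the field names and the allowlist are assumptions.
"""

# Scopes that let an app rewrite or delete every file or message the user can
# reach: exactly what file-encrypting ransomware needs.  These scope strings are
# the real Google and Microsoft Graph identifiers.
WRITE_ALL_SCOPES = {
    "https://www.googleapis.com/auth/drive",        # full Google Drive access
    "https://mail.google.com/",                     # full Gmail access
    "Files.ReadWrite.All",                          # Graph: all files the user can reach
    "Sites.ReadWrite.All",                          # Graph: all SharePoint sites
    "Mail.ReadWrite",                               # Graph: the user's mailbox
}
# Broad read-only scopes: no encryption risk, but enough for data theft.
READ_ALL_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "Files.Read.All",
    "Mail.Read",
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
# Assumed: apps the organization has reviewed and approved for write access.
APPROVED_APPS = {"Corporate Backup Connector"}


def scope_risk(scope):
    """'high' for write access to all files/mail, 'medium' for broad read, else 'low'."""
    if scope in WRITE_ALL_SCOPES:
        return "high"
    if scope in READ_ALL_SCOPES:
        return "medium"
    return "low"


def audit_grants(grants, approved=APPROVED_APPS):
    """Decide, per app, whether its grants should be kept, reviewed or revoked.

    Each grant is {"app", "verified", "users", "scopes"}.  An app with a
    high-risk scope is kept only if it is both approved and verified, reviewed
    if approved but unverified, and revoked otherwise.  Broad read-only access
    is flagged for review; everything else is kept.  The report is sorted with
    the most dangerous and most widely installed apps first.
    """
    report = []
    for g in grants:
        risk = max((scope_risk(s) for s in g["scopes"]),
                   key=RISK_ORDER.__getitem__, default="low")
        if risk == "high":
            if g["app"] not in approved:
                action = "revoke"
            elif not g["verified"]:
                action = "review"
            else:
                action = "keep"
        elif risk == "medium":
            action = "review"
        else:
            action = "keep"
        report.append({"app": g["app"], "risk": risk, "users": g["users"],
                       "verified": g["verified"], "action": action})
    return sorted(report, key=lambda r: (-RISK_ORDER[r["risk"]], -r["users"]))


# Constructed sample export: one sanctioned backup connector, one unverified
# sync app three people installed with full Drive access, and two benign apps.
SAMPLE_GRANTS = [
    {"app": "Corporate Backup Connector", "verified": True, "users": 250,
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    {"app": "DocSync", "verified": False, "users": 3,
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"app": "Meeting Notes Pro", "verified": True, "users": 40,
     "scopes": ["Files.Read.All", "User.Read"]},
    {"app": "Calendar Widget", "verified": True, "users": 120,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]


if __name__ == "__main__":
    for row in audit_grants(SAMPLE_GRANTS):
        print(f'{row["action"]:7} {row["risk"]:6} {row["users"]:4} users  {row["app"]}')
```

On the sample data the unapproved “DocSync” grant comes back as revoke, the approved backup connector is kept, the read-only notes app is queued for review, and the calendar widget is left alone.  In a real tenant the same pass belongs in a scheduled job, because consent is granted by end users continuously, not once.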

Incomplete or non-existent backups

A flawed backup strategy is an open door for a ransomware attack.  Attackers capitalize on environments that either have no backups or have flawed backup strategies: important business-critical data is not being backed up, or data that is thought to be in a backup is in reality not being backed up at all.

It is very common to see businesses migrate data to cloud environments without any backup solution in place to protect the migrated data, on the misconception that the cloud service provider is protecting business-critical data and can recover it.

Can data be recovered after a ransomware attack?  

When it comes to ransomware, there are generally only two ways to recover your environment:

  1. Recover from backup
  2. Pay the ransom

1.  Recover from backup

The tried and true way to recover from a ransomware attack is to have good backups of your business-critical data.  The importance of backups cannot be overstated when it comes to ransomware.  Recovering from backup puts you, not the attacker, in control of getting your business data back.  

Make sure you have good backups of all the data that is critical in your environment, including cloud environments.  All too often, businesses assume incorrectly that the cloud service provider has “magically protected” their data.  While cloud service providers do provide some mechanisms, ultimately the data is your responsibility under the shared responsibility model most CSPs follow.  You can take a look at Microsoft’s stance on shared responsibility here.  

Following the 3-2-1 backup best practice (three copies of your data, on two different media, with one copy off-site) is a great place to start when architecting your backups.  Keeping a copy of your backups outside your production environment, where the credentials the ransomware is running with cannot reach it, is one of the cornerstones of a good backup strategy.  

2.  Pay the ransom

If you don’t have backups of the data affected by a ransomware attack, your only other option is to pay the ransom demanded by the attacker.  This is certainly not a position you want to be forced into by not having good, effective backups.  

Even if you pay the ransom, there is no guarantee you will get your data back, as many ransomware victims have found.  A recent report found that some 42 percent of organizations that paid a ransom did not get their files decrypted.  

Paying the ransom is not a good option for organizations hit with a ransomware attack.  Without backups, however, many are left with no option but to “roll the dice” and hope to get their data back after paying the attackers.  

How to recover from a ransomware attack

By far the best chance you have of recovering from a ransomware attack is having good backups of your data.  Assuming you do, effective and timely recovery depends on quick, decisive action to contain the damage while the ransomware is running.  The following steps help ensure you recover as quickly and completely as possible.

  1. Detect the ransomware infection
  2. Contain the damage
  3. Restore any affected data
  4. Notify any regulatory or law enforcement authorities as needed
  5. Test access to your restored data

1.  Detect ransomware infection

This is arguably one of the most difficult steps in recovering from a ransomware attack, but also one of the most crucial.  The sooner you detect the attack, the less data is affected, which directly determines how long recovery takes.

Ransomware is generally very hard to detect.  By the time you see the ransom note, it may have done damage across the entire environment.  A cybersecurity solution that detects anomalous behavior such as abnormal file changes can quickly isolate a ransomware infection and stop it before it spreads further.

2.  Contain the damage

Containing the damage follows directly from detecting the ransomware.  Once an active infection is detected, the ransomware process can be isolated and stopped from spreading further.  In a cloud environment the encryption is often driven by a remote file sync client or by a third-party application or browser plugin acting with a user’s granted permissions, so containment means revoking that application’s access or disabling the account, not just killing a process on a workstation.  Isolating the source of the attack keeps the damage to data to a minimum.  

3.  Restore any affected data

Even if the ransomware attack is detected and contained quickly, there will most likely still be a subset of data that needs to be restored.  This requires good backups that can quickly be restored to production.  Following the 3-2-1 backup best practice, it is extremely important to keep your backup data in a separate environment from production.

If your backups are of cloud SaaS environments, storing them “offsite” with a cloud-to-cloud backup vendor that keeps your backups in a separate cloud environment aligns with this best practice and greatly reduces the chance that your backup data is affected along with your production data.

4.  Notify any regulatory or law enforcement authorities as needed

Many of the compliance regulations most organizations fall under today, such as PCI DSS, HIPAA, and GDPR, require organizations to notify the relevant authorities of a breach involving the data they govern, often within a fixed window (GDPR, for example, gives 72 hours from becoming aware of a personal data breach).  It is also worth notifying law enforcement, which may have resources to help investigate the breach and potentially recover data.

5.  Test access to your restored data

Once data has been restored, test access to the data and to any affected business-critical systems to confirm the recovery succeeded, and verify that the restored files are intact and are not themselves encrypted copies captured by a backup that ran after the attack began.  This catches problems before systems are turned back over to end users and key business stakeholders.
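Steps 3 through 5 of this procedure carried through in code, as an added example that is not code from the original article or from SpinBackup.  The versioned catalog is an in-memory stand-in (an assumption) for what a backup product keeps: per file, a list of versions with the time the backup was taken, the content, and the SHA-256 recorded at backup time.  The restore picks, for each affected file, the newest version taken before the attack began, never a newer one, because backups taken after onset hold ciphertext; it skips a copy whose hash no longer matches what was recorded, and the final verification step compares every restored file against what is in production now, which is how you find out that the onset you assumed was too late for some files.  The incident timeline, file names and contents are constructed for the example.

```python
"""Point-in-time restore from a versioned backup catalog after ransomware.

Added example, not code from the original article or from SpinBackup.
The catalog is an in-memory stand-in (an assumption) for whatever a backup
product keeps: for each file, versions with the time the backup was taken,
the content, and the SHA-256 recorded at backup time.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Version:
    taken_at: datetime
    data: bytes
    digest: str          # SHA-256 recorded when the backup was taken


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def take_backup(catalog, name, data, taken_at):
    """Append a new version of `name` to the catalog, recording its hash."""
    catalog.setdefault(name, []).append(Version(taken_at, data, sha256(data)))


def restore_point_in_time(catalog, affected, onset):
    """Restore each affected file to its newest backup taken before onset.

    `onset` is either one datetime for the whole incident or a dict of
    per-file datetimes with a "*" default.  Versions taken after onset are
    never used, however recent: they hold encrypted content.  A version whose
    current hash differs from the hash recorded at backup time is reported as
    corrupt and the next older version is tried.
    Returns (restored, unrecoverable, corrupt).
    """
    restored, unrecoverable, corrupt = {}, [], []
    for name in affected:
        cutoff = onset.get(name, onset["*"]) if isinstance(onset, dict) else onset
        candidates = [v for v in catalog.get(name, []) if v.taken_at < cutoff]
        for v in sorted(candidates, key=lambda v: v.taken_at, reverse=True):
            if sha256(v.data) != v.digest:
                corrupt.append((name, v.taken_at))
                continue
            restored[name] = v.data
            break
        else:                                   # no clean version before cutoff
            unrecoverable.append(name)
    return restored, unrecoverable, corrupt


def recover(catalog, production, onset):
    """Restore every file in production, then verify: a restored file that is
    byte-for-byte what production holds now is still the encrypted copy, which
    means the backup chosen was taken after that file was hit (onset too late)."""
    restored, unrecoverable, corrupt = restore_point_in_time(catalog, sorted(production), onset)
    still_encrypted = sorted(n for n, data in restored.items() if data == production[n])
    return restored, unrecoverable, corrupt, still_encrypted


# Constructed incident: backups at 08:00 and 14:00 on day 1 and 08:00 on day 2.
# Ransomware first touched memo.docx at 13:50 on day 1 but the attack was only
# noticed at 15:30; new.docx was created after the attack began.
DAY1 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
BACKUP_1, BACKUP_2, BACKUP_3 = DAY1, DAY1 + timedelta(hours=6), DAY1 + timedelta(days=1)
MEMO_FIRST_HIT = DAY1 + timedelta(hours=5, minutes=50)
NOTICED_AT = DAY1 + timedelta(hours=7, minutes=30)


def encrypted(name):
    return f"ENCRYPTED:{name}".encode()   # stand-in for ransomware ciphertext


def build_sample():
    catalog = {}
    take_backup(catalog, "report.docx", b"Q3 report v1", BACKUP_1)
    take_backup(catalog, "report.docx", b"Q3 report v2", BACKUP_2)
    take_backup(catalog, "report.docx", encrypted("report.docx"), BACKUP_3)
    take_backup(catalog, "memo.docx", b"memo v1", BACKUP_1)
    take_backup(catalog, "memo.docx", encrypted("memo.docx"), BACKUP_2)  # hit before 14:00 backup
    take_backup(catalog, "plan.docx", b"plan v1", BACKUP_1)
    take_backup(catalog, "plan.docx", b"plan v2", BACKUP_2)
    catalog["plan.docx"][1].data = b"plan v2 (bit rot)"                  # copy corrupted in storage
    take_backup(catalog, "new.docx", encrypted("new.docx"), BACKUP_3)    # only ever backed up encrypted
    production = {n: encrypted(n) for n in ("report.docx", "memo.docx", "plan.docx", "new.docx")}
    return catalog, production


if __name__ == "__main__":
    catalog, production = build_sample()
    restored, lost, corrupt, still_enc = recover(catalog, production, NOTICED_AT)
    print("pass 1: still encrypted", still_enc, "| unrecoverable", lost, "| corrupt", corrupt)
    onset = {"*": NOTICED_AT, "memo.docx": MEMO_FIRST_HIT}   # tighten onset for the flagged file
    restored, lost, corrupt, still_enc = recover(catalog, production, onset)
    print("pass 2: still encrypted", still_enc, "| restored", sorted(restored))
```

The first pass restores report.docx from the 14:00 copy, falls back to the 08:00 copy of plan.docx because the 14:00 one fails its hash check, reports new.docx as unrecoverable, and flags memo.docx as still encrypted.  Only the second pass, with the onset for memo.docx moved back to when it was actually hit, gets a clean copy of every file that has one.  That feedback loop between step 5 and step 3 is the part of a restore that people skip when they trust the timestamp on the ransom note.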

Powerful ransomware recovery with SpinBackup

Organizations hit by ransomware are often left asking: how do we remove the ransomware, and how do we restore access to our data?  What if you had a ransomware recovery tool in the cloud that could automatically detect a ransomware infection, contain the damage it is actively causing, and restore all the data affected by the attack?  This may sound too good to be true, but it is possible with a solution from Spin Technology called SpinOne.  

SpinOne leverages an enterprise-grade backup tool called SpinBackup that protects your cloud SaaS environment.  SpinBackup allows you to recover from the damage done by next-generation ransomware and by the other ransomware variants commonly circulating today.  

With SpinBackup, you have the following backup capabilities in your cloud SaaS environment:

  • Automatic backups of your cloud environment
  • Multiple backups a day – 1-3x daily
  • Efficient incremental backups
  • Secure backups including in-flight and at-rest encryption
  • Ability to choose which cloud stores your backup data (Azure, Google, or Amazon)
  • 100% accurate recovery

SpinOne’s SpinSecurity solution leverages SpinBackup to provide a completely automated, AI-driven ransomware response: it detects, contains, and blocks the ransomware, then restores the data that has been affected, without any administrator interaction.  

The SpinSecurity workflow includes the following:

  1. Artificial intelligence (AI) algorithms automatically detect ransomware activity
  2. SpinSecurity immediately sends an alert to administrators
  3. SpinSecurity identifies the source of the ransomware process and blocks it
  4. Your environment is then quickly scanned to determine which files need to be restored
  5. SpinBackup is invoked to automatically recover the files that were affected

Without any administrator interaction, SpinOne can quickly detect, contain, and remediate a ransomware attack, automatically restoring the affected files.  Administrators receive full alerting and logging of the actions taken.

To learn more about SpinOne, SpinSecurity, and SpinBackup, take a look at what the Spin Technology portfolio of products can do for you here.