The costs associated with ransomware attacks are rising at an alarming rate. Recent research puts global ransomware damages at $325 million in 2015 and roughly $20 billion last year, and the peak is nowhere in sight: by 2031, the annual global total could reach around $265 billion.

More than 60% of businesses were hit by ransomware attacks in 2020, fueled by trends such as the ransomware-as-a-service model and nation-state activity. The grim reality for many organizations is that it is no longer a question of "if" or even "when" attackers will strike, but how often. This has prompted some dire warnings, with the European Union Agency for Cybersecurity (ENISA) predicting a "golden era of ransomware" and describing the threat as a national security priority.

As a result, IT teams face a mission-critical task, because reliance on cyber defense capabilities alone is not enough to ensure that attacks are prevented. This leads to a crucial question: when the inevitable happens, how can businesses get back up and running with minimal disruption and data loss?

Know thine enemy

Understanding the mindset of those behind today's ransomware attacks has become crucial to addressing the risks, especially given the effort they put into finding new ways to cause havoc. Security teams need to study the stages of a ransomware attack so that the right recovery options are in place to get systems back online quickly, from the most recent clean copy of the data.

Ransomware attacks can begin in a number of ways: phishing emails and malicious websites, exposed or weakly authenticated RDP endpoints, or direct exploitation of software vulnerabilities. The initial compromise is usually stealthy, and attackers frequently go undetected for weeks or months after gaining a foothold, before they ever deploy the ransomware itself.

Once inside, attackers move laterally across other systems to reach as much data as possible. That dwell time has a serious consequence for recovery: a business cannot tell which of its backups predate the compromise, so it has no idea when its last "good" backup was taken. Worse, many ransomware variants now deliberately target backup systems, deleting or encrypting backups before the main attack so that recovery without paying is impossible.

A race against time

Once ransomware executes, it becomes a race against time to activate mitigation and recovery. Different ransomware families use different techniques, from overwriting the disk's master boot record so that the machine no longer boots, to encrypting individual files, to encrypting entire virtual machine disks. Victims are left with a narrow set of options: pay the ransom and hope the data is released (with no guarantee that it will be), or refuse to pay and attempt recovery, with the very real prospect of prolonged disruption and heavy financial impact.

For many organizations, the cost, time, and effort needed to get systems back up are prohibitive unless they can run a fast and reliable data recovery procedure. Last year the average total cost of recovering from a ransomware attack was $1.85 million, roughly ten times the average ransom payment, and businesses often faced several weeks of disruption after an attack.

Paying the ransom offers no guarantee of a return to business as usual: only 14% of businesses that paid a ransom in the past 12 months subsequently got 100% of their data back. Others found that restoring from a backup or replica was a slow process, because every restored system had to be checked for leftover malicious files and code to avoid reinfection.

Recovery position

Ransomware attackers bet that, because traditional security thinking focuses on prevention, the organizations they target will lack mature backup and recovery options. They are often right: organizations that rely on periodic backups alone can face weeks of downtime and hours or days of data loss, since everything written after the last backup is gone.

Fully safeguarded data must be recoverable in its entirety within minutes. That is why organizations are turning to continuous data protection (CDP): instead of taking a snapshot every few hours, CDP replicates every write as it happens and records it in a journal, so a site or application can be rewound to any point in that journal. The recovery point objective drops from hours to seconds, and entire sites and applications can be restored at scale with minimal data loss.

Recovery must also be safe, which means testing the data in an isolated setting. Before bringing systems back online, organizations need a sandbox environment in which they can confirm that the restored copy carries no remaining ransomware infection. They should also use immutable copies of data, which attackers cannot encrypt, alter or delete, so they can recover with confidence to a point seconds before the incident. One caveat: immutability only holds if the retention lock cannot be shortened or removed with the same administrative credentials an attacker is likely to have captured, so it should be enforced by the storage layer and protected by separate credentials.
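To make the two ideas above concrete (a write journal that can be rewound to seconds before an incident, and copies that an attacker cannot alter without detection), here is an added illustration in Python. It is not Zerto's code and does not model any vendor's product: an in-memory append-only journal stands in for CDP journaling, a hash chain over the entries provides the tamper evidence that immutable copies are meant to give, and a byte-entropy check is a simple stand-in for spotting the first encrypted write. The names (Journal, restore_before_incident, fake_encrypt), the 6.0 bits-per-byte threshold and the sample writes are all constructed for this example.

```python
"""Journal-based point-in-time recovery, simulated in memory.

Constructed illustration, not Zerto's code: a list models a CDP write journal,
a dict models the volume, and a byte-entropy check flags the first write that
looks like ciphertext. All names, values and thresholds are hypothetical.
"""
from __future__ import annotations
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Plaintext documents score roughly 4-5 bits/byte; ciphertext sits near 8. A real
# product would combine this with rename patterns and write rate, because
# compressed or already-encrypted files are legitimately high-entropy.
ENTROPY_THRESHOLD = 6.0

def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass(frozen=True)
class JournalEntry:
    seq: int      # position in the journal
    ts: float     # write time in seconds (constructed values below)
    path: str     # file that was written
    data: bytes   # full new contents of that file
    digest: str   # SHA-256 over previous digest + path + data: a hash chain

class Journal:
    """Append-only write journal with a hash chain, standing in for CDP journaling."""

    def __init__(self) -> None:
        self.entries: list[JournalEntry] = []   # only ever appended to

    def append(self, ts: float, path: str, data: bytes) -> JournalEntry:
        prev = self.entries[-1].digest if self.entries else "0" * 64
        digest = hashlib.sha256(prev.encode() + path.encode() + data).hexdigest()
        entry = JournalEntry(len(self.entries), ts, path, data, digest)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute the hash chain; any altered or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            if hashlib.sha256(prev.encode() + e.path.encode() + e.data).hexdigest() != e.digest:
                return False
            prev = e.digest
        return True

    def replay(self, upto_seq: int) -> dict[str, bytes]:
        """Rebuild the volume from entries 0..upto_seq-1: the state just before upto_seq."""
        volume: dict[str, bytes] = {}
        for e in self.entries[:upto_seq]:
            volume[e.path] = e.data
        return volume

    def first_suspicious(self) -> JournalEntry | None:
        """First journaled write whose contents look like ciphertext."""
        return next((e for e in self.entries if shannon_entropy(e.data) > ENTROPY_THRESHOLD), None)

def restore_before_incident(journal: Journal):
    """Rewind to just before the first suspicious write.
    Returns (timestamp of the last clean write, reconstructed volume)."""
    bad = journal.first_suspicious()
    cut = len(journal.entries) if bad is None else bad.seq
    last_clean = journal.entries[cut - 1].ts if cut > 0 else None
    return last_clean, journal.replay(cut)

def fake_encrypt(data: bytes, key: bytes = b"constructed-key") -> bytes:
    """Deterministic stand-in for ransomware output: XOR with a SHA-256 keystream."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def with_entry_replaced(journal: Journal, seq: int, data: bytes) -> Journal:
    """Copy with one entry's data swapped but its digest kept, as an attacker who can
    edit a mutable backup store in place would do; verify_chain() catches it."""
    forged = Journal()
    for e in journal.entries:
        forged.entries.append(e if e.seq != seq else JournalEntry(e.seq, e.ts, e.path, data, e.digest))
    return forged

# Constructed sample documents (plaintext, low entropy).
PLAIN_Q1 = ("Q1 revenue summary: figures steady, no surprises. " * 12).encode()
PLAIN_Q2 = ("Q2 forecast draft: pipeline growing across EMEA. " * 12).encode()

def build_sample_journal() -> Journal:
    """Constructed write sequence: normal edits, then the ransomware's first encrypted writes."""
    j = Journal()
    j.append(1000.0, "docs/q1.txt", PLAIN_Q1)
    j.append(1060.0, "docs/q2.txt", PLAIN_Q2)
    j.append(1120.0, "docs/q1.txt", PLAIN_Q1 + b"Revised by finance.\n")
    j.append(1200.5, "docs/q1.txt", fake_encrypt(PLAIN_Q1 + b"Revised by finance.\n"))  # ransomware begins
    j.append(1200.9, "docs/q2.txt", fake_encrypt(PLAIN_Q2))
    return j

if __name__ == "__main__":
    sample = build_sample_journal()
    ts, volume = restore_before_incident(sample)
    print(f"chain intact: {sample.verify_chain()}, rewound to t={ts}, files: {sorted(volume)}")
```

On the sample journal, restore_before_incident rewinds to the q1.txt revision written at t=1120, the last clean write before the first ciphertext write at t=1200.5, and returns both documents in their pre-attack state. with_entry_replaced shows that an in-place edit of a journal entry breaks the chain; in a real deployment that property has to be enforced by the storage layer (write-once media or a retention lock the compromised administrator cannot lift), not left to application code.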

In today's security landscape, a ransomware recovery plan has become a must-have for any company hoping to minimize the damage of an attack. When cybercriminals break in, many businesses are left with little choice but to pay the ransom. By safeguarding enterprise data with CDP and being able to recover it quickly, however, IT staff can resume business-as-usual activities without that choice being forced on them.

Kevin Cole, director, technical marketing and training, Zerto, a Hewlett Packard Enterprise company