Why It's Vital to Predictably Recover From Ransomware Attacks

eWEEK TREND ANALYSIS: A recent study from Forrester highlights the challenges associated with ransomware recovery.


Consider this: Ransomware attacks take place every 14 seconds and have increased by 700% since 2016. Such attacks—where malicious software blocks access to the production data until payment is made—cost companies around $11 billion in financial, productivity and downtime losses in 2019.

Attack prevention is necessary but not sufficient

Many companies focus their efforts on preventing attacks, but just as important is the ability to instantly recover from ransomware. Let’s face it: Ransomware can happen to any organization, regardless of its size. Cities, airports and hospitals are also popular targets. One recent example is a New Year's Eve Sodinokibi attack that forced London-based currency exchange site Travelex into manual mode. The company claimed to be making good progress with recovery and restoring customer-facing systems. Yet, Travelex services remained offline for more than two weeks following the attack, leaving some customers cashless during the busiest travel season.

The awareness of ransomware is high, but preparation is low

While the vast majority of companies are aware of ransomware's serious ramifications, they also agree that they are not adequately prepared to face such threats. In 2019, Cohesity commissioned Forrester to take a deeper look at the issues surrounding ransomware. The study found that 51 percent of respondents said they lost customer trust after an attack, and 43 percent said they lost revenue due to stalled business operations. However, only 41 percent restructured their business continuity plans as a result. Forrester surveyed 313 IT infrastructure and operations (I&O) decision makers across the U.S., Canada, U.K., Germany, France, Australia and Japan.

Many organizations have gone through the necessary steps to protect primary data, but sophisticated ransomware attacks are also targeting backup data. Even those that are able to recover using backup require several weeks to restore data and business applications. Forrester, in its study, also found only 11 percent of companies could recover data and restore applications within three days following a ransomware attack.

Only a minority of companies can fully recover from a ransomware attack

On average, companies could only recover 58 percent of their data after an attack. Only 25 percent were able to recover 75 to 100 percent of their data. The goal should be an organization's ability to defend its backup data against modern threats so that, when needed, it can use that data to respond to an attack and recover instantly to reduce downtime.

The biggest process-focused challenges companies face when responding to ransomware attacks include:

  • legacy backups that are not able to defend against sophisticated attacks or, worse, get compromised in the attack;
  • poorly defined recoverability responsibility across I&O and security and risk (S&R) teams;
  • rigid backup recoverability processes that don’t allow time-sensitive changes;
  • no communication between security and infrastructure operations teams;
  • lack of a well-defined flowchart for I&O and S&R teams to follow; and
  • failure to verify backup copies for vulnerabilities before performing recovery.

Choosing the right vendor is critical to ransomware recovery

On the bright side, companies are eager to partner with vendors that can help with backup management and quick recovery of compromised data after a ransomware attack. Forrester found that predictable recovery, easy cloud integration and instant recovery are the most valuable capabilities companies seek in a vendor. Companies with a global data footprint, in particular, want the ability to locate and take corrective action across all platforms, including the public cloud.

Companies are aware that hackers increasingly exploit weaknesses in legacy backup infrastructure. Some ransomware can destroy shadow copies and restore point data, so a company’s backup infrastructure then becomes an easy target for hackers. Having backups that are up to date is the first step toward ensuring that data doesn’t get lost if recovery is needed. The next step is investing in threat intelligence capabilities that minimize an attack’s impact on business operations.

When choosing a vendor, it’s important to look for data resiliency solutions that can tackle multi-cloud environments, since data now lives closer to business applications than ever before. Forrester has come up with three criteria for selecting a data management provider:

  • policy-driven framework to manage the entire infrastructure;
  • recover data when needed using different techniques; and
  • secure backup infrastructure to protect all copies of data.

Although the process of achieving predictable recovery may feel overwhelming, there are solutions on the market that are easy to navigate and use. For example, a company can choose a solution with a single web interface, where IT admins can perform all backup and recovery-related tasks. In case of a ransomware attack, admins can be alerted to a potential attack and get help identifying a clean copy that can be restored at scale. Moreover, such a solution can provide policy-based management for all workloads, including virtual and physical, databases, network-attached storage (NAS), cloud environments and business-critical applications.

In summary, ransomware attacks are becoming more sophisticated. Companies that are prepared to deal with the aftermath of these attacks can minimize serious repercussions, such as losing customer trust, revenue and business partners.

Zeus Kerravala is an eWEEK regular contributor and the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.