Ransomware Recovery: RTO and Optimizing the Recovery Process

Originally published by Rubrik.

Written by James Knott and Steve Stone.

Recovery Time Objectives (RTOs) are on everyone’s mind. It bears repeating, one of the most fundamental ways to reduce recovery time from a ransomware or cybersecurity attack is being well prepared and ready to take actions quickly and effectively. This is one of the many variables firmly within a customer’s control and key to a faster and more efficient recovery process.

A ransomware attack can be one of the most stressful events an organization and its employees will encounter. Additionally, ransomware events continue to expand in impact and variety. Several core threat trends are important to frame this challenge:

• Cybersecurity Ventures estimated ransomware likely cost the global economy 20 billion USD in 2022 – a 57x increase from 2015.
• According to IBM, 4.54 million USD is the average cost of a ransomware breach in the last year. (X-Force)
• In the State of Data Security report from Rubrik Zero Labs, 98% of respondents reported being aware of a cyberattack against their organization in the last year.
  • The average number of cyberattacks brought to an organization’s leadership in the same timeframe was 47 times last year.
  • 52% of these organizations suffered a data breach and 51% endured a ransomware event in the last year.
  • The same report identified 76% of organizations would consider paying a ransom demand and over half (52%) are very to extremely likely to pay a ransom demand.
• Attackers typically have access to an environment from 4.5 days to 5 days before deploying ransomware.
• Microsoft estimates 1 hr and 12 min is the median time for an attacker to gain access to an organization’s private data after a user clicks on a malicious link or file from a phishing email.
• The European Union Agency for Cybersecurity estimates more than 10 TB are stolen on average per month as part of ransomware intrusions.

Based on these data points, consider a ransomware intrusion as an expected event instead of an anomaly. Threat actors will likely spend days in an environment before deploying ransomware, where they will attempt to steal data as well as encrypt it, and if successful it will produce significant cost to an organization.

Oftentimes, when an organization is unprepared to respond to an attack, they spend valuable time trying to figure out what to do, or are unaware of basic processes such as initial response action items, what teams or whom on their teams are responsible, and even basic interactions between these teams and your trusted vendors. We recommend focusing on several key areas to improve recovery actions. In particular, incident response, threat identification and neutralization, risk reduction, and recovery planning and execution must be clearly understood. Requirements, dependencies and orders of operations must be taken into account regarding the overarching response & the recovery workflow.

Response & Recovery Process

• Create a comprehensive plan, which will be readily available if your infrastructure is offline. Regularly test and refine it with practical & realistic tabletop exercises.
  • All responsible internal teams should participate in these exercises.
  • Include all types of workloads in your recovery exercises and perform validations.
  • Include full stack, application & line of business recoveries.
• Provide advanced visibility into recovery operations and capabilities before an actual ransomware event. This will ensure critical participants will understand available options and visibility, receive training, and can identify limitations before critical moments.
• Identify key decision makers and assigned decisions with associated documentation.
• Understand notification requirements for both intrusion actions as well as data issues dependent on regions, industry policies, and government regulations.
• Identify key business capabilities along with the technology systems and data elements associated with these same capabilities. This will allow for prioritized recovery actions and illuminate both coverage and dependencies.

Recovery infrastructure

• Identify a recovery location for restoring systems and data.
• Identify forensic environments where compromised assets can be recovered into, for further analysis.
• These same infrastructure locations should be used in tabletop exercises as well as critical for actual ransomware recoveries.

Proactively reduce risk

• Identify legacy architecture and remove it from production environments to deny it to threats as intrusion surface area.
• Verify the location and volume of sensitive/critical data. This allows response teams an accurate view of where to prioritize their efforts and also reduce the risk of inadvertent sensitive data disclosure during a ransomware event.
• Prepare for data exfiltration and assume that the threat actor’s goal is to threaten a data leak for extortion purposes. This should include threat hunting for the possibilities of data lateral movement, unexpected data transfer operations, and identifying users with access to critical data.

Engage your trusted vendors

• Have an established relationship with a competent infrastructure security vendor. Contact your vendor at the first sign of an attack or breach. Don’t delay!
• Create access in advance for recovery technologies for these same vendors before use is necessary for event response.
• Work to ensure vendors can access key platforms and understand established playbooks and process motions.
• Prepare your associated vendors to look for initial intrusion actions, data theft, and other intrusion actions beyond solely the encryption event. This should include how to threat hunt in an encrypted environment, pass indicators of compromise across organizations, and work across multiple teams.

Communications

• Out of band communications - ensure you have your essential personnel’s mobile phone numbers and private email addresses. A severe attack will very likely take down corporate email and possibly even phones. Be prepared for this and include it in your playbook.
• Internal communications - ensure all of your teams (including leadership and non-technical teams) are included and able to communicate effectively. This can be part of the tabletop exercises.
• Vendor communications - during an actual attack & recovery scenario, keep your trusted vendors regularly updated. Help us help you!
• Foster vendor/vendor interaction & collaboration.
• Be prepared to recover data into communication systems or platforms if initial access is lost during the ransomware event. As an example, if a chat program is necessary for event response, plan on the data within this application becoming encrypted or denied to the organization. Both a standalone communication tool will be necessary as well as restoring data into these communications mechanisms.

Best Practices

• Multi-Factor Authentication - this is absolutely essential on all administrative accounts.
• Two Person Rule - this ensures that no one user can perform key operations (data destructive) on their own. Identified key operations will require the consensus of an identified secondary approver to complete. From Security/Operations/Legal roles, the assigned reviewer/approver must agree on the changes before the operation can take effect. Enabling this will protect your SLAs not only from any outside threat actor, but also any malicious or unintentional SLA modifications internally.
• Create threat hunting accounts for internal and vendor teams in advance of an event. Additionally, ensure all users are trained and prepared to execute threat hunting actions against the data backups if needed.
• Create sensitive data accounts for internal and vendor teams in advance of an event. Additionally, ensure all users are trained and prepared to execute data discovery, governance, and compromise reporting actions against the data backups if needed.

Start Preparing for an Attack Now

The key message behind all of this information is preparation is the key to recovery success. Having all your ducks in a row ahead of a cyber event is a key differentiator between a lagging and successful recovery.