Sponsored Post: Nasuni
In the early hours of May 7, 2021, Colonial Pipeline’s CEO, Joseph Blount Jr., made the difficult decision to immediately shut down the company’s IT network in response to a ransomware attack that had been discovered only an hour earlier. Within 15 minutes of the decision, all 5,500 miles of the company’s pipelines (see Figure 1) had been completely shut down to contain the attack and ensure the operational technology (OT) network controlling pipeline operations did not become infected.
Despite the company’s rapid response and its decision one day later to pay the $4.43 million ransom “to swiftly get the pipeline back up and running”, the six-day shutdown caused major disruptions to fuel delivery along the U.S. Eastern Seaboard, directly impacted more than 50 million U.S. consumers, and cost an estimated tens of millions of dollars. Ultimately, the company had to restore its data from backups because the decryptor the attackers provided after the ransom was paid was too slow.
Colonial Pipeline’s ransomware experience is likely atypical of what organizations without similar resources would face. Prior to the attack, Colonial Pipeline spent an average of $40 million annually on cybersecurity. How does your cybersecurity budget compare? Colonial Pipeline transports more than 100 million gallons of fuel daily through its pipeline network and is thus considered part of our National Critical Infrastructure. Would a ransomware attack against your organization garner direct and immediate assistance from the U.S. Federal Bureau of Investigation (FBI), Department of Energy (DOE), and Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), as well as the attention of the U.S. president?
According to the Information Technology Intelligence Consulting (ITIC) Hourly Cost of Downtime survey, a single hour of downtime costs approximately $300,000 for the majority of enterprises, and more than $1 million per hour for 44% of midsize and large enterprises. Even a conservative estimate ($300,000 x 24 hours x 6 days) shows how the cost of downtime ($43.2 million) can quickly eclipse the average ransom payment of $1.5 million in 2023 (according to Sophos). The Coveware Quarterly Ransomware Report found that business interruption costs are the largest source of losses associated with a ransomware attack, with ransomware attack victims experiencing an average of 21 days of downtime.
It takes just a single “bad click” to launch a ransomware attack with potentially catastrophic results. On average, employees have access to approximately 11 million files according to Varonis, and 15% of companies have more than 1 million files accessible to every employee. Restoring 200,000 files from a single mission-critical snapshot takes roughly 8 hours. Restoring 11 million files (assuming other user accounts and file repositories haven’t been compromised by an attacker) would take approximately 18 days (440 hours) and would incur between $132 million and $440 million in downtime costs.
Protecting your organization from ransomware and downtime requires a robust cyber resilience strategy that includes cybersecurity training for all users, fast and effective incident response, comprehensive business continuity and disaster recovery plans, and rapid data backup and restore capabilities. Restoring millions of files from backup can take days or weeks (or longer) for most organizations today—during which time business operations may be down or severely disrupted. To enable rapid recovery of your data, you need a file storage and backup solution that includes the following capabilities and features:
- Rapid ransomware recovery. After detecting, containing, and eradicating a ransomware threat, recovering your files should be the shortest operation in your response timeline—measured in seconds and minutes, rather than days and weeks.
- Granular restores. Many snapshot solutions can only recover an entire volume, not specific files or directories. Users who weren’t infected still lose work, because the whole volume gets restored from the previous week’s (or worse) snapshot.
- Immutable and infinite snapshots. Newer ransomware attacks can employ a time-bomb effect that might take days, weeks, or months to detect. If file backups and snapshots aren’t retained for long enough, the risk of losing data and not being able to restore files is greater.
- Testable/verifiable. Your file data platform should allow you to create a test location—either a test directory containing files or a test volume with directories and files—to verify the speed and viability of the restore process.
The Nasuni platform can restore millions of files in less than a minute—because seconds count when it comes to ransomware recovery and downtime. Learn more about ransomware threats and how to protect your business from costly ransomware attacks and downtime.