Whole books have been written about both DR and IR planning. It’s impossible to do either topic justice in a single webpage, much less both topics. In keeping with the subject of this site, this page will focus on how ransomware should figure into your IR and DR plans. Ransomware attacks have been so rampant over the last several years that they’ve prompted organizations that never had IR and DR plans to suddenly develop them, and they’re almost entirely focused on ransomware.
Of course, IR and DR plans shouldn’t focus just on ransomware; there are a lot of other threats out there from both nation state and cybercriminal groups. It’s not just the ransomware itself that these plans have to take into account, but all phases of the ransomware attack:
• Initial Access
That being said, it’s understandable that the ransomware threat would prompt many organizations to start preparing for attacks. Recovering from a successful ransomware attack can take months or years and cost millions of dollars—if your organization doesn’t have to close its doors first. The possibility of getting hit with a ransomware attack scares everyone, rightfully, and being unprepared for that attack is even scarier.
Let’s see how organizations can better prepare themselves for ransomware attacks and, if not stop the attacks, then at least be able to quickly and somewhat painlessly recover. As Tony Stark famously said to Loki, “If we can’t protect the Earth, you can be damned well sure we’ll avenge it.”
Again, the goal of this section is not to act as a guide on how to build a DR plan from scratch. Instead, the goal is to advise organizations on ways they can incorporate ransomware recovery into a DR plan. Some of the ransomware DR plan will include the ransomware IR plan discussed in the next section, but DR is really focused on the long, slow—often mundane, and sometimes painful—part of ransomware recovery: getting the organization back up and fully operational.
Depending on the size of an organization, or the outsourced IR team, ransomware DR may be going on simultaneously with IR. Organizations have an obligation to get up and running as quickly as possible. Their constituents—patients, customers, students, and so on—will have expectations that at least some services will be back online quickly. Others could be brought back more gradually.
Of course, the IR and DR teams must coordinate their work. The ransomware attack must be truly contained before systems are brought online, or there’s a good chance of reinfection. The DR team has to restore servers in isolation, making sure they’re restored from a point before the ransomware, and any other tools the ransomware actor installed during the earlier phases of the attack, were present. Otherwise, the ransomware can be reintroduced into the network.
There was a time when IR plans were static documents that were primarily written up for compliance purposes. IR plans were stored in binders that were pulled off the shelf and dusted off once a year to demonstrate that an IR plan existed, then were put back on the shelf until they were needed for the next audit. As one would expect, these plans bore very little resemblance to reality and were often not used at all when there was an emergency.
Those kinds of plans still exist, but more meaningful IR plans are thankfully becoming more common. Ransomware has altered the IR landscape and made IR planning a critical business function. IR has gone from an obscure activity to claiming the attention of senior leadership and often even the board. Wait! If organizations are taking IR more seriously than they used to, why are ransomware attacks still increasing? Shouldn’t the focus on IR mean that more ransomware attacks are stopped, or at least, are more quickly contained?
Interestingly, most ransomware attacks are stopped. It doesn’t seem like it, given that dozens of attacks are made public every week, often against very large companies, but many other attacks are quietly blocked. Still, most organizations do a relatively poor job of IR planning, especially when it comes to ransomware. That’s why, despite the focus on IR, ransomware attacks are still occurring at a breakneck pace.