Don't Wanna Pay? Ransom Gangs Test Your Backups
A common assumption after a ransomware attack makes headlines is that the victim could have avoided paying if only they had maintained proper data backups. The reality is more complicated.
Organizations regularly end up paying ransoms even when they have backups in place, and the reasons why are instructive for any business that relies on backups as its primary recovery strategy.
The Three Most Common Backup Failures
According to Fabian Wosar, chief technology officer at security firm Emsisoft, the biggest reason organizations pay even when backups exist is that no one ever tested how long a full restoration would actually take.
"In a lot of cases, companies do have backups, but they never actually tried to restore their network from backups before, so they have no idea how long it's going to take," Wosar explained. "Suddenly the victim notices they have a couple of petabytes of data to restore over the internet, and they realize that even with their fast connections it's going to take three months to download all these backup files. A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective."
The second most common problem is the location of the decryption key. Many organizations use off-site, encrypted backups, which is exactly what best practices recommend. But if the key needed to decrypt those backups was stored on the same local file-sharing network that got encrypted by the ransomware, the backups become inaccessible. The key that was supposed to protect the backups is now locked behind the attack itself.
The third scenario involves ransomware that corrupts or destroys the backups directly. Wosar notes this is less common than the first two, but it still happens. Attackers increasingly look for and target backup systems as part of their attack sequence, knowing that accessible backups are the primary thing standing between the victim and paying the ransom.
Bill Siegel, CEO of Coveware, a company that negotiates ransomware payments on behalf of victims, put it plainly: "Most companies that pay either don't have properly configured backups, or they haven't tested their resiliency or the ability to recover their backups against the ransomware scenario."
He described a real scenario where an organization had 50 petabytes of data backed up at a facility 30 miles away, connected by a copper wire. When restoration began, someone did the math and realized it would take 69 years to pull everything back across that connection. In another common case, the software applications required to perform the restoration were themselves stored on the encrypted network, making them inaccessible at the exact moment they were needed most.
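The back-of-the-napkin calculation that Wosar and Siegel describe, as an added example that is not part of the original article: a small Python estimator that turns backup volume, link speed and a recovery time objective (RTO) into a restore-time estimate, and computes the bandwidth that would be needed to meet the RTO when the current link cannot. The backup set names, sizes, link speeds, RTOs and the 0.7 throughput factor are all assumptions constructed for illustration.

```python
"""Back-of-the-napkin restore-time estimate for a set of backups.

Added example (not from the original article): checks whether each backup
set can be pulled back across its link inside its recovery time objective
(RTO), and how much bandwidth would be needed if it cannot. Every figure
below is constructed for illustration.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
BYTES_PER_TB = 10**12
BYTES_PER_PB = 10**15


def restore_hours(size_bytes: float, link_mbps: float, efficiency: float = 0.7) -> float:
    """Hours to move size_bytes over a link of link_mbps (megabits per second).

    efficiency discounts protocol overhead, contention and write speed on the
    restore side; 0.7 is an assumed planning factor, not a measured value.
    """
    if link_mbps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("link_mbps must be > 0 and 0 < efficiency <= 1")
    bits = size_bytes * 8
    usable_bps = link_mbps * 1_000_000 * efficiency
    return bits / usable_bps / SECONDS_PER_HOUR


def required_mbps(size_bytes: float, rto_hours: float, efficiency: float = 0.7) -> float:
    """Link speed (megabits per second) needed to restore size_bytes within rto_hours."""
    if rto_hours <= 0:
        raise ValueError("rto_hours must be > 0")
    bits = size_bytes * 8
    return bits / (rto_hours * SECONDS_PER_HOUR) / efficiency / 1_000_000


@dataclass
class BackupSet:
    name: str
    size_bytes: float
    link_mbps: float
    rto_hours: float


def assess(sets: list[BackupSet], efficiency: float = 0.7) -> list[dict]:
    """Return one finding per backup set, flagging those that miss their RTO."""
    findings = []
    for s in sets:
        hours = restore_hours(s.size_bytes, s.link_mbps, efficiency)
        findings.append({
            "name": s.name,
            "restore_hours": hours,
            "restore_days": hours / 24,
            "meets_rto": hours <= s.rto_hours,
            "needed_mbps": required_mbps(s.size_bytes, s.rto_hours, efficiency),
        })
    return findings


# Constructed scenarios (not the article's figures): 2 PB of file shares over
# 1 Gbps, a 40 TB database over 10 Gbps, and 500 GB of domain controllers.
SAMPLE_SETS = [
    BackupSet("file-shares", 2 * BYTES_PER_PB, 1_000, rto_hours=72),
    BackupSet("erp-database", 40 * BYTES_PER_TB, 10_000, rto_hours=24),
    BackupSet("domain-controllers", 500 * 10**9, 1_000, rto_hours=4),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_SETS):
        status = "OK" if f["meets_rto"] else "MISSES RTO"
        print(f"{f['name']:<20} {f['restore_days']:>8.1f} days  {status:<10} "
              f"needs {f['needed_mbps']:,.0f} Mbps to meet RTO")
```

The throughput factor is the weak point of any such estimate: it should be replaced with a figure measured during an actual restore test, which is exactly the test the article says most teams never run. Even with that caveat, running the numbers once makes a multi-month (or multi-decade) restore visible long before the ransom note does.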
Knowing the Order of Restoration Matters
Wosar points out a fourth issue that organizations frequently overlook: not knowing in which order to restore systems.
"In a lot of cases, companies don't even know their various network dependencies, and so they don't know in which order they should restore systems," he said. "They don't know in advance, if we get hit and everything goes down, these are the services and systems that are priorities for a basic network that we can build off of."
Without a documented restoration priority list, a business can waste critical hours making decisions under extreme pressure that should have been made during calm, methodical planning.
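One way to turn a dependency inventory into the documented restoration priority list this section calls for, as an added example that is not from the original article: given which systems each service needs running first, the code below computes restoration "waves" so that nothing is brought up before its dependencies, and reports a circular dependency, which in practice usually means the inventory itself is wrong. The service names and their dependencies are constructed for illustration.

```python
"""Derive a restoration order from a service dependency inventory.

Added example (not from the original article). The dependency map is
constructed for illustration; a real one comes from the organization's own
network and application inventory.
"""

# Constructed inventory: service -> services that must be up before it.
DEPENDENCIES = {
    "identity/ad-dns": [],
    "core-network": [],
    "backup-server": ["core-network"],
    "key-vault": ["identity/ad-dns", "core-network"],
    "storage": ["core-network", "key-vault"],
    "database": ["storage", "identity/ad-dns"],
    "erp-app": ["database", "identity/ad-dns"],
    "email": ["identity/ad-dns", "storage"],
    "file-shares": ["storage", "identity/ad-dns"],
    "intranet": ["erp-app", "email"],
}


def restoration_order(deps: dict[str, list[str]]) -> list[list[str]]:
    """Return restore waves: every service in wave n depends only on earlier waves.

    Uses Kahn's algorithm (repeatedly peel off services with no unmet
    dependency). Raises ValueError naming the services caught in a cycle,
    since a circular dependency has no valid sequential restore order.
    """
    # Give every referenced dependency a node, even if it was never listed itself.
    nodes = set(deps)
    for needs in deps.values():
        nodes.update(needs)
    unmet = {n: 0 for n in nodes}          # number of dependencies not yet restored
    dependents = {n: [] for n in nodes}    # reverse edges: who is waiting on n
    for svc, needs in deps.items():
        for need in needs:
            unmet[svc] += 1
            dependents[need].append(svc)

    wave = sorted(n for n in nodes if unmet[n] == 0)
    waves = []
    placed = 0
    while wave:
        waves.append(wave)
        placed += len(wave)
        next_wave = []
        for n in wave:
            for d in dependents[n]:
                unmet[d] -= 1
                if unmet[d] == 0:
                    next_wave.append(d)
        wave = sorted(next_wave)
    if placed != len(nodes):
        stuck = sorted(n for n in nodes if unmet[n] > 0)
        raise ValueError(f"circular dependency among: {', '.join(stuck)}")
    return waves


def wave_of(waves: list[list[str]], service: str) -> int:
    """Index of the wave in which a service is restored (-1 if absent)."""
    for i, wave in enumerate(waves):
        if service in wave:
            return i
    return -1


if __name__ == "__main__":
    for i, wave in enumerate(restoration_order(DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
```

Two things fall out of the output that a team would want in its playbook: wave 0 is the minimal "basic network" Wosar refers to (here identity and core networking), and anything the restore itself depends on (the backup server and the key vault in this constructed inventory) must sit in an early wave and must be recoverable without the services in later waves, or the restore cannot start at all.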
The Case for Tabletop Exercises
The solution to all of these problems is practice. Wosar recommends periodic tabletop exercises that walk an organization through its breach response plan from start to finish. These exercises surface the gaps, including unrealistic restoration time estimates, decryption keys stored on the network being protected, missing recovery tools, and unclear restoration priorities, before an attacker surfaces them for you.
"Many victims see themselves confronted with having to rebuild their network in a way they didn't anticipate. And that's usually not the best time to have to come up with these sorts of plans. That's why tabletop exercises are incredibly important. We recommend creating an entire playbook so you know what you need to do to recover from a ransomware attack."
If your organization has never tested a full restoration from backups, or never walked through what a ransomware response would look like in practice, now is the time to do it.
Cyber One Solutions Can Help
From backup strategy review to incident response planning, Cyber One Solutions helps businesses identify gaps before they become crises. Contact us today to schedule a consultation.
