
Oct 15, 2024 - Ransomware Recovery: Strategies for Small & Mid-sized Businesses


By: Ari Santiago


Ari Santiago is the CEO of CompassMSP.


Ransomware is one of the most disruptive—and most common—cyber threats facing businesses today. The fallout can be devastating. Attacks can lock devices, encrypt files and folders, steal and delete data, and threaten to leak sensitive data.

For small and mid-sized businesses, which often lack the resources to fully recover from the impact, a ransomware attack can have devastating consequences, including prolonged downtime, reputational damage, and fatal financial strain. Given the increasing frequency and sophistication of ransomware attacks, ensuring your business has a well-structured recovery plan in place is more critical than ever.

And there’s no time to waste. According to Datto’s Global State of the Channel Ransomware Report, 85% of managed service providers (MSPs) reported ransomware attacks against clients in the last two years. And 96% of MSPs predict attacks will continue at current, or worse, rates. 

The NIST Cybersecurity Framework (CSF) provides a detailed, real-world approach to cybersecurity. The framework's Recover function is focused on getting back to normal as quickly as possible following an attack. Here, we’ll look at the function’s specific strategies and tools that smaller organizations can use to recover effectively from a ransomware attack.

An Attractive Target: The Impact of Ransomware on Smaller Businesses

Today, cybercriminals are increasingly focused on small and medium-sized businesses, which are more vulnerable than larger organizations due to several factors:

  • Limited IT resources: Many smaller companies don’t have dedicated cybersecurity teams and may rely on a single IT person—or only external resources—to manage both operations and security, leading to gaps in protection.
  • Inadequate cybersecurity budgets: Smaller businesses often don’t have the ability to invest sufficiently in cybersecurity, making them easier targets for attackers.
  • Third-party risk: Small businesses frequently work with larger organizations, making them an attractive point of entry for ransomware operators who are looking for vulnerabilities in the supply chain.

A ransomware attack can be particularly damaging to a smaller business because of the financial strain it imposes. The company faces the prospect of ransom payments, as well as the loss of access to critical business data, which can cripple operations. Without an effective recovery plan, these organizations will struggle to resume normal operations.

Specific Recovery Strategies for Ransomware Incidents

Let’s look at a few key steps you can take now to minimize the impact of a future attack.

Create a Ransomware-Specific Disaster Recovery Plan

While a comprehensive disaster recovery plan is essential for all businesses, it’s critical that your plan addresses the unique challenges posed by ransomware. Unlike natural disasters, where physical infrastructure might be damaged, ransomware severs your access to digital data and can spread across systems if it isn’t contained.

A ransomware-specific recovery plan should include:

  • Prioritized Restoration: Identify the most critical business functions and ensure they’re the first to be restored.
  • Offline Backups: Ensure that data backups are stored offline or in locations that aren’t accessible from the compromised network.
  • Alternative Communication Channels: If email and internal communications are compromised, you’ll rely on these pre-established alternative channels for coordination.

Leverage Backup and Recovery Solutions

Regular backups remain one of the most effective defenses against ransomware. However, not all backup solutions are equal, and you’ll want to ensure that your backup strategy aligns with your recovery needs.

  • Cloud Backups: Cloud-based backup solutions keep your critical data offsite, reducing the risk of compromised backups during an attack. Cloud backups also offer scalability, making them accessible to businesses of all sizes.
  • Immutable Backups: Quickly gaining in popularity, immutable backups can’t be altered or deleted by a ransomware perpetrator, ensuring you always have a clean, recoverable version of your data.
  • Versioning: Backup tools that support versioning allow you to revert to previous versions of files, which can minimize data loss if your files are encrypted in the attack.

Test and Improve Recovery Plans

Having a recovery plan in place is only half the battle. You also need to ensure that your plans work in real-world scenarios. Regularly testing recovery procedures helps you spot gaps in your strategies and make necessary improvements. Here are two effective ways to test your plans.

  • Tabletop Exercises: Simulating ransomware attacks through tabletop exercises ensures that all employees understand their roles in recovery and can coordinate effectively during a real incident.
  • Live Testing: Performing live recovery drills where backup data is restored enables you to evaluate speed and reliability. Several tools are available that can automate your recovery tests and help you ensure your backups can be restored as expected.
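
A live recovery drill can be scored automatically. The following is an added example, not code from the original post or from any backup product: it records a SHA-256 manifest at backup time, then checks a restored directory for missing or altered files and compares the restore duration with a recovery time target. The function names, the 60-second target, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """At backup time: map each file's relative path to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_restore(manifest, restored_root, elapsed_s, rto_s):
    """After a drill: find missing or altered files and check the time target."""
    missing, altered = [], []
    for rel, expected in sorted(manifest.items()):
        path = Path(restored_root) / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != expected:
            altered.append(rel)
    within_rto = elapsed_s <= rto_s
    return {"missing": missing, "altered": altered, "within_rto": within_rto,
            "passed": not missing and not altered and within_rto}

def run_constructed_drill(rto_s=60.0):
    """Constructed sample data: restore three files, losing one and damaging one."""
    source = {"ledger.csv": b"id,amount\n1,100\n",
              "crm/contacts.json": b'{"customers": 1}',
              "hr/payroll.txt": b"payroll data"}
    with tempfile.TemporaryDirectory() as prod, tempfile.TemporaryDirectory() as restored:
        for rel, data in source.items():
            target = Path(prod) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(prod)          # taken when the backup ran
        start = time.monotonic()
        for rel, data in source.items():         # stand-in for the real restore job
            if rel == "hr/payroll.txt":
                continue                         # simulate a file the backup missed
            target = Path(restored) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"\x00" * 16 if rel.startswith("crm/") else data)
        return verify_restore(manifest, restored, time.monotonic() - start, rto_s)

if __name__ == "__main__":
    print(run_constructed_drill())
```

In a real drill, store the manifest alongside the offline or immutable backup copy so it cannot be altered together with the data it describes.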

Seek External Assistance

If you’re a small or mid-sized business, it’s likely you don’t have the in-house expertise to fully recover from ransomware incidents on your own. An external Incident Response Team (IRT) or Managed Service Provider (MSP) can provide the expert assistance you need to navigate complex recovery efforts. Consider establishing a relationship with a provider now so that you know exactly who to contact in the event of an attack and they’re already familiar with the specifics of your networks and technology infrastructure.

Professional IRTs and MSPs can help identify the source of the attack, isolate the infection, and guide the restoration of your data and systems. For example, IRTs can ensure that ransomware doesn’t re-encrypt systems after recovery.

Cyber insurance can help with the costs of these services. Many cyber insurance policies cover the cost of hiring IRTs or other recovery services, further easing the financial burden of your recovery.

Develop and Maintain a Communication Plan

In the aftermath of a ransomware attack, clear and timely communication with stakeholders is crucial. You should have a predefined communication plan in place that outlines how and when you’ll notify key stakeholders, including employees, customers, partners, and regulators.

  • Internal Communications: Ensure that all team members are aware of the recovery timeline and their roles in bringing systems back online.
  • Customer Notifications: Transparency is key when communicating with customers. You’ll want to find a balance that enables you to provide sufficient information without divulging sensitive details that could further harm your reputation.
  • Regulatory Compliance: If personal data has been compromised in an attack, you may be required by law to notify regulators, and failure to do so may come with legal consequences. Ensure that your communication plan includes compliance with any relevant data protection regulations, such as GDPR or CCPA.

Take Advantage of Recommended Recovery Tools and Procedures

The NIST Cybersecurity Framework includes several tools and strategies to aid in recovery from ransomware:

  • System Restoration: NIST emphasizes using automated tools and techniques to restore systems to normal. Business continuity software, like Datto, can help automate this process, ensuring that your systems are restored with minimal downtime.
  • Risk Management: After recovery, you’ll want to reassess your risk management practices to help prevent future attacks. This includes updating security controls, improving network segmentation, and adopting least-privilege access controls to limit the spread of malware.
  • Learning from Incidents: The Recover function highlights the importance of post-incident reviews. You should analyze the attack to determine weaknesses in your defenses and update your incident response and recovery plans accordingly.

Recovering from a ransomware attack can be a daunting task. However, aligning with the Recover function of the NIST Cybersecurity Framework can help ensure you’re able to implement recovery strategies that minimize downtime, reduce data loss, and prevent future attacks. Whether it’s leveraging immutable backups, working with an MSP, or regularly testing recovery plans, proactive planning is essential to ensuring a successful recovery.

No business is immune to ransomware. By building a robust recovery plan and leveraging the available tools, you can swiftly and efficiently navigate the aftermath of an attack and return to normal operations.

Join us for the next session of our Cybersecurity Webinar Series: 


You're invited to join us on October 24th at 1PM EST for "Recover: Building Resilience - NIST Framework Recovery Strategies for Sustainable Growth".
