3 critical steps to recover from a ransomware attack

Published May 19 2017, 6:29am EDT

One week after the WannaCry ransomware attack impacted thousands of computers worldwide, ransomware has become top-of-mind for IT security professionals and corporate executives, drawing attention to issues related to cyber preparedness and cyber insurance.

Unfortunately for those organizations that were actually victimized and paid ransoms, those costs are unlikely to be covered by their cyber insurance policies, according to cyber insurance company Cyence.

“Cyber insurance policies would respond to this event, but there are a few factors which will limit insurer’s ultimate exposure,” explains Cyence Chief Technology Officer and Co-founder Dr. George Ng. “Cyber insurance policies have retentions/deductibles that are typically at least a few thousand dollars. Since WannaCry’s demand is only $300, this cost would be borne by the insured – not the insurer.”

That can be a tough lesson for many organizations, especially since many are likely to simply pay the ransom because the figure is so low, Ng says.

“WannaCry’s ransom demand of $300 is lower than what we’ve seen in other cyber extortion campaigns (those are typically $500 to $2,000),” Ng says. “But the grand scale of this attack may have influenced hacker demands to incentivize victims to just pay the ransomware price rather than spending on internal resources to address the issue. The ransom of $300 is on a similar scale (if not cheaper) than the cost of restoring from backup or a day’s worth of prorated salary for the average IT person in the United States.”

If Ng is right in his reckoning, based on the number of infected endpoints in the WannaCry attacks, direct ransom costs may have been on the order of $10 million. But Cyence estimates that the business interruption cost to companies will have dwarfed direct costs, at approximately $8 billion.

Growing awareness

One thing that IT security experts agree on this week is that the WannaCry attacks have raised awareness around data security and systems vulnerabilities.

“There have been more than 4,000 daily ransomware attacks since early 2016 – a 300 percent increase over 2015,” according to Scott Kinka, chief technology officer at Evolve IP. “Victims paid a total of more than $24 million to regain access to their data in 2015 alone.”

But Kinka believes the WannaCry epidemic raises the stakes, and organizations that haven’t placed a top priority on data security in the past need to now.

The WannaCry attack “represents a massive ransomware explosion, even by these standards,” Kinka says. “Truthfully, it is impossible to stop the ransomware epidemic. However, taking the right proactive and reactive measures can help mitigate the damage.”

Kinka offers advice on how to recover from a ransomware attack, and how to best protect the organization from becoming a ransomware victim.

3 steps to recover from ransomware

  • Step 1: Disconnect from the network and stop backing data up immediately
  • Step 2: Remove ransomware and clean computers of malicious software
  • Step 3: Restore from the most recent clean backup

Best practices to protect your organization from ransomware

  • Tip #1: Educate users on security best practices
  • Tip #2: Consistently update operating systems, antivirus and anti-malware software
  • Tip #3: Disable macros in Office documents
  • Tip #4: Prevent .exe from running in AppData or LocalAppData folders
  • Tip #5: Set up a next-generation firewall
  • Tip #6: Back up your data frequently and consistently

“Ransomware continues to become more common as hackers target organizations in an attempt to gain access to valuable corporate data,” says David Kramer, vice president and general manager of security operations at BMC. “Enterprises across all industries need to become more proactive to ensure connected devices, applications and infrastructure are constantly monitored for known vulnerabilities.”
