Mitigating the Impact of Ransomware Attacks With Business Continuity Planning

essidsolutions

Ransomware attacks cause partial or complete shutdowns of business-critical functions, the same impact that business continuity events cause. Consequently, business continuity planning is one of the best ways to prepare for the increasing probability that any organization will eventually become a victim of a ransomware attack.

The True Impact of Ransomware Attacks

Ransomware encrypts, and sometimes steals, the information needed to conduct critical business functions. It has the same effect as a natural event that completely cripples business operations. The only real difference is that office space and data centers remain physically available after ransomware has cut off access to the data.

Unlike the figure that usually makes the news, the total cost of a ransomware attack far exceeds the ransom demand. In one example, a company paid a $20,000 ransom but experienced business losses of about $700,000. Sophos’ The State of Ransomware 2021 asserts that the average total cost of a ransomware attack is about $1.85 million, in contrast to an average ransom demand of $170,404.

Like during any event that results in the loss of critical business functions, organizations must implement a recovery plan that should include both preparation and response.

Key Components of Business Continuity Planning

The purpose of business continuity planning, or BCP, is to mitigate the interruption of critical business functions (CBF) and to respond quickly to restore operations. A Disaster Recovery Plan (DRP) is a sub-plan of the business continuity plan that helps bring the right people together when recovery is needed.

The BCP team must include representatives from all stakeholder departments and lines of business. Only CBF owners and the downstream recipients of CBF outcomes can accurately predict the costs associated with CBF interruption.

After the team receives support from C-Level management in a documented BCP policy statement, the team then identifies CBFs across the organization. IT maps the underlying infrastructure (the systems) that supports those functions.

The following steps prepare organizations to mitigate CBF interruption. Although these steps are used for all interruptions, I focus here on using them for situations involving ransomware attacks:

  1. Business Impact Analysis: Part of BCP is determining the adverse business impact if a CBF is interrupted. The measures of BCP business impact include maximum tolerable downtime, recovery point objective, recovery time objective, and work recovery time.
  2. Maximum Tolerable Downtime (MTD): This is the length of time a CBF can be down before the business experiences a severe adverse impact. If the MTD of several CBFs is exceeded during a ransomware attack, the business might never fully recover.
  3. Recovery Point Objective (RPO): The RPO is the point to which restored backups return business functionality. For example, if the latest backup is two days old, the RPO is 48 hours before the ransomware attack. The RPO is affected by how and when backups are performed.
  4. Recovery Time Objective (RTO): The time it takes to reach the RPO is the RTO. In the case of a ransomware attack, it is the time needed to clean systems of malware and restore the latest backups.
  5. Work Recovery Time (WRT): When a backup is restored, the databases usually lack the transactions entered between the backup and the ransomware attack. The WRT is the time needed to reenter the lost information and return to full functionality.

The Process of Mitigating the Impact of a Ransomware Attack

Figure 1 is an attack recovery timeline showing the relationship between the measures of impact. MTBF is the mean time before or between failures. The CBF is running well until a ransomware attack encrypts all of the required information.

Figure 1: Recovery Timeline

The response team begins the recovery process, which extends through the RTO. This includes restoring backups. At the RPO, CBF functionality is restored, but transactions since the last backup might be missing. If so, they are recovered during the Work Recovery Time (WRT). Once the WRT is completed, the CBF is fully recovered. RTO and the WRT together make up the Maximum Tolerable Downtime (MTD).
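The list of measures above and the timeline just described reduce to a small amount of arithmetic that a BCP team can apply per CBF: the RPO is the age of the last backup that completed successfully before the attack, the WRT is the time to re-enter the transactions processed since that backup, and the RTO plus the WRT must fit within the MTD. The following script is an added example, not code from the original article; the CBF figures, backup history, attack time and the linear re-entry model (lost transactions divided by the rate at which staff can re-enter them) are all constructed assumptions used to illustrate the calculation.

```python
"""Recovery-timeline arithmetic for a ransomware event (added example).

RPO  = hours between the last good backup and the attack
WRT  = (transactions processed during the RPO window) / re-entry rate
MTD check: RTO + WRT <= MTD, following the article's Figure 1 timeline.
All inputs below are constructed sample values, not real measurements.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class CriticalBusinessFunction:
    name: str
    mtd_hours: float            # maximum tolerable downtime agreed with the CBF owner
    restore_hours: float        # RTO estimate: wipe/re-image systems and restore the last backup
    tx_per_hour: float          # transactions normally processed per hour
    reentry_tx_per_hour: float  # transactions staff can re-enter per hour after the restore


@dataclass
class BackupRecord:
    finished_at: datetime
    ok: bool                    # False if the backup job failed or was incomplete


@dataclass
class Assessment:
    rpo_hours: float
    rto_hours: float
    wrt_hours: float
    downtime_hours: float       # RTO + WRT
    within_mtd: bool


def last_good_backup(history: List[BackupRecord], attack_time: datetime) -> Optional[datetime]:
    """Latest backup that completed successfully before the attack.

    Backups that finished after the attack began are ignored: they may have
    captured already-encrypted data and cannot be trusted as a recovery point."""
    good = [b.finished_at for b in history if b.ok and b.finished_at < attack_time]
    return max(good) if good else None


def recovery_point_hours(history: List[BackupRecord], attack_time: datetime) -> Optional[float]:
    """RPO expressed as hours of data that the restored backup does not contain."""
    last = last_good_backup(history, attack_time)
    if last is None:
        return None
    return (attack_time - last).total_seconds() / 3600


def work_recovery_hours(cbf: CriticalBusinessFunction, rpo_hours: float) -> float:
    """WRT under the constructed linear re-entry model."""
    lost_transactions = rpo_hours * cbf.tx_per_hour
    return lost_transactions / cbf.reentry_tx_per_hour


def assess(cbf: CriticalBusinessFunction, history: List[BackupRecord],
           attack_time: datetime) -> Assessment:
    """Compute RPO, RTO, WRT and check the total downtime against the MTD."""
    rpo = recovery_point_hours(history, attack_time)
    if rpo is None:
        # No usable backup: data must be rebuilt from scratch, so the WRT is
        # unbounded and the MTD is treated as breached.
        inf = float("inf")
        return Assessment(inf, cbf.restore_hours, inf, inf, False)
    wrt = work_recovery_hours(cbf, rpo)
    downtime = cbf.restore_hours + wrt
    return Assessment(rpo, cbf.restore_hours, wrt, downtime, downtime <= cbf.mtd_hours)


# Constructed sample data: nightly backups, the most recent one failed,
# and the attack is detected mid-morning the following day.
ATTACK_TIME = datetime(2024, 3, 5, 9, 0)
BACKUP_HISTORY = [
    BackupRecord(datetime(2024, 3, 3, 2, 0), ok=True),
    BackupRecord(datetime(2024, 3, 4, 2, 0), ok=True),
    BackupRecord(datetime(2024, 3, 5, 2, 0), ok=False),   # failed job -> not a valid RPO
]
ORDER_PROCESSING = CriticalBusinessFunction("Order processing", 48, 12, 100, 500)
PAYROLL = CriticalBusinessFunction("Payroll", 24, 16, 200, 400)


def report(cbfs: List[CriticalBusinessFunction]) -> List[str]:
    """One human-readable line per CBF, flagging MTD breaches for the BCP team."""
    lines = []
    for cbf in cbfs:
        a = assess(cbf, BACKUP_HISTORY, ATTACK_TIME)
        status = "OK" if a.within_mtd else "MTD BREACHED"
        lines.append(f"{cbf.name}: RPO={a.rpo_hours:.1f}h RTO={a.rto_hours:.1f}h "
                     f"WRT={a.wrt_hours:.1f}h total={a.downtime_hours:.1f}h "
                     f"MTD={cbf.mtd_hours:.0f}h -> {status}")
    return lines


if __name__ == "__main__":
    for line in report([ORDER_PROCESSING, PAYROLL]):
        print(line)
```

With the constructed inputs, the failed backup pushes the RPO back to 31 hours. Order processing still recovers inside its 48-hour MTD, but payroll cannot: re-entering 31 hours of transactions takes longer than the slack its MTD leaves after the restore, which is exactly the kind of finding that should drive a shorter backup interval or a faster restore method for that CBF before an attack happens.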

Contingency Planning

The contingency planning step of a BCP includes developing a strategy for dealing with an event. One decision an organization must make is whether to pay a ransom if attacked. If management is willing to pay the ransom, or if the cyber insurance carrier will pay, the response will be different than if management refuses to pay.

To Pay or Not to Pay

If an organization pays the ransom, there is no guarantee that CBFs will return to full functionality. Sophos’ The State of Ransomware 2021 report claims that the chances of a victim organization regaining access to all encrypted data are not good.

“On average, organizations that paid the ransom got back just 65% of the encrypted files, leaving over one-third of their data inaccessible. 29% of respondents reported that 50% or less of their files were restored, and only 8% got all their data back.”

This means that the systems and some or most of the data might become available, but the systems still have to be cleared of malware and the lost work transactions recovered.

Not paying the ransom could result in a disaster recovery situation. This involves completely reimplementing systems and restoring data. The longer it takes to decide about the ransom and implement a response, the more costly the attack.

Regardless of the approach taken, organizations must understand how they plan to manage a ransomware attack before it happens. The adage “time is money” fully applies here. This is the purpose of business continuity planning, which must include ransomware attacks so that an organization can effectively recover within CBF MTDs.

System and Data Contingencies

Regardless of whether the victim organization decides to pay the ransom, the response team must have documented procedures for recovering affected systems. The first step is removing all malware. The most effective way of doing this is to wipe drive content and start over.

Starting over does not have to be painful. If the affected servers or desktops are imaged, recovery is just overwriting the infected device with a clean image. Also, many organizations use virtual servers for production. Taking down the infected server and bringing up an uninfected VM can quickly restore functionality. Part of preparing for an attack is ensuring efficient and fast server and user device recovery.

Recovering data may be more difficult. Recovery time is the time needed to restore the data from backups plus the time needed to recover lost transactions. The type of backup determines the restore time, and the frequency of backups determines the WRT. Services exist today to help with these challenges.

Disaster Recovery as a Service (DRaaS)

An alternate recovery method is often needed when managing a significant interruption of CBFs that cannot be recovered in-house within the MTD. Traditional approaches are mirror, hot, warm, and cold sites. 

The best way to mitigate ransomware attacks is a mirror site. However, mirror sites managed by internal staff incur facility costs and require regular IT engagement. A newer alternative is DRaaS.

John Moore and Kim Hefner write that DRaaS is a mirrored site managed by a service provider. It is available for immediate failover if the production data center is no longer able to support CBFs. The supporting infrastructure can be physical or virtual.

DRaaS is a good approach for small- and medium-sized businesses, the most common ransomware targets. StorageCraft claims that the benefits of DRaaS, in addition to fast failover, include less complexity, lower costs, and scalability.

Another approach is to maintain CBF infrastructure in the cloud. Cloud providers like Amazon’s AWS and Microsoft’s Azure also offer DRaaS services that maintain mirrored servers at other sites, as shown in Figure 2.

Figure 2 (Source: Microsoft)

Like all safeguards, DRaaS has associated costs. The costs must be balanced with the total potential costs of ransomware or other cyber-attacks together with the costs of other types of business continuity events.

Final Thoughts

Ransomware attacks are just another business continuity event. The difference lies in how organizations tend to respond. In many cases, the victim organization’s management seems to have little idea of how to respond. Since most ransomware victims are small- and medium-sized organizations, this is not surprising.

Most smaller organizations do not have the resources to create and manage a business continuity plan or take preparatory steps to manage risk associated with cyber-attacks. This is a condition that must change.

Smaller organizations, including government agencies, must take steps to manage the inevitable. This includes engaging with security services providers to implement reasonable and appropriate safeguards, including a business continuity plan. Also, all organizations should consider purchasing cyber insurance and work with the carrier to mitigate the costs when ransomware stops business operations.

Again, organizations must implement reasonable and appropriate safeguards, including safe network design. If this is not possible due to resource constraints, CBFs should be moved to a cloud service that provides needed operational safety.

An organization can do everything right but still become a ransomware victim. How well the organization weathers an attack depends on how well it prepares.
