There’s a cultural barrier to investing proactively in cybersecurity, Johnson admits. “We are a reactionary society, but cybersecurity is finally being seen for what it is: an investment. An ounce of prevention is worth a pound of cure.”

8. Test, test, and test again

“A lot of people are approaching backups from a backup point of view, not a recovery point of view,” says Mike Golden, senior delivery manager for cloud infrastructure services at Capgemini. “You can back up all day long, but if you don’t test your restore, you don’t test your disaster recovery, you’re just opening yourself to problems.”

This is where a lot of companies go wrong, Golden says. “They back it up and go away and are not testing it.” They don’t know how long the backups will take to download, for example, because they haven’t tested it. “You don’t know all the little things that can go wrong until it happens,” he says.

It’s not just the technology that needs to be tested, but the human element as well. “People don’t know what they don’t know,” Golden says. “Or there’s not a regular audit of their processes to make sure that people are adhering to policies.”

When it comes to people following required backup processes and knowing what they need to do in a disaster recovery situation, the mantra, Golden says, should be “trust but verify.”

What steps should companies take if they’ve experienced a ransomware attack

The US Cybersecurity and Infrastructure Security Agency (CISA) has a framework for companies to follow that covers the main steps that need to be taken after a ransomware attack.

Evaluate the scope of damage: The first step is to identify all affected systems and devices. That can include on-premises hardware as well as cloud infrastructure. CISA recommends using out-of-band communications during this stage, such as phone calls, to avoid letting the attackers know that they have been discovered and what actions you are planning to take.

Isolate systems: Remove affected devices from the network or turn off their power. If there are several affected systems or subnets, take them offline at the network level, or power down switches or disconnect cables. However, powering down devices might destroy evidence stored in volatile memory, so should be a last resort. In addition, protectively isolate the most mission-critical systems that are still untouched from the rest of the network.

Triage affected systems for recovery: Prioritize systems critical for health or safety, revenue generation, and other critical business services as well as the systems that they depend on. Restore from offline, encrypted backups and golden images that have been tested to be free of infection.

Execute your notification plan: Depending on your cyber incident response and communications plan, notify internal and external teams and stakeholders. These can include the IT department, managed security service providers, cyber insurance company, corporate leaders, customers, and the public, as well as government agencies in your country. If the incident involved a data breach, follow legal notification requirements.

Containment and eradication: Collect system images and memory captures of all affected devices, as well as relevant logs and samples of related malware and early indicators of compromise. Identify ransomware variant and follow recommended remediation steps for that variant. If data has been encrypted, consult federal law enforcement for possible decryptors that may be available. Secure networks and accounts against further compromise, since the attackers may still have their original access credentials or obtained more during the breach. In addition, extended analysis should be conducted to find persistent infection mechanisms to keep them from reactivating.

How long does it take to recover from ransomware?

According to Sophos, only a minority of ransomware victims recover in a week or less. On average, 35% took less than a week. About a third took between a week and a month. And the final third, 34%, took a month or more to recover. Only 7% of victims recovered in less than a day — and 8% of victims took three months or longer.

Recovery times are significantly reduced, however, if a company has good backups.

If a company’s backups were also compromised, only 25% of companies recovered in less than a week. But if the backups were not compromised, 46% of companies took less than a week to get back on their feet.

Ransomware best practices for prevention

CISA has a detailed list of best practices for preventing ransomware.

Backups: CISA recommends maintaining offline, encrypted backups of critical data and testing these backups and recovery procedures on a regular basis. Enterprises should also have golden images of critical systems, as well as configuration files for operating systems and key applications that can be quickly deployed to rebuild systems. Companies may also consider investing in backup hardware or backup cloud infrastructure to ensure business continuity.

Incident response plan: Enterprises should create, maintain, and regularly exercise a cyber incident response plan and associated communication plan. This plan should include all legally required notifications, organizational communications procedures, and make sure that all key players have hard copies or offline versions of this plan.

Prevention: CISA recommends that companies move to a zero-trust architecture to prevent unauthorized access. Other key preventative measures include minimizing the number of services exposed to the public, especially frequently targeted services like remote desktop protocol. You should conduct regular vulnerability scanning, regularly patch and update software, implement phishing-resistant multi-factor authentication, implement identity and access management systems, change all default admin usernames and passwords, use role-based access instead of root access accounts, and check the security configurations of all company devices and cloud services, including personal devices used for work. CISA also has specific recommendations for protecting against the most common initial access vectors, such as phishing, malware, social engineering, and compromised third parties.