Why is Recovery from Ransomware failing?

The Cyber Insurance industry has seen a 131% increase in claims related to Ransomware attacks, and recovery outcomes are not good. Studies show that 27% of organisations with Cyber Insurance that suffer a successful ransomware attack have the ransom paid by the insurer. The US Treasury has legislated against Ransomware payments to prevent the funding of terrorism, so paying the hackers for the keys to decrypt data is one remediation strategy that is being cut off, and this is already impacting UK companies.

While prevention is critical, recovery should not be ignored, and it needs to be regularly assessed against emerging ransomware threats.

For prevention measures to succeed, they must repel 100% of the attacks, 100% of the time. For the attack to succeed, it need only break through once. Ransomware is becoming more sophisticated, as are the attack techniques used to plant ransomware into a network and disrupt the recovery and DR processes.

IT Operations have access to well-proven technology solutions to cope with a range of IT Disaster Recovery scenarios. These typically address hardware failure, fire, flood, power, network or telecoms outages. One of the common characteristics of all these incidents is that they are localised. It is unlikely that hardware will fail simultaneously across multiple sites, or that there will be a fire in two city locations at the same time, knocking out both your primary and secondary IT locations. It is even more unlikely if one is a public cloud.

Technology that provides high availability, by replication or clustering of servers and storage across multiple sites, is ideally suited to maintaining the operations of systems and access to applications if an application service at the primary site fails. This architecture underpins the popular Public Cloud services that Microsoft, Amazon, Google and Salesforce operate. In recent years, organisations have been building IT Disaster Recovery plans based on rapid recovery of complete virtual machine workloads through snapshots. This approach is reliable, can be optimised to near-zero Recovery Time Objectives, and equally addresses the localised failure scenarios, often at a price point significantly less than high availability solutions.

But there is a new and fundamentally different threat that has been growing in frequency and is evolving in its sophistication: Ransomware.

The behaviour of Ransomware changes, and as it does, each different type of attack has to be combatted. The architectures for high availability actually propagate Ransomware, embedding the infection into data that is then replicated across all instances of the infrastructure. IBM and Ponemon Institute have calculated that the average time between a cyber breach and detection is over 200 days. What is a hacker doing during this time?

The Cyber Insurance industry is having to pay ransoms when its clients can't recover their data. Yet every Cyber Insurance application form asks the applicant one or more of these typical questions:

  1. Do you have a Disaster Recovery plan?
  2. Is your backup system managed by a third party?
  3. How regularly is it tested?
  4. When was it last tested?
  5. Describe your data backup policy?

So why can’t organisations reliably recover from ransomware attacks?

To answer this question, please take a look at the panel discussion "Recovery from Ransomware" from the recent London Markets Forum Cyber Insurance event hosted by Roger Oldham, LM Forum.

Or download our 5 questions to ask to see if you can recover from a ransomware attack.