Ransomware attack recovery plan

Always prepare a ransomware attack recovery plan, starting with an alternative to ransom payment to help avoid losing access to your data.

Important

Read the whole ransomware prevention series, and make your organization hard to ransomware attack.

Ransomware actors in control of your organization have many ways to pressure you into paying. The demands primarily focus on two categories:

  • Pay a ransom to regain access

    Threat actors demand payment under the threat that they won’t give you back access to your systems and data. This is usually done by encrypting your systems and data and demanding payment for the decryption key.

    Important

    Paying the ransom won't guarantee restored access to your data.

Financially motivated cybercriminals (and often relatively amateur operators who are using a toolkit provided by someone else), might keep both the payment locked files. There is no legal guarantee that they will provide a key that decrypts 100% of your systems and data, or even provide a key at all. The process to decrypt these systems uses homegrown attack tools, an often clumsy and manual process.

  • Pay to avoid disclosure

    Threat actors demand payment in exchange for not releasing sensitive or embarrassing data to the dark web (other criminals) or the general public.

To avoid being forced into payment (the profitable situation for threat actors), the most immediate and effective action you can take is to make sure your organization can restore your entire enterprise from immutable storage, which neither the cybercriminal nor you can modify.

Identifying the most sensitive assets and protecting them at a higher level of assurance is also critically important but is a longer and more challenging process to execute. We don’t want you to hold up other areas in phases 1 or 2, but we recommend you get the process started by bringing together business, IT, and security stakeholders to ask and answer questions like:

  • What business assets would be the most damaging if compromised? For example, for which assets would our business leadership be willing to pay an extortion demand if cybercriminals controlled them?
  • How do these business assets translate to IT assets (such as files, applications, databases, servers, and control systems)?
  • How can we protect or isolate these assets so that threat actors with access to the general IT environment can’t access them?

Secure backups

You must ensure that critical systems and their data are backed up and backups are protected against deliberate erasure or encryption by a threat actor.

Attacks on your backups focus on crippling your organization’s ability to respond without paying, frequently targeting backups and key documentation required for recovery to force you into paying extortion demands.

Most organizations don’t protect backup and restoration procedures against this level of intentional targeting.

Backup and restore plan to protect against ransomware addresses what to do before an attack to protect your critical business systems and during an attack to ensure a rapid recovery of your business operations.

Learn how to restore your OneDrive files in the event of a ransomware attack.

Program and project member accountabilities

This table describes the overall protection of your data from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Implementor Accountability
Central IT Operations or CIO Executive sponsorship
Program lead from Central IT infrastructure Drive results and cross-team collaboration
Central IT Infrastructure/Backup Enable Infrastructure backup
Central IT Productivity / End User Enable OneDrive Backup
Security Architecture Advise on configuration and standards
Security Policy and Standards Update standards and policy documents
Security Compliance Management Monitor to ensure compliance

Implementation checklist

Apply these best practices to secure your backup infrastructure.

Done Task Description
Backup all critical data automatically on a regular schedule. Allows you to recover data up to the last backup.
Regularly exercise your business continuity/disaster recovery (BC/DR) plan. Ensures rapid recovery of business operations by treating a ransomware or extortion attack with the same importance as a natural disaster.
Protect backups against deliberate erasure and encryption:

- Strong Protection – Require out of band steps (MFA or PIN) before modifying online backups (such as Azure Backup).

- Strongest Protection – Store backups in online immutable storage (such as Azure Blob) and/or fully offline or off-site.
Backups accessible by cybercriminals can be rendered unusable for business recovery. Implement stronger security to access backups and the inability to change the data stored in backups.
Protect supporting documents required for recovery such as restoration procedure documents, your configuration management database (CMDB), and network diagrams. Threat actors deliberately target these resources because it impacts your ability to recover. Make sure they survive a ransomware attack.

Implementation results and timelines

Within 30 days, ensure that Mean Time to Recover (MTTR) meets your BC/DR goal, as measured during simulations and real-world operations.

Data protection

You must implement data protection to ensure rapid and reliable recovery from a ransomware attack and to block some attack techniques.

Ransomware extortion and destructive attacks only work when all legitimate access to data and systems is lost. Ensuring that threat actors cannot remove your ability to resume operations without payment will protect your business and undermine the monetary incentive for attacking your organization.

Program and project member accountabilities

This table describes the overall protection of your organization data from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Implementor Accountability
Central IT Operations or CIO Executive sponsorship
Program lead from Data Security Drive results and cross-team collaboration
Central IT Productivity / End User Implement changes to Microsoft 365 tenant for OneDrive and Protected Folders
Central IT Infrastructure/Backup Enable Infrastructure backup
Business / Application Identify critical business assets
Security Architecture Advise on configuration and standards
Security Policy and Standards Update standards and policy documents
Security Compliance Management Monitor to ensure compliance
User Education Team Ensure guidance for users reflects policy updates

Implementation checklist

Apply these best practices to protect your organization data.

Done Task Description
Migrate your organization to the cloud:

- Move user data to cloud solutions like OneDrive/SharePoint to take advantage of versioning and recycle bin capabilities.

- Educate users on how to recover their files by themselves to reduce delays and cost of recovery.
User data in the Microsoft cloud can be protected by built-in security and data management features.
Designate Protected Folders. Makes it more difficult for unauthorized applications to modify the data in these folders.
Review your permissions:

- Discover broad write/delete permissions on file shares, SharePoint, and other solutions. Broad is defined as many users having write/delete permissions for business-critical data.

- Reduce broad permissions for critical data locations while meeting business collaboration requirements.

- Audit and monitor critical data locations to ensure broad permissions don’t reappear.
Reduces risk from ransomware activities that rely on broad access.

Next step

Phase 2. Limit the scope of damage

Continue with Phase 2 to limit the scope of damage of an attack by protecting privileged roles.

Additional ransomware resources

Key information from Microsoft:

Microsoft 365:

Microsoft Defender XDR:

Microsoft Azure:

Microsoft Defender for Cloud Apps:

Microsoft Security team blog posts: