Prepare a ransomware attack recovery plan

Article
03/25/2024

One thing you must do in advance of a ransomware attack is prepare your organization so it has a alternative to paying a ransom.

Important

Read the whole ransomware prevention series, and make your organization hard to ransomware attack.

Cybercriminal ransomware attackers in control of your organization have many ways to pressure you into paying. The demands primarily focus on two categories:

Pay a ransom to regain access

Attackers demand payment under the threat that they won’t give you back access to your systems and data. This is usually done by encrypting your systems and data and demanding payment for the decryption key.

Important

Paying the ransom isn’t as simple and clean of a solution as it may seem.

Because you're dealing with cybercriminals that are only motivated by payment (and often relatively amateur operators who are using a toolkit provided by someone else), there is a lot of uncertainty around how well paying the ransom will actually work. There is no legal guarantee that they will provide a key that decrypts 100% of your systems and data, or even provide a key at all. The process to decrypt these systems uses homegrown attacker tools, which is often a clumsy and manual process.

Pay to avoid disclosure

Attackers demand payment in exchange for not releasing sensitive or embarrassing data to the dark web (other criminals) or the general public.

To avoid being forced into payment (the profitable situation for attackers), the most immediate and effective action you can take is to make sure your organization can restore your entire enterprise from immutable storage, which neither the attacker nor you can modify.

Identifying the most sensitive assets and protecting them at a higher level of assurance is also critically important but is a longer and more challenging process to execute. We don’t want you to hold up other areas in phases 1 or 2, but we recommend you get the process started by bringing together business, IT, and security stakeholders to ask and answer questions like:

What business assets would be the most damaging if compromised? For example, what assets would our business leadership be willing to pay an extortion demand if attackers controlled them?
How do these business assets translate to IT assets (such as files, applications, databases, servers, and control systems)?
How can we protect or isolate these assets so that attackers with access to the general IT environment can’t access them?

Secure backups

You must ensure that critical systems and their data are backed up and backups are protected against deliberate erasure or encryption by an attacker.

Attacks on your backups focus on crippling your organization’s ability to respond without paying, frequently targeting backups and key documentation required for recovery to force you into paying extortion demands.

Most organizations don’t protect backup and restoration procedures against this level of intentional targeting.

Note

This preparation also improves resilience to natural disasters and rapid attacks like WannaCry and (Not)Petya.

Backup and restore plan to protect against ransomware addresses what to do before an attack to protect your critical business systems and during an attack to ensure a rapid recovery of your business operations.

Program and project member accountabilities

This table describes the overall protection of your data from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead	Implementor	Accountability
Central IT Operations or CIO		Executive sponsorship
Program lead from Central IT infrastructure		Drive results and cross-team collaboration
	Central IT Infrastructure/Backup	Enable Infrastructure backup
	Central IT Productivity / End User	Enable OneDrive Backup
	Security Architecture	Advise on configuration and standards
	Security Policy and Standards	Update standards and policy documents
	Security Compliance Management	Monitor to ensure compliance

Implementation checklist

Apply these best practices to secure your backup infrastructure.

Done	Task	Description
	Backup all critical data automatically on a regular schedule.	Allows you to recover data up to the last backup.
	Regularly exercise your business continuity/disaster recovery (BC/DR) plan.	Ensures rapid recovery of business operations by treating a ransomware or extortion attack with the same importance as a natural disaster.
	Protect backups against deliberate erasure and encryption: - Strong Protection – Require out of band steps (MFA or PIN) before modifying online backups (such as Azure Backup). - Strongest Protection – Store backups in online immutable storage (such as Azure Blob) and/or fully offline or off-site.	Backups that are accessible by attackers can be rendered unusable for business recovery. Implement stronger security to access backups and the inability to change the data stored in backups.
	Protect supporting documents required for recovery such as restoration procedure documents, your configuration management database (CMDB), and network diagrams.	Attackers deliberately target these resources because it impacts your ability to recover. Make sure they survive a ransomware attack.

Implementation results and timelines

Within 30 days, ensure that Mean Time to Recover (MTTR) meets your BC/DR goal, as measured during simulations and real-world operations.

Data protection

You must implement data protection to ensure rapid and reliable recovery from a ransomware attack and to block some techniques of attackers.

Ransomware extortion and destructive attacks only work when all legitimate access to data and systems is lost. Ensuring that attackers cannot remove your ability to resume operations without payment will protect your business and undermine the monetary incentive for attacking your organization.

Program and project member accountabilities

This table describes the overall protection of your organization data from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead	Implementor	Accountability
Central IT Operations or CIO		Executive sponsorship
Program lead from Data Security		Drive results and cross-team collaboration
	Central IT Productivity / End User	Implement changes to Microsoft 365 tenant for OneDrive and Protected Folders
	Central IT Infrastructure/Backup	Enable Infrastructure backup
	Business / Application	Identify critical business assets
	Security Architecture	Advise on configuration and standards
	Security Policy and Standards	Update standards and policy documents
	Security Compliance Management	Monitor to ensure compliance
	User Education Team	Ensure guidance for users reflects policy updates

Implementation checklist

Apply these best practices to protect your organization data.

Done	Task	Description
	Migrate your organization to the cloud: - Move user data to cloud solutions like OneDrive/SharePoint to take advantage of versioning and recycle bin capabilities. - Educate users on how to recover their files by themselves to reduce delays and cost of recovery.	User data in the Microsoft cloud can be protected by built-in security and data management features.
	Designate Protected Folders.	Makes it more difficult for unauthorized applications to modify the data in these folders.
	Review your permissions: - Discover broad write/delete permissions on file shares, SharePoint, and other solutions. Broad is defined as many users having write/delete permissions for business-critical data. - Reduce broad permissions for critical data locations while meeting business collaboration requirements. - Audit and monitor critical data locations to ensure broad permissions don’t reappear.	Reduces risk from ransomware activities that rely on broad access.