From Nick Cavalancia Techvangelist Business owners have two major concerns today: One is to keep the business operational, and the other is to protect the business from anything that would keep it from being operational. Ransomware has positioned itself as the most serious threat to business operations, with the 2017 damage estimate being around $5 billion, according to Cybersecurity Ventures. In 2016, 33% of organizations, on average, were hit with a successful ransomware attack, with the average attack infecting six workstations and two servers, according to a KnowBe4 report on ransomware. To make matters worse, SMBs were more susceptible to ransomware attacks (88% on average, according to that same report), likely due to the obvious differences between SMB IT shops and their enterprise counterparts: less staff, budget and time to devote to ransomware disaster recovery. Now, you might think that because you have a pretty impressive layered defense strategy, you’re in good shape, but of those organizations with layered defenses — those having security software, user training and even phishing training and testing in place — 22% of them still fell victim to a ransomware attack last year. In reality, any SMB IT administrator should be thinking “It’s going to happen” rather than “It could happen,” as a statement of the position to take when planning how to deal with ransomware recovery. So, what should SMBs do proactively to be ready to recover from ransomware? Step 1: Identify data sets and systems critical to operations You need to select those endpoints and data sets that the business can’t run without and, if encrypted, would do irreparable harm to operations. Ask the question, “How long can we be without <insert system, data set, etc. here>?” repeatedly for all parts of the business to help hone the list. Step 2: Determine a ransomware disaster recovery strategy to get operational You’re building a recovery plan that assumes one or more of those data sets and systems have been encrypted by ransomware and that either the ransom is too expensive or that the decryption fails. Taking the list of data and systems from Step 1, work backward to develop your recovery time and recovery point objectives that then, in turn, help you work backward to your backup definitions. Step 3: Determine the scope of a successful ransomware attack What’s involved: Is it merely a single, noncritical endpoint, or was it a nasty strain of ransomware that infected your CEO’s workloads, connected to your financial shared drive, sent emails to others in the office and infected several other endpoints as well?  Assuming you have endpoint protection in place, this step assumes it failed, so there’s no help from alerting or reporting. You’re going to need to go at this ransomware disaster recovery stage manually in some cases. Step 4: Do the cost analysis (aka “To pay or not to pay?”) What’s involved: Determine what needs to be recovered — file data sets, entire systems, etc. Don’t remove the ransomware; instead, re-image the machine. Then, do the math regarding payments. Most ransomware authors are cyber criminal organizations that treat this like a business, so the likelihood of getting a good decryption key is pretty high. But it may be Dr. Evil on the other end asking for $1 billion — in which case, it’s just cheaper to recover everything. Step 5: Recover Backups Recovery should restore your operating environment (data and systems) fully back to pre-ransomware states. Ransomware disaster recovery on a budget? It’s likely many of you either have no budget to dedicate to the proactive ransomware recovery effort or little staffing power to address it should an attack occur. If you’re thinking you can’t afford the time and cost associated with the steps above, you need to consider that most of the expense above is time, which is an intangible cost. In the event of a ransomware attack, the organization is going to feel the real costs of downtime. In essence, your organization can’t afford not to plan ahead. Now, having said all that, some of you may have no IT staff. If that’s the case, it’s important to engage with an IT partner, preferably a managed service provider with experience around recovery, and get the partner to assist in building out even the most basic of plans. The effect of a ransomware attack is a bit of an unknown, so preparation is vitally important. Ensure Recovery from Ransomware Your best proactive stance is one where you make the assumption that ransomware is going to get past your endpoint, email and network-based defenses, causing you to put a recovery plan in place. The good news is that, with a recovery strategy lying in wait, ransomware becomes more of a nuisance than a real problem. It could be an issue that takes a few hours to remove from the network, instead of one that brings your operations to a screeching halt. Or, call us and be proactive. 😉