Additional recovery pressures: Modern ransomware attacks now routinely involve double or triple extortion, whereby attackers threaten to leak stolen data or launch distributed denial of service (DDoS) attacks even after payment. This fundamentally changes the calculus on what victims can expect in cases where they decide to make a ransomware payment, which more often than not fails to resolve many of the problems arising from a ransomware attack.

“Paying only addresses the encryption element, not the broader compromise,” Bridewell’s John notes.

Moreover, a ransomware incident puts an organization under enormous pressure, with legal, operational, and reputational issues all converging, often within a matter of hours. These factors, combined with the inherent uncertainty of dealing with criminals, help explain why paying the ransom so often falls short of achieving full data recovery.

Lillian Tsang, senior solicitor in Harper James’ data protection and privacy team, warns that even when a decryption key is received, some data may already be permanently damaged, altered, or stolen.

“That creates operational challenges but also raises data protection concerns, particularly where personal data is involved,” Tsang explains. “If records are lost or compromised, this can amount to a personal data breach under UK GDPR, which brings reporting obligations and the potential for regulatory scrutiny.”

Paying a ransom doesn’t give a business any legal recourse if the criminals fail to deliver and, worse, “payment can create further risk if funds are unknowingly transferred to a sanctioned group,” Tsang warns.
Financial resilience and legal issues: How a ransomware attack plays out in practice is illustrated by an account from an executive at Kantsu, a midsize Japanese logistics company. Kantsu President Hisahiro Tatsujo told CIO.com about the company’s efforts to restore operations following a ransomware attack.

Kantsu, which did not pay a ransom, was obliged to ask financial institutions for loans to cover the cost of recovering its operations because, although it was insured, its insurance firm had to go through a claims process before making a payout. The incident illustrates how enterprises need a financial as well as an operational plan to successfully recover from ransomware attacks.

Moreover, when systems are disrupted by ransomware attacks, legal obligations kick in almost immediately, with requirements to notify regulators and affected individuals, especially if personal data is affected by a breach.

“One of the biggest challenges is making rapid, high-stakes decisions with only fragments of information,” says Harper James’ Tsang. “Senior leaders have to weigh the legal risks of payment, the impact on business continuity, and the potential consequences for individuals, often with limited technical clarity.”
Forewarned is forearmed: Some experts advise maintaining a retainer with an incident response firm as part of disaster recovery plans that anticipate the all-too-real possibility of a ransomware attack.

“Having a retainer with a reputable incident response or negotiation firm, one equipped to handle cryptocurrency transactions, is crucial,” says Jeremy Samide, CEO at Blackwired, a cybersecurity company focused on direct threat intelligence. “Such firms manage negotiations, have access to multiple crypto types (e.g., Bitcoin, Monero, Zcash), and can execute transfers securely if payment becomes the only path to recovery.”

Samide adds: “Preparation doesn’t mean capitulation, it means being ready for every scenario.”

Harper James’ Tsang cautions against setting aside funds to pay criminals in the event of ransomware attacks.

“Setting aside funds to pay a ransom is increasingly viewed as problematic,” Tsang says. “While payment isn’t illegal in itself, it may breach sanctions, it can fuel further criminal activity, and there is no guarantee of a positive outcome.”

A more secure legal and strategic position comes from investing in resilience through strong security measures, well-tested recovery plans, clear reporting protocols, and cyber insurance, Tsang advises.

“Cyber insurance is crucial for ransomware attacks because not only does it provide financial protection, but it can also give organizations access to specialized support that can significantly reduce damage and downtime,” Tsang explains.

Cyber insurance policies often offer active crisis management, with provisions that can cover:
- Immediate incident response and forensic investigation
- Containment and remediation of infected systems
- Negotiation and legal coordination with attackers
- Data recovery and business continuity support

“Insurance can’t prevent an attack, but it can soften the blow, bring structure to chaos, and ensure that organizations don’t navigate ransomware crises alone,” says Blackwired’s Samide.

But cyber insurance still comes with caveats, other experts caution.

“Insurance premiums are rising, and insurers now expect a stronger baseline of cybersecurity measures, multi-factor authentication, patch management, and tested backups, before offering or renewing coverage,” says Avella Security’s Flack. “This shift encourages organizations to adopt better security practices as part of their risk management approach.”
Cyber recovery: Cyber recovery following a ransomware attack needs to be treated similarly to disaster recovery, with a fully defined and fully documented in-house recovery plan under which uncompromised data can be restored confidently, experts advise.

“When enterprises are hit by ransomware, one of the first and most pressing challenges is assessing the full scope of the attack, identifying which data has been compromised, which systems are affected, and whether existing backups can be trusted,” Jim McGann, CMO at Index Engines, explains. “Even when backups are available, verifying their integrity is a major hurdle, as they may contain corrupted or altered files that could reintroduce the threat during recovery.”

“Enterprises now need in-house recovery plans that include forensic-level data validation of data, not just restoration,” McGann advises.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4077484/ransomware-recovery-perils-40-of-paying-victims-still-lose-their-data.html