Ransomware readiness and recovery

Ransomware continues to be the biggest cyber security threat for most organisations

The number of “human-operated” ransomware attacks continues to rise. Recovering from these attacks can take organisations months and cost millions, all while they are unable to operate and provide key services.

In these attacks, criminals gain access to an organisation's networks and deploy ransomware to encrypt data and systems – often to devastating effect – before attempting to extort organisations into paying seven- or eight-figure ransoms.

Before deploying ransomware, attackers steal and exfiltrate the organisation's most sensitive data to further extort victims. These attacks represent a greater challenge than other common cyber security threats because of their immediate operational impact on the victim organisation. They are carried out by skilled and adaptable criminals who can overcome defences and evolve their tactics to maximise the chance that victims pay.

Bridging the disconnect between cyber security and business resilience

The cyber security function’s core focus is to prevent a cyber attack from reaching critical IT services, and to rapidly detect and contain it should prevention fail. It rarely considers how to recover if an attack cannot be contained in time.

The IT and business resilience teams focus on avoiding downtime, but are commonly built around "failure modes" which are physical in nature and limited to a single location (e.g. natural disasters impacting a data centre) and fail to consider cyber security threats which scale across multiple locations simultaneously.

This organisational disconnect often results in gaps in both operational resilience and cyber security capabilities which are not well understood or articulated.

Resilience solutions, which do not take cyber threats into account by design, may even inadvertently facilitate the spread of ransomware across the IT estate via data replication technologies, including to disaster recovery facilities which are then also infected and cannot be relied upon.

Resilience solutions may also not be secured against deliberate tampering by an attacker (e.g. to prevent their use for recovery). In the event of an incident this means that resilience solutions either fail, are ineffective or even exacerbate the problem.

The end result is that the business cannot restore its IT services in the timescales or state needed, and operations are significantly interrupted. In some cases, this interruption can be severe enough to create a “going concern” risk for the business.
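The two failure modes described above (replication faithfully copying encrypted data to the DR site, and recovery copies that an attacker holding production credentials can delete or encrypt before detonation) can be made concrete as a check over an inventory of recovery copies. The script below is an added illustration, not code from the original page or from PwC; the copy names, settings and the 30-day dwell-time figure are constructed planning assumptions for the example.

```python
from dataclasses import dataclass


# Constructed model of the recovery copies an organisation might hold for one
# critical system. All names and settings are hypothetical.
@dataclass
class RecoveryCopy:
    name: str
    kind: str                      # "replica", "snapshot" or "backup"
    immutable: bool                # cannot be deleted or overwritten inside retention
    offline: bool                  # not reachable from the production network
    retention_days: int            # how far back a clean restore point can exist
    shares_prod_credentials: bool  # same admin identities as production systems
    synchronous: bool = False      # replica mirrors every write immediately


def assess_copy(copy: RecoveryCopy, assumed_dwell_days: int) -> list[str]:
    """Return findings describing how a human-operated ransomware attack could
    leave this copy unusable for recovery. An empty list means no finding."""
    findings = []
    # Replication that does not take the threat into account spreads the
    # encryption: a synchronous replica holds the same ciphertext as production.
    if copy.kind == "replica" and copy.synchronous:
        findings.append("synchronous replication mirrors encrypted data to the DR copy at once")
    # Tampering: a copy reachable with production admin credentials, and neither
    # immutable nor offline, can be wiped before the ransomware is detonated.
    if copy.shares_prod_credentials and not (copy.immutable or copy.offline):
        findings.append("reachable with production admin credentials, so it can be "
                        "deleted or encrypted before detonation")
    # Attackers are typically present for days or weeks before detonation; if
    # retention is shorter than that, every surviving restore point may already
    # contain their changes (or the copy keeps no history at all).
    if copy.retention_days < assumed_dwell_days:
        findings.append(f"retention of {copy.retention_days} days is shorter than the "
                        f"assumed {assumed_dwell_days}-day dwell time")
    return findings


def recoverable_copies(copies: list[RecoveryCopy], assumed_dwell_days: int) -> list[str]:
    """Names of the copies with no findings, i.e. those recovery can rely on."""
    return [c.name for c in copies if not assess_copy(c, assumed_dwell_days)]


# Constructed sample estate: a weak design beside a corrected one.
SAMPLE_ESTATE = [
    RecoveryCopy("dr-site-replica", "replica", False, False, 0, True, synchronous=True),
    RecoveryCopy("san-snapshots", "snapshot", False, False, 7, True),
    RecoveryCopy("nightly-backup-immutable", "backup", True, False, 35, True),
    RecoveryCopy("offline-tape", "backup", False, True, 90, False),
]
ASSUMED_DWELL_DAYS = 30  # planning assumption for the example, not a figure from the page


def report(copies=SAMPLE_ESTATE, dwell=ASSUMED_DWELL_DAYS) -> None:
    for c in copies:
        findings = assess_copy(c, dwell)
        status = "OK" if not findings else "AT RISK"
        print(f"{c.name}: {status}")
        for f in findings:
            print(f"  - {f}")
    print("Copies recovery can rely on:", recoverable_copies(copies, dwell))


if __name__ == "__main__":
    report()
```

Running the report shows that only the immutable backup and the offline tape survive the scenario; raising the assumed dwell time to 60 days removes the 35-day immutable backup as well, which is the kind of timeline question the exercising described later on this page is meant to surface.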

How organisations can protect themselves against the latest ransomware threats

  • Have key cyber security controls in place to prevent attackers getting a foothold.
  • Obtain clear visibility of their IT estate to maximise the chances of early detection before the attacker “detonates” their ransomware.
  • Build a resilient business which can contain the spread of ransomware and respond quickly.
  • Prepare and plan for disruption, and become confident in how recovery will be achieved.

These efforts require concerted engagement from both technology and business teams to deliver holistic resilience to ransomware.

Comprehensive preparation and exercising

Ransomware attacks are unique in the immediate scale of impact they can have across an entire organisation. Continuing to operate through a catastrophic ransomware attack requires a well-organised, well-rehearsed response from technical front line to C-Suite and Board and across the supporting functions such as corporate affairs; everyone needs to play a part.

The initial response to a ransomware attack is only the beginning - recovery often takes weeks, if not months.

End-to-end scenario preparation and exercising will help you understand the potential routes and validate the timelines to recovery, including the processes which are required to recover both with and without paying a ransom.

The first steps to reducing your organisation's exposure to ransomware disruption are:

  • Understanding your risks and current defences.
  • Making rapid, targeted preparations to respond if you’re attacked.
  • Planning to build your resilience.

How can we support?

We provide a multi-disciplinary best-in-class team of cyber security incident response, crisis management, crisis communications, and business resilience experts who can rapidly baseline your current exposure to ransomware risk, and help you plan to improve your resilience and your ability to respond effectively.

1. Ransomware readiness review

  • Assess the cyber security controls which are key to defending against ransomware attacks.
  • Review your ability to respond and recover from ransomware attacks.
  • Provide a clear understanding of your vulnerability to ransomware and identify priority improvements.
  • (Optional) Simulate an attack against your organisation using security testing to identify quick-win improvements.
  • (Optional) Conduct training for your teams on how they can assess ransomware risk.

2. Response and recovery exercising

  • Understand the complex business challenges which come with a catastrophic ransomware attack.
  • Rehearse how IT, security and IT disaster recovery (ITDR) teams work together when corporate IT ceases to function.
  • Explore the realities of recovering from ransomware, both with and without a decryption tool.
  • Prepare for the significant internal and external communications challenges which come with ransomware attacks.

3. Establishing a ransomware recovery playbook

  • Establish a recovery playbook structure specific to the organisation and link it to existing crisis plans and processes.
  • Define the workstreams and the sequence of actions required to recover.
  • Integrate functional-level plans with the playbook and establish gaps.
  • Identify efficiencies and build resilience into playbook workstreams.

Get the benefit of our real-world experience of responding to ransomware

Our specialist teams bring experience and insights from the front lines of helping hundreds of clients respond to and recover from real ransomware attacks. We use this to deliver realistic exercises and reviews focused on the cyber security capabilities and technology design decisions which make a real difference in a ransomware scenario. Below are just a few examples of exercises and reviews we have conducted for clients:

  • Performed a ransomware readiness review for a UK manufacturing firm to assess its vulnerability to human-operated ransomware attacks.
  • Developed a series of priority tactical and strategic projects to reduce its risk of attacks, and improve its ability to respond and recover.
  • Simulated attacks with security testing to validate improvements and that the risk of ransomware attacks has been reduced.
  • Delivered a series of escalating ransomware response and recovery exercises for a professional services organisation.
  • Exercised how the IT major incident and cyber response teams would work together to respond against challenging timeframes.
  • Developed a comprehensive ransomware recovery playbook for a financial services organisation, supporting operational resilience objectives.
  • Simulated the complex decision making and leadership challenges executives would face when responding to catastrophic attacks.

Contact us

Will Oram

Director, PwC United Kingdom

Tel: +44 (0)7730 599262

Alex Gornoi

Security Operations Advisory Lead, PwC United Kingdom