Most companies now have the risk of ransomware on their radar. That’s a good thing, of course, but we also have to realize that the number of attacks and damage caused by ransomware has reached unprecedented levels. We often hear from affected organizations that they knew the impact of an attack could be severe, but the actual fallout exceeded even their wildest dreams. The reason? Your company was not adequately prepared to recover from such a catastrophic scenario.

In a recent report on data protection and ransomware recovery, 85% of organizations say they have been hit by ransomware at least once in the last 12 months. In 49% of the companies, hackers were on site two to three times. And in 17% of cases it was four times or more. These staggering statistics make one thing clear: every company should expect to face a cyberattack in the near future.

Focusing even more on the ransomware itself is not a solution. Companies are already so fixated on this one concept that they don’t see the rest of the big picture. Not only are there many more malicious methods than ransomware that pave the way for a successful and devastating attack. In the event of an attack, hackers often spend months to years undisturbed in company systems before releasing the ransomware. To prepare properly, we must first understand the mechanisms that precede a ransomware attack.

An uninvited guest in your system

In fact, the ransomware claim is just the last link in the attack cycle. It’s the moment when the attackers step out of the shadows and become visible. Unbeknownst to you, there is a good chance that hackers are currently breaking into your organization’s systems as well. Furthermore, not all cyber attackers intend to send ransomware. As long as they remain undetected, they can view and steal sensitive information, which can be even more detrimental to the organization than paying a ransom in exchange for encrypted data or systems.

A typical attack begins with an observation phase, in which hackers look for interesting targets in your company. They then send out phishing scams to create entry points. They can use it themselves, but they can also resell it to other cybercriminals, who in turn will spread phishing through internal channels to gain even more access and privileges. As we don’t see them, the hackers don’t know exactly where they are yet. It’s like walking through a dark hotel and gradually discovering where the reception, the kitchen and the elevators are located. Along the way, they take over machines and disable as many security mechanisms as possible.

We’re at least a few months further now, and the hackers are becoming more and more comfortable in your organization. Whether ransomware is being sent or not, they’ve already added malware at every stage of the attack. Your backups in particular receive a lot of attention, since your company can use them for quick recovery and thus also avoid any ransom demands. After an attack, the thorough cleaning of this malware should also have the highest priority, since this way hackers can quickly get into your company a second time.

Be prepared for any disaster

Is there nothing we can do to limit the impact of a cyber attack? While there is no silver bullet, we definitely need to increase organizational resilience. And for that, every company should have a strong contingency plan in place. It’s understandable that we haven’t looked into it that much in the past, when you know that many catastrophes (e.g. a major flood) only happen once every hundred years. However, the probability of a cyber attack is much higher. Like any other disaster, such an attack requires strong crisis management with clear communication and a crisis response team that can make decisions quickly.

A good cyber recovery plan therefore not only focuses on the IT department and the technological component of the organization, but also on the other two ingredients that are part of the winning formula of a modern company: people and process. In a digital society, we need to strengthen the cohesion between these three pillars. Only then can the organization truly increase its resilience and recover quickly from any disaster or setback, including a ransomware attack.

It gets worse before it gets better

We close this reflection with good and bad news. The Bad: Ransomware has not yet reached its peak. As the above report shows, we are following a trend where the situation must first get worse before it can improve. The good news is that a trend reversal will come at some point. Perhaps in a year or two companies will be resilient enough because they have learned from the past and know what steps to take in the event of a disaster.

Of course, cyberattacks always result in chaos, but with a strong contingency plan, we can control that chaos to some extent and ensure data can be recovered. The prerequisite is that we free ourselves from the romanticized atmosphere of cybercrime and recognize the seriousness of the situation. All too often, cybercrime is seen primarily as an exciting and suspenseful topic like a thriller, but we are too little aware that hackers are criminals who cause harm to many people. Ransomware is therefore a hard form of crime that we must all fight together once and for all.

This is a contribution from Edwin Weijdema, Field CTO EMEA at Veeam Software and Lead Cybersecurity Technologist.