Ransomware Recovery Guide for MSPs
How confident are you in your ability to recover one client from a ransomware attack? How about more than five clients? What if all of your clients, plus your MSP, were hit? You may think it’s an impossible scenario, but that’s precisely what happened during the July 2021 Kaseya attack – and the hackers are only getting more sophisticated, complex, and relentless in their efforts to steal data.
Despite the abundance of research, regular headline news, and the target on MSPs and their SMB clients – some MSPs are still not prepared with comprehensive business continuity and disaster recovery (BCDR). On top of that, BCDR is just one piece of the recovery puzzle. MSPs also need cyber liability insurance, an incident response plan, and disaster recovery planning and testing to protect clients from potentially business-ending data loss. Not to mention the growing legal ramifications MSPs now face following a client’s cyber incident.
Luckily, it’s never too late to create a ransomware recovery guide for MSPs, and that’s exactly what we’re outlining here.
- Understand the current risks and realities of ransomware so you can educate clients, justify BCDR expenses, and proactively plan for recovery no matter what comes next.
- Take a multi-layer security approach with an “it’s not if, but when” perspective to ensure that you and your clients are always prepared.
- Continuously optimize your plan for recovery according to new threats, internal changes, solution updates, insurance policies, and available support systems because data loss is inevitable.
Ransomware Refresh: A Quick Look at What MSPs Are Up Against
Ransomware has been such a hot topic in the cybersecurity landscape, especially with the spike in 2020, that many professionals have grown numb to the realities of an attack. But, unfortunately, thinking, “it won’t happen to me,” is the worst response an MSP or an SMB client can take. So perk up, and let’s talk about the state of ransomware today. But first, here is how the Cybersecurity and Infrastructure Security Agency (CISA) defines it:
An ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.
Today’s ransomware attacks are calculated, strategic, and advanced methods of stopping businesses from running. Whether it’s holding data hostage, shutting down operational systems and communication channels, or deleting backups, ransomware is a business killer with costly consequences. Here are some of the latest stats – be sure to reuse these when talking BCDR with clients!
- 78% of MSPs reported ransomware attacks on their clients from 2020 – 2021.
- 13% increase in ransomware in 2021 – a rise as significant as the last five years combined.
- 40% of ransomware incidents involve desktop sharing software, typically used by remote and hybrid employees.
- 35% of ransomware incidents involve email, such as phishing attacks.
- 50% of ransomware demands are more than $50,000.
- 80% of businesses that pay the ransom suffer a second ransomware attack, often by the same threat actor group.
What these numbers tell us is that ransomware attacks are continuing to rise, they’re expensive, SMBs are being targeted, and business enablement tools provide an opening for hackers. All in all, ransomware still needs to be the top priority for MSPs and the services they provide to SMBs.
With that said, it’s important to note that ransomware by itself is just the way hackers monetize the access they’ve gained. If they cannot gain access to internal systems, or they face so many layers of security that their ROI is upside down, a hacker will most likely retreat. If you’re thinking, “great, cybersecurity tools here I come!” – not so fast. Also noteworthy is that human error remains the number one cause of data loss and is often the open door through which hackers enter. These two realities require MSPs to both implement data protection solutions and prepare for an inevitable ransomware attack.
Preparation is Key, but Ransomware Recovery Is Complicated
Ransomware recovery is not guaranteed just because you have a specific solution, a specific cyber insurance policy, or a plan – it’s only possible if you have all of these components and more. Recovery requires your entire cybersecurity ecosystem to come together quickly and efficiently in a step-by-step process familiar to your recovery team. It’s not easy, it’s not simple, and nothing is guaranteed, but it can save your business and your clients’ businesses from complete shutdown.
Here are the three vital components for a complete ransomware recovery guide that can also be used in other data loss incidents and natural disasters.
#1: Business Continuity and Disaster Recovery Product
A BCDR product is the easiest layer to implement in a multi-layer security approach. Unfortunately, too many MSPs believe this is the only thing necessary to keep the bad guys out. Sure, if you choose a comprehensive solution, built specifically for MSPs and SMB end-users, and it’s regularly updated and upgraded to address new cyber threats – it can do a lot – but it’s still just one layer of a larger strategy.
Why BCDR instead of backups? Because backups are dead. Today’s cybersecurity threats, growing attacks, dispersed workers, and state regulations have put the backup-only approach to data protection to bed. Hackers knew how much we relied on backups for recovery, so they started targeting them in ransomware attacks. While hackers may have killed backups, business continuity and disaster recovery solutions are going a couple of steps further.
For example, Axcient x360Recover for BCDR comes equipped with a number of proprietary features to protect MSPs and their SMB clients from ransomware while providing rapid and reliable recovery in the event of a disaster. Additional features include:
- One solution for multiple use cases with Direct-to-Cloud – endpoint backup, no-hardware BDR, full-service BDR, and public or private cloud to protect various client environments.
- Patented Chain-Free backups significantly reduce restore complexity for near-instant recovery – no chains to manage, no base image requirements, no consolidation, and no staging space.
- AirGap anti-ransomware and data loss technology separates backup deletion requests from the actual deletion mechanics to prevent malicious or accidental deletion. “Honeypots” or fake signals trick hackers into believing they’ve successfully deleted data – but lucky for Axcient partners, it’s stored fully intact and available in a safety archive.
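The separation of deletion requests from the deletion mechanics described for AirGap is a general design pattern, shown below as an added Python illustration that is not Axcient’s code: the `BackupStore` class, the `HOLDOUT` window and the `simulate_stolen_credential` scenario are assumptions, and the honeypot-style behaviour is modelled as a tombstone that reports success to the caller while the bytes remain in a safety archive that only a separate recovery role can reach.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

HOLDOUT = timedelta(days=14)  # assumed safety-archive window, not a product value

class BackupStore:
    # Deletion is split across three roles: request (tenant/agent credential),
    # recovery (separate role that can undelete), purge (out-of-band job only).
    def __init__(self) -> None:
        self._snaps: Dict[str, list] = {}  # id -> [bytes, tombstone time or None]
    def add(self, snapshot_id: str, data: bytes) -> None:
        self._snaps[snapshot_id] = [data, None]
    # Request side: the only deletion call the tenant credential can reach; it
    # tombstones and reports success even though no bytes are destroyed.
    def request_delete(self, snapshot_id: str, now: datetime) -> bool:
        snap = self._snaps.get(snapshot_id)
        if snap is None:
            return False
        snap[1] = now if snap[1] is None else snap[1]  # keep the first tombstone
        return True
    # What the tenant sees: tombstoned snapshots look gone.
    def list_visible(self) -> List[str]:
        return sorted(s for s, (_, gone) in self._snaps.items() if gone is None)
    # Recovery side: a distinct role that can undelete inside the holdout window.
    def restore(self, snapshot_id: str, now: datetime) -> Optional[bytes]:
        snap = self._snaps.get(snapshot_id)
        if snap is None or (snap[1] is not None and now - snap[1] >= HOLDOUT):
            return None
        snap[1] = None
        return snap[0]
    # Purge side: scheduled job, never reachable through the request API.
    def purge_expired(self, now: datetime) -> List[str]:
        expired = [s for s, (_, gone) in self._snaps.items()
                   if gone is not None and now - gone >= HOLDOUT]
        for s in expired:
            del self._snaps[s]
        return expired

def simulate_stolen_credential() -> dict:
    # Constructed scenario: a stolen tenant credential "deletes" every snapshot; the recovery role gets one back.
    store = BackupStore()
    t0 = datetime(2021, 7, 2, 12, 0)  # constructed timestamp
    for sid in ("client-a-001", "client-a-002"):
        store.add(sid, b"disk image " + sid.encode())
    acked = all(store.request_delete(sid, t0) for sid in store.list_visible())
    seen_by_attacker = store.list_visible()  # []: looks like a clean wipe
    restored = store.restore("client-a-001", t0 + timedelta(days=1))
    purged = store.purge_expired(t0 + HOLDOUT)  # only the unrecovered one goes
    return {"acked": acked, "seen_by_attacker": seen_by_attacker,
            "restored": restored, "purged": purged, "left": store.list_visible()}
```

The key property is that the credential an attacker is most likely to steal (the one backup agents and tenant admins use) can never invoke `purge_expired`, so a successful-looking deletion still leaves a recovery point for the holdout period.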
#2: Cyber Liability Insurance
Insurance in the MSP space is relatively new, but it’s become more critical in response to expensive ransomware recovery costs. Cyber liability insurance financially protects businesses after a cyberattack or other incident where company and/or client data is lost. Typically, your first call after discovering a ransomware attack should be to your insurance carrier. They will provide a Breach Attorney to guide you through the recovery process from a legal perspective, including, but not limited to, the following:
- Regulatory fines
- Media liability
- Breach management expenses
- Cyber extortion and ransomware
- Social engineering
- Reputation loss
- Business interruption
- Breach response and communications
#3: Incident Response Plan
This is the meat and potatoes of your ransomware recovery guide because it encompasses everything necessary for a smooth recovery in one pre-determined, step-by-step manual. Often based on the NIST Cybersecurity Framework, it takes MSPs through the following stages of a data loss event: identify, protect, detect, respond, and recover. Although every MSP’s IR plan will vary, these are some must-haves that will make responding to a ransomware attack much more straightforward so that you can focus on recovery.
- Incident response team: Name and provide updated contact information for everyone involved in incident response, their role, and how they will complete their duties. Assume that internal systems will be compromised and access to email and phone won’t be available.
- Breach notification hierarchy: Determine the external stakeholders that need to be notified of the incident, starting with your insurance carrier and including your BCDR vendor, legal counsel, compromised clients, and state and regulatory agencies depending on breach notification laws in your location and industry.
- Internal and external messaging: Your Breach Attorney will provide legalese for incident notification and updates – but speaking like a lawyer to your clients, instead of in the familiar tone they’re used to, can cause panic. Strike a balance between what you’re required to say and what clients expect from you to maintain relationships and support worried clients.
- Risk analysis and prioritization: If multiple clients are attacked and your MSP is attacked, you need a risk analysis and prioritization framework to streamline recovery efforts. Consider clients in highly regulated industries that may incur penalties for long periods of downtime or clients that may be inclined to litigate – and start there.
- Decision implications: Be prepared to justify any and all decisions you make once the dust has settled. No matter what you do, there will be consequences – good or bad – for how you react. Consider the implications of each option within your guide to make it easier for you to respond under pressure.
Utilize these resources to build your IR Plan:
- 5 Critical Pieces of a Good Security Playbook
- Incident Response Checklist
- Huntress and Axcient: Planning for the Next Ransomware Attack
Disaster Recovery Planning and Testing
Another critical piece of an MSP’s ransomware recovery guide is the disaster recovery plan. Unlike the IR plan, which focuses on navigating recovery from a business standpoint, the disaster recovery plan, or DR plan, ensures that all critical data, IT systems, and networks can be recovered. A DR plan captures the information needed to keep businesses operational and avoid costly, disruptive downtime in the event of a disaster. While the focus of this post is ransomware recovery, a DR plan protects infrastructure from anything that could cause an outage – from technical glitches and system failures to accidental human error, power outages, and of course, ransomware and other cyberattacks.
Central to DR planning is DR testing. DR testing puts your BCDR solution and the DR plan into action in a safe space to make sure it works. Undoubtedly, DR testing will always reveal opportunities to update and improve your DR plan no matter how well it goes. DR testing is critical to any business, but MSPs can use it with clients to showcase the value of their solution, encourage them to create IR and DR plans of their own, open the door for cross-sell opportunities, or highlight weak spots in their current levels of protection.
And check out Axcient x360Recover for DR testing made easy with Virtual Office. Axcient partners can perform regular full-office recovery tests to ensure backups are always available and demonstrate instant recovery of production servers and workstations in the Axcient Cloud.
Practice Makes Perfect – Every Quarter!
Ransomware recovery requires continuous optimization to ensure survival. Table reads, practice drills, rehearsals, and wrap-around discussions among technicians and operational departments are required at least quarterly to keep up with everything in your ransomware recovery guide. Some regularly changing aspects you need to be aware of each quarter include the following:
- Contact information and role changes for both internal teams and external stakeholders.
- Updates to solutions, software, tools, and other systems that may impact access, recovery capabilities, and SLAs.
- Evolving cybersecurity threats, vulnerabilities, phishing scams, and other tactics that may require employee training, additional layers of security, or changes to response and recovery.
- Changes in cyber liability insurance carriers, policies, and the procedures required for claims payment.
- New breach notification requirements, state laws, and other regulatory oversight impacting the who, what, when, where, and how of communicating data loss incidents.
- Revisions based on the outcomes of previous drills, lessons learned, and opportunities for improvement.
Are You Ready to Recover from Ransomware?
Hopefully, this post has provided the outline and resources necessary to move forward with an all-inclusive ransomware recovery guide that includes a best-in-class BCDR solution, cyber liability insurance, an IR plan, DR plan, DR testing, and quarterly planning. As a 100% MSP-only solutions provider, Axcient is here to help, whether you’re a partner or not.
- Access more resources – blogs, case studies, whitepapers, and product information.
- Attend an upcoming event to hear from channel experts on the latest and greatest in MSP security.
- Schedule a 1:1 product demo to see Axcient in action.
About the Author:
Cory Hinz // Sales Engineer Manager, Axcient
Cory Hinz is experienced and passionate about technologies and sales engineering with a demonstrated history of working in the information technology and managed services (MSP) industry. Cory’s professional skills include solutions engineering, network architecture, data center, software as a service (SaaS), and training. He has a strong business culture focus, and a professional mindset, and is constantly looking for better ways to improve the business-to-vendor relationship while being the catalyst between the Product and Revenue teams.