Ransomware Recovery Timeline

Until you can assess exactly what data, operations, and applications are impacted, you have to shut down everything – the network, all applications, all operations, all network-based communications.
Exactly when communication between the IT team and the C-suite is most crucial, you are cut off from the normal methods of communicating. No company email, no chat, no shared file access, no VoIP phone. Most teams resort to texting via personal cell phones. Communications to and within other departments are handled by old-fashioned phone trees.
The IT team has to isolate networks, servers, and individual applications to ascertain which are impacted, and to isolate and protect those that aren't. This involves meticulously running virus scans, system by system, application by application.
You need a clean and secure target for restoring backup data and applications. NFINIT immediately spun up off-network compute and storage resources. Data and applications were recovered into the NFINIT environment, where operations remained until the client was able to build and secure onsite servers.
Knowing what data and records are in the hands of bad actors determines the next steps. Identifying that PII data, such as personnel records with social security numbers, was extracted requires notifying employees and putting actions in place to help them limit identity theft. Stolen e-commerce and credit card data requires notifying customers, making public statements, and communicating with regulatory bodies. Company banking data being taken triggers a whole different set of crisis workflows.
In-store POS and e-commerce were down from 1 – 5 days for the retail clients attacked. Some managed to complete sales the old-fashioned way – with written orders – until systems were back. Even so, some had no or very limited access to inventory data for more than a week, so they could not tell whether they could fulfill orders.
Specialized forensic teams provided by or recommended by the insurer come in fast and early, and stick around for a long time. On average, these teams were involved for 2 months or more, racking up billable hours the whole time. Some, but generally not all, of this expense is covered by ransomware insurance. This depends on deductibles and coverage limits written into the policy.
Even three months after the attack, IT teams were stretched thin performing clean-up and establishing an improved security posture: re-establishing policies (patch management and testing, authorities/access), rebuilding networks, defining and implementing segmentation policies, and redefining remote access policy and access for vendors.
In the retail customers attacked, we saw an unexpected effect: increased employee attrition. Burnout among IT professionals was high. Working through the attack, they honed in-demand skills that made them compelling recruiting targets. For others, the disruption in sales impacted their ability to achieve bonus thresholds and catalyzed decisions to retire or pursue other opportunities. For store and customer service employees, confidence was rattled and existing dissatisfactions were amplified, also accelerating attrition decisions.

Hard Lessons Learned

Kevin Johnson, NFINIT VP of Product, has helped companies recover from ransomware attacks. Many, he found, weren’t as prepared as they thought they were. Find out where many are caught off guard in this blog.
