Philosophical phriday - recovering from ransomware takes HOW long?!

Recovering from a ransomware incident is costlier, more complicated and much slower than people commonly assume. "Just restore the backups and you're good to go, right?"

Spoiler alert: restoring networks and IT systems from backups is only a fraction of the recovery effort.

Here's a reasonably complete set of ransomware recovery activities that would normally be led by general business and IT managers:
  1. Wake up and smell the coffee! Deal with the unfolding crisis and a degree of confusion.

  2. Invoke the crisis management process. Settle things down. Assemble the business incident management team.

  3. Invoke the incident management process. Form the IT incident management team.

  4. Contact insurers, law enforcement and security experts for guidance.

  5. Handle the inevitable flurry of enquiries and complaints from IT users, stakeholders, the news media and others - possibly also the authorities if there are privacy and other compliance concerns.

  6. Gather forensic evidence to understand exactly what happened, why and how, in sufficient detail to prevent recurrence.

  7. If appropriate, negotiate with the criminals and/or the insurers for a reasonable settlement, and somehow find the money and resources to cover the insurance excess plus all these other activities ...

  8. Meanwhile, systematically check that the backups were sound, complete and uninfected, in an isolated/secure test environment (which would probably need to be set up first).

  9. Track down and check every system/device on the network for infection, and for other known vulnerabilities.

  10. Disinfect everything infected, thoroughly, or set it aside in a secure isolated quarantine area pending later (potentially much later!) resolution (fix, retire, replace ...).

  11. Restore network devices and IT systems from known-clean backups.

  12. Improve network security to prevent reinfection e.g. update firewalls and network security monitoring.

  13. Improve the security of every system to prevent reinfection e.g. fully patch, reconfigure security and improve system security monitoring.

  14. Gradually restore the recovered network and services to users, with security monitoring levels set to "paranoid" until things settle down.

  15. Re-start IT-dependent/automated business processes that were put on-hold by the incident, and clear the accumulated backlog, plus resolve miscellaneous IT and business issues caused by the manual workarounds.
      
  16. Determine what to do about the network devices and IT systems that could not be recovered and secured.

  17. Learn the harsh lessons e.g. updating patching and security management policies, procedures, technical documentation etc.; boosting security awareness and malware blockers to reduce the chances of being reinfected; improving incident responses; using immutable backups ...

  18. Report progress to senior management and other stakeholders throughout.

  19. Plan, monitor and manage the entire process under stress, dealing with burnout and other issues.

Although I have numbered and shown them in sequence, some steps can safely and usefully be performed in parallel. Many are sub-processes with multiple detailed steps. All are context-dependent. Clearly there's a lot to do, enough to keep even a well-prepared organisation busy for months.

The pressure to get it done can be intense and incessant. Even people who perform well under pressure are bound to be stretched, perhaps to breaking point. [Hinson tip: a blame culture is counterproductive.]

Meanwhile, what happens to all the business processes, people, suppliers and customers that depend on IT? Someone needs to manage them and their expectations empathetically while the eggs are unscrambled.

There is no backup for lost trust.

There are lessons here for us all.


PS Recovering from ransomware may take longer and require more resources than the business can actually afford: see https://www.bleepingcomputer.com/news/security/vodka-maker-stoli-files-for-bankruptcy-in-us-after-ransomware-attack/ In other words, ransomware is an existential threat. If that realisation doesn't bring asleep-at-the-wheel execs to their senses, perhaps it's time to invest in a personal contingency plan.

PPS For further study: