Ransomware and Disaster Recovery: Create a Plan for Your Data

Disasters come in many forms —floods, earthquakes, hurricanes and tornadoes — all with the power to destroy or seriously impact your organization’s data. And cybercrime disasters, such as ransomware can create disastrous results of their own. In today’s cybersecurity landscape, ransomware probably has a higher chance of hitting your organization than those unfortunate weather-related crises. And AI-generated phishing, along with double or even triple extortion tactics make this risk even higher.  

Whether man-made or Mother Nature-created, the negative impact of having your data knocked out can be reduced if your file transfer solution is secure. And unlike an unexpected twister, ransomware is a disaster you can realistically plan and regularly test for to more easily recover from the impact. Pairing a robust Managed File Transfer (MFT) solution with Disaster Recovery (DR) planning can deliver more uptime, compliance, as well as data protection — no matter the circumstances. 

Ransomware is a Disaster in Need of Recovery 

Ransomware is a cybercrime that occurs when bad actors encrypt information and hold it ransom with a demand for money—typically untraceable bitcoin. These hackers typically target organizations and extort payment via these tactics: 

• Lockout: Victims must pay to regain access to their systems after key files are encrypted. This is the original ransomware attack.
• Data theft extortion: In this scenario, hackers steal and threaten to release sensitive information such as health or financial data if a ransom is not paid.
• Denial of Service (DOS): Ransomware gangs also can launch DOS attacks designed to bring down a victim’s public websites. 

Ransomware is a Seriously Costly Disaster 

• According to the 2024 Ponemon Sullivan report, 88 percent of organizations experienced at least one ransomware attack in the past year.
• The report also notes an average of $146,685 was spent to contain and remediate the largest attack experienced.
• And 132 hours and nearly 18 staff or contractors were needed for containment.
• Notably, 58 percent of attacked organizations were forced to shut down their operations or had costly downtime. 

Start with a Plan to Prevent Ransomware 

1. Strengthen your endpoint and email security: Deploying anti-malware tools and solutions to detect phishing and malicious attachments is a strong starting point, as so many malware attacks start with an employee clicking an innocent-seeming link.
2. Ensure your key software and systems are updated regularly: Choose software for your organization that has strong security protocols and regular applications of security patches. Ideally, software featuring automated updates is best, as it helps reduce the risks of human error and any vulnerabilities can be addressed more rapidly.
3. Restrict access to sensitive data and admin privileges: Employ the principle of least privilege. If using a robust MFT solution like GoAnywhere MFT, admins can set access controls per organizational data security and privacy standards.  

In addition, keep file sharing services, servers and documents in your private/internal network to help prevent intrusion.  GoAnywhere’s MFT Gateway adds a crucial layer of security when exchanging data with trading partners by keeping servers and documents safely in your private/internal network. And no inbound ports need to be opened into your private network — essential for compliance with PCI DSS, HIPAA, HITECH, SOX, GLBA, and state privacy laws. Also:

• Educate and train employees on cyber risks: Provide employees with regular training to help them recognize suspicious links, phishing, or social engineering.
• Test your disaster recovery and data recovery processes: If, despite precautions, your organization is hit with a ransomware attack, putting a tested recovery plan into action that includes detection, containment, communication, and recovery steps can help you get back to business quickly.
• Do not store more data than is needed to perform business operations:  i.e. do not use MFT as your long-term storage solution. If you limit the data to only what you need, maybe a couple of months, you can substantially limit the attack vector. The rest of your data should be encrypted and properly archived.  

Create a Plan to Recover Your Data 

With the chance of a ransomware attack high, organizations entrusted with sensitive data such as healthcare information, government data, or financial information absolutely need to plan ahead for a worse-case scenario — and sooner rather than later. Every minute of downtime from a disaster can substantially impact your bottom line, public perception, customer trust, and employee resources. Mitigate these negative outcomes by creating and testing a disaster plan that actually recovers data. 

The data needs to be backed up regularly, perhaps daily to a separate location. This way, if the working set of data is compromised, there is always a backup that is ready to be restored. Yes, you may lose a day (or more depending on the frequency of your backups), but that is a small price to pay considering the alternatives.  

The data restore process is essentially the reverse of the backup, via a script or manual steps. In a staging or testing environment, delete or otherwise corrupt the working set of data to simulate a ransomware attack. Test that your restore process works by restoring the previously backed up data. 

A solid data recovery plan should also address how these two objectives can be met: 

• Recovery Time Objective (RTO): This is defined as the maximum amount of time that an application, system, or process such as file transfers, can be down without causing significant damage to the organization. It includes the time needed to restore the application and its data to be able to get back to business as usual after a significant incident occurs.
• Recovery Point Objective (RPO): This is the maximum amount of data loss an organization can incur within a time period relevant to its operations before significant harm (financial or reputational) occurs. It refers to the point in time to which data must be restored to resume normal operations following a man or nature-made disruptive event. 

Both RTO and RPO are critical metrics in disaster recovery planning. RTO focuses on the time to recover, while RPO focuses on the amount of data loss that can be tolerated. 

“Organizations using MFT solutions GoAnywhere MFTaaS (where the solution is managed as software as a service) benefit from daily backups, where the RPO is 24 hours. In addition, should a disaster occur, the RTO for getting data restored with the MFTaaS solution is typically within four hours of a disaster,” said Chris Bailey, Senior Product Manager, GoAnywhere MFT. 

With MFTaaS, files are backed up to a separate, secure cloud storage location daily. This location would not be affected by any ransomware attack on the primary storage. Therefore, in the event of a disaster, when the MFTaaS application is restored, the data will match that previous backup. 

SOC 2 Compliance Requires a Disaster Recovery Plan 

If your organization needs to meet SOC 2 (System and Organization Controls) compliance, implementing a DR plan is not negotiable; it is a requirement, as SOC compliance addresses disaster recovery and data resilience.  

SOC 2 requires organizations to: 

• Define, implement, and maintain processes to recover from system interruptions or failures.
• Document and test disaster recovery and business continuity plans regularly.
• Ensure restoration of systems within defined timeframes (RTO/RPO) that align with business requirements. 

In addition, under SOC 2, organizations must identify risks that could impact system availability—including ransomware and implement mitigating controls and recovery strategies, such as failover systems and alternate data centers or disaster recovery sites. 

Read More: Is Your Disaster Recovery Site Ready? 

Best Practices for Disaster Recovery per SOC 2 

• Establish a formal Disaster Recovery Plan and Business Continuity Plan.
• Define and regularly test RTO and RPO.
• Perform disaster recovery testing and document outcomes at least annually.
• Store redundant, offsite, and immutable backups.
• Train staff on roles should a disaster occur by simulating realistic scenarios. 

Data Recovery Best Practices Should Include Testing Plan 

Crisis planning for disaster recovery should include potentially simulating a ransomware disaster in a staging environment by encrypting files. Simulate uploading malware; do controlled data deletion; simulate a system lockout, etc. Then, you can run the restore process to be sure things return to their proper state. 

And most importantly, this plan should incorporate testing of the plan you developed to address any gaps discovered.  “It’s critical that if your organization implements an MFT solution for exchanging data, you have a disaster recovery plan in place to recover that data,” added Bailey. “Even if you choose a SaaS solution like GoAnywhere’s, which automatically backs data up and recovers it quickly in a disaster, you still need to test your entire plan.”  

Bailey adds, “If your file transfer solution is not a SaaS installation your plan should include identifying a disaster recovery location — a physical premise or cloud environment — that can serve as a fail-safe to get your organization back up and running quickly should the unexpected happen.” MFT systems architecture can be set up with these suggestions: 

• Cluster two or more servers for high availability
• Install systems in the private network
• Install associated DMZ gateways in the DMZ
• Do not open inbound ports to the private network
• Configure shared product and user files across each system/node in the cluster
• Provide a load balancer for incoming connections
• Cluster MFT servers to distribute project workloads evenly across each node in the cluster.