The time to address ransomware is before an attack occurs

Thank you for supporting our journalism. This article is available exclusively for our subscribers, who help fund our work at The Baltimore Sun.

This spring, Baltimore was rocked by its second ransomware attack in 14 months, and to date the projected recovery costs exceed $18 million. While I agree with the decision not to pay the ransom, the city could have recovered from this incident in far less time and for a lot less money.

The costs to recover from one of these attacks is far greater than the cost of the ransom. Best practices for ransomware recovery suggest a “blank slate” approach; this means the re-installation of the operating system and applications on every endpoint (PC). Unfortunately, most organizations are not prepared to do that on hundreds or thousands of endpoints. The traditional system recovery method is too slow and incomplete to be a viable solution in a crisis. As a result, it takes days or weeks to restore these systems at tremendous costs. In addition to the financial costs there is a cost in reputation that can impact an organization’s bottom line and relationships with clients and suppliers.


There is technology available that can recover systems from a ransomware attack in the time it takes to reboot, but it needs to be in place before the attack occurs. This technology restores exactly what was on the system prior to the attack so normal operations can resume immediately. The decision to invest in this technology is a lot like buying insurance, and organizations/governments are just as enthusiastic about buying insurance as the average consumer. Spending money to protect your systems against something that has never happened might seem like a waste of funds, but the cost of recovering all the systems on your network is always greater. The decision to invest in recovery protection must be compared to the worst-case scenario.

Security experts have long supported the concept of layered defenses against cyber-attacks. These layers might include technology that makes a breach more difficult to execute; new AI-based technology can now detect behaviors that indicate system probing or that a breach might be underway. While these technologies do a very good job, no one is guaranteeing they will catch everything.


In addition to layered defense, ransomware makes the case for layered recovery options. In today’s IT environment an organization must assume its network will be compromised, and it needs a robust recovery plan that allows it to rapidly restore the operating system and applications on all servers and endpoints so normal work can resume the same day as the attack. Once systems are restored to a “known good” state, data can be restored from onsite or offsite backups.

Every organization should also invest in cyber-training for its employees. A lot of ransomware enters the system when an employee opens an infected attachment. The bad actors have gotten very good at disguising these documents so they look legitimate. Training staff to identify and quarantine suspect documents can significantly reduce risk exposure. Enforcing frequent password changes can also thwart the possibility of stolen credentials being used to gain entry to a network. These are just some commonsense measures that might make the difference between avoiding a breach or being in recovery mode.

Baltimore is not alone. Last year Atlanta also refused to pay a ransom, and its recovery cost about $17 million. In March, Jackson County, Ga., paid a $400,000 ransom when their backups were compromised, and just last week, two small Florida cities reportedly paid ransoms in excess of $1 million. In both cases the ransom was deemed the more expedient solution to recovery. Thus far in 2019 over 25 municipal governments and school systems have reported ransomware attacks, and there are likely many that paid the ransom and just moved on.

Sean Gallagher, national security editor for Ars Technica, wrote last week that “organizations are still running their IT operations like its 1999.” Cyber-criminals know this, and they are exploiting the lack of planning and technology that would allow an organization to avoid an attack or recover quickly. We will continue to see these attacks until governments and corporations commit the financial resources needed to enable rapid system recovery and to secure data.

Robert E. Nolan ( CEO of Raxco Software, Inc., based in Gaithersburg.