Ransomware Prevention for IT Operations & Maintenance: Minimizing Damage through Restorable Design and BCP

2026/02/24
Kota Kagami

1. Ransomware is Not Just Someone Else’s Problem: Lessons from Major Corporate Incidents

In recent years, major companies such as KADOKAWA, ASKUL, and Asahi Breweries have suffered significant ransomware attacks, leading to business contraction or complete shutdowns. These incidents have been widely reported by major media outlets such as Yahoo! News. Because these attacks span all industries, many professionals now feel a heightened sense of urgency.

Ransomware is often viewed through a technical lens, focusing on the encryption of asset data. However, from the perspective of IT Service Managers and Operations teams, it presents two critical failures:

  1. Failure to Restore: Inability to bring systems back online.
  2. Failure of Business Continuity: Inability to maintain essential operations.

System downtime is the ultimate opportunity loss. Because it is the scenario most to be avoided, the value of “Restorable Operational Design” is once again in the spotlight.

2. Increasing News Coverage vs. Flat Infection Rates? The Reality in Japan

While high-profile media coverage makes it seem as though ransomware infections are skyrocketing, data from the National Police Agency suggests that the number of reported cases has remained relatively flat over the past few years.

However, a crucial caveat to this data is that it only includes cases where a formal damage report was filed. It does not account for the many incidents that occurred but were never publicly disclosed or reported to the authorities.

3. The Three Walls Facing the Frontlines: Governance, Culture, and Individual Dependency

3-1. Lack of Governance as the “Entry Point” for Intrusion

NIST’s “Ransomware Risk Management: A Cybersecurity Framework Profile” identifies five key processes where governance must be applied:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Effective ransomware response requires all five processes to be functional. While most attention is usually paid to “Protect” (preventing infection), IT Operations teams should also clearly define:

  • Identify: Regular virus scans and asset tracking.
  • Detect: Identifying when ransomware begins to spread within the system.
  • Respond & Recover: Defining how to maintain business and restore data once an infection occurs.

3-2. The “No Change = Stability” Culture is the Greatest Risk

In IT operations, particularly with legacy systems, there is a strong bias that “not changing anything equals stability.” Applying patches is often seen as a burden involving complex impact assessments and testing.

However, ITIL 4 emphasizes “Continuous Change Management” alongside “Value Creation” and “Service Continuity.” Even if your system has no external connections, the risk of infection is never zero. Threats can enter via:

  • Infected USB drives or files brought into dev/maintenance environments.
  • Intrusions via remote maintenance VPNs.
  • Firewall rules opened as exceptions for temporary tasks.

Those in core operational positions have the most influence over field design and consensus-building. Leaders must advocate for process improvement, because that advocacy determines the organization’s future preventive maturity.

4. More Important than Tech: The Essence of Ransomware Defense is the Operational Process

Ransomware exploits people and processes at the point of entry and through the chain of infection. Issues arise from process design flaws: opening email attachments, USB connections, mismanagement of contractor accounts, or bypassing approval flows.

The ultimate prevention is for the Operations department to create a state where “anyone can restore the system from any failure.” Key points include:

(1) Is the Backup Always Restorable?

What matters is the “Restoration Process,” not a technical comparison of tools or encryption methods. The essential question is: “Is backup work standardized, and are server restoration verifications performed daily/monthly as a routine?” You must verify where the recovery point is and conduct drills to validate the accuracy of your procedures.

(2) Configuration and Version Management

The Configuration Management Database (CMDB) is the heart of IT asset management. You must know what software/hardware is in use and what versions they are. Its value lies in whether anyone can search it immediately during an incident and whether it is used for change approvals.

(3) Restoration Procedures

You must prepare procedures for failure scenarios. To investigate a failure, you need to know exactly where the logs are located. To avoid dependency on senior staff, the procedures should state what each error return value means and which logs to check. While you cannot prepare for every scenario, having recovery scripts for a few major failure cases significantly speeds up restoration.
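As a worked example of points (1) and (3) above, the following restore drill script is added here; it is not code from the original article. It assumes a simple tar-plus-manifest backup format (the hypothetical make_backup stands in for whatever backup job the site actually runs) and uses documented return codes so that anyone, not only senior staff, can read why a drill failed.

```bash
#!/usr/bin/env bash
# Restore drill for the "is the backup always restorable?" check.
# Constructed example: make_backup stands in for the site's regular backup
# job (hypothetical); restore_drill is what a daily/monthly verification
# routine would run against the latest archive.
set -euo pipefail

# make_backup SRC_DIR ARCHIVE: tar SRC_DIR and record, beside the archive, a
# sha256 manifest of its files and the recovery point (backup time, epoch s).
make_backup() {
  local src=$1 archive=$2
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$archive.sha256"
  tar -czf "$archive" -C "$src" .
  date +%s > "$archive.rpo"
}

# restore_drill ARCHIVE MAX_AGE_SEC: restore into a scratch directory and
# return 0 only if extraction succeeds (else 1), every file matches the
# manifest (else 2) and the recovery point is no older than MAX_AGE_SEC,
# the agreed RPO (else 3). Each failure prints one line saying why.
restore_drill() {
  local archive max_age=$2 scratch age
  archive=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")   # absolute path
  scratch=$(mktemp -d)
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    echo "FAIL: $archive does not extract"; rm -rf "$scratch"; return 1
  fi
  if ! ( cd "$scratch" && sha256sum -c --quiet "$archive.sha256" 2>/dev/null ); then
    echo "FAIL: restored files do not match the manifest"; rm -rf "$scratch"; return 2
  fi
  rm -rf "$scratch"
  age=$(( $(date +%s) - $(cat "$archive.rpo") ))
  if [ "$age" -gt "$max_age" ]; then
    echo "FAIL: recovery point is ${age}s old, RPO is ${max_age}s"; return 3
  fi
  echo "PASS: $archive restores cleanly; recovery point is ${age}s old"
}

# Constructed sample: a tiny server tree, backed up and then drilled.
work=$(mktemp -d)
mkdir -p "$work/server/etc" "$work/server/var"
echo "listen=8080" > "$work/server/etc/app.conf"
printf 'id,amount\n1,100\n' > "$work/server/var/orders.csv"
make_backup "$work/server" "$work/nightly.tgz"
restore_drill "$work/nightly.tgz" 86400     # RPO of one day
```

Run it from cron against the newest archive and alert on any non-zero exit; the return code tells the on-call engineer which of the three checks failed without reading the script.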

5. BCP to Minimize Damage: Practical Steps to Keep the Business Running

For Operations teams, a Business Continuity Plan (BCP) should not be viewed as a technical manual, but as a framework for daily operations resilient to failure. The goal is “operational design that doesn’t stop business and organizational maturity that can restore.”

Key points for BCP formulation:

  • Define lead times for business recovery.
  • Inventory operational assets (configurations/backups).
  • Make restoration drills a routine part of operations.

6. Preventive Measures You Can Start Tomorrow

Ultimately, the most important thing is “operations that notice a problem before it becomes a failure.” While failures cannot be eliminated, the probability of catching signs early can be increased.

  • Track “Changes” in Data: Monitor logs and metrics for anomalies.
  • Build a Culture of Early Action: Do not ignore small signs.
  • Feedback Loops: Use incident post-mortems to improve the workflow and prevent recurrence.
  • Eliminate Silos: Record and share knowledge so it is accessible to the whole team.

7. Conclusion

Ransomware may look like a “technical problem,” but its essence lies in whether you have built restorable operations and a functional BCP into your daily routine. As seen in major corporate cases, the extent of the damage is determined more by operational process maturity than by the attack itself.

The goal is to build a state where anyone can restore the system using the same steps. Backups have no value unless they can be restored. Ultimately, IT Operations must strive to be an “organization that notices before a failure occurs and recovers immediately if it does.”

8. References

  1. KADOKAWA | Official Topics
     KADOKAWA. “Notice regarding ‘○○’.” KADOKAWA Topics.
     https://www.kadokawa.co.jp/topics/12088/
  2. Yahoo! News
     Yahoo! News. “(article title).” Yahoo! News.
     https://news.yahoo.co.jp/articles/62460524499fa8f152e7569f864cc9fc1203b741
  3. ITmedia NEWS
     ITmedia NEWS. “(article title).” ITmedia.
     https://www.itmedia.co.jp/news/articles/2512/10/news092.html
  4. Tokyo Metropolitan Police Department, Cybercrime Countermeasures
     Tokyo Metropolitan Police Department. “Ransomware Threats and Preventing Damage.” Metropolitan Police Department Cyber Safety Navi.
     https://www.keishicho.metro.tokyo.lg.jp/kurashi/cyber/joho/ransomware_threat.html
  5. IntelliLink Security Column
     IntelliLink. “(article title).” IntelliLink Security Column.
     https://www.intellilink.co.jp/column/security/2024/091700.aspx
  6. NIST IR 8374: NIST Roadmap
     Ross, R. et al. (2022). NIST IR 8374: An Introduction to Cybersecurity Framework Implementation.
     National Institute of Standards and Technology.
     https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8374.pdf
  7. NIST CSWP 29: Practice Guide
     National Institute of Standards and Technology. NIST CSWP 29: Implementing the Cybersecurity Framework.
     https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf