How to Recover From a Ransomware Attack

The best way to recover from a ransomware attack is to execute a carefully practiced incident response plan. So easy to say, so difficult to do correctly.

In fact, many organizations have no plan at all. Instead, they not only have to conduct recovery steps with no planning or preparation, they also need to figure out those steps under immense pressure.

With or without a written plan, the steps are the same, but a written plan enables a security team to be much better prepared. A security team that practices a plan gains even more benefits because they can respond to attacks faster, with fewer mistakes, and with better results.

Steps to Recover From a Ransomware Attack

Ransomware response and recovery can be broken down into four steps:

  1. Isolate, Assess, Call for Help
  2. Recover What Can Be Recovered
  3. Post-Attack Tasks
  4. Create or Revise the Ransomware Incident Response Plan

We’ll cover those steps in depth below, but for those in need of a quick guide, here are the basics:

  • Isolate, Assess, Call for Help:
    • Call professionals and stakeholders:
      1. Call your cybersecurity insurance provider. Insurers often require specific steps and vendors that supersede any other steps on this list, or even the preferences of the victim organization.
      2. Call expert ransomware response professionals. Most organizations do not have incident response or forensic staff and will need outside expertise to stop the attack and recover systems and data.
      3. Call executives, attorneys, and law enforcement, who may need to authorize or document the next steps.
    • Stop the attack:
      1. Cut off the attackers’ access to the affected devices (network isolation).
      2. Stop the processes executing the ransomware (if still active), once they have been identified.
    • Identify the ransomware family and the scope of the attack, which determine the options for recovery.
  • Recover what can be recovered, replace what cannot be recovered.
  • Apply lessons learned and block future attacks.
  • Revise (or create) the ransomware incident response plan.

1. Isolate, Assess, Call for Help

The initial incident response requires the team to perform several tasks nearly simultaneously. Not only must the attack be contained and assessed, the team might also need to let stakeholders, executives, authorities, and insurance companies know about the attack.

Is the attack small enough that we do not need to file a cyber insurance claim? If we are lucky, a single machine or a limited number of users are affected by a simple ransomware attack that is not spreading and is not backed by attackers who are still active in the network. Such a limited attack does not need to involve executives or other stakeholders because the damage to the organization is limited.

However, a broad attack, or one run by a sophisticated adversary who has been inside the environment for some time (an Advanced Persistent Threat, or APT), may require professional incident response and forensic teams to determine its full extent.

Keep in mind that cybersecurity insurers may strictly determine what next steps are permitted in order to qualify for reimbursement. In the event of a larger attack that might lead to a claim, the insurance company might need to be one of the first calls.

Assuming no instructions to the contrary from insurers, the first step is to contain the damage. Cut off network and internet access for the affected computer, server, or office: unplug the cable, disable Wi-Fi, or block the host at the switch or firewall. Prefer disconnecting over powering off, because memory contents (running processes, network connections, and sometimes the ransomware’s own key material) are evidence that a shutdown destroys; power a device down only if it cannot be disconnected. If necessary, the organization can shut down all networks to stop the spread.

Shutting down all networks is an extreme step that dramatically affects the organization and should not be taken lightly. Also keep in mind that isolating specific devices or the organization as a whole will cut off remote access, so responding IT teams will need to go onsite, which increases the time and money required for the recovery. Host-level isolation that leaves a single path open to the response team (an EDR “isolate host” function, or firewall rules that allow only the responders’ jump host) avoids that trade-off.

Next, assess the situation. Some ransomware attacks launch automatically when someone clicks a phishing link and are simpler to remediate.

Other attacks launch only after the attackers have penetrated deep into the environment, accessed many different systems, exfiltrated company information, and deleted backups. In that case the attackers’ persistent access will not be removed by isolating the affected devices, and more advanced methods will be required to eliminate the threat.
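The containment and assessment steps above, as an added example for a single Windows endpoint; this script is not from the original article, and the jump-host address (10.0.50.10), the capture directory (C:\IR), and the rule names are assumptions to be replaced with your own. It captures volatile state first, then isolates the host with Windows Firewall while still allowing the response team in over WinRM and RDP, and only then stops processes the analyst has named:

```powershell
# Added example (not from the original article): contain one Windows endpoint
# while keeping a path open for the responders.
#
# Assumptions (hypothetical): the IR jump host is 10.0.50.10, evidence goes to
# C:\IR, and the script runs as Administrator in Windows PowerShell 5.1+ on a
# host with the NetSecurity module. Where an EDR "isolate host" button exists,
# prefer it; this is the manual equivalent.
#
# Order matters: capture volatile state, then isolate, then stop processes.
param(
    [string]   $JumpHost       = '10.0.50.10',   # assumption: responders' jump host
    [string]   $CaptureDir     = 'C:\IR',
    [string[]] $SuspectProcess = @()             # names chosen by the analyst after triage
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null

# 1. Volatile evidence before anything changes: process tree with command
#    lines, and live TCP connections with the owning process.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
    Export-Csv -NoTypeInformation "$CaptureDir\processes-$stamp.csv"

Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -NoTypeInformation "$CaptureDir\tcp-$stamp.csv"

# 2. Isolate: default-deny in both directions on every profile, then allow
#    only the jump host (WinRM 5985 and RDP 3389 inbound; anything outbound
#    to that host so the responders can pull the captures).
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'IR-Allow-JumpHost-In' -Direction Inbound `
    -RemoteAddress $JumpHost -Protocol TCP -LocalPort 5985,3389 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'IR-Allow-JumpHost-Out' -Direction Outbound `
    -RemoteAddress $JumpHost -Action Allow | Out-Null

# 3. Stop the encrypting processes only once they are identified from the
#    capture; killing blindly destroys evidence and leaves persistence in place.
foreach ($name in $SuspectProcess) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}

Write-Host "Host isolated; evidence in $CaptureDir. Revert with:"
Write-Host "  Remove-NetFirewallRule -DisplayName 'IR-Allow-*'"
Write-Host "  Set-NetFirewallProfile -All -DefaultInboundAction NotConfigured -DefaultOutboundAction NotConfigured"
```

Explicit allow rules take precedence over the profile’s default action, which is what keeps the jump host reachable after the default-deny is applied. The script deliberately does not touch the network adapters: a disabled adapter is a complete isolation, but it also removes the remote path the caveat above warns about. Whole-organization isolation is a switch, VLAN or perimeter change and is out of scope for a per-host script.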

Also see: Best Backup Solutions for Ransomware Protection

2. Recover What Can Be Recovered

Once the active attack is contained, the team can turn to recovery of the systems and the data. Some simple ransomware cases can be handled by in-house teams because of their limited scope and damage.

Larger attacks involve far more complexity and variance, and unwinding an attack by a persistent adversary will require deep forensic investigation of the systems, logs, and possibly even the backups. Most organizations need to reach out to service providers to obtain suitable experts for this type of recovery.

The variety of ransomware attacks and responses easily exceeds what one article can cover, so the rest of this article focuses on a limited, manageable scope: automated ransomware striking only a handful of endpoint computers. This example still gives a high-level overview of the basic steps of ransomware recovery without going into the threat hunting processes necessary for sophisticated attacks.

Also read: How One Company Survived a Ransomware Attack Without Paying the Ransom

How Long Does it Take to Recover from Ransomware?

Short answer: It depends. The high variance of the types of attacks and the characteristics of the environment prevent an easy estimate of ransomware recovery time.

However, the main variables that determine recovery time are:

  • Available Backups: The more frequent and the better protected the backups, the faster the data can be restored. System (image) backups can also speed up recovery because the operating system does not have to be rebuilt.
  • Ransomware Attack Sophistication: Complex, long-term attacks might leave persistent back doors on unaffected systems or even in backups. The more sophisticated the attack, the longer it takes to root the attackers out of the systems.
  • Extent of the Damage: The more systems affected, the more time it takes to recover. Also, the more deeply the ransomware affects each system, the longer the recovery will take. If only data is affected, reloading data can be simple (although time consuming). If the ransomware has modified the operating system and the registry, the system software may need to be entirely reloaded. If the ransomware has written itself into firmware (UEFI/BIOS), recovery may not be possible and the entire system, including hardware, may need to be replaced.
  • Incident Response Team: The quality (skill, experience, familiarity with ransomware incident response, etc.) of a team affects how quickly the attack is stopped and systems are recovered. The size of the team also matters for extensive attacks involving a high number of devices.
  • Recovery Tools: Some ransomware recovery tools can speed up the recovery process, but their usefulness depends upon the ransomware family involved.
  • Outside Influence: Recovery can be straightforward, but cybersecurity insurance providers and law enforcement may require evidence to be gathered, which can delay recovery. Internal payment and approval processes can also take time away from recovery if they are not approved in advance. Lastly, active attackers can further disrupt recovery if they still have access to the network, or if they use Distributed Denial of Service (DDoS) attacks to add pressure on the organization.

Simple Ransomware Recovery

Ransomware typically announces its presence by locking the victim’s screen or dropping a ransom note with payment instructions. The note, the extension added to encrypted files, and the file format of the note together identify the ransomware family, which determines the next steps.

If we are lucky, a decryptor for that family is available through public sources (the No More Ransom project is the best-known collection) or through anti-ransomware tools that may be purchased. Decryptors exist only where the ransomware’s cryptography was flawed or the keys were recovered by researchers or law enforcement, but where one exists it may make it possible to remove the ransomware and fully restore the system and files.

Unfortunately, as covered in How to Decrypt Ransomware Encrypted Files, the recovery of ransomware-encrypted files has a low success rate. Most families use sound encryption with keys held only by the attackers, and some attacks corrupt or delete files, or threaten to publicly release sensitive data, with the ransomware notice serving as misdirection from the attackers’ actual intent.

Some organizations may be tempted to pay a ransom. Organizations that depend upon uptime such as hospitals, law enforcement, or emergency services have mandates to be available and responsive that go beyond simple financial considerations. Deaths associated with ransomware are rare, but at least one death is directly associated with a ransomware attack and roughly 25% of healthcare providers noted an increase in mortality rates following ransomware attacks.

Unfortunately, there are three big reasons not to pay a ransom.

  1. The FBI discourages payment. If we need law enforcement cooperation later, it may not help to have gone against their published advice.
  2. We could violate U.S. Treasury sanctions. The Office of Foreign Assets Control (OFAC) issued an advisory reminding companies that payments to sanctioned entities may trigger significant penalties. Some ransomware actors operate within sanctioned countries (Iran, North Korea, etc.) and others have been sanctioned as separate entities (terrorists, organized crime, etc.).
  3. It doesn’t work. A Sophos survey of victims who paid the ransom found that:
    1. 8% fully recovered their data
    2. 92% did not fully recover their systems
    3. 4% paid and received no decryption keys at all

Full recovery of our systems will test the quality and thoroughness of our backup processes. We will need to go back far enough to locate data and operating system backups free of malware, but the further back we need to go, the more work product that could be lost. Our preparation prior to the attack will be critical to our data recovery success.

Windows System Restore points are sometimes offered as a shortcut: if we know the date of the infection, we can roll the computer back to a restore point prior to it. Two caveats apply. System Restore only rolls back system files, installed programs, and the registry; it does not restore user data files, so encrypted documents stay encrypted. And most ransomware deletes restore points and Volume Shadow Copies before it starts encrypting, precisely so that this shortcut is unavailable. Treat a surviving restore point as a bonus, not as a backup, and verify afterwards that the malware and its persistence are actually gone.

If we are unlucky, a sophisticated ransomware attack has encrypted or deleted the backup files and system restore points. In this case, we may need to completely wipe the system and reinstall all software.

While it is possible to manually clean systems instead of wiping them, this time-consuming process requires a deep understanding of the Windows Registry and the persistence locations the ransomware may have used. Generally, this option consumes too much time to be practical and will be much more expensive than wiping the computers.

Once the system has been cleaned, we still have to restore the data itself from backup. Keep in mind that some backups may contain already-encrypted or corrupted data, so incident response teams may need to go through multiple backups until they find clean data. Any changes made since the last clean backup will probably be lost.
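The “go through multiple backups until clean data is found” step above, as an added example that is not from the original article. It assumes a hypothetical layout: snapshots are directories named by date under \\backup01\snapshots, each containing a manifest.csv with Path and SHA256 columns written at backup time, and the ransom note name and encrypted-file extension have been read from the ransom screen. The script walks the snapshots newest-first, skips any taken after the infection time, and stops at the first one with no late writes, no ransomware artifacts, and no files whose hash differs from the manifest:

```powershell
# Added example (not from the original article): find the newest backup
# snapshot that predates the infection and passes a cleanliness check.
#
# Assumptions (hypothetical): snapshot directories named yyyy-MM-dd under
# $SnapshotRoot; each has manifest.csv (Path,SHA256) written by the backup job;
# the infection time comes from triage (earliest encrypted file, first suspect
# process); the note name and extension come from the ransom screen.
param(
    [string]   $SnapshotRoot   = '\\backup01\snapshots',
    [datetime] $InfectionTime  = '2024-03-05T02:15:00',
    [string]   $RansomNoteName = 'README_TO_RESTORE.txt',   # assumption
    [string]   $EncryptedExt   = '.locked'                  # assumption
)

function Test-SnapshotClean {
    param([System.IO.DirectoryInfo] $Snapshot)

    $files = Get-ChildItem -Path $Snapshot.FullName -Recurse -File |
        Where-Object { $_.Name -ne 'manifest.csv' }

    # Indicator 1: anything written after the infection began is suspect.
    $late = @($files | Where-Object { $_.LastWriteTime -ge $InfectionTime })

    # Indicator 2: the ransomware's own artifacts captured inside the backup.
    $notes = @($files | Where-Object {
        $_.Name -eq $RansomNoteName -or $_.Extension -eq $EncryptedExt })

    # Indicator 3: content that no longer matches what the backup job recorded,
    # which catches files encrypted or deleted in place after the backup ran.
    $manifest = Import-Csv (Join-Path $Snapshot.FullName 'manifest.csv')
    $tampered = @(foreach ($row in $manifest) {
        $full = Join-Path $Snapshot.FullName $row.Path
        if (-not (Test-Path $full) -or
            (Get-FileHash $full -Algorithm SHA256).Hash -ne $row.SHA256) { $row.Path }
    })

    [pscustomobject]@{
        Snapshot        = $Snapshot.Name
        LateWrites      = $late.Count
        RansomArtifacts = $notes.Count
        Tampered        = $tampered.Count
        Clean           = ($late.Count -eq 0 -and $notes.Count -eq 0 -and $tampered.Count -eq 0)
    }
}

# Newest first, only snapshots taken before the infection.
$candidates = Get-ChildItem -Path $SnapshotRoot -Directory |
    Where-Object { [datetime]$_.Name -lt $InfectionTime } |
    Sort-Object { [datetime]$_.Name } -Descending

foreach ($snap in $candidates) {
    $result = Test-SnapshotClean -Snapshot $snap
    $result | Format-Table -AutoSize
    if ($result.Clean) {
        Write-Host "Restore candidate: $($snap.FullName)"
        break   # the newest clean snapshot; everything after it is lost work
    }
}
```

The manifest check is the expensive part (every file is hashed), but it is the one that catches a backup job that faithfully copied already-encrypted files. The same discipline belongs in the backup policy: a manifest or immutable hash written at backup time is what makes “clean” verifiable later instead of guessed from timestamps.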


3. Post-Attack Tasks

Whether we can restore our systems ourselves or if we must hire incident response specialists, fully recovering our systems from an attack only marks the start of the process. We will also need to:

  • Deal with other ransomware attack issues
  • Report to regulators and stakeholders
  • Apply lessons learned

Other Ransomware Attack Issues

Many ransomware gangs have adopted the tactic of exfiltrating sensitive data before triggering the ransomware and extorting the victim company with the threat of publicly releasing it. If exfiltration has occurred, what types of data were stolen?

Depending upon the type of data affected, a full forensic investigation of the attack may need to be performed to gather evidence for criminal prosecution or to defend the organization from civil and regulatory action. Complex attacks involving more than one ransomware attacker or more than one exfiltration will increase the time and headaches involved in resolving the issues.

Report to Regulators and Stakeholders

The theft of regulated data protected by law will trigger reporting requirements regarding the full extent of personal information, credit card data, healthcare information, or other protected data accessed, breached, or publicly released. Once the type of breached data is known, legal counsel will determine what types of internal and external reports may be required.

IT teams also need to work with legal counsel and executives to determine the required internal reports and the timing and content of information released to authorities, affected parties, or the public. Even if not required by law, breached customer data may trigger contractual and moral obligations to report the extent of the breach to the affected parties.

Apply Lessons Learned

Once the recovery is complete and required reports are delivered, our incident response teams need to perform a post mortem analysis. The method of attack must be reviewed to determine how to prevent such attacks in the future.

Often this will be referred to as a Lessons Learned report and it should cover:

  • What security was bypassed to allow the ransomware attack, such as email screening or firewall security
  • What adjustments have been made or could be made to existing security
  • What additional security controls must be added or what new security tools may need to be installed.

Some organizations may not have the budget or time to immediately address all issues, so unaddressed issues will also need to be evaluated for risk to the organization. For example, it may not be practical to prevent phishing attacks from leading to future ransomware attacks, but the organization may decide to encrypt more data or block email access from critical systems to limit the future risk to the organization.

Additionally, the team will want to analyze their response to the attack to determine if improvements need to be made to the incident response plan (or to create an incident response plan). Common issues encountered in this process are incorrect phone numbers, obsolete IP addresses, or broken recovery processes.

4. Create or Revise the Ransomware Incident Response Plan

Preparation remains the key to successful ransomware recovery. An organization must:

  • Prepare a good backup policy and procedure
  • Prepare a good incident response policy and procedure
  • Install layered ransomware security
  • Test security and policies for effectiveness

Policies to Protect Against Ransomware

Some IT professionals dismiss policies as words on paper that protect nothing. The validity of that complaint depends upon the organization. Organizations that use the policies to enact procedures and to set the tone of the organization will enjoy more benefits from policies than organizations that just go through the motions for compliance check boxes.

Backup policies should include the type of backup (full data, changed data, full system), frequency (daily, monthly, quarterly), retention period (60 days, six months, etc.), and the location of the backup (on the device, in connected network repositories, offline, etc.). The widely used 3-2-1 rule calls for three copies of the data on two different media with one copy offsite; at least one copy should also be offline or immutable so that an attacker with network access cannot encrypt or delete it.

For an incident response plan or policy, we must be honest about our valuable assets, our security capabilities, and our team’s ability to respond to an incident. The key is functionality. A robust plan that cannot be executed by our team is worthless.

The plan does not require sophistication or even technical ability. It could simply be a list of different types of incidents (power outage, ransomware attack, etc.) and important numbers to call for each type of incident such as incident response experts, an attorney, key executives, insurance contacts, and so on.

Some attorneys will recommend specific processes that require their involvement. These recommendations hope to extend the protection of privilege to the work product and communication of the process so that it cannot be introduced as evidence in future lawsuits.

The incident response plan may also need to involve the CFO. Purchasing limitations that may normally require extended processes with multiple signatures may need to be bypassed with pre-approved budgets and vendors that would be triggered in the event of an attack.

Ideally, any cybersecurity insurance policy requirements should also be determined and added to the incident response plan. The more accurate the information, the smoother the process will be executed and the less risk of mistakes during an incident.

All policies should be reviewed periodically as well as after an event to revise or update the policies as needed.

Ransomware Security

When installing layered security we need to focus on the most likely target and the most likely attack paths.

We must cover the basics. A zero-trust architecture with continuous authorization might be the preferred option for some, but a traditional security framework can provide adequate security for many.

The classic approach of a modern firewall, robust network security, and advanced endpoint security would be reasonable. We should encrypt data at rest. We should use multi-factor authentication.

Budgets and IT capabilities may limit how much security we can afford to deploy, but not all security costs a fortune. Many of us ignore the embedded options and features of our current operating systems and software that can significantly reduce the effectiveness of attacks.

This is particularly true of server protection, where, as Symantec Endpoint Security VP and General Manager Adam Bromwich notes, “traditionally IT has not turned on all the protection technologies available to them. They have become a weak point that attackers are exploiting.”

“Living off the land” attacks that abuse legitimate tools, such as PowerShell, WMI and PsExec, add to that insecurity. Symantec has added behavioral blocking around such tools and sandboxing, and the Broadcom company’s new Adaptive Protection tool shuts down processes that aren’t in use, further hardening systems and disrupting the attack chain.

“By the time you can react to an EDR alert, it is too late,” Bromwich told eSecurity Planet.

Planning and Testing

Testing involves periodic checks of our security, processes, and procedures.

First, we must verify that our security has been correctly installed and is functioning. Internal assessments are okay, but can miss critical issues our team did not consider.
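The “verify it is installed and functioning” check above, applied to the built-in Windows protections the text earlier notes are often left switched off, as an added example that is not from the original article. It assumes a Windows 10/11 or Server host with Microsoft Defender Antivirus and the Defender and NetSecurity PowerShell modules, run as Administrator; it reports only and applies no changes:

```powershell
# Added example (not from the original article): audit the built-in Windows
# anti-ransomware controls and flag the gaps a review would expect closed.
# Assumption: Microsoft Defender Antivirus is the endpoint product; if a
# third-party product is active, Defender's status will show as disabled.
function Get-RansomwareControlStatus {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $fw     = Get-NetFirewallProfile

    # Controlled folder access: 0 = off, 1 = enforcing, 2 = audit only.
    $cfa = switch ($pref.EnableControlledFolderAccess) {
        1 { 'Enabled' } 2 { 'AuditMode' } default { 'Disabled' }
    }

    # Attack surface reduction rules: action 1 = Block. Audit (2) and Warn (6)
    # only log, so count just the rules that actually stop something.
    $asrBlock = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count

    [pscustomobject]@{
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        BehaviorMonitoring       = $status.BehaviorMonitorEnabled
        TamperProtection         = $status.IsTamperProtected
        CloudDeliveredProtection = ($pref.MAPSReporting -ne 0)
        ControlledFolderAccess   = $cfa
        AsrRulesInBlockMode      = $asrBlock
        FirewallProfilesEnabled  = @($fw | Where-Object { $_.Enabled -eq 'True' }).Count  # expect 3
        SignatureAgeDays         = $status.AntivirusSignatureAge
    }
}

$report = Get-RansomwareControlStatus
$report | Format-List

$gaps = @()
if (-not $report.RealTimeProtection)              { $gaps += 'real-time protection off' }
if (-not $report.TamperProtection)                { $gaps += 'tamper protection off (ransomware commonly disables AV first)' }
if ($report.ControlledFolderAccess -ne 'Enabled') { $gaps += 'controlled folder access not enforcing' }
if ($report.AsrRulesInBlockMode -eq 0)            { $gaps += 'no ASR rules in block mode' }
if ($report.FirewallProfilesEnabled -lt 3)        { $gaps += 'a firewall profile is disabled' }
if ($report.SignatureAgeDays -gt 7)               { $gaps += "signatures are $($report.SignatureAgeDays) days old" }

if ($gaps) { Write-Warning ('Gaps: ' + ($gaps -join '; ')) }
else       { Write-Host 'Baseline anti-ransomware controls are present' }
```

Run it across the fleet (for example over WinRM) and keep the output with the lessons-learned report: a control that was “on” in policy but reports disabled on the host is exactly the kind of finding an internal review misses and an attacker does not.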

Paying for third-party assessments and penetration tests can provide fresh thinking and a level of assurance for stakeholders such as customers, the board of directors, and the cybersecurity insurance company. Penetration tests and vulnerability scans may also be required to comply with various regulations (PCI DSS, etc.).

Our processes and procedures will often be planned in advance, but may overlook critical data or steps. Tabletop exercises and drills that walk through the processes and procedures ensure our staff can execute them smoothly and confidently should a ransomware attack or other incident occur.

It is also wise to ensure that all employees in the company receive and understand the incident response policy. Intermedia surveyed employees and estimated that 59% personally paid to recover from ransomware rather than admit to becoming a victim. Yet our IT teams need to make sure that the malware has been removed from the system, and we can only do that if we are informed about the attack.

Read next: Ransomware Prevention: How to Protect Against Ransomware

Chad Kime
Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.
