The first 7 steps to recovering from a ransomware attack

November 17th, 2020

If you have been affected by a ransomware attack, we have compiled some guidance to help you get started with your recovery process.  These steps are simple and quick and will get you going in the right direction until you have a professional team on your side to help you emerge confidently from the crisis.

Recovering from ransomware

1. Remove affected systems from the network

Affected systems usually want to infect other systems.  Before trying to recover data, restore from backups, or anything else, take the affected systems offline or on to their own segmented, isolated network.  Think: “quarantine them.”

2. What kind of ransomware is it?

You can use NoMoreRansom to determine what kind of ransomware was used.

Knowing the type of ransomware is very important for evaluating the potential scope of the infection, if there is likely collateral damage, if the attackers are sophisticated, and if the ransomware is broken and your data can be easily recovered (see #3).

3. Sometimes you can directly decrypt and recover your data

Not all ransomware is well designed, sometimes the encrypted files can just be decrypted without paying the ransom. NoMoreRansom lists many of the tools people have built for doing just that. However, even if you can do this, see #5 for a big caveat.

4. Restore from backup

If you have backups, now is the time to use them to restore your systems.   However, see next item.

5. Do not necessarily trust restored/decrypted machines.

Once a machine has been compromised, it is not easy to prove that it is “clean” again.  Some experts would argue that you never can. The best and safest way to recover a system is to completely wipe its hard drive(s), reinstall the operating system, make all updates to the operating system software, and then restore from a known-good backup (though there are still ways for malware to persist after that we well). Or, if your backups included full images of your systems, you can restore the device to a known-good image.

If you do less, i.e., simply decrypting files and/or cleaning your device with an anti-virus or anti-malware program, you are taking a risk.  Only a security professional actively working on your case and familiar with the attack and attackers may have a reasonable understanding of whether the device can be fully cleaned or not without fully resetting it.

6. Hire a professional

Chances are security forensics and malware recovery are not your specialty nor the specialty of anyone in your organization.  Hire an expert. Your cyber insurance (an essential IT budget line item) will probably pay for this.  It is the responsibility of this professional to:

  1. Discover how the attack got into your systems.
  2. Analyze the full extent of the compromise.
  3. Understand what actually happened. E.g., did the attackers exfiltrate your data in addition to encrypting it?
  4. Help you determine (and execute) the best recovery strategy for your situation.
  5. Help you plan for improvements to reduce the chances of this happening again.

7. Work on Crypto-malware Prevention & Mitigation strategies

Review LuxSci’s tips for ransomware prevention, seeing what you can leverage to lower your risk of another attack.