Ransomware Recovery

How to Recover from a Ransomware Attack

Protect against ransomware attacks with a robust ransomware recovery plan to minimize disruption and maintain business continuity.

The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) US-CERT ransomware site defines ransomware as: “a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.”

Ransomware attacks by cybercriminals have cost victims many millions of dollars, with one study estimating that the 2020 total could ultimately reach $1.4 billion in the U.S. Victims of the largest attacks include organizations from every industry, government agencies, IT providers, and educational institutions. No organization is immune, but there are strategies to help ensure your organization is prepared.

Related resource: the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Ransomware Preparedness guidance.

Best Practices for Ransomware Attack Recovery

A ransomware attack is one of the worst-case recovery scenarios that organizations can face. An impacted company or agency will likely be dealing with widespread operational and logistical issues caused by the attack. Rubrik has helped a number of customers successfully recover from ransomware attacks. As a result, we developed a set of best practices to help plan for, identify and remediate ransomware attacks. Ransomware attack planning best practices consist of the following five basic steps: 

Preparation

Put yourself in the best position for success by preparing in advance for a ransomware attack.

Prevention

Use third-party tools to prevent ransomware from entering and attacking systems. Catch ransomware attacks before they can do damage.

Detection

Apply tools, such as Rubrik Radar, to detect where ransomware has attacked to enable surgical remediation.

Assessment

During an assessment, decide what needs to be recovered first and when.

Recovery

Data can be recovered only after ransomware has been neutralized and blocked from reinfecting data.

Key Elements of an Effective Ransomware Recovery Plan

If your IT resources are breached by ransomware, you must be ready to address that attack immediately. A ransomware recovery plan should include the following tasks: 

Find the trigger file(s)

First things first: find and remove any trigger file(s) from all devices. 

Determine attack style

Identifying the specific ransomware type will help determine next steps. There are two principal forms of ransomware: screen-locking and encryption-based.

Disconnect all devices

To limit the effects of ransomware, disconnect every vulnerable device from your network in order to block the attack from spreading.

Understand the ransomware

Depending on the type of ransomware attack, data recovery may be possible using web-based software. You might also be able to decrypt the encrypted files using a decryption tool published for that ransomware family. Seek guidance from malware experts.

Restore file systems

Ideally, you will want to restore as much “lost” data as possible. That is done from backed-up data, but be careful: ransomware can have dwell times as long as six months, so malware might already be present in your archival backups. Before restoring, run an anti-malware package on all systems.

3 Ways to Prevent Ransomware and Recover Encrypted Files

If you are concerned about preventing and recovering from ransomware attacks, we recommend the following:

Keep regular backups

Use a dedicated backup service, such as Rubrik Cloudvault, from which data can be restored quickly.

Use strong security measures

Enforce strict IT security policies with all full-time employees, contractors and vendors

Be aware of suspicious emails, links, and attachments

Phishing is still one of the most popular ways for ransomware to be delivered. Be very wary of any emails or links that come from unknown senders.

Rubrik’s Approach to Protecting Against Ransomware

Rubrik is not a ransomware prevention solution. Instead, it is a last line of defense for the detection and remediation of an attack. By using machine learning, Rubrik can detect when data has been changed by ransomware through introspection of backups. Uninfected copies of that data can then be identified and used to surgically restore data following a ransomware attack. Otherwise, entire systems must be recovered, which also discards good data that was never infected.
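The two ideas above, detecting ransomware by introspecting successive backups and then picking an uninfected copy to restore from (which also addresses the dwell-time caution in the "Restore file systems" step), can be illustrated with a simple heuristic. The following is an added example, not Rubrik’s code or a description of its machine-learning models: it models backups as in-memory snapshots (constructed sample data), compares consecutive snapshots for a mass change whose new content looks like ciphertext (high Shannon entropy), and returns the newest snapshot taken before that change. The thresholds are assumptions to be tuned against your own data’s normal churn.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# A backup snapshot is modelled as a mapping of file path -> file content.
# (Constructed, in-memory stand-in for a real backup catalogue.)
Snapshot = Dict[str, bytes]

# Hypothetical thresholds: tune against your own data's normal change rate.
CHANGED_FRACTION_THRESHOLD = 0.5   # more than half of all paths touched in one interval
ENTROPY_THRESHOLD = 7.0            # bits/byte; plaintext sits ~4-6, ciphertext ~7.9-8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compare_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Metrics for the change between two consecutive backups."""
    paths = set(before) | set(after)
    # A path counts as changed if it appeared, vanished, or its content differs.
    changed = [p for p in paths if before.get(p) != after.get(p)]
    # Entropy is measured on the new content of each changed path that still exists.
    entropies = [shannon_entropy(after[p]) for p in changed if p in after]
    return {
        "changed_fraction": len(changed) / len(paths) if paths else 0.0,
        "mean_changed_entropy": sum(entropies) / len(entropies) if entropies else 0.0,
        "vanished": sum(1 for p in before if p not in after),
    }


def is_anomalous(metrics: dict) -> bool:
    """Mass change AND ciphertext-like content together look like encryption, not normal work."""
    return (metrics["changed_fraction"] >= CHANGED_FRACTION_THRESHOLD
            and metrics["mean_changed_entropy"] >= ENTROPY_THRESHOLD)


def find_last_clean_index(snapshots: List[Snapshot]) -> int:
    """Index of the newest snapshot taken before the first anomalous interval.

    Restoring from this snapshot (after scanning it for malware, as the text
    advises) avoids restoring the encrypted state while keeping the most data.
    """
    for i in range(1, len(snapshots)):
        if is_anomalous(compare_snapshots(snapshots[i - 1], snapshots[i])):
            return i - 1
    return len(snapshots) - 1   # no anomaly seen: the newest snapshot is clean


# --- Constructed sample data (not real backups) ----------------------------

def _plaintext(tag: str, repeats: int = 40) -> bytes:
    return (f"{tag}: quarterly figures, meeting notes, invoice totals.\n" * repeats).encode()


def _ciphertext(seed: int, size: int = 2048) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted file content."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def build_snapshots() -> List[Snapshot]:
    files = [f"docs/file{i}.txt" for i in range(6)]
    day0: Snapshot = {p: _plaintext(p) for p in files}
    day1: Snapshot = dict(day0)
    day1["docs/file0.txt"] = _plaintext("docs/file0.txt (edited)")   # one ordinary edit
    day2: Snapshot = {"docs/file5.txt": day0["docs/file5.txt"]}      # one file untouched
    for i, p in enumerate(files[:5]):                                # five files "encrypted" and renamed
        day2[p + ".locked"] = _ciphertext(seed=i)
    return [day0, day1, day2]


if __name__ == "__main__":
    snaps = build_snapshots()
    for i in range(1, len(snaps)):
        m = compare_snapshots(snaps[i - 1], snaps[i])
        print(f"interval {i - 1}->{i}: {m}  anomalous={is_anomalous(m)}")
    print("last clean snapshot index:", find_last_clean_index(snaps))
```

Run as a script, the day0 to day1 interval (a single edited file) is reported as normal, the day1 to day2 interval (five files replaced by ciphertext-like content and renamed) is flagged, and snapshot 1 is selected as the restore point. A real implementation would look at per-file and per-directory change rates over a longer history rather than a fixed threshold, which is where the machine-learning approach the text mentions earns its keep, but the signal being modelled is the same.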

Contending with a ransomware attack involves far more than paying or not paying a ransom. The real concern is protecting your critical data. Being prepared to deal with an attack and having a plan for recovery from an attack will help safeguard organizational continuity. 

Learn more about how Rubrik’s approach can help you protect against ransomware attacks.