How to recover from a ransomware attack
Protect against ransomware attacks with a robust ransomware recovery plan to minimize disruption and maintain business continuity.
The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) ransomware site US-CERT defines ransomware as: “a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.”
Ransomware attacks from cybercriminals have cost victims many millions of dollars, with one study suggesting the 2020 total cost could ultimately total $1.4 billion in the U.S. Victims of the largest attacks include organizations from every industry, government agencies, IT providers, and educational institutions. No organization is immune, but there are strategies to help ensure your organization is prepared.
Best practices for ransomware attack recovery
A ransomware attack is one of the worst-case recovery scenarios that organizations can face. An impacted company or agency will likely be dealing with widespread operational and logistical issues caused by the attack. Rubrik has helped a number of customers successfully recover from ransomware attacks. As a result, we developed a set of best practices to help plan for, identify and remediate ransomware attacks. Ransomware attack planning best practices consist of the following five basic steps:
Put yourself in the best position for success by preparing in advance for a ransomware attack.
Use third party tools to prevent ransomware from entering and attacking systems. Catch ransomware attacks before they can do damage.
Apply tools, such as Rubrik Radar, to detect where ransomware has attacked to enable surgical remediation.
During an assessment, decide what needs to be recovered first and when.
Data can be recovered only after ransomware has been neutralized and blocked from reinfecting data.
Key elements of an effective ransomware recovery plan
If your IT resources are breached by ransomware, you must be ready to address that attack immediately. A ransomware recovery plan should include the following tasks:
Find the trigger file(s)
First things first: find and remove any trigger file(s) from all devices.
Determine attack style
Identifying the specific ransomware type will help determine next steps. There are two principal forms of ransomware: screen-locking and encryption-based.
Disconnect all devices
To limit the effects of ransomware, disconnect every vulnerable device from your network in order to block the attack from spreading.
Understand the ransomware
Depending on the type of ransomware attack, data recovery can be possible using web-based software. You might also be able to decode the encrypted files using a ransomware encryption removal tool. Seek guidance from malware experts.
Restore file systems
Ideally, you will want to restore as much “lost” data as possible. That’s done using backed-up data, but be careful. Ransomware can have dwell times as long as six months, so malware might have been included in your archival backups. Before restoring, run an anti-malware package on all systems.
3 ways to prevent ransomware encrypted files
If you are concerned about preventing and recovering from ransomware attacks we recommend the following:
Keep regular backups
Use a dedicated backup service like Rubrik Cloudvault that can quickly be restored
Use strong security measures
Enforce strict IT security policies with all full-time employees, contractors and vendors
Be aware of suspicious emails, links, and attachments
Phishing is still one of the most popular ways for ransomware to be delivered. Be very wary of any emails or links that come from unknown senders
3 ways to recover from ransomware
If your company has been hit with ransomware, it's important to act quickly and have a plan in place for recovery. Here are three things you can do to help get your business back on track:
Deploy immutable backups - Immutable backups will be your company's best line of defense against ransomware. By having a complete, unalterable backup of your data, you can be confident that you can always revert back to a clean, uninfected copy in the event of an attack.
Enforce strong security measures - Enforcing strict IT security policies will help to prevent ransomware from being able to infect your files and spread throughout your corporate network.
Deploy dedicated backups for high value services - IT services like Microsoft 365, AWS, Azure, and Google Cloud are critical to business operations. Having a dedicated backup solution in place for these services will help ensure that you can quickly and easily recover in the event of an attack.
Frequently Asked Questions :
Ready to get started?
Get a personalized demo of the Rubrik Zero Trust Data Security platform.