The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) ransomware site US-CERT defines ransomware as: “a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.”

Ransomware attacks from cybercriminals have cost victims many millions of dollars, with one study suggesting the 2020 total cost could ultimately total $1.4 billion in the U.S. Victims of the largest attacks include organizations from every industry, government agencies, IT providers, and educational institutions. No organization is immune, but there are strategies to help ensure your organization is prepared.


Best Practices for Ransomware Attack Recovery

A ransomware attack is one of the worst-case recovery scenarios that organizations can face. An impacted company or agency will likely be dealing with widespread operational and logistical issues caused by the attack. Rubrik has helped a number of customers successfully recover from ransomware attacks. As a result, we developed a set of best practices to help plan for, identify and remediate ransomware attacks. Ransomware attack planning best practices consist of the following five basic steps:  

  • Preparation—Put yourself in the best position for success by preparing in advance for a ransomware attack.
  • Prevention—Use third party tools to prevent ransomware from entering and attacking systems. Catch ransomware attacks before they can do damage.
  • Detection—Apply tools, such as Rubrik Radar, to detect where ransomware has attacked to enable surgical remediation.
  • Assessment—During an assessment, decide what needs to be recovered first and when.
  • Recovery—Data can be recovered only after ransomware has been neutralized and blocked from reinfecting data.

Key Elements of an Effective Ransomware Recovery Plan

If your IT resources are breached by ransomware, you must be ready to address that attack immediately. A ransomware recovery plan should include the following tasks:

  • Find the trigger file(s)—First things first: find and remove any trigger file(s) from all devices. 
  • Determine attack style—Identifying the specific ransomware type will help determine next steps. There are two principal forms of ransomware: screen-locking and encryption-based.
  • Disconnect all devices—To limit the effects of ransomware, disconnect every vulnerable device from your network in order to block the attack from spreading.
  • Understand the ransomware—Depending on the type of ransomware attack, data recovery can be possible using web-based software. You might also be able to decode the encrypted files using a ransomware encryption removal tool. Seek guidance from malware experts.
  • Restore file systems—Ideally, you will want to restore as much “lost” data as possible. That’s done using backed-up data, but be careful. Ransomware can have dwell times as long as six months, so malware might have been included in your archival backups. Before restoring, run an anti-malware package on all systems.

Rubrik’s Approach to Protecting Against Ransomware

Rubrik is not a ransomware prevention solution. Instead, it is a last line of defense for the detection and remediation of an attack. By using machine learning, Rubrik can detect when data has been changed by ransomware through the introspection of backups. Uninfected copies of that data can then be identified and used to surgically restore data following a ransomware attack. Otherwise, entire systems must be recovered resulting in the loss of good data that has not been infected.

Contending with a ransomware attack involves far more than paying or not paying a ransom. The real concern is protecting your critical data. Being prepared to deal with an attack and having a plan for recovery from an attack will help safeguard organizational continuity. 

Learn more about how Rubrik’s approach can help you protect against ransomware attacks.