How to Recover from a Ransomware Attack
It’s every business owner’s worst nightmare: one day you discover that every one of your files, on every single device connected to your organization’s network, has been scrambled. Your business’s financial data, its customer records, its order and fulfillment history, and your intellectual property—everything from the design of the corporate logo to proprietary formulas used in manufacturing processes and documentation of standards and settings—all this has been encrypted. You can’t access the information, and you don’t know what it’ll take to recover it.
This is what it’s like to experience a ransomware attack, an especially damaging form of cybercrime that’s more prevalent today than ever before.
Ransomware attacks are to blame for a growing number of business disruptions and financial losses worldwide. According to the FBI’s Internet Crime Complaint Center (IC3), more than 2,000 business owners and government officials found themselves victimized by ransomware in 2019. Most likely, this number represents only the tip of the iceberg. Because many victims do not report cyber criminal attacks to law enforcement officials, the true figure is almost certainly much higher. One insurer disclosed that its clients had seen a 131 percent increase in ransomware attacks over the previous year, while a survey of managed service providers (MSPs) found that downtime caused by ransomware activity had increased by over 200 percent. Global ransomware costs are estimated to exceed $12 billion per year, with one business now being targeted every 11 seconds.
As is the case with many types of IT emergencies, the better prepared you are to face ransomware attacks, the less harm they can do to your business. Although today’s cybercriminals are shrewd, persistent, and increasingly sophisticated, organizations with well-tested backups and robust disaster recovery plans can avoid extended downtime or devastating data losses. What’s more, leaders who have engaged in advance planning will have a stronger sense of agency and control in times of crisis—and thus will experience less stress—than those who did not.
Being attacked by cybercriminals can be devastating, and ransomware victims must make a number of complex decisions in the immediate aftermath of the attack. It’s important to act rationally and with your business’s best interests in mind. It may be necessary to seek assistance from an IT professional with specific experience in ransomware recovery. This individual can counsel and guide you through the steps it will take to restore your IT systems to health and reduce your future risks.
Here are the three main steps to take in ransomware recovery.
#1: Without exception, turn everything off.
Power down all computers, servers, storage devices, and any other hardware that’s connected to the corporate network. Disconnect every device from the Internet and your internal network, including those that aren’t showing any signs of infection.
Keep in mind that some particularly aggressive strains of ransomware will attempt to establish a command and control (C&C) center within your IT environment. This is a computer or server that will appear to be uninfected, but will contain hidden malware that will report back to the criminals’ remote server, letting them spy on your remediation attempts.
#2: Identify the exact strain of ransomware that’s responsible for the attack.
Many thousands of different strains of ransomware are circulating today, and they employ different methods of encrypting data. Some will steal data before encrypting files. Others don’t encrypt data at all, but instead block users from logging into their own computers. Some will already have corrupted many devices across your network before they make their presence known, and some will specifically target backups or cloud storage.
It’s critical that you identify which type of malware you’re dealing with. You’ll need to know:
- what type of ransomware it is, and how it behaves.
- which cybercriminal group is responsible for the attack.
- where they are located.
- what their “track record” is like—i.e., it’s pointless to attempt to pay a ransom if the perpetrators have already exfiltrated your data or have a reputation for failing to restore victims’ files successfully.
If you don’t have one on staff, you’ll want to call in an information security professional with encyclopedic knowledge of today’s most prevalent ransomware strains. He or she will have the necessary expertise to be able to quickly identify which type of ransomware is responsible for the attack.
Do not attempt to restore from backups or reconnect to the Internet until you have an understanding of how the ransomware that’s involved typically works.
#3: To pay or not to pay? Take a deep breath and evaluate what’s at stake before making financial decisions.
We don’t usually advocate paying the ransom, but as long as it doesn’t put you at any additional risk, it’s probably worthwhile to find out what your attackers are asking for. Be sure to set up a separate, secure, anonymized email account that you’ll use only to communicate with the criminals. Never contact them from your own personal email address.
While it does serve the criminals’ business model to provide you with a working decryption key if you pay up, keep in mind that merely decrypting the data is no guarantee that it will again be useable. If file names and folder structures are altered, even completely unencrypted data may be of little value to your business.
Also consider whether or not the damages you’ve incurred will be covered by any insurance that you currently hold. In some cases, judges have ruled that the effects of cybercrime are to be considered property loss, and have required insurers to compensate for their costs. This is uncommon, however. If you have a specific cyber risk insurance policy, damages due to ransomware attacks are more likely to be covered. You may have to demonstrate that you’ve done due diligence to prevent cybercrime, though: insurers may want to see evidence that you’ve adhered to security best practices, that you’re in compliance with relevant regulatory standards, or that you’ve evaluated your defenses through penetration testing.
Although you’ll undoubtedly face pressure from employees across the business to get systems up and running again as soon as possible, you’ll need to be thoughtful and thorough as you evaluate options and decide on the best way to achieve this aim. If you didn’t pay the ransom, the cybercriminals responsible for the attack will keep your name on a blacklist, and you’re more likely to be targeted again. In fact, experiencing a repeat of the incident is almost inevitable if you haven’t remediated the vulnerability that was exploited in the original attack.
In cases where the attackers were successful because they took advantage of a vulnerability in outdated systems that can no longer be patched because the systems are no longer supported by their vendor, it may make sense to replace aging hardware and legacy software with entirely new systems. Hourly labor charges for professional ransomware remediation services can add up, so this is sometimes the fastest—and thus most cost-effective—option.
Ransomware attacks have the potential to devastate any small or mid-sized organization. If you find yourself in this situation, you’ll face a complex decision-making process involving multiple dynamics and variables. Having a trustworthy and experienced professional by your side to coach you through the steps and decisions involved in recovery can help your business get back on its feet as quickly as possible.
Want to learn more about accelerating your recovery from ransomware attacks and resolving similar issues faster? Read our new eBook, “The Definitive Guide to Recovering from IT System Outages” today.