How To Recover from a Ransomware Attack

Steps in a ransomware attack recovery include thorough forensic analysis, eradication of the infection, restoration of the network, and post-infection improvements.
Computer restoring from backup in ransomware attack

In a perfect world, all of the defenses you’ve put in place will successfully defend against a ransomware attack. Your employees won’t click on any malicious links, none of your credentials will be brute-forced, your RDP ports are secure, and you’ve implemented a zero-trust framework across your network. It is true that taking measures to prevent a ransomware attack will reduce your likelihood, however, there is still a chance that you’ll become a victim.

According to the FireEye Mandiant M-Trends 2021 report, the retail and hospitality industry was the second most targeted industry for cyber attacks in 2020. Post-pandemic, retail and hospitality companies remain a lucrative target, as their cyber teams work to protect the expanded attack surface created by digitalization and remote work. Therefore, having a comprehensive recovery plan in place is just as important as a prevention strategy in your ransomware resilience planning.

Here are some of the key steps to take for successful recovery from a ransomware attack.

Detection, Analysis, and Containment

You’ve confirmed that the detected threat is, in fact, ransomware. To understand how to recover, you have to understand the extent of the attack. The source of the infection should be located, and any known infected systems should be taken offline. If found early, it may be contained, particularly if you have network segmentation in place. However, it is also possible that the attacker has been taking their time, escalating their access, downloading data, and deleting backups, and your entire network and applications are compromised. Understanding the full extent of the attack and the access a threat actor has achieved is necessary to develop a comprehensive expulsion plan to remove the threat actor from the network.

If you have an in-house digital forensics team, they will step in and begin the process of locating the entry point of the infection, documenting the attack, and determining what assets have been affected. If you do not have these capabilities on staff, there are companies that you can reach out to for these services. The forensics team will begin to pull things like system logs, disk images, and backups of the infected files (if not also encrypted) to paint a complete picture of the attack so you can determine a course of action.

Evaluate Restoration Capabilities

Whether or not you pay the ransom will largely depend on how well you’ve backed up your data. True continuous data protection solutions will back up your data every single time a change is made, allowing for a complete recovery. This can be cost-prohibitive for small businesses and put a strain on your data resources, so your organization may instead have a near-continuous data protection system that will back up in intervals. As long as you have a reliable, continuous or almost continuous backup that is located separately from your compromised network, it is recommended that you not pay the ransom. According to the Sophos 2021 State of Ransomware Report, only 8% of organizations that paid got all of their data back. Paying the ransom will not guarantee recovery and will only add to the attack’s price tag, on top of the costs from business downtime and restoring your network functionality.

You may also consider an evaluation of the legal or ethical implications of paying the ransom. If the ransomware actor is attributed to a terrorist organization or is sanctioned by the government, payment could be legally problematic. Payment of the ransom supports attacks against victims in the future, such as your business partners; assess how much business will be disrupted by not paying the ransom. There are decryption tools available for some ransomware, but there is a good chance that you will not be able to decrypt your data, so restoring from a backup will likely be the best option.

Report the Attack

Even if you do not intend to pay the ransom, you should report the attack to your local law enforcement. If you’re in the United States, that can be your FBI field office. You can also report a ransomware attack through CISA’s website or the Internet Crime Complaint Center. It is likely you’re not the only victim. Reporting the attack helps paint an accurate picture of the scope of your attacker group’s activity and informs ransomware statistics as a whole. Contacting these organizations can also help you find the resources you need to properly recover from the attack and can help you determine how and if to engage with your attackers. These organizations will require specific information such as the type of ransomware, the ransom amount, and the impact of the attack.

Your business may have contractual obligations for reporting requirements with business partners. Ensure those in the business that manage supply chain and other related business operations are read-in.  Even without those obligations, sharing information such as IOC’s or TTP’s with business partners or peers in the industry can limit further disruptions to your business by preventing the spread of the attack to business partner networks.

Restore Your Networks

Your key stakeholders will be anxious to reduce downtime and get your systems back up and running as soon as possible. But before you do, you need to ensure that you are completely rid of the malware that caused the infection and that attackers do not have persistent access to the network. The worst possible outcome is to get back up and running only to have a repeat occurrence. Your eradication plan should address the root cause and search for any additional back door access the threat actor may have planted.

As part of your forensic evaluation, you should have identified when the infection occurred and what files it impacted. It is quite possible that the initial infection occurred weeks ago, and it has been slowly spreading to encrypt additional files as it escalated access. You need to restore from a trusted backup before the infection occurred to avoid reintroducing the malware into your system.

The problem that many organizations face is the choice between a complete restore from the backup before the malware, which may be old, resulting in loss of data, or restoring specific portions from their backup right before that portion of data was compromised. While this may result in less data loss, it is significantly more complicated.

Prevent a Recurrence

Once your systems are back up and running, you need to ensure that you’ve learned from the incident and prevent additional attacks. It is important during this process to strengthen your defenses and thoroughly test your security controls, test your processes, and continue searching for abnormal behavior. Your threat collections systems should be updated to account for the TTPs that were used and undetected in the attack. Perform a hotwash to identify ways to improve your incident detection and response plans.

Finally, join the ISAC for your sector. RH-ISAC provides retail and hospitality companies with resources for ransomware resilience, from threat intelligence that can prevent an attack to checklists and an incident response resource guide for ransomware recovery. Learn more about RH-ISAC membership.

Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.