Ransomware: Recovering after an attack

Ransomware attacks have existed for decades and their perpetrators keep advancing in their abilities. By evading detection, encrypting user files, and coercing unsuspecting victims into paying ransoms, ransomware attackers have threatened the survival of many businesses. The first half of 2022 recorded a total of 236.1 million ransomware attacks across the globe.

The most popular types of ransomware attacks are crypto and locker ransomware. The crypto ransomware encrypts a user's data making it inaccessible until the individual pays the ransom, usually in bitcoin. On the other hand, locker ransomware works by blocking the user's access to the computer system and will not give access until an amount is paid. Despite the security measures businesses put in place, ransomware threats are still on the increase which is why businesses must have a ransomware recovery plan to minimize catastrophic effects.

Developing your Ransomware Recovery Strategy

Prevention is better than cure. Hence, the most efficient ransomware recovery strategy is to protect systems from attacks. To do this, you need to prevent malware from being installed. That means, you should anticipate how it can find its way into your system and what data will be its primary target. Putting these measures in place will help you focus your protections where they should be and back up important data before an attack. It is easier to start with safeguarding your data and then develop a highly effective ransomware recovery strategy from there.

Some prevention strategies you can employ include:

1. Create an inventory for your data to determine how they should be stored. The categories can range from valuable to critical, private, etc. Once you’ve organized your data, you can determine how they’ll be protected and initiate a backup plan for the files.

2. Identify and categorize end-points or vulnerabilities. This helps you determine where a ransomware attack may come from. When you do, protect high-priority end-points first.

3. Create a ransomware data recovery plan for all your important assets and data. By placing priority first on critical assets or data, you should be able to either recover or rebuild all assets essentially from a master backup or image folder.

4. Save at least a copy of your data off-site or offline. Doing so will ensure that you can still restore your data after Ransomware encrypts on-site backup data. Also, you must secure the copied data the same way you would the original copy.

Recovery after an Attack

If you have already suffered a ransomware attack, all is not lost. There are some ways you can recover without paying your attacker. In this section, we will take a deep dive into tactics you can use to gain access to your files and system without paying a ransom.

Learn more below:

1. First, don’t pay the ransom. In the past, paying the ransom would have worked, but these cybercriminals have evolved, so you may pay and still not recover your encrypted files. And worse, paying makes you a prime target for a follow-up attack.

2. Disconnect the infected computer from the network and any other connected external storage device. Proceed to unplug the end-to-end cable and any external hard drives. Turn on the airplane mode for laptops, disconnect from WiFi, and turn off your computer.

3. Report the ransomware attack to law enforcement agencies like the local police department or the FBI's Internet Crime Complaint Center. These agencies may be able to assist, and your insurance carrier might require that you report such crimes. Reporting may help you catch the culprits; and if you paid the ransom, you may get it back.

4. Double-check all your computer servers connected to your network for any signs of encryption, like adjusted data files. And if you are still in doubt, disconnect the computers from your network and scan them with anti-ransomware solutions to clear out any ransomware. Don't connect the systems back just yet until you’re certain it’s all clear.

5. Don't try to recover the encrypted data from the affected system. Even if you can find a decryption package that can recover it, the malware will find a way to hide in your system. Instead, destroy the old hard disks and install new hard disks.

6. Restore your systems and data from off-site backup files. You would need to reinstall your applications if you didn't store a system image. Also, ensure you scan your backups because it's possible for some of the malware to impact your most recent backup files. If you find ransomware in your current backups, move to another earlier backup and scan that one. When you're sure the files are safe, restore the files using the earlier, uninfected backup. Remember to restore everything, not just data. Also, regain your connections that were part of your business transactions.

7. Check all your data to see if any of them became exfiltrated. Usually, the ransomware note will say your data has been exfiltrated and will be sold on the dark web, except you make an extra payment. To confirm this claim, check your firewall for any signs of data exfiltration, which typically looks like large file transfers sent to an unusual place. If data was indeed stolen, you'd have to note that in your data breach report. If you can find an address relating to the stolen data, you'll also need to provide that information to law enforcement.

8. Carry out an after-action study to determine how the ransomware breach happened so you can take better preventive measures in the future. Then, train your staff in cybersecurity best practices for your establishment. People often cause ransomware attacks when they open an infected email, visit an infected site, click a scam link, etc.

Ensure you triple-check to be sure your local and cloud backups are working perfectly before restoring your systems for those backups. Though there are recovery measures you can undertake to recover data, it is always better to have a plan to prevent the attack from happening in the first place. For the safety of your business, ensure you carry out all the necessary tests and drills to improve your cyber resilience and make your cyber defense systems strong enough to withstand any ransomware attacks in the future.

Image credit: AndreyPopov/depositphotos.com

Peter Davidson works as a senior business associate helping brands and start ups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on latest technologies and applications.