
30 May 2024

How to Recover From a Ransomware Attack

As ransomware remains a lucrative business for threat actors, many organisations will sooner or later face the task of recovering from an attack.

The best way to protect your business from ransomware is, of course, to plan and prepare in advance.

However, it's estimated that only around half of businesses globally have a disaster recovery plan, and even fewer test it regularly. In the UK, just 22% of businesses have a formal incident response plan in place.

So, if your business is among those caught out by attackers and restoring from a backup isn’t immediately an option, here are some processes your IT team can follow to aid long-term recovery as the dust settles.

Calmness Equals Clarity

It may seem like a simple point, but it’s worth reiterating: panic leads to mistakes, and during critical data loss incidents mistakes can have lasting negative effects. This is why it’s important to do all you can to remain calm and instil calmness and clarity among your teams after detecting ransomware, so that you’re making the right decisions at the right times.

Developing and testing a disaster recovery plan which factors in ransomware and other malware incidents can help your teams stay focused when the real thing occurs.

Isolate the Infection

The fewer systems that are infected, the faster your business can recover. As soon as a breach is detected, your team must take steps to isolate compromised devices to contain lateral spread. This may mean physically disconnecting them from the network (pulling the cable, disabling Wi-Fi or shutting the switch port), but leave the machines powered on: switching them off destroys running processes and memory that the investigation will need. Isolate your backup infrastructure at the same time, and pause scheduled backup jobs so that encrypted files don’t overwrite your last good copies.

Work to Identify the Source

Following an incident, your cyber security specialists or supplier should attempt to identify the ransomware variant. The ransom note, the extension added to encrypted files and a sample of the malware itself are usually enough to identify the family, and for some families there is a publicly available decryption tool that will let you restore access to data without paying. Researching the infection also tells your team how the variant spreads and what it targets, which shapes how you approach containment and recovery.

Consider Documentation and Evidence

Investigations into attacks, along with any insurance claim or law enforcement referral, may require as much evidence as possible. Don’t reboot or wipe infected machines until their disks have been imaged and, where possible, memory has been captured: rebooting destroys volatile evidence such as running processes, network connections and, for some ransomware families, the encryption keys still held in memory. Record a cryptographic hash of every image and note who collected it and when, so the evidence can be shown to be unaltered later. Preserved malware samples and ransom notes help identify the family and, potentially, the group behind the attack.
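The chain-of-custody record described above, as an added example that is not Macrium's code or part of the original post. It assumes the evidence (disk images, memory dumps, ransom notes) has already been copied to files; it hashes each one with SHA-256 in streaming chunks, writes a manifest of who collected what and when, and can later re-check that nothing has changed. The file names, case ID and collector name in `demo()` are constructed placeholders.

```python
"""Chain-of-custody manifest for ransomware evidence files.

Added example (not Macrium's code). Assumes evidence has already been
collected to files; records a SHA-256 per file so later tampering or a
corrupted copy is detectable.
"""
import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images don't need RAM


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector: str, case_id: str) -> dict:
    """Record who collected which artefacts, when, and their hashes."""
    items = []
    for p in map(Path, paths):
        st = p.stat()
        items.append({"path": str(p.resolve()), "size": st.st_size, "sha256": sha256_file(p)})
    return {
        "case_id": case_id,
        "collector": collector,
        "host": socket.gethostname(),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(manifest: dict) -> list:
    """Re-hash every artefact; return the paths whose size or hash changed."""
    changed = []
    for item in manifest["items"]:
        p = Path(item["path"])
        if not p.exists() or p.stat().st_size != item["size"] or sha256_file(p) != item["sha256"]:
            changed.append(item["path"])
    return changed


def demo() -> dict:
    """Constructed sample: two placeholder artefacts, one altered after collection."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp, "ws01-disk0.raw")            # constructed name, not a real image
        note = Path(tmp, "README_TO_DECRYPT.txt")    # constructed name, not a real note
        img.write_bytes(b"\x00" * 4096 + b"placeholder disk image contents" * 64)
        note.write_text("constructed ransom note placeholder\n")
        manifest = build_manifest([img, note], collector="ir-analyst", case_id="CASE-PLACEHOLDER")
        before = verify_manifest(manifest)
        # simulate someone editing the note after it was collected
        with note.open("a") as fh:
            fh.write("edited after collection\n")
        after = verify_manifest(manifest)
        return {"intact_before": before == [], "changed_after": [Path(x).name for x in after]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the infected hosts can't reach and sign or hash the manifest itself; the verify step is what lets you show an insurer or investigator that the images you hand over are the ones you took.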

Triage and Disinfect

Recovering from a ransomware attack relies on knowing what’s been affected and how extensively. You need a complete picture of any devices and networks impacted and how this has and could affect your operations.

Use this information to prioritise cleanup and recovery, focusing on high-impact systems first. Apply security updates and patches to all of your systems, and reset any credentials the attackers may have harvested, to reduce the risk of reinfection through the same route.

Restore from Backups

Once you’re confident that your systems are free of the malware and the attacker no longer has access, you can begin the process of recovery. First verify that your backups are intact: check that they were taken before the compromise, that they haven’t themselves been encrypted or tampered with, and that they restore cleanly into an isolated environment where they can be scanned before being reconnected to the network. Again, use your triage report to prioritise high-value systems for recovery first.
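One way to check a restored or mounted backup set for files that ransomware has already overwritten, as an added example that is not Macrium's code or part of the original post. It uses two heuristics: a file's leading bytes should match what its extension implies (a `.pdf` starts with `%PDF`, a `.docx` is a zip and starts with `PK`), and encrypted content has byte entropy close to 8 bits per byte, whereas documents, text and databases sit well below that. Archive and media formats are already compressed, so high entropy alone is not held against them. The entropy threshold is an assumption to tune on your own clean data, and the files built in `demo()` are constructed samples.

```python
"""Pre-restore check for encrypted or substituted files in a backup set.

Added example (not Macrium's code). Flags files whose header does not match
their extension, and files outside compressed formats whose entropy is near
that of ciphertext. Only the first 64 KiB of each file is read.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# file signatures ("magic numbers") for a few common formats
MAGIC = {
    ".pdf": [b"%PDF"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".zip": [b"PK\x03\x04"], ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"],
    ".gz": [b"\x1f\x8b"],
    ".exe": [b"MZ"], ".dll": [b"MZ"],
}
# formats whose legitimate content is already near-random
COMPRESSED = {".zip", ".docx", ".xlsx", ".pptx", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4"}
ENTROPY_LIMIT = 7.5   # bits per byte; an assumption, tune on your own clean data
SAMPLE = 64 * 1024    # bytes read from the start of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_bytes(name: str, head: bytes) -> list:
    """Return the reasons a file looks wrong; an empty list means no finding."""
    ext = Path(name).suffix.lower()
    reasons = []
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        reasons.append(f"header does not match {ext}")
    ent = shannon_entropy(head)
    if ext not in COMPRESSED and ent > ENTROPY_LIMIT:
        reasons.append(f"entropy {ent:.2f} bits/byte")
    return reasons


def scan_tree(root) -> dict:
    """Map POSIX-style relative path -> reasons, for every flagged file under root."""
    root = Path(root)
    findings = {}
    for p in root.rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                head = fh.read(SAMPLE)
            reasons = check_bytes(p.name, head)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict:
    """Constructed backup set: two clean files and two ransomware-style results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # clean PDF: correct header, low-entropy text body
        (root / "finance" / "q1-report.pdf").write_bytes(
            b"%PDF-1.4\n" + b"1 0 obj << /Type /Page >> endobj\n" * 200)
        # clean archive: correct header, high entropy is expected for .zip
        (root / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(8192))
        # encrypted in place: name kept, content replaced by ciphertext
        (root / "finance" / "payroll.pdf").write_bytes(os.urandom(16384))
        # encrypted and renamed with an added extension (constructed name)
        (root / "notes.txt.locked").write_bytes(os.urandom(16384))
        return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Run it against the mount point of a restored backup before you bring the data back into production. A clean backup should produce few or no findings; a burst of header mismatches under one directory tree usually marks where encryption had reached when the backup was taken, and tells you to fall back to an earlier copy.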

Check Your Reporting Obligations

Once you know which data has been encrypted, exposed or exfiltrated, you’ll need to consider your legal obligations. For instance, under UK GDPR a personal data breach that is likely to result in a risk to individuals must be reported to the Information Commissioner’s Office within 72 hours of your becoming aware of it, and the ICO treats loss of access to personal data, not only its theft, as a breach. Contractual obligations to customers, regulators and insurers may impose their own deadlines.

Evolve your Processes for Continuous Improvement

Threat actors never stop refining their techniques, nor should your business. Analyse how effective your disaster recovery was. Ask your IT team for their feedback on the following.

  • What worked well?
  • What didn’t work?
  • Which unexpected challenges did you encounter?
  • How will we address those challenges next time?
  • What do we need to do to improve our responses?
  • What tools or skills do we need to enhance?
  • How can we be more efficient and effective in our response?

Use these insights to refine your disaster recovery plans so you’re as prepared as you possibly can be for future ransomware attacks. This will also help you to allocate your IT security budget for best effect in the coming years.

Preparation is Better than Cleanup

In the last year, 59% of businesses experienced a ransomware attack, and ransomware bills rose fivefold over the same period.

With a threat of this magnitude looming, it couldn’t be more important for your business to have safeguards in place and to know precisely what it needs to do to recover from a ransomware attack.

Most importantly, having verified and tested backups gives you options, even in the middle of the most serious ransomware attack.

Gain Advice on Protecting Your Backups from Ransomware

To find out more about mitigating ransomware threats, watch our on-demand webinar for practical guidance on keeping your backups safe from ransomware.

