How to Recover From a Ransomware Attack
As ransomware continues to be an attractive means of moneymaking for threat actors, many businesses today will be facing the task of recovering following an attack.
The best way to protect your business from ransomware is, of course, to plan and prepare in advance.
However, it's estimated that only around half of businesses globally have a disaster recovery plan, with even fewer testing it on a regular basis. And in the UK, just 22% of businesses have a formal incident response plan in place.
So, if your business is among those caught out by attackers and restoring from a backup isn’t an option, here are some processes your IT team can follow to aid long-term recovery as the dust settles.
Calmness Equals Clarity
It may seem like a simple point, but it's worth reiterating: panic leads to mistakes. And during critical data loss incidents, mistakes can have lasting negative effects. This is why it's important to do all you can to remain calm and instil calmness and clarity among your teams after detecting ransomware, so that you're making the right decisions at the right times.
Developing and testing a disaster recovery plan which factors in ransomware and other malware incidents can help your teams stay focused when the real thing occurs.
Isolate the Infection
The fewer systems that are infected, the faster your business can recover. As soon as a breach is detected, your team must take steps to isolate compromised devices. This may mean physically disconnecting them from the network to contain the spread of the infection.
Work to Identify the Source
Following an incident, your cyber security specialists or supplier should attempt to identify the ransomware variant. There may already be a publicly available decryption key that will allow you to restore access to data. Researching the infection allows your team to better understand what they are dealing with and how best to approach the situation.
Consider Documentation and Evidence
Investigations into attacks require as much evidence as possible. Don't reboot infected machines until they've been properly imaged and copied, so that virus signatures and other forensic pointers are preserved. Preserving virus signatures could help identify the perpetrators.
Triage and Disinfect
Recovering from a ransomware attack relies on knowing what’s been affected and how extensively. You need a complete picture of any devices and networks impacted and how this has and could affect your operations.
Use this information to prioritise cleanup and recovery, focusing on high-impact systems first. Don’t forget to apply security updates and patches to all of your systems to reduce the risk of secondary infections.
Restore from Backups
Once you’re confident that your system is free from the virus, you can begin the process of recovery. Just make sure that you have fully tested your backups to confirm they’re not also infected. Again, use your triage report to prioritise high-value systems for recovery first.
Check Your Reporting Obligations
Once you know which data has been infected, affected or exposed, you’ll need to consider your legal obligations. For instance, in the UK if personal data has been exposed or exfiltrated, you have 72 hours to report the incident to the Information Commissioner’s Office.
Evolve your Processes for Continuous Improvement
Threat actors never stop refining their techniques, and nor should your business. Analyse how effective your disaster recovery was. Ask your IT team for their feedback on the following questions:
- What worked well?
- What didn’t work?
- Which unexpected challenges did you encounter?
- How will we address those challenges next time?
- What do we need to do to improve our responses?
- What tools or skills do we need to enhance?
- How can we be more efficient and effective in our response?
Use these insights to refine your disaster recovery plans so you’re as prepared as you possibly can be for future ransomware attacks. This will also help you to allocate your IT security budget for best effect in the coming years.
Preparation is Better than Cleanup
In the last year, 59% of businesses experienced a ransomware attack, representing a fivefold increase in ransomware bills in the same period.
With a threat of this magnitude looming, it couldn’t be more important for your business to have safeguards in place and to know precisely what it needs to do to recover from a ransomware attack.
Most importantly, having verified and tested backups gives you options, even in the middle of the most serious ransomware attack.
Gain Advice on Protecting Your Backups from Ransomware
To find out more about mitigating ransomware threats, watch our on-demand webinar for practical guidance on keeping your backups safe from ransomware.