Ransomware Recovery: What You Need to Know

Did you know that only 65% of data is recovered during a ransomware attack according to Sophos’ State of Ransomware study? Today, we’re going to take a deep dive into some of the most commonly asked questions about recovering from ransomware and things that everyone should know before they are hit by it.

What is ransomware recovery?

Ransomware data recovery is the process followed to bring IT systems back online after a ransomware attack. Recovery can be simple: it can follow many of the disaster recovery processes you already have today, provided your disaster recovery plans are well documented and thoroughly (and recently) tested.

In the data protection space there is a huge focus on recovery, especially recovering encrypted VMs from backup. While this is a big part of ransomware recovery, there are also wider impacts to the rest of your IT environment.

Forensic analysis is conducted as part of the cybersecurity incident response to determine how the ransomware got into the environment and what systems it has infected. At this point, steps can be then taken to eradicate the ransomware, remove the vulnerabilities that allowed the attackers in, and restore impacted systems.

Can ransomware be removed?

During the cybersecurity incident response process, steps will be taken to evaluate how the ransomware got into the environment and how systems have been impacted, beyond just the encryption of data.

While the ransomware software itself must be removed from encrypted machines, steps must also be taken to determine how the attackers got in and to mitigate those attack vectors. After a ransomware event, make sure your antimalware systems have the proper definitions to detect the ransomware variant you were impacted by.

Can systems impacted by ransomware be recovered?

The most pressing question from most IT organizations these days is, “Can I recover from ransomware?” Recovery is almost always possible. Unfortunately, many organizations don’t feel confident in the recovery process, which is why it’s important to take the steps to ensure your environment can recover from ransomware.

The first thing to do to protect your data from ransomware is to ensure you have a recent, successful backup. This backup becomes critical after machines have been encrypted. After encryption, you will need to restore to a previous backup.

Depending on how long the ransomware sat idle on your system, you will also want to scan the restored system to ensure you are not introducing the threat back into the environment.

What does recovery after a ransomware attack look like?

One of the most confusing aspects of ransomware is often what happens after an attack occurs. The first step is engaging your IT security team so they can begin their incident response process. This process can be a bit different from what most backup administrators are used to when it comes to restoring data.

Before you can recover from ransomware, there are a number of phases of the incident response plan that must be completed, such as Detection & Analysis, Containment, and then Eradication & Recovery. The HOW of ransomware recovery will depend on what is determined during the Detection & Analysis phase, so it is important to have multiple recovery strategies in place, and thoroughly tested.

Not familiar with cybersecurity incident response? Be sure to take a look at the Cybersecurity Incident & Vulnerability Response playbooks recently published by CISA.

What are the different types of ransomware attacks?

There are several different types of ransomware attacks, with the most classic one being data encryption. There are also double and triple extortion attacks. A double extortion attack is where ransomware not only encrypts your data but also steals it. A triple extortion attack starts the same way, with machines encrypted and data stolen, but the malicious actors go a step further and look for data about an organization’s customers and suppliers, so they can then target them as well.

Does ransomware steal data?

The ransomware attack we often think about is data encryption. Another increasingly common type of ransomware attack is exfiltration. This is when the malicious actors in your environment steal data from you and threaten to release it unless you pay the ransom.

How does ransomware spread?

Ransomware can spread in many different ways. One of the most common ways ransomware spreads is through phishing e-mails. Once an attacker is inside your environment, the possibilities become limitless. Remember, a point of entry is the only thing an attacker needs to bring your environment to a grinding halt.

What is the best solution to protect your important files from a ransomware attack?

While many want to protect against ransomware, the truth of the matter is that you should expect to be impacted by it. There are a number of ransomware groups out there that are constantly searching for new ways to exploit environments to get in and deploy their ransomware. While a rock-solid IT security strategy can go a long way in protecting against ransomware, nothing can 100% prevent it from happening.

The best solution is a solid backup strategy, including immutable backups, so that your backups cannot be encrypted or deleted by malicious actors.

How many types of ransomware are there?

There are many different types of ransomware out there, and new types are emerging all the time. Some of the most popular types of ransomware in the news have been REvil, Conti, and DarkSide.

One thing to know about these different types of ransomware is that they operate just like any other IT organization. They have their own developers and are constantly refining their ransomware to be more dangerous to IT systems.

How long does it take to recover from ransomware?

When it comes to recovering from ransomware, there are many horror stories out there about how long it takes to recover (if organizations can recover at all). Regularly, you hear stories about it taking weeks and months to recover, but this just shouldn’t be the case.

Ransomware recovery is something that needs to be tested on a regular basis, just like a disaster recovery plan. In fact, your disaster recovery plan is a great place to start when it comes to recovering from ransomware, as long as it’s up to date and thoroughly tested.

After you’ve been testing your recovery, you can take steps to make it faster based on your business requirements, such as deploying additional infrastructure in your environment.

Ransomware recovery does not need to take an extended period of time, but testing your recovery processes is critical to meeting your RTO.

How long does ransomware encryption take?

Ransomware encryption speeds depend on the ransomware that has struck your environment. Remember, ransomware groups are constantly improving their software, trying to make things happen as fast as possible to cause as much damage before IT teams realize what is happening.

For example, REvil ransomware uses multithreaded processes to consume all of the target’s resources and encrypt it as quickly as possible.

Can you decrypt ransomware?

While ransomware groups say they can decrypt the attacked data if you pay the ransom, the fact of the matter is that not all data is successfully decrypted. What’s more troubling is the integrity of the data after it has been decrypted: there is none. Even if you decrypt a server after a ransomware attack, it still needs to be restored from backup.

Will reinstalling Windows remove ransomware?

Simply reinstalling Windows on an infected machine will not remove ransomware. Completely wiping a machine and reinstalling Windows will ensure the system no longer has ransomware on it, but you will lose all of your data if it was not backed up properly first.

Does ransomware steal personal data?

Ransomware attackers learn to spot vulnerabilities in an environment. This allows them to target the most impactful data they can find in an environment. Think things like personal data about employees and customers, financial information, and proprietary information. Remember, a ransomware group will do everything possible to make sure you pay the ransom.

When it comes to ransomware recovery, there are many things to think about. The most important thing is to make sure you are taking the steps to protect your environment today. This includes not only hardening your environment so the attackers can’t find a way in, but also cybersecurity user awareness training to make sure employees aren’t clicking suspicious links to let them in easily.

At the end of the day, the last line of defense is secure backups. In addition to having immutable backups that ransomware cannot encrypt or delete, it is important to test recovery. Testing recovery allows you to not only verify that your backups are working, but also that you can meet your RTOs in the case of an attack.
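Testing recovery means checking two things at once: that the restored data is actually intact (not a copy that came back partly encrypted or with stray ransomware artefacts, as warned above about re-introducing the threat) and that the restore finished within the RTO. The following Python restore-drill check is an added example, not code from this post or from Veeam; it assumes a hypothetical file manifest captured at backup time, constructed sample files, and a 60-second RTO.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# Constructed sample dataset standing in for the protected workload.
GOOD_FILES = {"docs/report.txt": b"Q3 figures\n", "db/customers.csv": b"id,name\n1,Alice\n"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root (captured at backup time)."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the backup-time manifest."""
    restored = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(restored)),      # files the restore did not bring back
        "mismatched": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),   # e.g. *.locked artefacts left by ransomware
    }

def run_drill(restore_fn, manifest: dict, rto_seconds: float) -> dict:
    """Time the restore, then verify integrity; both must pass for the drill to succeed."""
    start = time.monotonic()
    root = restore_fn()
    result = verify_restore(root, manifest)
    result["elapsed"] = time.monotonic() - start
    result["rto_met"] = result["elapsed"] <= rto_seconds
    result["clean"] = not (result["missing"] or result["mismatched"] or result["unexpected"])
    return result

def write_tree(root: Path, files: dict) -> Path:
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

def demo_drill(tampered: bool) -> dict:
    """Constructed scenario: a clean restore, or one where the CSV came back encrypted."""
    manifest = build_manifest(write_tree(Path(tempfile.mkdtemp()), GOOD_FILES))
    files = dict(GOOD_FILES)
    if tampered:
        files.pop("db/customers.csv")
        files["db/customers.csv.locked"] = b"\x9f\x1c constructed ciphertext"
    return run_drill(lambda: write_tree(Path(tempfile.mkdtemp()), files), manifest, rto_seconds=60)
```

In a real drill, `restore_fn` would trigger the restore job and return the mount point, and the manifest would be generated by the backup job rather than built inline.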

To learn more about how to protect your data from ransomware, be sure to take a look at Veeam’s ransomware prevention kit to get started today.
