What are the steps to recover from a ransomware attack? (2024)


Powered by AI and the LinkedIn community

1. Isolate the infected devices
2. Identify the ransomware variant
3. Restore from backups
4. Report the incident
5. Strengthen your security
6. Here’s what else to consider

Ransomware is a type of malicious software that encrypts your files and demands a payment to restore access. It can cause significant damage to your data, reputation, and business operations. If you are a victim of a ransomware attack, you need to act quickly and follow these steps to recover from the incident.

Key takeaways from this article

  • Restore from backups:

    Having a robust backup strategy can be a lifesaver. If you're hit by ransomware, restore your files from backups that are regularly tested and kept isolated from your network to prevent contamination.

  • Asset inventory management:

    Knowing what assets you have and their data can guide your recovery plan. If an email started the issue, investigate related compromise indicators to trace and address the breach source.


1 Isolate the infected devices

The first step is to disconnect the affected devices from the network and the internet. This will prevent the ransomware from spreading to other systems and encrypting more files. You should also disable any remote access services, such as VPN, RDP, or SSH, that could allow the attackers to access your network. If possible, take a snapshot or an image of the infected devices for forensic analysis.


  • Joaquín Molina, Cybersecurity enthusiast

    Have the asset inventory available so you can design a logic for action. Discern which elements offer which information. Once we have the elements under control, we must form hypotheses based on the initial indicators. For example, if we detect that the start date of the ransomware coincides with the receipt of a suspicious email, the attack vector was probably email, and we must begin collecting the indicators of compromise related to that system.

  • (contributor not named)

    Isolation facilitates forensic analysis of the infected device. The ransomware, its behavior and entry points can be examined to strengthen network security and prevent future attacks. Although, isolation is just one step in the larger process of recovering from a ransomware attack. It’s crucial to have a comprehensive incident response plan in place. Additionally, regularly backing up data, educating users about cybersecurity best practices, and implementing robust security measures are essential steps to minimize the impact of ransomware attacks and maintain the integrity of the systems.

  • (contributor not named)

    In addition to isolating the device, it's important to understand what services were available to the affected users. Once the devices are isolated, it's important to perform post-infection remediation by validating that the cloud services they used weren't also compromised, and take steps to provision access to those services after closing open sessions and resetting passwords.

  • (contributor not named)

    Implement the isolation following your organization's incident response plan, document the isolation process, record which devices were isolated, the method used, and the timestamp, communicate with affected users, and explain the situation and the steps taken to contain the attack. Remember that speed is crucial; act quickly to isolate infected devices to minimize the attack's impact, and prioritize critical systems, focusing on isolating devices that hold critical data or support essential business functions.

  • E.J. Hilbert, Cyber Security, Compliance and Privacy Professional

    Recovering from ransomware begins before getting hit by ransomware. This means having immutable backups that can be used for restoration in 24-48 hours. You must have a recovery plan as if this is a system outage. Secondly, recovery means that YOU WILL LOSE DATA. Whether you recover from backup or you buy the decryption key, data will be lost. Understanding there will be a need to recreate or rebuild data is key. This is not an IT issue, this is a business unit issue, and there needs to be a process to identify what is missing, if it's important and how to recreate it. Lastly, don't freak out. It sucks, you have been attacked, and it happened because of a mistake. Systems go down. If you are prepared for system outages you can survive.


2 Identify the ransomware variant

The next step is to identify the type and version of the ransomware that infected your devices. This will help you determine if there is a known decryption tool or a flaw in the encryption algorithm that could allow you to recover your files without paying the ransom. You can use online tools, such as ID Ransomware or No More Ransom, to upload a sample of the encrypted file or the ransom note and get information about the ransomware variant.


  • Nkurunziza Gad, Cybersecurity Researcher

    To recover from a ransomware attack, isolate infected systems, identify the ransomware for potential decryption tools, report the incident to authorities, restore from clean backups, patch vulnerabilities, scan and clean systems, change passwords, and enhance overall security measures.

  • Manan Vora, Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO

    Identification of the ransomware variant is a key step after the infection. In most cases an organization can recover from the attack if a decryption tool is publicly available. This way an organization can save the ransom and get information about the ransomware variant.

  • (contributor not named)

    A non-technical route:

    • Check cyber news articles regularly: to identify if similar companies are getting attacked and how they are responding.
    • Take professional help rather than free online tools: uploading confidential data into free online tools is risky. It is better to discuss the ransomware scenario with dedicated organizations over an agreement to determine appropriate next steps.
    • Use government and legit organization websites to check: government and legit websites dedicate their work towards people's safety. Use resources such as NIST for vulnerability details, OWASP, SANS etc. for correct information. Do not use the first populated links of a browser as they are likely advertised and used for commercial purposes.

  • Gamal Helal Salama, Senior Security Architect || CCIE Security #67701 || ISC² ID: 1192359 || Cisco FireJumper Elite #181 || EC-Council Certified Ethical Hacker - CEH

    Identifying the ransomware variant is essential not only to get its decryption tool, but also to know the attack TTPs: Tactics, Techniques, Procedures. But what if this is a new variant? In such a case, drilling down into the analysis and reverse engineering process is essential to get more information about the adversary and the aims behind the attacks, and to help you note down countermeasures to avoid it in the future.

  • (contributor not named)

    Unlikely to find a decrypter, but it will help you learn more about the TTPs of the operators and look for any further compromise.


3 Restore from backups

The best way to recover from a ransomware attack is to restore your files from a recent and reliable backup. You should have a backup strategy that follows the 3-2-1 rule: have at least three copies of your data, on two different media, and one offsite. You should also test your backups regularly and ensure that they are not accessible from the network or the internet. Before restoring your files, you should scan them for malware and verify their integrity.
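As an added example (not part of the original article), the "verify their integrity" step can be made concrete with a sealed hash manifest: file hashes are recorded when the backup is taken and bound with an HMAC whose key stays with the offline copy, so a backup that has been overwritten, pruned, or had its manifest rewritten is refused before restore. The workflow, key handling and sample files are assumptions made for this demo.

```python
"""Verify a backup set against a keyed (HMAC) hash manifest before restoring it.

Assumed workflow (not from the article): the manifest is written when the
backup is taken and the HMAC key is stored with the isolated/offline copy,
so malware that reaches the backup share cannot re-seal a tampered listing.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative path, absolute path) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def _seal(files, key):
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Record the SHA-256 of every file under root and seal the listing."""
    files = {rel: _sha256_file(full) for rel, full in _walk(root)}
    return {"files": files, "mac": _seal(files, key)}


def verify_backup(root, manifest, key):
    """Compare the backup on disk with its sealed manifest.

    mac_ok is False when the manifest itself was altered; modified, missing and
    unexpected list the per-file findings. Restore only when clean is True.
    """
    expected = manifest["files"]
    mac_ok = hmac.compare_digest(_seal(expected, key), manifest["mac"])
    actual = {rel: _sha256_file(full) for rel, full in _walk(root)}
    modified = sorted(r for r in expected if r in actual and actual[r] != expected[r])
    missing = sorted(r for r in expected if r not in actual)
    unexpected = sorted(r for r in actual if r not in expected)
    clean = mac_ok and not (modified or missing or unexpected)
    return {"mac_ok": mac_ok, "modified": modified, "missing": missing,
            "unexpected": unexpected, "clean": clean}


def demo():
    """Constructed scenario: seal a small backup, then damage it the way an
    intruder on the backup share would (overwrite, delete, drop a file) and
    finally try to hide the damage with a re-hashed but unsealed manifest."""
    key = b"constructed-demo-key; real keys stay offline"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "ledger.csv"), "w") as f:
            f.write("2024-01-01,invoice,1200\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("quarterly backup\n")
        manifest = build_manifest(root, key)
        before = verify_backup(root, manifest, key)

        with open(os.path.join(root, "finance", "ledger.csv"), "wb") as f:
            f.write(b"\x00not the ledger any more\x00")
        os.remove(os.path.join(root, "readme.txt"))
        with open(os.path.join(root, "note.txt"), "w") as f:
            f.write("constructed placeholder for a dropped file\n")
        after = verify_backup(root, manifest, key)

        # Forged manifest: hashes rewritten to match the damaged files, but the
        # attacker has no key, so the old MAC no longer matches the listing.
        forged = {"files": {rel: _sha256_file(full) for rel, full in _walk(root)},
                  "mac": manifest["mac"]}
        forged_result = verify_backup(root, forged, key)
    return before, after, forged_result
```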


  • (contributor not named)

    In my experience, it is better to move on to cloud-based blob storage solutions to prevent data loss due to ransomware attacks. In a hypothetical scenario:

    1. Cloud storage provides object versioning. Use cloud blob storage with versioning enabled for continuous backups. AWS S3 is one example.
    2. Every machine with critical data has an agent to upload delta data to the secured S3 bucket where versioning is enabled.
    3. When the system is infected, anti-malware can provide the point in time when the infection started.
    4. Quarantine the system or build a new system and restore the last known S3 object version from before the system was impacted.

    This ensures the lowest mean time to recover with the least data loss during the incident.
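The point-in-time restore described in the contribution above, as an added example that is not the contributor's own code: given a versioned bucket listing and the infection start time from the anti-malware tooling, it picks the newest version of each object written before the incident and separates objects that were overwritten, deleted, dropped during the incident, or legitimately deleted earlier. The listing uses the field names of a boto3 list_object_versions response, but the data is constructed inline so it runs offline; the 30-minute safety margin is an assumption.

```python
"""Plan a point-in-time restore from a versioned object store once the
anti-malware tooling has given the time the infection started.

Added example, not the contributor's code. `listing` uses the field names of a
boto3 list_object_versions response (Versions / DeleteMarkers, each with Key,
VersionId and a timezone-aware LastModified); the data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def plan_point_in_time_restore(listing, infection_start, safety_margin=timedelta(minutes=30)):
    """Return, per key, what to restore, leave alone, quarantine, or keep deleted.

    The detection time is only a lower bound on when encryption began, so
    everything written after infection_start - safety_margin is untrusted.
    """
    cutoff = infection_start - safety_margin
    events = defaultdict(list)  # key -> [(when, version_id, is_delete_marker)]
    for v in listing.get("Versions", []):
        events[v["Key"]].append((v["LastModified"], v["VersionId"], False))
    for d in listing.get("DeleteMarkers", []):
        events[d["Key"]].append((d["LastModified"], d["VersionId"], True))

    plan = {"restore": [], "untouched": [], "quarantine": [], "deleted_before_cutoff": []}
    for key in sorted(events):
        history = sorted(events[key])
        before = [e for e in history if e[0] < cutoff]
        after = [e for e in history if e[0] >= cutoff]
        if not before:
            # Exists only because of activity during the incident (dropped
            # note, newly written encrypted copy): never restore, review it.
            plan["quarantine"].append(key)
        elif before[-1][2]:
            # Last trusted event is a delete marker: the file was gone before
            # the incident and should stay gone.
            plan["deleted_before_cutoff"].append(key)
        elif after:
            # Overwritten or deleted during the incident: bring back the
            # newest trusted version (its VersionId is what goes into the
            # CopySource of copy_object when applied against a real bucket).
            plan["restore"].append((key, before[-1][1]))
        else:
            plan["untouched"].append(key)
    return plan


def _t(month, day, hour, minute):
    return datetime(2024, month, day, hour, minute, tzinfo=timezone.utc)


def demo_plan():
    """Constructed listing; the AV reported the infection starting 2024-03-05 13:30Z."""
    listing = {
        "Versions": [
            {"Key": "finance/ledger.csv", "VersionId": "ledger-v1", "LastModified": _t(3, 1, 9, 0)},
            {"Key": "finance/ledger.csv", "VersionId": "ledger-v2", "LastModified": _t(3, 5, 14, 10)},
            {"Key": "docs/policy.docx", "VersionId": "policy-v1", "LastModified": _t(3, 2, 10, 0)},
            {"Key": "hr/roster.xlsx", "VersionId": "roster-v1", "LastModified": _t(3, 3, 11, 0)},
            {"Key": "notes.txt", "VersionId": "notes-v1", "LastModified": _t(3, 1, 8, 0)},
            {"Key": "notes.txt", "VersionId": "notes-v2", "LastModified": _t(3, 4, 16, 0)},
            {"Key": "archived/old.txt", "VersionId": "old-v1", "LastModified": _t(2, 20, 12, 0)},
            {"Key": "ransom_note.txt", "VersionId": "note-v1", "LastModified": _t(3, 5, 14, 15)},
        ],
        "DeleteMarkers": [
            {"Key": "hr/roster.xlsx", "VersionId": "roster-dm", "LastModified": _t(3, 5, 14, 12)},
            {"Key": "archived/old.txt", "VersionId": "old-dm", "LastModified": _t(3, 4, 9, 0)},
        ],
    }
    return plan_point_in_time_restore(listing, _t(3, 5, 13, 30))


if __name__ == "__main__":
    for action, items in demo_plan().items():
        print(action, items)
```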

  • (contributor not named)

    Be ready to have offline backups on hand and take those periodically. Make sure to have some backup systems air-gapped, as some threat actors will destroy backup solutions if they find them.

  • (contributor not named)

    Using a backup is the safest way, but you can also (in case no backups are available) try decrypting the infected files and folders using decrypters available on platforms like the NoMoreRansom.org project. (Important: make sure the source of the decrypter is a legit one, otherwise you risk being a victim of hackers twice, by downloading malware instead of a legit decrypter.)

  • Manan Vora, Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO

    The best way to recover from ransomware is to have immutable backups (backups which can't be tampered with). A backup policy should be in place where administrators are frequently testing the integrity of backups and ensuring that the latest data backup is available.

  • Jose Maria Alvarez Bujanda, Senior Security Specialist at Canada Life

    Identifying the ransomware variant requires analyzing characteristics and patterns in the encrypted files. Use online tools, examine the ransom message, and collaborate with security communities. Detailed understanding is crucial for effective strategies. Post-infection, recovery may be viable with public decryption tools, saving the ransom and obtaining valuable information.


4 Report the incident

The fourth step is to report the ransomware attack to the relevant authorities and stakeholders. You should contact your local law enforcement agency, your cybersecurity insurance provider, and your legal counsel for guidance and assistance. You should also inform your customers, partners, and employees about the incident and the potential impact on their data and privacy. You should document the details of the attack, such as the date, time, source, and ransom amount, for evidence and compliance purposes.


  • (contributor not named)

    Some important steps that get missed out:

    • Immediately engage a threat actor negotiation expert and a cyber forensics expert, if you can afford them and they are approved by your insurance company and on the regulators' approved list of providers.
    • Create a detailed response plan in consultation with management, external and internal experts, and the insurance company. This should include notification protocols and timelines.
    • Assess what data is encrypted or exfiltrated.
    • Assess risks to parties whose data is impacted and plan urgent notifications as necessary.
    • Plan to assess and fix vulnerabilities and loopholes.
    • Clean up devices that were potentially impacted.
    • Plan for data recovery whilst assessing infections.

  • Terrence Tatum, MS, CASP, Information Security Compliance Specialist @ SAP NS2 | Cloud GRC | CCM | Cloud Security | Cyber Defender guarding critical assets with dynamic solutions🔒

    Having a lessons learned section of reporting could be the difference between the incident reoccurring in the future or being mitigated. Post-incident activities should be detailed in the Lessons Learned. This ensures IR playbooks are updated based on the correct RCA and mitigation efforts.

  • Matheus Batista Pimentel, Information Security Officer | Microsoft Security Administrator | ITIL | DPO EXIN | APDADOS®

    Notifying the authorities is often a legal obligation, for example reporting a data breach incident that occurred in Brazil to the Associação Nacional de Privacidade de Dados (ANPD). By law, some information must be provided in the very first notification, such as the nature of the affected data, information about the affected persons, the measures being taken to minimize the impact, the risks the data subjects may face, among other information.

  • Giang T., Regional Information Security Officer | CISM | CRISC

    Reporting a ransomware attack promptly to authorities and stakeholders is vital for a comprehensive response. Initiating contact with local law enforcement, cybersecurity insurance providers, and legal counsel is crucial for guidance and potential assistance. Transparent communication with customers, partners, and employees is equally essential, detailing the incident and its potential impact on data and privacy. Documenting crucial details, including the attack's date, time, source, and ransom amount, serves both as evidence and aids in compliance with regulations. This proactive engagement ensures a collaborative approach to mitigating the consequences of the ransomware attack and reinforces trust among affected parties.

  • Juan Camilo Botonero Rodriguez, Cybersecurity and Cyberdefense Expert - C|CISO, CISSM, ECIH, CEH, ISO27001, ISO 27032, ITIL

    This step is extremely relevant since, if there is no community for the exchange of open information such as lessons learned, IOCs and attack vectors, it will be difficult to prevent infection by new malware in different organizations, which is why organizations must be transparent in communicating such information.


5 Strengthen your security

The final step is to improve your security posture and prevent future ransomware attacks. You should update your operating systems, applications, and antivirus software with the latest patches and signatures. You should also implement security best practices, such as using strong passwords, enabling multi-factor authentication, and restricting user privileges. You should also educate your staff about the risks and signs of ransomware and how to avoid phishing emails and malicious attachments.

Ransomware attacks are a serious threat to your information security and business continuity. By following these steps, you can recover from a ransomware attack and minimize the damage and disruption. However, prevention is always better than cure, so you should always backup your data and protect your network from malicious actors.


  • Jose Maria Alvarez Bujanda, Senior Security Specialist at Canada Life

    The last phase involves strengthening your security and preventing future ransomware attacks. Update systems, applications and antivirus, implement measures such as strong passwords and multi-factor authentication, and train staff on ransomware risks and warning signs. These attacks seriously threaten business security and continuity. Although recovery is possible, prevention is key: make backups and safeguard your network against malicious threats.

  • (contributor not named)

    You get back from a nice 2 weeks of PTO and the first message you receive is from an employee who says that one of the servers they run has a ransomware note on it. What do you do?

    It's very, very important, and I cannot stress this enough, that you DO NOT PANIC! Stay cool, calm, and collected. Go through your company's incident response plan and make sure you inform your leadership team. Do not leave any of your leadership team out of the conversation. They are all stakeholders and whether they want to know or not, they need to at least be informed.

    After following your company's incident response plan and making sure leadership is up to date, it is time to review your plan and make sure it is still up to par. If not, make the changes.

  • Timothy Poppleton, Project/ Change/ Infrastructure Management, PMO, Technical Author

    Strengthening your security to most people means having effective patch management, monitoring, backup, firewall and anti-virus protection. These are all important preventative measures. You should also use more proactive tools. For example, use tools that are stored on users' workstations. These could collect and report details on the impact of the security incident, as well as isolate the impacted workstation to contain the spread of the incident. Being already present on the workstation will speed up the investigation and so hopefully the resolution of the incident.

  • Sonam R.

    Strengthening the security is leveling up the game! Rightly said, “An ounce of prevention is worth a pound of cure”, so take correct measures to prevent against ransomware, including backups, updated software, installation of antivirus, and email protection.

  • Udochi O., Senior Service Engineer, Azure Edge + Platform | Technologist

    To strengthen your security means to have the most up-to-date patches and fixes for any vulnerabilities on your system. It’s very important to be proactive rather than reactive in these cases. Patching should be done on a consistent basis and should also consist of reboots and hardening of accounts.


6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?


  • Shyam Sundar Ramaswami (He/Him/Batman), Three-Time TEDx speaker | Cyber Security Architect, Research and Memory Forensics @ GE HealthCare | Author | International Cyber Security Speaker | Professor | Ex-Cisco | Digital Detective

    Ransomware attacks undoubtedly dent an organisation’s reputation, security posture and identity, which in turn creates strong turbulence in social media. Threat hunting plays a pivotal role in such cases. The constant lookout for mutated samples, means and modes of entry, coupled with employee awareness, will help you in protecting the organisation. However, doing the above alone is not a silver bullet for any organisation. The untangling of knowns and unknowns in a ransomware attack is a key phase. With the right set of hunting mechanisms and MITRE tricks you can spot the odd one out to minimise the blast radius. Coming out in public and reporting the attack is key. This helps in raising awareness of such attacks.

  • Pradeep Karasala (PK), Valuepreneur | Chief Solution Advisor @ GRCXperts | SecureB4

    Change passwords and other login information for any accounts or services that may have been compromised by the ransomware. Use strong and unique passwords and enable multi-factor authentication where possible.

  • Richard Waine, Head of SecOps at easyJet

    Responding to a ransomware attack starts way before the attack (ideally!). Build out your playbook, test it, test it again. Don't just do tabletop exercises, do drills to check Security Analysts know which tools to use and how to use them. Use your EDR to contain/isolate. Build a containment plan: how do you isolate a device? Network segment? Data centre? Work with other teams to plan who does what. Understand your critical systems, protect those so you know what you can sacrifice. Check your threat intel: who's most likely to target you? How would they do it (MITRE)? If the worst happens, make sure you can stand up a security incident response team, use your suppliers, get an IR contract. Report the threat to management so they're aware.

  • (contributor not named)

    There is a lot of valuable advice already, so my pinch of salt goes to not forgetting one really important thing NEXT: #RestoreConfidence. Seize momentum, build opportunity from chaos. In my opinion the 3 main points should be:

    1) Lessons learned. The organization needs someone good at fixing problems, not at finding culprits. Be humble, #communicate what happened, what's needed, what was learned. You can even #SellTheGoodStuff shown: commitment, sense of urgency, attitude...
    2) What are you going to do to prevent this from happening again. Remember it is NOT to create a to-do list, it's about the big picture.
    3) What will be different if it ever happens again.

    https://www.linkedin.com/pulse/tuve-ransomware-y-ahora-qu%C3%A9-alejandro-caro/

  • Deonel R., Chief Security Officer CSO | CISO

    It is important to define the current maturity level and the related response time, and which controls are in place for patch application and vulnerability handling; this must be taken very seriously, and requires the commitment of the Technology team together with the Security team for timely attention and response, which also applies to the other related controls. Being proactive is entirely valid, but this is something that can be achieved through a focus on compliance, event monitoring and hardening of the security tools (having them installed is not enough), and awareness focused on a cybersecurity culture.
