Powered by AI and the LinkedIn community
Ransomware is a type of malicious software that encrypts your files and demands a payment to restore access. It can cause significant damage to your data, reputation, and business operations. If you are a victim of a ransomware attack, you need to act quickly and follow these steps to recover from the incident.
Key takeaways from this article
- Restore from backups: Having a robust backup strategy can be a lifesaver. If you're hit by ransomware, restore your files from backups that are regularly tested and kept isolated from your network to prevent contamination.
- Asset inventory management: Knowing what assets you have and their data can guide your recovery plan. If an email started the issue, investigate related compromise indicators to trace and address the breach source.
This summary is powered by AI and these experts
- Nkurunziza Gad, Cybersecurity Researcher
- Joaquín Molina, Cybersecurity enthusiast
1 Isolate the infected devices
The first step is to disconnect the affected devices from the network and the internet. This will prevent the ransomware from spreading to other systems and encrypting more files. You should also disable any remote access services, such as VPN, RDP, or SSH, that could allow the attackers to access your network. If possible, take a snapshot or an image of the infected devices for forensic analysis.
- Joaquín Molina, Cybersecurity enthusiast
Have the asset inventory available in order to design a logic for action. Distinguish which elements provide which information. Once we have the elements under control, we must form hypotheses based on the initial indicators. For example, if we detect that the start date of the ransomware matches the receipt of a suspicious email, the attack vector was probably the email, and we must begin collecting the indicators of compromise related to that system.
Isolation facilitates forensic analysis of the infected device. The ransomware, its behavior and entry points can be examined to strengthen network security and prevent future attacks. Isolation, though, is just one step in the larger process of recovering from a ransomware attack. It's crucial to have a comprehensive incident response plan in place. Additionally, regularly backing up data, educating users about cybersecurity best practices, and implementing robust security measures are essential steps to minimize the impact of ransomware attacks and maintain the integrity of the systems.
In addition to isolating the device, it's important to understand what services were available to the affected users. Once the devices are isolated, it's important to perform post-infection remediation by validating that the cloud services they used weren't also compromised, and take steps to provision access to those services after closing open sessions and resetting passwords.
Implement the isolation following your organization's incident response plan, document the isolation process, record which devices were isolated, the method used, and the timestamp, communicate with affected users, and explain the situation and the steps taken to contain the attack. Remember that speed is crucial; act quickly to isolate infected devices to minimize the attack's impact, and prioritize critical systems, focusing on isolating devices that hold critical data or support essential business functions.
- E.J. Hilbert Cyber Security, Compliance and Privacy Professional
Recovering from ransomware begins before getting hit by ransomware. This means having immutable backups that can be used for restoration in 24-48 hours. You must have a recovery plan as if this is a system outage. Secondly, recovery means that YOU WILL LOSE DATA. Whether you recover from backup or you buy the decryption key, data will be lost. Understanding there will be a need to recreate or rebuild data is key. This is not an IT issue, this is a business unit issue, and there needs to be a process to identify what is missing, if it's important and how to recreate it. Lastly, don't freak out. It sucks, you have been attacked, and it happened because of a mistake. Systems go down. If you are prepared for system outages you can survive.
2 Identify the ransomware variant
The next step is to identify the type and version of the ransomware that infected your devices. This will help you determine if there is a known decryption tool or a flaw in the encryption algorithm that could allow you to recover your files without paying the ransom. You can use online tools, such as ID Ransomware or No More Ransom, to upload a sample of the encrypted file or the ransom note and get information about the ransomware variant.
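Before consulting an identification service, a responder collects the observable facts: the extension appended to encrypted files, the file name of the ransom note, and which files are actually encrypted rather than merely renamed. The Python script below is an added example written for this page (not code from the article, from ID Ransomware, or from No More Ransom) that gathers those facts from a directory tree. The note-name keyword list, the 7.5 bits-per-byte entropy threshold and the sample files are constructed assumptions; the script builds its own sample tree in a temporary directory so it runs offline.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics assumed for this example (not a definitive list): ransom notes are
# usually small text files whose names advertise recovery or decryption instructions.
NOTE_KEYWORDS = ("readme", "restore", "decrypt", "recover", "how_to", "help")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
HIGH_ENTROPY = 7.5      # bits per byte; encrypted data approaches 8.0, plain text sits near 4-5
MAX_SAMPLE = 65536      # read at most this many bytes per file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root: Path) -> dict:
    """Collect what an identification service asks for: appended extensions seen on
    encrypted files, ransom-note candidates, and which files look encrypted or intact."""
    extensions: Counter = Counter()
    notes, encrypted, intact = [], [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = path.name.lower()
        if path.suffix.lower() in NOTE_SUFFIXES and any(k in name for k in NOTE_KEYWORDS):
            notes.append(path.name)
            continue
        with path.open("rb") as fh:
            sample = fh.read(MAX_SAMPLE)
        if shannon_entropy(sample) >= HIGH_ENTROPY:
            encrypted.append(path.name)
            extensions[path.suffix.lower()] += 1
        else:
            intact.append(path.name)
    return {"extensions": dict(extensions), "notes": notes,
            "encrypted": encrypted, "intact": intact}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one intact document, two 'encrypted' files carrying an
    appended extension, and a note. Seeded random bytes stand in for ciphertext."""
    rng = random.Random(1234)
    (root / "quarterly.docx.locked").write_bytes(rng.randbytes(4096))
    (root / "photo.jpg.locked").write_bytes(rng.randbytes(4096))
    (root / "notes.txt").write_text("Meeting notes: patch cadence, backup tests.\n" * 50)
    (root / "README_RESTORE_FILES.txt").write_text(
        "Your files are encrypted. (constructed sample note, no real content)\n")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_directory(root)


if __name__ == "__main__":
    report = run_demo()
    print("extensions on encrypted files:", report["extensions"])
    print("ransom-note candidates:", report["notes"])
    print("encrypted:", report["encrypted"])
    print("intact:", report["intact"])
```

Entropy alone misclassifies already-compressed formats (JPEG, ZIP, modern office documents) as encrypted, so treat the high-entropy list as a lead to confirm against the appended extension and a hash comparison with a known-good backup, not as proof. The note candidate and the extension are the two artifacts the identification services named above ask for, and neither requires uploading the contents of business documents.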
- Nkurunziza Gad Cybersecurity Researcher
To recover from a ransomware attack, isolate infected systems, identify the ransomware for potential decryption tools, report the incident to authorities, restore from clean backups, patch vulnerabilities, scan and clean systems, change passwords, and enhance overall security measures.
- Manan Vora Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO
Identification of the ransomware variant is a key step after the infection. In most cases an organization can recover from the attack if a decryption tool is publicly available. This way an organization can save the ransom and get information about the ransomware variant.
A non-technical route:
- Check cyber news articles regularly: to identify if similar companies are getting attacked and how they are responding.
- Take professional help rather than free online tools: uploading confidential data into free online tools is risky. It is better to discuss the ransomware scenario with dedicated organizations under an agreement to determine appropriate next steps.
- Use government and legitimate organization websites to check: government and legitimate websites dedicate their work to people's safety. Use resources such as NIST for vulnerability details, OWASP, SANS etc. for correct information. Do not use the first populated links of a browser as they are likely advertised and used for commercial purposes.
- Gamal Helal Salama Senior Security Architect || CCIE Security #67701 || ISC² ID: 1192359 || Cisco FireJumper Elite #181 || EC-Council Certified Ethical Hacker - CEH
Identifying the ransomware variant is essential not only to get its decryption tool, but also to know the attack TTPs (Tactics, Techniques, Procedures). But what if this is a new variant? In such a case, drilling down into the analysis and reverse engineering process is essential to get more information about the adversary and the aims behind the attacks, and to support you in noting down countermeasures to avoid it in the future.
Unlikely to find a decrypter but it will help you learn more about the TTPs of the operators and look for any further compromise.
3 Restore from backups
The best way to recover from a ransomware attack is to restore your files from a recent and reliable backup. You should have a backup strategy that follows the 3-2-1 rule: have at least three copies of your data, on two different media, and one offsite. You should also test your backups regularly and ensure that they are not accessible from the network or the internet. Before restoring your files, you should scan them for malware and verify their integrity.
In my experience, it is better to move on to cloud-based blob storage solutions to prevent data loss due to ransomware attacks. In a hypothetical scenario:
1. Cloud storage provides object versioning. Use cloud blob storage with versioning enabled for continuous backups. AWS S3 is one example.
2. Every machine with critical data has an agent to upload delta data to the secured S3 bucket where versioning is enabled.
3. When the system is infected, anti-malware can provide the point in time when the infection started.
4. Quarantine the system or build a new system and restore the last known S3 object version before the system was impacted.
This ensures the least MTTR (mean time to recover) with the least data loss during the incident.
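The restore step above says to verify backup integrity before restoring, and the contribution just above describes keeping continuous backups in a versioning-enabled object store and rolling back to the last version written before the infection. The Python below is an added example (not code from the article, from the contributor, or from AWS) that puts the two together: an in-memory stand-in for a versioned bucket, a per-version SHA-256 manifest assumed to be kept with an offline copy, and a restore planner that picks the newest pre-infection version and skips anything whose hash no longer matches the manifest. Object keys, timestamps and contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Version:
    """One immutable copy of an object, as a versioning-enabled bucket keeps it."""
    written_at: datetime
    data: bytes


@dataclass
class VersionedStore:
    """Constructed in-memory stand-in for an object store with versioning enabled
    (the contribution names AWS S3). Writes append a version and never overwrite,
    so a pre-infection copy survives a later upload of the encrypted file."""
    objects: Dict[str, List[Version]] = field(default_factory=dict)

    def put(self, key: str, data: bytes, written_at: datetime) -> Version:
        version = Version(written_at, data)
        self.objects.setdefault(key, []).append(version)
        return version


# Manifest assumed to be written at backup time and kept with the offline copy:
# (object key, version timestamp) -> SHA-256 of that version's content.
Manifest = Dict[Tuple[str, datetime], str]


def select_restore_point(versions: List[Version], infection_start: datetime) -> Optional[Version]:
    """Newest version written strictly before the infection began, or None when every
    version post-dates it (then only an older backup medium can help)."""
    earlier = [v for v in versions if v.written_at < infection_start]
    return max(earlier, key=lambda v: v.written_at) if earlier else None


def plan_restore(store: VersionedStore, manifest: Manifest,
                 infection_start: datetime) -> Dict[str, Tuple[str, str]]:
    """Decide per object: ('restore', timestamp) or ('skip', reason). A copy is only
    restored when its recomputed hash matches the manifest, so a tampered or
    corrupted backup is never written back into the clean environment."""
    plan: Dict[str, Tuple[str, str]] = {}
    for key, versions in store.objects.items():
        chosen = select_restore_point(versions, infection_start)
        if chosen is None:
            plan[key] = ("skip", "no version predates the infection")
            continue
        expected = manifest.get((key, chosen.written_at))
        if expected is None:
            plan[key] = ("skip", "version missing from backup manifest")
        elif sha256_hex(chosen.data) != expected:
            plan[key] = ("skip", "hash mismatch: backup copy tampered or corrupted")
        else:
            plan[key] = ("restore", chosen.written_at.isoformat())
    return plan


def build_scenario() -> Tuple[VersionedStore, Manifest, datetime]:
    """Constructed timeline: nightly uploads on three days; the ransomware starts at
    10:45 on day 3 and the backup agent then uploads an encrypted copy of the ledger."""
    def t(day: int, hh: int, mm: int) -> datetime:
        return datetime(2024, 3, day, hh, mm, tzinfo=timezone.utc)

    store, manifest = VersionedStore(), {}
    for day, body in ((1, b"ledger day1"), (2, b"ledger day2")):
        v = store.put("finance/ledger.csv", body, t(day, 9, 0))
        manifest[("finance/ledger.csv", v.written_at)] = sha256_hex(body)
    store.put("finance/ledger.csv", b"\x8f\x11..encrypted..", t(3, 11, 30))  # post-infection upload
    # Runbook: the manifest was computed from the genuine content, but the stored bytes differ.
    v = store.put("ops/runbook.md", b"runbook CORRUPTED", t(1, 9, 0))
    manifest[("ops/runbook.md", v.written_at)] = sha256_hex(b"runbook original")
    # Policy document first backed up only after the infection began.
    store.put("hr/policy.docx", b"policy", t(3, 12, 0))
    return store, manifest, t(3, 10, 45)


if __name__ == "__main__":
    store, manifest, infection_start = build_scenario()
    for key, (action, detail) in plan_restore(store, manifest, infection_start).items():
        print(f"{key}: {action} ({detail})")
```

The infection start time is the only input that comes from the investigation (the contributor suggests the anti-malware timestamp). Selecting the newest version strictly before it means a file first backed up after that point is deliberately not restored from this store, and the manifest check turns a silently altered backup into a documented skip instead of a re-infected host.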
Be ready to have offline backups on hand and take those periodically. Make sure to have some backup systems air-gapped, as some threat actors will destroy backup solutions if they find them.
Using a backup is the safest way, but you can also, in case no backups are available, try decrypting the infected files and folders using decrypters available on platforms like the NoMoreRansom.org project. (Important: make sure the source of the decrypter is a legitimate one, otherwise you risk being a victim of hackers twice, by downloading malware instead of a legitimate decrypter.)
- Manan Vora Leading Security Architecture and Engineering in Tredence, MSc IT, CISSP, CISM, Security+, API Security Architect, Azure 2x, Forcepoint 3x, Fortinet 3x, PCI DSSv4.0 Implementor, ISO/IEC 27001:2022 LA, CCIO
The best way to recover from ransomware is to have immutable backups (backups which can't be tampered with). A backup policy should be in place where administrators are frequently testing the integrity of backups and ensuring that the latest data backup is available.
- Jose Maria Alvarez Bujanda Senior Security Specialist at Canada Life
Identifying the ransomware variant requires analyzing characteristics and patterns in the encrypted files. Use online tools, examine the ransom note, and collaborate with security communities. A detailed understanding is crucial for effective strategies. Post-infection, recovery may be feasible with public decryption tools, saving the ransom and obtaining valuable information.
4 Report the incident
The fourth step is to report the ransomware attack to the relevant authorities and stakeholders. You should contact your local law enforcement agency, your cybersecurity insurance provider, and your legal counsel for guidance and assistance. You should also inform your customers, partners, and employees about the incident and the potential impact on their data and privacy. You should document the details of the attack, such as the date, time, source, and ransom amount, for evidence and compliance purposes.
Some important steps that get missed out:
- Immediately engage a threat actor negotiation expert and a cyber forensics expert if you can afford them and who are approved by your insurance company and on the approved list of providers by regulators.
- Create a detailed response plan in consultation with management, external and internal experts, and the insurance company. This should include notification protocols and timelines.
- Assess what data is encrypted or exfiltrated.
- Assess risks to parties whose data is impacted and plan urgent notifications as necessary.
- Plan to assess and fix vulnerabilities and loopholes.
- Clean up devices that were potentially impacted.
- Plan for data recovery whilst assessing infections.
- Terrence Tatum, MS, CASP Information Security Compliance Specialist @ SAP NS2 | Cloud GRC | CCM | Cloud Security | Cyber Defender guarding critical assets with dynamic solutions🔒
Having a lessons learned section of reporting could be the difference between the incident reoccurring in the future or being mitigated. Post-incident activities should be detailed in the Lessons Learned. This ensures IR playbooks are updated based on the correct RCA and mitigation efforts.
- Matheus Batista Pimentel Information Security Officer | Microsoft Security Administrator | ITIL | DPO EXIN | APDADOS®
Notifying the authorities is often a legal obligation, for example reporting a data breach incident that occurred in Brazil to the Associação Nacional de Privacidade de Dados (ANPD). By law, some information must be provided in the very first notification, such as the nature of the affected data, information about the affected individuals, the measures being taken to minimize the impact, and the risks the data subjects may face, among other information.
- Giang T. Regional Information Security Officer | CISM | CRISC
Reporting a ransomware attack promptly to authorities and stakeholders is vital for a comprehensive response. Initiating contact with local law enforcement, cybersecurity insurance providers, and legal counsel is crucial for guidance and potential assistance. Transparent communication with customers, partners, and employees is equally essential, detailing the incident and its potential impact on data and privacy. Documenting crucial details, including the attack's date, time, source, and ransom amount, serves both as evidence and aids in compliance with regulations. This proactive engagement ensures a collaborative approach to mitigating the consequences of the ransomware attack and reinforces trust among affected parties.
- Juan Camilo Botonero Rodriguez Cybersecurity and Cyberdefense Expert - C|CISO , CISSM , ECIH , CEH , ISO27001 , ISO 27032 , ITIL
This step is extremely relevant, since if there is no community for the exchange of open information, such as lessons learned, IOCs and attack vectors, it will be difficult to prevent the infection of new malware in different organizations, which is why organizations must be transparent in the communication of such information.
5 Strengthen your security
The final step is to improve your security posture and prevent future ransomware attacks. You should update your operating systems, applications, and antivirus software with the latest patches and signatures. You should also implement security best practices, such as using strong passwords, enabling multi-factor authentication, and restricting user privileges. You should also educate your staff about the risks and signs of ransomware and how to avoid phishing emails and malicious attachments.
Ransomware attacks are a serious threat to your information security and business continuity. By following these steps, you can recover from a ransomware attack and minimize the damage and disruption. However, prevention is always better than cure, so you should always back up your data and protect your network from malicious actors.
- Jose Maria Alvarez Bujanda Senior Security Specialist at Canada Life
The final phase involves strengthening your security and preventing future ransomware attacks. Update systems, applications and antivirus, implement measures such as strong passwords and multi-factor authentication, and train staff on the risks and signs of ransomware. These attacks seriously threaten business security and continuity. Although recovery is possible, prevention is key: make backups and protect your network against malicious threats.
You get back from a nice 2 weeks of PTO and the first message you receive is from an employee who says that one of the servers they run has a ransomware note on it. What do you do? It's very, very important, and I cannot stress this enough, that you DO NOT PANIC! Stay cool, calm, and collected. Go through your company's incident response plan and make sure you inform your leadership team. Do not leave any of your leadership team out of the conversation. They are all stakeholders and whether they want to know or not, they need to at least be informed. After following your company's incident response plan and making sure leadership is up to date, it is time to review your plan and make sure it is still up to par. If not, make the changes.
- Timothy Poppleton Project/ Change/ Infrastructure Management, PMO, Technical Author
Strengthening your security to most people means having effective patch management, monitoring, backup, firewall and anti-virus protection. These are all important preventative measures. You should also use more proactive tools. For example, use tools that are stored on users' workstations. These could collect and report details on the impact of the security incident, as well as isolate the impacted workstation to contain the spread of the incident. Being already present on the workstation will speed up the investigation and so hopefully the resolution of the incident.
- Sonam R.
Strengthening the security is leveling up the game! Rightly said, "An ounce of prevention is worth a pound of cure", so take correct measures to prevent against ransomware, including backups, updated software, installation of antivirus, and email protection.
- Udochi O. Senior Service Engineer, Azure Edge + Platform | Technologist
To strengthen your security means to have the most up-to-date patches and fixes for any vulnerabilities on your system. It's very important to be proactive rather than reactive in these cases. Patching should be done on a consistent basis and should also consist of reboots and hardening of accounts.
6 Here’s what else to consider
- Shyam Sundar Ramaswami (He/Him/Batman) Three-Time TEDx speaker | Cyber Security Architect , Research and Memory Forensics @ GE HealthCare | Author | International Cyber Security Speaker | Professor | Ex-Cisco | Digital Detective
Ransomware attacks undoubtedly dent an organisation's reputation, security posture and identity, which in turn creates strong turbulence in social media. Threat hunting plays a pivotal role in such cases. The constant lookout for mutated samples, means and modes of entry, coupled with employee awareness, will help you in protecting the organisation. However, doing the above alone is not a silver bullet for any organisation. The untangling of knowns and unknowns in a ransomware attack is a key phase. With the right set of hunting mechanisms and MITRE tricks you can spot the odd one out to minimise the blast radius. Coming out in public and reporting the attack is the key. This helps in raising awareness of such attacks.
- Pradeep Karasala (PK) Valuepreneur | Chief Solution Advisor @ GRCXperts | SecureB4
Change passwords and other login information for any accounts or services that may have been compromised by the ransomware. Use strong and unique passwords and enable multi-factor authentication where possible.
- Richard Waine Head of SecOps at easyJet
Responding to a ransomware attack starts way before the attack (ideally!). Build out your playbook, test it, test it again. Don't just do tabletop exercises, do drills to check Security Analysts know which tools to use and how to use them. Use your EDR to contain/isolate. Build a containment plan: how do you isolate a device? Network segment? Data centre? Work with other teams to plan who does what. Understand your critical systems, protect those so you know what you can sacrifice. Check your threat intel: who's most likely to target you? How would they do it (MITRE)? If the worst happens make sure you can stand up a security incident response team, use your suppliers, get an IR contract. Report the threat to management so they're aware.
There is a lot of valuable advice already, so my pinch of salt goes to not forgetting one really important thing NEXT: #RestoreConfidence. Seize momentum, build opportunity from chaos. In my opinion the 3 main points should be:
1) Lessons learned. The organization needs someone good at fixing problems, not at finding culprits. Be humble, #communicate what happened, what's needed, what was learned. You can even #SellTheGoodStuff shown: commitment, sense of urgency, attitude...
2) What are you going to do to prevent this from happening again. Remember it is NOT to create a to-do list, it's about the big picture.
3) What will be different if it ever happens again.
https://www.linkedin.com/pulse/tuve-ransomware-y-ahora-qu%C3%A9-alejandro-caro/
It is important to define the current maturity level and the related response time, and which controls are in place regarding patch application and vulnerability handling; this is something that must be taken very seriously, and it depends on the commitment of the Technology team together with the Security team to timely attention and response, which also applies to the other related controls. Being proactive is entirely valid, but it is something that can be achieved through a focus on compliance, event monitoring and the hardening of security tools (having them installed is not enough), and awareness focused on a cybersecurity culture.