Ransomware Recovery: How to Recover Data After an Attack
By: NAKIVO Team
Given the data loss and downtime they cause, ransomware attacks are a dangerous threat for businesses. The estimated annual costs incurred by organizations are set to reach $20 billion in 2022. Unfortunately, the intensity of ransomware attacks is increasing year on year, and everyone is at risk. Once installed on a computer, ransomware deletes or corrupts data, typically by encrypting it with strong encryption algorithms.
The malicious actors behind ransomware usually demand a sum of money (a ransom) to release the data and make it available again. However, in addition to incentivizing criminals, these payouts don’t guarantee that you get full access to usable data. This blog post explains how to recover from a ransomware attack effectively while avoiding transactions with attackers.
What to Do after a Ransomware Attack
Despite the numerous preventive measures available, there is still a possibility that your organization may fall victim to a ransomware attack. The following practices can help you minimize the impact of a ransomware attack if and when it happens. If your machines have been infected with ransomware, follow these recommendations before attempting to recover files.
- Disconnect the infected device. As soon as you detect that a machine is infected with malware, immediately disconnect the device from the network and from external storage devices. This way, you can ensure that other machines and systems in your infrastructure do not get infected as well. This step allows you to save unaffected data and reduce the amount of work needed to recover files from ransomware.
After that, identify the number of machines that have actually been affected by the ransomware attack and look for suspicious activity in your infrastructure.
- Identify the type of ransomware. Talk with the person who first detected the issue. Ask what they were doing prior to the incident, whether they had received emails with suspicious attachments, and which files they had recently downloaded. Identifying the type of ransomware provides valuable information that can be used to identify vulnerabilities in your data protection system and modify it accordingly.
Moreover, if you succeed in determining the ransomware type, you can know exactly how your files are affected (that is, whether they are encrypted or locked). Then you can understand the potential repercussions of not paying the ransom, and which strategy should be used to successfully recover from the ransomware attack.
- Report the issue. When conducting employee training, explain to your staff that it is important to notify the IT support team about any suspicious activity on their machines. This way, IT professionals can respond to the ransomware attack in time before any serious damage is done. After that, report the ransomware attack to the authorities (for example, the FBI if you’re in the United States) and provide them with all the necessary information about the incident. Reporting to the authorities can help prevent future attacks by the same ransomware actor(s).
- Do not pay the ransom. Law enforcement officials advise against complying with the attackers’ demands because it encourages even more ransomware attacks in the future. Hackers looking to make quick money will see you as an easy target for their future attacks. Moreover, in most cases, paying out the ransom doesn’t guarantee that the attackers will unlock or decrypt data as promised. Remember that you’re dealing with criminals who are only interested in profit.
- Identify the impact of the ransomware attack. You should determine how much data has been corrupted, how many machines have been infected as a result of the attack, and how long it will take to recover from the attack. Moreover, assess the criticality of the data made unavailable and determine whether it can be recovered without paying the ransom.
- Recover your system from ransomware. After removing the ransomware from your computers, you can start the recovery process.
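The scoping steps above (find out how many machines are affected and how much data is corrupted) are easier to repeat consistently with a small triage script. The following is an added example, not NAKIVO's code: it takes per-host file listings (constructed inline here) and flags hosts that show two common indicators, a cluster of files sharing an extension that is not in the host's known set, mirroring the renamed-file pattern mentioned later in this article, and a filename that looks like a ransom note. The note keywords, the known-extension list and the `.nSeB2` extension are assumptions for the example.

```python
"""Triage which hosts show ransomware indicators, based on per-host file listings.

Added example (not NAKIVO's code). Input is a dict of host -> list of file paths,
constructed inline below. Two indicators are used:
  1. a cluster of files whose extension is not in KNOWN_EXTENSIONS (mass rename)
  2. a filename containing a word commonly seen in ransom notes (assumption)
"""
from collections import Counter
import os

# Constructed sample inventories. ".nSeB2" mirrors the renamed-file example in the
# article; "README_TO_RESTORE.txt" is a hypothetical ransom-note filename.
INVENTORIES = {
    "fileserver01": [
        "D:/shares/finance/q1.xlsx.nSeB2",
        "D:/shares/finance/q2.xlsx.nSeB2",
        "D:/shares/finance/README_TO_RESTORE.txt",
        "D:/shares/hr/policy.docx.nSeB2",
        "D:/shares/hr/handbook.pdf",
    ],
    "workstation07": [
        "C:/Users/alice/Documents/notes.txt",
        "C:/Users/alice/Documents/budget.xlsx",
        "C:/Users/alice/Pictures/image001.jpg",
    ],
}

# Words that often appear in ransom-note filenames (assumption for the example).
NOTE_MARKERS = ("restore", "decrypt", "recover")
# Extensions expected on these hosts (assumption; in practice derive from a baseline).
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".jpg", ".png"}


def classify_host(paths, min_cluster=2):
    """Return the indicators found in one host's file listing."""
    extensions = Counter(os.path.splitext(p)[1].lower() for p in paths)
    # An unknown extension seen on several files suggests a mass rename/encryption.
    unknown = {ext: n for ext, n in extensions.items()
               if ext and ext not in KNOWN_EXTENSIONS and n >= min_cluster}
    affected = [p for p in paths if os.path.splitext(p)[1].lower() in unknown]
    notes = [p for p in paths
             if any(m in os.path.basename(p).lower() for m in NOTE_MARKERS)]
    return {"unknown_extensions": unknown, "affected_files": affected,
            "ransom_notes": notes}


def triage(inventories):
    """Classify every host and mark it infected if any indicator is present."""
    report = {}
    for host, paths in inventories.items():
        result = classify_host(paths)
        result["infected"] = bool(result["affected_files"]) or bool(result["ransom_notes"])
        report[host] = result
    return report


def summarize(report):
    """Answer the two scoping questions: how many hosts and how many files."""
    infected = sorted(h for h, r in report.items() if r["infected"])
    files = sum(len(report[h]["affected_files"]) for h in infected)
    return {"infected_hosts": infected, "affected_file_count": files}


if __name__ == "__main__":
    summary = summarize(triage(INVENTORIES))
    print(f"hosts: {summary['infected_hosts']}, files: {summary['affected_file_count']}")
```

On the constructed inventories, `fileserver01` is flagged (three `.nSeB2` files plus a note) while `workstation07` is clean; on real data the listing would come from the isolated host's disk or from a file-server audit, and the baseline extension set from a known-good inventory.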
How to Recover from a Ransomware Attack
There are multiple methods for data recovery after a ransomware attack. The effectiveness of these methods varies depending on the situation.
Using built-in tools in your operating system
If you use Windows 10, you can try the Windows System Restore utility to recover system settings and program settings from a restore point that was created automatically. Not all data can be restored with this method. Modern ransomware can disable System Restore and delete or corrupt Windows restore points, in which case this method is ineffective.
Use the ransomware decryption tool
If you have identified the type and version of the ransomware, try to find a decryptor tool provided by security researchers. Decryptor tools are not available for every ransomware version, and finding one is increasingly rare nowadays.
Use software for the recovery of deleted files
If the ransomware has not overwritten the original files on the disk (filling the disk surface with zeroes or random data), there is a chance that you can recover some critical data with file recovery software. Scanning the disk surface takes a long time, and the original filenames are often lost, so recovered files get generic names such as RECOVER0001.JPG, RECOVER0002.JPG, etc.
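The generic RECOVER0001.JPG names come from how such tools work: with filesystem metadata gone, they scan the raw disk surface for file signatures and cut out whatever lies between a known header and footer. The following added example (not NAKIVO's code, nor any particular recovery product) carves JPEG-like regions out of a constructed disk image by their start-of-image and end-of-image markers; the sample image, including a zeroed region standing in for an overwritten file, is built inline.

```python
"""Signature-based carving of JPEG files from a raw disk image.

Added example (not NAKIVO's code). Shows why disk-surface recovery returns files
named RECOVER0001.JPG, RECOVER0002.JPG, ...: only the file bytes survive, the
names and directory structure do not. The sample image is constructed inline.
"""
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker followed by the first segment byte
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return a list of (generated_name, file_bytes) for every JPEG-like region."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        # Look for the footer within max_size bytes of the header.
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header without a footer: likely a fragment, skip past it.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        # Original names are unrecoverable, so number the files sequentially.
        found.append(("RECOVER%04d.JPG" % (len(found) + 1), image[start:end]))
        pos = end
    return found


def write_carved(found, out_dir):
    """Write carved files to out_dir and return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, data in found:
        path = out / name
        path.write_bytes(data)
        paths.append(path)
    return paths


def build_sample_image() -> bytes:
    """Constructed image: two intact JPEG-like blobs, plus a zeroed region where a
    third file used to be (overwritten data, which carving cannot bring back)."""
    photo1 = JPEG_SOI + b"\xe0" + b"photo one body" + JPEG_EOI
    photo2 = JPEG_SOI + b"\xe1" + b"second photo" + JPEG_EOI
    overwritten = b"\x00" * 64
    return b"junk" + photo1 + overwritten + b"\x12\x34" + photo2 + b"tail"


if __name__ == "__main__":
    for name, data in carve_jpegs(build_sample_image()):
        print(name, len(data), "bytes")
```

Real carvers add per-format size and structure checks so that a stray header inside unrelated data does not produce a bogus file, but the naming behaviour is the same: the recovered set has to be re-sorted into the right directories by hand afterwards, which is the extra time the article mentions.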
Recover data from a backup
The main point of this method is that you must prepare in advance and not wait until ransomware infects your machines. If you have not created a backup before the ransomware attack, this method won’t apply. You need to prepare in advance and back up data at regular intervals. Backup best practices recommend following the 3-2-1 backup rule and storing backups offsite and/or offline for recovery from a ransomware attack. You can use the cloud, tape and/or immutable backup storage for this purpose.
The best way to create backups is to use dedicated data protection solutions that support different types of workloads and infrastructures and allow you to implement the 3-2-1 backup rule.
One such solution is NAKIVO Backup & Replication. NAKIVO’s solution allows you to increase backup performance, ensure data recoverability, and improve ransomware recovery. The solution supports data protection for physical servers, virtual machines (VMware vSphere, Microsoft Hyper-V, Nutanix AHV), Amazon EC2 instances and Microsoft 365. With the solution, you can:
- Perform image-based, application-aware, incremental backup and replication.
- Easily create backup copies without engaging the source hosts or virtual machines (VMs).
- Store backups in a remote site, a public cloud or tape.
- Enable immutability for local Linux-based repositories or in the Amazon S3 cloud.
- Choose among a variety of flexible recovery options, including instant VM boot, granular recovery and P2V recovery of physical machines as VMware vSphere VMs.
- Create disaster recovery workflows by arranging various actions and conditions into an automated sequence.
How Long Does It Take to Recover from Ransomware?
The time needed to recover data after a ransomware attack depends on the amount of corrupted data on infected computers and the method used for ransomware recovery. When estimating the time needed for ransomware attack recovery, we mean data recovery and getting all systems back online with restored workloads.
The time to recover data and restore workloads can vary from days to months. Let’s look at the main factors that impact the recovery time.
- A system administrator’s experience. Skilled system administrators usually have multiple disaster recovery plans for different scenarios and know what to do in each situation. You should have a ransomware recovery plan to be prepared for ransomware attacks.
- Recovery using a decryption tool (if you find one for a specific ransomware version) may take a long time. If filenames have also been changed after encryption (like sLc6-fAl26m.nSeB2 instead of image001.jpg), it would take even more time to put them in the correct directories after recovery. You need to respect the correct file and directory structure, especially if these files are required for applications to work.
- Having a data backup reduces the time needed for full recovery after a ransomware attack. The advantage of recovering files from a backup is that you recover structured data, including file and folder names with their correct paths. You select the backup from the appropriate date/time and the destination location for the recovered data, then wait until the data is copied and recovered.
Moreover, backup solutions like NAKIVO Backup & Replication rely on image-based technology to capture VM and physical machine backups. This means that the backup captures the operating system and other files associated with the OS, such as application configuration files and system state, helping you save time on getting systems back up and running.
- Inadequate testing of a ransomware recovery plan can lead to longer data restore times than expected. For this reason, always try to test your recovery plan to ensure you can recover everything you need in the appropriate timeframe.
Note that when creating a disaster recovery strategy that includes a ransomware disaster recovery plan, you should take into account the RTO (recovery time objective) and RPO (recovery point objective) metrics.
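The backup-related points above (the 3-2-1 rule with an offsite or immutable copy, choosing the backup from the right date/time, and checking the outcome against RTO and RPO) can be rehearsed against a backup inventory before an incident, as part of testing the recovery plan. The following is an added example, not NAKIVO's code or a description of its product: the inventory records and their fields (`media`, `offsite`, `immutable`, `taken_at`) are constructed assumptions, and the rule that only offsite or immutable copies are trusted for restore encodes the article's advice that local, reachable backups can be destroyed by the ransomware.

```python
"""Check a backup inventory against the 3-2-1 rule and pick a safe restore point.

Added example (not NAKIVO's code). Records are constructed inline; the field
names are assumptions for the example. Tape is treated as offline media.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # "disk", "tape", "s3" ... (constructed labels)
    offsite: bool
    immutable: bool
    taken_at: datetime


# Constructed inventory for one file server workload.
INVENTORY = [
    BackupCopy("fs01-daily-0301", "disk", False, False, datetime(2022, 3, 1, 2, 0)),
    BackupCopy("fs01-daily-0301-copy", "s3", True, True, datetime(2022, 3, 1, 2, 0)),
    BackupCopy("fs01-weekly-0227", "tape", True, False, datetime(2022, 2, 27, 2, 0)),
    BackupCopy("fs01-daily-0302", "disk", False, False, datetime(2022, 3, 2, 2, 0)),
]


def check_3_2_1(copies):
    """Report which parts of the 3-2-1 rule the inventory satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        # Immutable storage or offline media (tape, by assumption) survives a
        # ransomware run that reaches the backup repository.
        "one_immutable_or_offline": any(c.immutable or c.media == "tape" for c in copies),
    }


def usable_restore_point(copies, infection_time, trusted_only=True):
    """Newest copy taken before the infection. By default, local mutable copies are
    excluded because the ransomware may have reached and corrupted them."""
    candidates = [c for c in copies if c.taken_at < infection_time
                  and (not trusted_only or c.offsite or c.immutable)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.taken_at)


def achieved_rpo(restore_point, infection_time):
    """Data loss window: time between the restore point and the infection."""
    return infection_time - restore_point.taken_at


def meets_targets(restore_point, infection_time, restore_hours, rpo_target, rto_target):
    """Compare the achieved RPO and the estimated restore time against targets."""
    rpo = achieved_rpo(restore_point, infection_time)
    rto = timedelta(hours=restore_hours)
    return {"rpo": rpo, "rpo_ok": rpo <= rpo_target, "rto": rto, "rto_ok": rto <= rto_target}


if __name__ == "__main__":
    infection = datetime(2022, 3, 2, 10, 30)   # constructed detection time
    print(check_3_2_1(INVENTORY))
    point = usable_restore_point(INVENTORY, infection)
    print("restore from:", point.name)
    print(meets_targets(point, infection, restore_hours=6,
                        rpo_target=timedelta(hours=24), rto_target=timedelta(hours=8)))
```

With the constructed data the inventory passes 3-2-1, but the newest trusted copy is the S3 one from the day before the infection, so the achieved RPO is 32.5 hours against a 24-hour target even though a fresher local backup exists; that gap is exactly what a rehearsal of the plan is meant to surface before an incident rather than during one.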
Ransomware recovery is a complex process that includes recovering data and restoring workloads. Cost and time depend on the amount of preparation that goes into the backup strategy and recovery from ransomware attacks. The main approach to mitigate issues caused by ransomware attacks is to follow preventive measures and back up data regularly. Follow the 3-2-1 backup rule, and use immutable backup storage and a reliable data protection solution that can automate tasks.