How to recover from a ransomware attack | TechTarget (2024)

How an organization recovers in the days following a ransomware attack may affect its viability in the long run. An organization can quickly resume normal operations with a ransomware recovery plan in place.

Deploying a variety of cybersecurity tools and platforms, such as endpoint security, email security, next-generation firewalls and security awareness training, should reduce the risk of ransomware infiltration. If ransomware does infect an organization's system, however, the security team should immediately deploy a ransomware recovery plan.

The ransomware recovery plan should include how the organization prepares for attacks, how to handle an in-progress attack and what to do in the aftermath. Include the following steps in the plan:

  1. Back up data constantly.
  2. Prepare and deploy a ransomware incident response plan.
  3. Use cybersecurity systems to disrupt the attack.
  4. Restore affected systems to normal function.
  5. Communicate with stakeholders.
  6. Improve the ransomware recovery plan.

1. Back up data constantly

Organizations must back up all business-critical data as often as reasonably possible to reduce data loss. Data backups are a necessity to recover following a ransomware attack. Confirm through regular testing that the backups are viable and that restoring from backups works. To ensure data backups remain secure, organizations should have data protection capabilities in place.


Consider isolating at least one data backup from the internet. Virtual air gapping ensures data isn't directly reachable by systems in an organization's production environments. True air gapping is another option: The backup medium, or the whole backup system, is physically disconnected from the enterprise network -- creating a literal air gap between them. Air-gapped backups are not vulnerable to active corruption by ransomware. That said, organizations should still evaluate any data backups before deploying them to production environments.

2. Prepare and deploy a ransomware response plan

Every organization should have a general-purpose incident response plan (IRP) to guide its actions in the event of a cybersecurity incident. Some organizations develop a ransomware-specific incident response plan. A ransomware IRP details the immediate measures the security operations center (SOC), network operations center and system admins take in response to a known or strongly suspected ransomware event.

Steps on a ransomware IRP include the following:

  1. Confirm the attack is ransomware.
  2. Gather the incident response team.
  3. Evaluate the incident.
  4. Contain the ransomware.
  5. Mitigate the ransomware.
  6. Perform a digital forensics investigation.

A ransomware IRP is only useful if it's deployed. Far too often, IRPs sit unused during incidents. The incident response team should also periodically evaluate the IRP's fit to current infrastructures, staff and processes.

Alongside reviewing the ransomware IRP, the incident response team should conduct regular drills and tabletop exercises to ensure everyone involved understands the plan, follows it and can improve upon the plan after trying to execute on it.

3. Use cybersecurity systems to disrupt the attack

Ransomware mitigation actions should be triggered once the SOC gets alerted to a ransomware attack. While part of the IRP, this step is important enough to be its own separate action in the ransomware recovery plan, too.

Cybersecurity systems should work to contain the ransomware and mitigate damage from it. The first move should be to tighten cybersecurity where relevant. Security teams should ensure the network automatically quarantines endpoints behaving suspiciously, locks down network segments and blocks command-and-control connections. Automate mitigation and remediation as much as possible, so that security teams are not left to stop the ransomware entirely by hand.
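The automated containment described above can be illustrated with a small piece of detection logic. The following is an added example, not code from the article or from any TechTarget or vendor product: it parses constructed endpoint file-event log lines (the log format, host names, process name and the TEST-NET address 203.0.113.45 are all made up for the example), flags a process that renames many files by appending a new extension within a short window, and emits the containment decisions a SOC automation would hand to the EDR and firewall: quarantine the host, stop the process, preserve a suspected ransom note for the forensics step, and block the destination the flagged process contacts.

```python
"""Ransomware-style behaviour detection over constructed file-event logs.

Added example. The log format, hosts, process and destination below are
constructed for illustration; they do not come from any real product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one host shows a burst of appended-extension renames,
# a ransom-note-like write and an outbound connection; the other is benign.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z host=WS-117 proc=winword.exe event=FILE_WRITE path=C:\\Users\\a\\report.docx
2024-05-02T09:00:02Z host=WS-117 proc=svch0st.exe event=FILE_RENAME path=C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.locked
2024-05-02T09:00:02Z host=WS-117 proc=svch0st.exe event=FILE_RENAME path=C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\budget.xlsx.locked
2024-05-02T09:00:02Z host=WS-117 proc=svch0st.exe event=FILE_RENAME path=C:\\Users\\a\\plan.pptx -> C:\\Users\\a\\plan.pptx.locked
2024-05-02T09:00:02Z host=WS-117 proc=svch0st.exe event=FILE_RENAME path=C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.locked
2024-05-02T09:00:02Z host=WS-117 proc=svch0st.exe event=FILE_RENAME path=C:\\Users\\a\\photo.jpg -> C:\\Users\\a\\photo.jpg.locked
2024-05-02T09:00:03Z host=WS-117 proc=svch0st.exe event=FILE_WRITE path=C:\\Users\\a\\README_RESTORE.txt
2024-05-02T09:00:04Z host=WS-117 proc=svch0st.exe event=NET_CONNECT dst=203.0.113.45:443
2024-05-02T09:05:00Z host=WS-042 proc=explorer.exe event=FILE_RENAME path=C:\\Users\\b\\draft.txt -> C:\\Users\\b\\final.txt
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) event=(\S+) (.*)$")
RENAME_RE = re.compile(r"^path=(.+?) -> (.+)$")
RANSOM_NOTE_RE = re.compile(r"readme|restore|decrypt|recover", re.IGNORECASE)

RENAME_THRESHOLD = 5            # appended-extension renames per process ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window trigger containment


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group(2), "proc": m.group(3),
            "event": m.group(4), "detail": m.group(5),
        })
    return events


def appended_extension(old, new):
    """True when the new name is the old name plus an extra extension (a common encryption pattern)."""
    return new.startswith(old) and len(new) > len(old) and new[len(old)] == "."


def containment_actions(log_text):
    """Return the ordered list of containment actions the automation should take."""
    renames = defaultdict(deque)   # (host, proc) -> timestamps of suspicious renames
    flagged = set()                # (host, proc) pairs judged ransomware-like
    actions = []
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):   # stable sort keeps log order
        key = (ev["host"], ev["proc"])
        if ev["event"] == "FILE_RENAME":
            m = RENAME_RE.match(ev["detail"])
            if m and appended_extension(m.group(1), m.group(2)):
                q = renames[key]
                q.append(ev["ts"])
                while q and ev["ts"] - q[0] > WINDOW:
                    q.popleft()
                if len(q) >= RENAME_THRESHOLD and key not in flagged:
                    flagged.add(key)
                    actions.append(("quarantine_host", ev["host"]))
                    actions.append(("kill_process", ev["host"], ev["proc"]))
        elif ev["event"] == "FILE_WRITE" and key in flagged and ev["detail"].startswith("path="):
            path = ev["detail"][len("path="):]
            if RANSOM_NOTE_RE.search(path.rsplit("\\", 1)[-1]):
                # Keep the note for the forensics investigation rather than deleting it
                actions.append(("preserve_evidence", ev["host"], path))
        elif ev["event"] == "NET_CONNECT" and key in flagged and ev["detail"].startswith("dst="):
            action = ("block_destination", ev["detail"][len("dst="):])
            if action not in actions:
                actions.append(action)
    return actions


if __name__ == "__main__":
    for action in containment_actions(SAMPLE_LOG):
        print(action)
```

The threshold and window are tuning knobs: too low and a user renaming a folder of photos gets quarantined, too high and the encryption run finishes before containment fires. Whatever values are chosen should be exercised in the drills and tabletop exercises described in step 2.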

4. Restore affected systems to normal function

Once security teams stop the ransomware attack and evaluate production systems' safety, it's time to get back up and running again. Some steps to resume business functions include the following:

  1. Deploy backup data.
  2. Wipe and restore endpoints.
  3. Delete and replace central system instances.
  4. Attempt data recovery, as necessary.
  5. Scan restored data for infections.
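Two of the steps above, testing that backups are viable (step 1) and scanning restored data before it returns to production (step 4), rest on the same mechanism: a record of what the data looked like before the incident. The following added example, not code from the article or from any backup product, builds a manifest of file hashes at backup time, authenticates the manifest with an HMAC key that is assumed to be kept off the backup host, and later checks a restored tree against it, reporting missing, modified and unexpected files and flagging any whose content is near-random, which is how a file encrypted in place looks. The demo data (a ledger, a notes file, a placeholder ransom note) is constructed inline.

```python
"""Backup manifest creation and restored-data verification.

Added example. The demo key and files are constructed for illustration;
the HMAC key must live somewhere the backup host cannot reach.
"""
import hashlib
import hmac
import json
import math
import os
import tempfile
from pathlib import Path


def file_sha256(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Hash every file under root; authenticate the listing with an off-host key."""
    root = Path(root)
    files = {str(p.relative_to(root)): file_sha256(p) for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def shannon_entropy(data):
    """Bits per byte; near 8.0 means near-random content (encrypted or compressed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_restore(root, manifest, key, entropy_threshold=7.5):
    """Compare a restored tree with its manifest; return sorted (finding, path) pairs.

    High entropy is a triage signal, not proof: archives and media are also
    near-random, so such hits go to a human or a scanner before release.
    """
    findings = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        findings.append(("manifest_tampered", ""))   # keep checking; the listing is still informative
    root = Path(root)
    present = {str(p.relative_to(root)): p for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        p = present.pop(rel, None)
        if p is None:
            findings.append(("missing", rel))
        elif file_sha256(p) != digest:
            high = shannon_entropy(p.read_bytes()[:65536]) > entropy_threshold
            findings.append(("modified_high_entropy" if high else "modified", rel))
    for rel, p in present.items():           # files the backup never contained
        findings.append(("unexpected", rel))
    return sorted(findings)


def demo():
    """Constructed walk-through: clean restore, then a simulated encryption plus dropped note."""
    key = b"constructed-demo-key-store-off-the-backup-host"
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as restored:
        (Path(src) / "ledger.csv").write_text("id,amount\n1,10\n2,20\n")
        (Path(src) / "notes.txt").write_text("quarterly notes\n")
        manifest = build_manifest(src, key)
        for rel in manifest["files"]:        # a faithful restore
            (Path(restored) / rel).write_bytes((Path(src) / rel).read_bytes())
        clean = verify_restore(restored, manifest, key)
        (Path(restored) / "ledger.csv").write_bytes(os.urandom(8192))   # encrypted in place
        (Path(restored) / "HOW_TO_RECOVER.txt").write_text("constructed ransom-note placeholder\n")
        return {"clean": clean, "after_incident": verify_restore(restored, manifest, key)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification as part of the regular restore tests mentioned in step 1, not only after an incident: a manifest that was never checked against a real restore proves nothing about whether the backup is viable.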

5. Communicate with stakeholders

While they restore data and resume normal business functions, organizations must communicate internally and, potentially, externally. The ransomware recovery plan should include when and how to reach out to decision-makers and potentially affected parties, which include employees, executive leadership, third-party vendors and customers.

The plan should define decision points so security teams know who to contact based on the scope and speed of the infection. The plan should specify who makes the decisions, how to reach those people and who their alternates are. Also include who to inform of each decision, how and when to inform them, and the expected business effects of decisions.

External communication includes reporting the attack to law enforcement. In the U.S., organizations can notify CISA, their local FBI field office, the Secret Service or the Internet Crime Complaint Center. The law enforcement agency can provide assistance, if requested.

6. Improve the ransomware recovery plan

Conduct an after-action report to conclude the disaster recovery process. This report should be a full, honest and blame-free review of everything done and not done in response to the ransomware incident.

Review what worked and what didn't in the IRP. Add anything missing and trim out extraneous processes that slowed response efforts. Use the revised recovery plan in the next round of drills or tabletop exercises and war games.

The military saying is, "No plan survives first contact with the enemy," but -- on the assumption that a perfect plan is not possible -- no plan should. Retrospective analysis of the incident response turns that truism from a bug into a feature.

It is not inevitable that every organization will experience a successful ransomware attack. It is inevitable that those that fail to plan for one will be at a serious disadvantage when faced with cybercriminals.
