How to Recover From Ransomware (2024)

Here’s the scenario. You’re working on your computer and you notice that it seems slower. Or perhaps you can’t access document or media files that were previously available.

You might be getting error messages from Windows telling you that a file is of an “Unknown file type” or “Windows can’t open this file.”


If you’re on a Mac, you might see the message “No associated application,” or “There is no application set to open the document.”


Another possibility is that you’re completely locked out of your system. If you’re in an office, you might be looking around and seeing that other people are experiencing the same problem. Some are already locked out, and others are just now wondering what’s going on, just as you are.

Then you see a message confirming your fears.


You’ve been infected with ransomware.


You’ll have lots of company. The number of ransomware attacks on businesses tripled over the course of 2017, jumping from one attack every two minutes in Q1 to one every 40 seconds by Q3. There were over four times more new ransomware variants in the first quarter of 2017 than in the first quarter of 2016, and damages from ransomware were expected to exceed $5 billion for the year.


This past summer, our local PBS and NPR station in San Francisco, KQED, was debilitated for weeks by a ransomware attack that forced them to go back to working the way they used to prior to computers. Five months have passed since the attack and they’re still recovering and trying to figure out how to prevent it from happening again.

Ransomware typically arrives via spam or phishing emails, but also through compromised websites or drive-by downloads, infecting an endpoint and then working its way into the network. Once running, it encrypts every file it can reach (local drives, attached storage, and any mapped network shares) with strong encryption. Finally, the malware demands a ransom (typically payable in bitcoin) in exchange for the key needed to decrypt the files and restore the affected IT systems.

Encrypting ransomware or “cryptoware” is by far the most common recent variety of ransomware. Other types that might be encountered are:

  • Non-encrypting ransomware or lock screens (restricts access to the desktop or to files and data, but does not encrypt them)
  • Ransomware that overwrites the Master Boot Record (MBR) of a drive or encrypts the NTFS Master File Table (MFT), which prevents the victim’s computer from booting into its operating system at all
  • Leakware or extortionware (exfiltrates data that the attackers threaten to publish if the ransom is not paid)
  • Mobile device ransomware (infects phones through drive-by downloads or fake apps)

[Figure: the typical steps in a ransomware attack, from initial infection through encryption to the ransom demand]

Ransomware attacks target firms of all sizes — 5% or more of businesses in the top 10 industry sectors have been attacked — and no size of business, from small-and-medium businesses to enterprises, is immune. Attacks are on the rise in every sector and in every size of business.

Recent attacks, such as WannaCry in May 2017, mainly affected systems outside of the United States. Hundreds of thousands of computers were infected from Taiwan to the United Kingdom, where it crippled the UK’s National Health Service (NHS).

The US has not been so lucky in other attacks, though. The US ranks the highest in the number of ransomware attacks, followed by Germany and then France. Windows computers are the main targets, but ransomware strains exist for Macintosh and Linux, as well.

The unfortunate truth is that ransomware has become so wide-spread that for most companies it is a certainty that they will be exposed to some degree to a ransomware or malware attack. The best they can do is to be prepared and understand the best ways to minimize the impact of ransomware.

“Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.” — James Scott, Institute for Critical Infrastructure Technology

Phishing emails, malicious email attachments, and visiting compromised websites have been common vehicles of infection (we wrote about protecting against phishing recently), but other methods have become more common in past months. Weaknesses in Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP) have allowed cryptoworms to spread. Desktop applications — in one case an accounting package — and even Microsoft Office (Microsoft’s Dynamic Data Exchange — DDE) have been the agents of infection.

Recent ransomware strains such as WannaCry and NotPetya have incorporated worm components that exploit the SMB vulnerability Microsoft patched in MS17-010 (two months before WannaCry hit) to spread themselves across networks without any user action, earning them the nickname “cryptoworms.” Earlier strains such as CryptoLocker relied on email attachments and other user-assisted delivery.

So, you’ve been attacked by ransomware. What should you do next?


1 — Isolate the Infection

The rate and speed of ransomware detection is critical in combating fast moving attacks before they succeed in spreading across networks and encrypting vital data.

The first thing to do when a computer is suspected of being infected is to isolate it from other computers and storage devices. Disconnect it from the network (pull the Ethernet cable and turn off Wi-Fi) and from any external storage devices. Cryptoworms actively seek out network connections and other computers, so you want to prevent that from happening. You also don’t want the ransomware communicating across the network with its command-and-control server. Isolating is not the same as powering off: if you can, leave the machine running, because memory may still hold the encryption key or other evidence an incident responder can use, and a reboot can trigger further damage from boot-level strains.

Be aware that there may be more than just one patient zero, meaning that the ransomware may have entered your organization or home through multiple computers, or may be dormant and not yet shown itself on some systems. Treat all connected and networked computers with suspicion and apply measures to ensure that all systems are not infected.

This Week in Tech did a videocast showing what happens when WannaCry is released on an isolated system: it encrypts files and tries to spread itself to other computers. It’s a great lesson in how these types of cryptoworms operate.

2 — Identify the Infection

Most often the ransomware will identify itself when it asks for the ransom. There are several sites that help you identify the strain from the ransom note and a sample encrypted file, including ID Ransomware. The No More Ransom! Project provides the Crypto Sheriff for the same purpose.

Identifying the ransomware will help you understand what type of ransomware you have, how it propagates, what types of files it encrypts, and maybe what your options are for removal and disinfection. It also will enable you to report the attack to the authorities, which is recommended.
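The identification sites above want three things: the extension the malware appended, a copy of the ransom note, and a sample encrypted file. The following Python script is an added example, not code from the original post or from Backblaze, that gathers exactly that from a suspect directory tree (run it on the isolated machine or on a forensic copy, never on the backups). It treats a file as encrypted when a known extension has an unfamiliar one appended (report.docx.locked), when a known binary format has lost its file header, or when a text file has ciphertext-like entropy; compressed formats such as PDF and JPEG are judged by their header rather than by entropy, because they are legitimately high-entropy. The indicator tables and the sample victim directory are constructed for this example and should be tuned to your environment.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicator tables for this example; extend them for your file types.
MAGIC = {  # extension -> leading bytes an intact file of that type must start with
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
}
TEXT_EXTS = {".txt", ".csv", ".sql", ".log"}
NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "ransom", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, head: bytes, threshold: float = 7.0) -> str:
    """Return 'note', 'appended', 'in_place' or 'ok' for one file."""
    name = path.name.lower()
    sfx = [s.lower() for s in path.suffixes]
    if any(h in name for h in NOTE_HINTS) and path.suffix.lower() in (".txt", ".html", ".hta"):
        return "note"
    known = set(MAGIC) | TEXT_EXTS
    # report.docx.locked: a known extension followed by one we have never seen.
    if len(sfx) >= 2 and sfx[-2] in known and sfx[-1] not in known:
        return "appended"
    ext = path.suffix.lower()
    if ext in MAGIC:
        # Compressed formats are high-entropy when intact, so trust the header, not entropy.
        return "ok" if head.startswith(MAGIC[ext]) else "in_place"
    if ext in TEXT_EXTS:
        return "in_place" if shannon_entropy(head) >= threshold else "ok"
    return "ok"


def triage_tree(root, sample_bytes: int = 4096) -> dict:
    """Inventory a tree for the evidence ID Ransomware / Crypto Sheriff ask for."""
    report = {"notes": [], "appended_exts": Counter(), "encrypted": [], "intact": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        kind = classify(path, head)
        if kind == "note":
            report["notes"].append(str(path))
        elif kind == "appended":
            report["appended_exts"][path.suffix.lower()] += 1
            report["encrypted"].append(str(path))
        elif kind == "in_place":
            report["encrypted"].append(str(path))
        else:
            report["intact"] += 1
    return report


def build_sample_tree() -> str:
    """Constructed victim directory: two intact files, two renamed, one overwritten in place, one note."""
    root = tempfile.mkdtemp()
    files = {
        "intact.pdf": b"%PDF-1.4\n" + os.urandom(600),        # body looks random, header is intact
        "notes.txt": b"quarterly numbers look fine\n" * 20,
        "report.docx.locked": os.urandom(1024),
        "photo.jpg.locked": os.urandom(1024),
        "budget.xlsx": os.urandom(1024),                       # encrypted in place, ZIP header gone
        "README_DECRYPT.txt": b"Your files are encrypted. Pay to recover them.\n",
    }
    for name, content in files.items():
        Path(root, name).write_bytes(content)
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print("appended extensions:", dict(result["appended_exts"]))
    print("ransom notes:", result["notes"])
    print("encrypted files:", len(result["encrypted"]), "intact:", result["intact"])
```

Run it against a suspect share and the most common entry in `appended_exts`, one of the `notes`, and one of the `encrypted` paths are what you upload to the identification sites; the ratio of encrypted to intact files also tells you how far the attack got before isolation.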


3 — Report to the Authorities

You’ll be doing everyone a favor by reporting all ransomware attacks to the authorities. The FBI urges ransomware victims to report ransomware incidents regardless of the outcome. Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.

You can file a report with the FBI at the Internet Crime Complaint Center.

There are other ways to report ransomware, as well.

4 — Determine Your Options

Your options when infected with ransomware are:

  1. Pay the ransom
  2. Try to remove the malware
  3. Wipe the system(s) and reinstall from scratch

It’s generally considered a bad idea to pay the ransom. Paying the ransom encourages more ransomware, and in many cases the unlocking of the encrypted files is not successful.

In a recent survey, more than three-quarters of respondents said their organization is not at all likely to pay the ransom in order to recover their data (77%). Only a small minority said they were willing to pay some ransom (3% of companies have already set up a Bitcoin account in preparation).

Even if you decide to pay, it’s very possible you won’t get back your data.

That leaves two other options: removing the malware and selectively restoring your system, or wiping everything and installing from scratch.

5 — Restore or Start Fresh

You have the choice of trying to remove the malware from your systems or wiping your systems and reinstalling from safe backups and clean OS and application sources.

Get Rid of the Infection

There are internet sites and software packages that claim to be able to remove ransomware from systems. The No More Ransom! Project is one. Other options can be found, as well.

Whether you can successfully and completely remove an infection is up for debate. A working decryptor doesn’t exist for every known ransomware, and unfortunately it’s true that the newer the ransomware, the more sophisticated it’s likely to be and the less time the good guys have had to develop a decryptor.

It’s Best to Wipe All Systems Completely

The surest way of being certain that malware or ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch. Reformatting the disks in your system will ensure that no remnants of the malware remain, with one caveat: a quick format of a volume does not rewrite the boot record, so for the MBR-overwriting strains mentioned above, repartition the disk or zero its first sectors so that the boot code is replaced as well.

If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.

Be sure to determine the date of infection as well as you can from malware file dates, messages, and other information you have uncovered about how your particular malware operates. Consider that an infection might have been dormant in your system for a while before it activated and made significant changes to your system. Identifying and learning about the particular malware that attacked your systems will enable you to understand how that malware functions and what your best strategy should be for restoring your systems.

Select a backup or backups that was made prior to the date of the initial ransomware infection. A good backup program, such as Backblaze Backup, enables you to go back in time and specify the date prior to which you wish to restore files.


If you’ve been following a good backup policy with both local and off-site backups, you should be able to use backup copies that you are sure were not connected to your network after the time of attack and hence protected from infection. Backup drives that were completely disconnected should be safe, as are files stored in the cloud, as with Backblaze Backup.
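Your backup history is often the best record of when the encryption actually happened: the first snapshot in which most files changed hash or vanished is the encryption event, and a dormancy margin before it accounts for the malware having sat quietly for a while. The Python below is an added example, not Backblaze code or part of the original post. It works on constructed snapshot manifests (a map of relative path to SHA-256 recorded when each backup was taken, a format assumed here for illustration; real backup clients keep something equivalent), finds the churn spike, picks the newest snapshot older than the event minus the margin, simulates the restore into a scratch directory, and verifies every restored file against the manifest so that nothing altered after the fact slips into the rebuilt machine.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def churn(prev: dict, cur: dict) -> float:
    """Fraction of files in the earlier manifest whose content changed or that vanished by the next one."""
    if not prev:
        return 0.0
    changed = sum(1 for rel, digest in prev.items() if cur.get(rel) != digest)
    return changed / len(prev)


def find_encryption_event(snapshots, churn_threshold: float = 0.5):
    """Index of the first snapshot whose churn against its predecessor looks like mass encryption."""
    for i in range(1, len(snapshots)):
        if churn(snapshots[i - 1]["manifest"], snapshots[i]["manifest"]) >= churn_threshold:
            return i
    return None


def choose_restore_point(snapshots, infection_time: datetime, dormancy: timedelta = timedelta()):
    """Newest snapshot taken before infection_time minus a dormancy margin, or None if none exists."""
    cutoff = infection_time - dormancy
    candidates = [s for s in snapshots if s["taken"] < cutoff]
    return max(candidates, key=lambda s: s["taken"]) if candidates else None


def verify_restore(restored_root, manifest: dict) -> list:
    """Relative paths whose restored bytes do not match the digest recorded at backup time."""
    return [rel for rel, digest in manifest.items()
            if not Path(restored_root, rel).is_file() or sha256_file(Path(restored_root, rel)) != digest]


def build_sample_history():
    """Constructed nightly backup history: a normal edit on night 2, everything encrypted by night 4."""
    def manifest(files):
        return {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
    clean = {"docs/plan.txt": b"plan v1\n", "docs/budget.csv": b"q,amount\n1,100\n", "img/logo.png": b"\x89PNG\r\n"}
    edited = {**clean, "docs/plan.txt": b"plan v2\n"}
    encrypted = {rel + ".locked": b"\x00ciphertext:" + rel.encode() for rel in edited}
    t0 = datetime(2017, 11, 1, 2, 0)
    nights = [clean, edited, edited, encrypted]
    return [{"taken": t0 + timedelta(days=i), "manifest": manifest(f), "files": f} for i, f in enumerate(nights)]


def recover(snapshots, dormancy: timedelta = timedelta(days=1)):
    """Locate the encryption event, pick a restore point before it, restore to a scratch dir and verify."""
    event = find_encryption_event(snapshots)
    if event is None:
        raise RuntimeError("no snapshot shows mass encryption; confirm the infection date another way")
    chosen = choose_restore_point(snapshots, snapshots[event]["taken"], dormancy)
    if chosen is None:
        raise RuntimeError("backup history does not reach back before the infection")
    restored = Path(tempfile.mkdtemp())          # stands in for the wiped and rebuilt machine
    for rel, data in chosen["files"].items():   # in practice the backup client performs the restore
        target = restored / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return {"event_at": snapshots[event]["taken"], "restore_from": chosen["taken"],
            "mismatches": verify_restore(restored, chosen["manifest"])}


if __name__ == "__main__":
    outcome = recover(build_sample_history())
    print("encryption first seen in snapshot taken", outcome["event_at"])
    print("restoring from snapshot taken", outcome["restore_from"])
    print("files failing verification:", outcome["mismatches"])
```

The churn threshold of 50% separates an encryption run from ordinary daily edits; a very slow strain that encrypts a few files per night would need a lower threshold and a look at which files changed. The dormancy margin is a judgment call: the longer the malware could have been resident, the further back you go, at the cost of more lost work.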

System Restores Are not the Best Strategy for Dealing with Ransomware and Malware

You might be tempted to use a System Restore point to get your system back up and running. System Restore is not a good solution for removing viruses or other malware. Since malicious software is typically buried within all kinds of places on a system, you can’t rely on System Restore being able to root out all parts of the malware. Also, System Restore does not save old copies of your personal files as part of its snapshot. It also will not delete or replace any of your personal files when you perform a restoration, so don’t count on System Restore as working like a backup. You should always have a good backup procedure in place for all your personal files.

Local backups can be encrypted by ransomware. If your backup solution is local and connected to a computer that gets hit with ransomware, the chances are good your backups will be encrypted along with the rest of your data.

With a good backup solution that is isolated from your local computers, you can easily obtain the files you need to get your system working again. You have the flexibility to determine which files to restore, from which date you want to restore, and how to obtain the files you need to restore your system.


You’ll need to reinstall your OS and software applications from the source media or the internet. If you’ve been managing your account and software credentials in a sound manner, you should be able to reactivate accounts for applications that require it. If you use a password manager, such as 1Password or LastPass, to store your account numbers, usernames, passwords, and other essential information, you can access that information through their web interface or mobile applications. You just need to be sure that you still know your master username and password to obtain access to these programs.

A ransomware attack can be devastating for a home or a business. Valuable and irreplaceable files can be lost and tens or even hundreds of hours of effort can be required to get rid of the infection and get systems working again.

“Ransomware is at an unprecedented level and requires international investigation.” — Europol, the European police agency

Ransomware attacks are on the rise, but you don’t have to be part of the statistics. With good planning and smart practices, you can prevent ransomware from affecting your systems.

Security experts suggest several precautionary measures for preventing a ransomware attack.

  1. Use anti-virus and anti-malware software or other security policies to block known payloads from launching.
  2. Make frequent, comprehensive backups of all important files and isolate them from local and open networks. Cybersecurity professionals view data backup and recovery (74% in a recent survey) by far as the most effective solution to respond to a successful ransomware attack.
  3. Keep offline backups of data stored in locations inaccessible from any potentially infected computer, such as disconnected external storage drives or the cloud, which prevents them from being accessed by the ransomware.
  4. Install the latest security updates issued by software vendors of your OS and applications. Remember to Patch Early and Patch Often to close known vulnerabilities in operating systems, browsers, and web plugins.
  5. Consider deploying security software to protect endpoints, email servers, and network systems from infection.
  6. Exercise cyber hygiene, such as using caution when opening email attachments and links.
  7. Segment your networks to keep critical computers isolated and to prevent the spread of malware in case of attack. Turn off unneeded network shares.
  8. Turn off admin rights for users who don’t require them. Give users the lowest system permissions they need to do their work.
  9. Restrict write permissions on file servers as much as possible.
  10. Educate yourself, your employees, and your family in best practices to keep malware out of your systems. Update everyone on the latest email phishing scams and social engineering techniques aimed at tricking victims into running the payload themselves.

It’s clear that the best way to respond to a ransomware attack is to avoid having one in the first place. Other than that, making sure your valuable data is backed up and unreachable by ransomware infection will ensure that your downtime and data loss will be minimal or none if you ever suffer an attack.

Have you endured a ransomware attack or have a strategy to avoid becoming a victim? Please let me know in the comments.

Category: Backing Up Tags: ransomware
