ransomware recovery

What is ransomware recovery?

Ransomware recovery is the process of resuming operations following a cyberattack that demands payment in exchange for unlocking encrypted data.

Having good data backups and a solid disaster recovery plan (DRP) are the best ways for an organization to recover successfully from this type of attack. With ransomware so prevalent, experts urge businesses to assume that they will be hit with an attack, so protection and recovery are top of mind.

Ransomware, a subset of malware, typically gets into a system when a user opens an infected email attachment or website. Several major attacks have recently made headlines across the world, including the following:

  • WannaCry ransomware in May 2017 hit more than 100,000 organizations. The payment total was not high, considering the scale of the attack, but the downtime for organizations led to big losses.
  • Petya in June 2017 was first detected in Ukraine government systems before spreading to organizations around the world.
  • Bad Rabbit ransomware in October 2017 spread through Eastern Europe.
  • A ransomware attack on the city of Atlanta in March 2018 shut down several departments. The cost of the recovery effort was more than $5 million.
  • A ransomware as a service attack hit Colonial Pipeline in 2021, causing $4.4 million in losses and causing gas shortages and panic-buying in the Southeast U.S.

The Conti ransomware group attacked Costa Rican government institutions in 2022, impacting the Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunications, as well as the Ministry of Labor and Social Security. To remain anonymous, attackers often demand payment in the form of virtual currency, such as bitcoin. The FBI does not recommend paying the ransom, as access to encrypted files might not be guaranteed and the victim then becomes known as an organization that will pay, opening itself up to the possibility of more attacks. Paying also encourages the business model. The government recommends immediately contacting authorities, such as a local FBI office.

Proper ransomware recovery is important because an attack can harm or even shut down a business. Even if an organization doesn't pay the ransom, the cost of downtime can be catastrophic, due to lost revenue and loss of reputation. As a result, it's critical to be able to recover quickly from a ransomware attack.

Planning for ransomware recovery is helpful for an organization not just for responding to attacks, but for disaster recovery (DR) as a whole. The planning stage enables an organization to look at where it may be vulnerable and in need.

Because ransomware constantly evolves, it's important for data protection vendors to stay one step ahead of attackers. For example, modern ransomware can attack data backups, in addition to primary workloads, so an organization must ensure that its secondary storage is protected as well.

Recovering from a ransomware attack

Ransomware recovery starts before an attack hits. Organizations following the 3-2-1 rule of backup are in a good position to recover. With this method, there are three copies of the data, on at least two different media types, with one copy offsite or offline.

For example, using tape storage for one of the backup copies provides an offsite and offline option. Storage that is not connected to a network is safe from ransomware. Though tape won't typically have as up-to-date backup data as disk or cloud storage, it does feature an air gap -- which provides isolation through lack of network or internet connectivity -- and ensures an organization can recover at least some of its workloads.

When an attack hits, IT should take over immediately while users stay off the network. In its simplest form, IT would wipe the affected systems, ensure the ransomware is no longer in the network and restore operations from the last known good backup. To get the organization up and running as quickly as possible, IT might want to restore only the most critical data and operations first, and then bring up less important workloads. The cloud is a good option for off-site backup, but it can take a long time to restore a large volume of data.

As part of its backup and DRPs, an organization should identify which workloads are most important to the survival of the business and make sure those are properly and safely backed up. Ideally, an organization will back up files frequently throughout the day, using such methods as data replication.

Testing is key to ransomware recovery. A test can be as simple as running through what each team member will do in the event of an attack. The most comprehensive option involves running a full-scale test of backups and failing over operations as if the attack actually happened.

Security testing is necessary as well. IT should ensure its security -- such as antivirus software -- is up-to-date. DR and security teams, if separate, should be on the same page regarding planning and recovery efforts.

Educating and training users in advance is optimal, but reminders immediately following an attack are also good while the issue is still fresh on everyone's minds. Employees should know not to open attachments or frequent websites they don't recognize as safe. They should also know to inform IT right away if they see something suspicious.

Major ransomware recovery tools and vendors

Data protection vendors have recently been adding features specific to ransomware recovery. Current products on the market include the following:

  • Acronis Cyber Protect uses machine learning to help prevent a ransomware virus from corrupting data. It attempts to detect suspicious application behavior before the corruption of files. Cyber Protect enables customers to roll back and recover from a point in time before a ransomware attack.
  • Asigra SaaSAssure protects software-as-a-service (SaaS) data from ransomware attacks with multi-factor authentication and encryption. Asigra also offers Tigris, a network-based security tool that runs bidirectional malware scans, checking all files for ransomware during backups, then again during the restore process.
  • Druva Data Security Cloud includes built-in automation for a faster recovery post-attack. The software also helps identify the last safe snapshot.
  • Iron Mountain's Iron Cloud Cyber Recovery isolates data, disconnecting it from a network. In the event of an attack, it provides a "cleanroom" to recover data and ensures that ransomware is out of the system.
  • Quorum has an appliance specifically designed to recover from ransomware. The Quorum onQ Ransomware Edition takes snapshots of servers and provides server-level recovery.
  • Unitrends backup appliances use Recovery Assurance, which conducts automated testing of a DRP to ensure there are no gaps. It also uses immutable backups to protect data from ransomware attacks.
  • Zerto's continuous data protection and journaling feature provides the ability to rewind to a point in time before a ransomware attack.

Features to look for in a tool

Backup and recovery vendors can help with ransomware-specific issues in several ways. This might include the following:

  • Offering tools that can increase the frequency of backups.
  • Increasing the length of backup retention to help an organization keep files for the long term.
  • Crossing over with security teams with data protection products that integrate with malware detection.
  • Providing backup software that can alert an administrator to unusual rates of change in data, a sign of possible ransomware.

IT should not rely on a backup product for ransomware recovery. A more comprehensive and proactive data protection platform is better. It's important to analyze exactly what a vendor offers, though, as simply saying that an organization can recover from ransomware with a given product is different from providing a tangible means of recovering.

This was last updated in May 2024

Continue Reading About ransomware recovery

Dig Deeper on Disaster recovery planning and management

Data Backup