5 Steps for Recovering from Ransomware Attacks


Readiness and proactive measures minimize business risks

Develop a ransomware mindset

To successfully resolve problems within your business, you must first truly understand them and develop relevant response strategies. Battling ransomware is no different. Unlike familiar problems with known elements and “rules of engagement,” the new threats fit better under an “infinite game” category. The players are unknown and the whole game is impossible to win. The mindset becomes simply about staying in the game as long as possible. This approach requires a new proactive perspective for countering and surviving ransomware attacks, as traditional point security solutions are ineffective.

Better late than never

Today, most enterprises continue to be in a reactive mode. About 29% of employees recently surveyed said they did not know what ransomware was before their employers were victimized by it. Despite that, ransomware attacks push enterprises to take cybersecurity seriously. Nearly 87% of companies enacted stricter security protocols post-attack. Similarly, 90% of firms provided security training to employees, and 67% increased cybersecurity spending.[1] Strengthening defenses following an attack could help keep attackers away. Unfortunately, about 80% of firms experienced a second attack after paying off the first one.[2]

Ransomware-as-a-Service is a business

Most people see cyber attackers as just bad criminal actors. While that is true, ransomware attackers view their activities as businesses. The major ransomware groups offer their tools as a service to franchisees, who pay the code owners a cut of their revenue. During negotiations with a hacker, the victim’s representative asked for a guarantee to get the keys to unlock her client’s data. The hacker said, “if we don’t follow through, then no one would do business with us in the future.” Another hacker told a negotiator that he “meant no harm.” Then he added, “We are in this together, and both want the best for our client.” A third hacker who provided decryption keys to a victim sent a “customer service” note asking, “Tell me how it is going?” No one should be fooled by the attitude of the hackers or count on their sympathy. Learning how they view their malicious activities is vital for building appropriate defenses.[3]

Handling a system breach

Once an organization discovers or learns of a breach, everyone must spring into action. Here are a few steps that are necessary to overcome the crisis:

  1. Inform your CEO and the board of directors of the situation. Ransomware attacks are not IT problems but business events requiring informed senior leadership decisions. Also, contact your cyber insurance provider if you have one. Finally, notify the relevant law enforcement authorities.
  2. If you do not have incident response (IR) teams on retainer, then immediately hire teams that can provide the urgent assistance that you need:
    • A legal team ensures that your customers’ rights are adequately protected and that actions are appropriate. Legal advisors could also clarify if your cyber insurance covers paying the ransom.
    • An expert engineering and IT support team can examine your system and advise on potential solutions moving forward.
    • A cybersecurity expert team can conduct a forensic evaluation that identifies the scope of the breach and recommends potential solutions. The experts can also determine how the attackers entered the system and what resources they accessed.
    • A ransomware IR team with negotiators can resolve monetary demands and execute actions within the law. Sometimes you might be dealing with parties to whom US law bans payments, or who use sanctioned digital wallets. IR teams can also negotiate lower ransom payments.
  3. Decide about ransom payment quickly. This decision is the most painful one, but business leaders are now aware of the importance of making it without hesitation. Cyber insurance that covers ransom payment is an essential business expense that comes in handy when attacked. About 49% of companies paid the ransom, and 93% tightened budgets due to the payments.[4] A recent survey by IDC found that 13% of organizations reported experiencing ransomware attacks or breaches and not paying a ransom.[5]
  4. Start afresh. Resist the temptation to rebuild the breached network because one can’t ensure that the network is clean and free of malware.
  5. Utilize validated backups. Enterprises that keep an air-gapped data backup can restore quickly. It is prudent to have multiple isolated copies of your data built using write-once capability. Utilize applications that support snapshots and let you go back to a specific point in time closest to the start of the incident and perform a complete data restoration.
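
As an added example for step 5 (not part of the original article), the following Python code picks a restore point from a snapshot catalog held across several isolated copies. It assumes that "validated" means the snapshot still matches a SHA-256 digest recorded in a write-once catalog at backup time, and that "closest to the start of the incident" means the newest snapshot taken before it; the catalog fields, copy names and sample data are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Snapshot:
    copy: str             # which isolated copy holds it (constructed names)
    taken_at: datetime    # when the snapshot was taken (UTC)
    recorded_sha256: str  # digest written to the write-once catalog at backup time
    data: bytes           # stand-in for the snapshot contents

def is_valid(snap: Snapshot) -> bool:
    """A snapshot validates if its contents still match the recorded digest."""
    return hashlib.sha256(snap.data).hexdigest() == snap.recorded_sha256

def pick_restore_point(snapshots, incident_start):
    """Return the newest snapshot taken before incident_start that validates.

    Snapshots taken at or after the incident start are never candidates,
    and a snapshot that fails validation is skipped in favour of an older one.
    """
    candidates = [s for s in snapshots if s.taken_at < incident_start]
    for snap in sorted(candidates, key=lambda s: s.taken_at, reverse=True):
        if is_valid(snap):
            return snap
    return None  # nothing trustworthy predates the incident

def make_snapshot(copy, day, data, tampered=False):
    """Build a constructed sample snapshot; tampered ones no longer match."""
    digest = hashlib.sha256(data).hexdigest()
    stored = b"ENCRYPTED:" + data if tampered else data
    taken = datetime(2021, 8, day, 2, 0, tzinfo=timezone.utc)
    return Snapshot(copy, taken, digest, stored)

# Constructed sample catalog: two isolated copies, nightly snapshots.
CATALOG = [
    make_snapshot("offsite-a", 9, b"ledger v1"),
    make_snapshot("offsite-b", 10, b"ledger v2"),
    make_snapshot("offsite-a", 11, b"ledger v3", tampered=True),  # fails validation
    make_snapshot("offsite-b", 12, b"ledger v4"),                 # after incident start
]
INCIDENT_START = datetime(2021, 8, 11, 14, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    chosen = pick_restore_point(CATALOG, INCIDENT_START)
    print(chosen.copy, chosen.taken_at.isoformat())
```

In the sample catalog the snapshot nearest the incident fails validation, so the previous night's snapshot on the other copy is selected instead.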

Minimizing ransomware’s impact

Enterprises can minimize potential ransomware threats by adopting proactive security postures. They can also reduce the impact of successful breaches by having a well-thought-out response plan that all concerned parties are familiar with, understand their roles in, and are ready to execute.

  1, 4: Keeper, “2021 Ransomware Impact Report.”
  2: Cybereason, 2021. “Ransomware: The True Cost to Business.”
  3: WSJ PRO Cybersecurity Research, 2020. “Preparing for Ransomware.”
  5: IDC, August 12, 2021. “IDC Survey Finds More Than One Third of Organizations Worldwide Have Experienced a Ransomware Attack or Breach.”