Steps to recover from a Ransomware Attack


Ransomware is widely regarded as the most serious cyber-security risk facing organizations. Last year more than 50 percent of all businesses were hit by a ransomware attack, at an estimated cost of $11.5 billion.

Many consumer-facing companies, including Canon, Garmin, Konica Minolta and Carnival, have recently fallen victim to major ransomware attacks, with millions of dollars paid in ransom for decryption keys.

The goal is to regain access to the encrypted data, not to pay the ransom demand. Let us look at the measures that make ransomware recovery effective.

Identifying the infection

The most challenging and crucial step in recovering from a ransomware attack is the initial awareness that something is wrong. The sooner you detect the attack, the less data is affected, and the less time it will take to recover the environment.

Ransomware is hard to detect early. By the time you see a ransom note, it may already have done damage across the entire environment. You need a security control that can identify unusual behaviour, such as abnormal file sharing or mass file modification, so that an infection can be isolated quickly and prevented from spreading further.

One of the most effective means of detecting ransomware is abnormal-file-behaviour detection. The alternative is a signature-based approach, but that requires the ransomware to be known already: only after a sample has been analysed can a signature for it be written and distributed. On its own this is not enough, because most sophisticated attacks now use new or repacked variants that no existing signature matches. A behavioural approach (often implemented with ML or anomaly scoring) is therefore recommended: it watches for patterns such as rapid, successive encryption or renaming of files and treats a burst of them as evidence of an attack in progress, whatever the family.

Ransomware usually enters a company through a phishing email or an email carrying a malicious attachment. If the organization is not equipped to filter and handle such emails, ransomware can easily get in.

Contain the damage

Once you detect an active infection, the source of the encryption must be isolated so that it cannot spread. In a cloud file-sharing environment the encryption is typically driven from an infected endpoint through a remote file-sync client, a third-party application or a browser plug-in; cutting that endpoint and account off from the shares contains the infection and limits the damage.

Containment is most effective when it is automated. Attacks often start after hours, so when an infection is identified, automation should stop it immediately rather than wait for a human: kill or remove the executable, block the process or file extension it is using, and isolate the affected files and host from the rest of the environment.
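The behavioural detection and automated containment described above, as an added example that is not part of the original article. It reads constructed file-activity events (the log format, field names, thresholds, ransom-note filename pattern and containment action names are all assumptions for illustration), raises an alert when one user on one host renames many files to a new extension within a short window, uses a ransom-note write only as corroboration, and turns each alert into the isolation steps an automated responder would carry out. Nothing in it depends on knowing which ransomware family is involved.

```python
"""Behaviour-based ransomware burst detection with an automated containment plan.

Added example, not code from the original article. The log format, thresholds,
ransom-note pattern and action names below are assumptions for illustration.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (assumed format): one file operation per line.
# alice@ws-17 renames five files to ".locked" within two seconds and then
# drops a ransom note; bob and carol are ordinary activity.
SAMPLE_LOG = """\
2020-09-18T02:14:01Z user=bob host=ws-04 op=write path=/share/hr/policy.docx
2020-09-18T02:14:05Z user=alice host=ws-17 op=rename old=/share/finance/q3.xlsx new=/share/finance/q3.xlsx.locked
2020-09-18T02:14:05Z user=alice host=ws-17 op=rename old=/share/finance/q2.xlsx new=/share/finance/q2.xlsx.locked
2020-09-18T02:14:06Z user=alice host=ws-17 op=rename old=/share/finance/budget.pptx new=/share/finance/budget.pptx.locked
2020-09-18T02:14:06Z user=alice host=ws-17 op=rename old=/share/finance/notes.txt new=/share/finance/notes.txt.locked
2020-09-18T02:14:07Z user=alice host=ws-17 op=rename old=/share/finance/plan.pdf new=/share/finance/plan.pdf.locked
2020-09-18T02:14:08Z user=alice host=ws-17 op=write path=/share/finance/HOW_TO_DECRYPT.txt
2020-09-18T02:20:00Z user=carol host=ws-09 op=rename old=/share/eng/draft.md new=/share/eng/draft-v2.md
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) (?P<rest>.*)$")
# Typical ransom-note filenames (assumed pattern): used only as corroboration, never alone.
NOTE_RE = re.compile(r"(?i)(decrypt|readme|recover|restore).*\.(txt|html|hta)$")

WINDOW_SECONDS = 60     # look-back window per actor (assumed)
BURST_THRESHOLD = 5     # extension-changing renames inside the window that trigger an alert (assumed)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev.pop("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    for kv in ev.pop("rest").split():        # remaining key=value pairs (path=, old=, new=); no spaces in paths
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def extension_changed(old, new):
    """True when a rename swaps the file's extension, e.g. report.xlsx -> report.xlsx.locked."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(log_text):
    """Return one alert per (user, host) whose rename rate crossed BURST_THRESHOLD."""
    windows = defaultdict(deque)   # actor -> (timestamp, new path) of recent suspicious renames
    notes = defaultdict(list)      # actor -> ransom-note paths written
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        actor = (ev["user"], ev["host"])
        if ev["op"] == "rename" and extension_changed(ev["old"], ev["new"]):
            q = windows[actor]
            q.append((ev["ts"], ev["new"]))
            while (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()            # drop renames that fell out of the window
            if len(q) >= BURST_THRESHOLD and actor not in alerts:
                alerts[actor] = {"actor": actor, "severity": "high",
                                 "reasons": ["mass extension-changing renames"],
                                 "files": [p for _, p in q]}
        elif ev["op"] == "write" and NOTE_RE.search(os.path.basename(ev["path"])):
            notes[actor].append(ev["path"])
    for actor, paths in notes.items():   # a note written by a bursting actor raises confidence
        if actor in alerts:
            alerts[actor]["severity"] = "critical"
            alerts[actor]["reasons"].append("ransom note written")
            alerts[actor]["files"].extend(paths)
    return list(alerts.values())


def containment_plan(alerts):
    """Map alerts to the automated containment steps (action names are assumptions)."""
    actions = []
    for a in alerts:
        user, host = a["actor"]
        actions.append(("isolate_host", host))         # network-quarantine the endpoint, stop its sync client
        actions.append(("revoke_sessions", user))      # cut the account's share and cloud tokens
        for path in a["files"]:
            actions.append(("quarantine_file", path))  # set touched files aside for later restore comparison
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert["severity"], alert["actor"], alert["reasons"])
    for action in containment_plan(found):
        print(*action)
```

The threshold and window are the tuning knobs: too low and a user bulk-renaming photos trips it, too high and the ransomware finishes a share before the alert fires. Carol's rename keeps its extension and is ignored, and the ransom note alone would not alert, which is deliberate: note filenames are easy to spoof, so they raise severity rather than trigger the response.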

Insurance does not stop an infection from spreading, but cyber liability insurance can relieve some of the financial burden of restoring your data.

Cyber liability insurance is a specialty insurance line that protects businesses (and the individuals providing services on their behalf) against internet-based risks such as ransomware attacks, and against risks related to information-technology infrastructure, information privacy, information-governance liability and related activities.

Restore impacted data

In some cases, even when the ransomware is detected in time and contained quickly, a subset of data will still need to be restored. Good backups are therefore essential: restoring from backup keeps you in control of getting your business data back, without depending on the attacker.

It is best to adopt the 3-2-1 backup rule:

  • Keep 3 copies of any important file: one primary and two backups
  • Keep the copies on 2 different media types
  • Keep 1 copy offsite, and preferably offline or immutable, so that ransomware that reaches your network cannot encrypt or delete it

Backups only count if they can be restored, so test restores regularly rather than discovering a problem during an incident.

Inform the authorities

Many organizations fall under compliance regimes such as PCI DSS, HIPAA and GDPR, which require them to notify the relevant regulators of a breach, often within a fixed deadline (72 hours under GDPR). Report the incident immediately: in the United States the FBI's Internet Crime Complaint Center (IC3) should be the first agency alerted, followed by local law enforcement.

Test your access

After restoring the data, test access to it and to every affected business-critical system to confirm that the recovery of data and services has actually succeeded. This lets you remediate any remaining issues before handing the environment back to production.
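One way to make the "test your access" step concrete, as an added example that is not part of the original article: record a SHA-256 manifest of the data when the backup is taken, then compare the restored tree against it. Files that are missing or whose hash differs were not restored correctly, and any file in the restored set carrying a ransomware extension means the backup itself was touched before it was taken offline. The directory layout, the sample file contents and the extension list are constructed assumptions.

```python
"""Verify a restore against a SHA-256 manifest recorded at backup time.

Added example, not code from the original article. The directory layout, file
contents and ransomware extension list are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions that should never appear in a restored set (assumed list).
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256. Run this when the backup is taken."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest and report every discrepancy.

    missing    - in the manifest but not restored
    mismatched - restored but content differs (partial restore, corruption, encryption)
    suspicious - files in the restored tree carrying a ransomware extension
    """
    root = Path(restored_root)
    report = {"ok": [], "missing": [], "mismatched": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in RANSOM_EXTENSIONS:
            report["suspicious"].append(p.relative_to(root).as_posix())
    report["clean"] = not (report["missing"] or report["mismatched"] or report["suspicious"])
    return report


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def run_demo():
    """Build a constructed 'original' tree and a deliberately bad 'restored' tree, then verify."""
    with tempfile.TemporaryDirectory() as original, tempfile.TemporaryDirectory() as restored:
        _write(original, "finance/q3.xlsx", b"quarterly numbers")
        _write(original, "finance/q2.xlsx", b"older numbers")
        _write(original, "hr/policy.docx", b"policy text")
        manifest = build_manifest(original)           # taken at backup time, stored away from the data

        _write(restored, "finance/q3.xlsx", b"quarterly numbers")            # restored intact
        _write(restored, "finance/q2.xlsx", b"\x8f\x1c\xa0\x00ciphertext")    # content was encrypted
        _write(restored, "finance/q2.xlsx.locked", b"\x8f\x1c\xa0\x00")      # ransomware extension in the backup set
        # hr/policy.docx deliberately absent: the restore job skipped it
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Keep the manifest with the offsite copy, not beside the live data, or the ransomware can encrypt the list you would use to check it. A report with "clean" false is the cue to remediate before anything is handed back to production.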

When it comes to regaining access to critical files after a ransomware attack, there are two options: restore your data from backup, or pay the ransom. Paying is risky: there is no guarantee that the operators will hand over a working decryption key once they have the money.

So it is always better to have secure backups and a detection system in place before any damage is done to your business. Investing in a solution now is far cheaper and safer than making a large donation to the attackers later.

Image Credits : The Cyber Security Place

Remesh Ramachandran
Security Researcher & Consultant for the Government, Enthusiast, Malware Analyst, Penetration Tester. He has been a successful participant in various bug bounty programs and has discovered security flaws on major websites. He occasionally performs training and security assessments for various government, non-government and educational organizations.
