11 Tips to Recover From a Ransomware Attack on Your Organization | eWeek

Ransomware Recovery 101: You’ve Been Hit, Now What Do You Do?

Apr 26, 2017



Ransomware is coming to your neighborhood. Now a $1 billion-per-year industry, ransomware has quickly become one of IT and security pros’ biggest fears. According to a recent study by CyberEdge Group, more than 60 percent of organizations are likely to experience an attack. The scariest part? Most aren’t fully aware of the consequences—and how to appropriately recover. When data is being held hostage, there’s no way to keep up with business as usual. Whether it’s identifying what is missing, deciding whether or not to pay the ransom, or determining how to recover lost files, there are key recovery aspects that go unaddressed. This eWEEK slide show, using industry information from Paula Long, CEO and co-founder of DataGravity, offers tips that can help businesses plan for and implement a ransomware counterattack.


Stop the Intruder in His or Her Tracks


One of the biggest mistakes organizations make when hit with ransomware is making a decision about whether or not to pay the ransom before they’ve done any preliminary investigation. Before jumping into a recovery plan, the first step is to secure the crime scene and shut down users immediately.


Don’t Forget About Cross-Contamination


To ensure the issue isn’t propagated to other copies of the data, turn off snapshot schedules and double-check your stored snapshots to confirm that they’re not being deleted automatically. You may want to also turn off automated disaster recovery (DR) tools, especially if you aren’t doing synchronous replication. In the case of synchronous replication, the DR site is already contaminated. In snap-copy scenarios, there’s a chance things have propagated.



Determine What’s Been Compromised


Once you’ve stopped the spread of the attack, establish what data was impacted. Don’t forget to take inventory of audit logs and previous snapshots. Depending on who was infected and the timing of the attack, it is possible, at times, to unwind what happened.


Weigh the Costs


Here’s where the math comes in. Do a cost analysis of the ransom versus the data. Is the cost of being out of business for hours, days or weeks worth more than the ransom? It’s important to remember, however, that there is a risk associated with paying up. There’s no guarantee that the data will be returned in its original state—if at all.


Weigh the Not-So-Obvious Costs, Too

Remember there’s more than just the financial consequences that come with downtime and paying the ransom itself. In addition to the legal costs, employee time and reputational damage, consider how IT operations are going to be affected. Acknowledge that there’s a chance the IT department (and many others) will not be able to continue to operate if the data becomes unavailable. 


Pay Up or Don’t Pay Up: Your Choice


After analyzing the situation, it’s time to decide whether or not to pay the ransom. If you choose to pay up, keep in mind that there’s no promise that you’ll get your data back. Cross your fingers and hope everything works out. If it doesn’t, go to the next slide. If it does, move on to Slide 10.



Begin the Recovery Process


If you choose to not pay the ransom, now the work begins. In determining whether to pay or not pay, you have scoped, at least at a high level, the extent of the damage. If the damage was isolated to a small set of users on dedicated resources, the recovery should be straightforward.


Don’t Overlook Shared Infrastructure

However, if the issues made it into shared infrastructure, you need to figure out what was impacted. If you have some form of audit or network logs, you might be able to identify which shared resources were affected and may even be able to determine which files could have potentially been accessed.


Keep the Data You Have to Restore to the Absolute Minimum


Without access to the information you uncovered in Slide 8, you could find yourself rolling back to a time before the issue happened, and losing data that was still good. To avoid wasting time (and perfectly good data), invest in tools that can get you lists that can help you make smart restores. 
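As an added example (not part of the original slide show), here is one way to turn file-audit logs into the kind of list that supports a smart restore: it selects only the files that compromised accounts changed after the infection began and pairs each with the newest snapshot that predates the damage. The log format, account names, paths, snapshot times and the plan_restore function are all constructed assumptions for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample file-audit log: timestamp, user, share, path, operation.
AUDIT_LOG = """\
2017-04-20T08:55:00,alice,finance,/finance/q1.xlsx,WRITE
2017-04-20T09:10:00,bob,finance,/finance/q1.xlsx,READ
2017-04-20T09:12:00,bob,finance,/finance/q1.xlsx,WRITE
2017-04-20T09:12:05,bob,finance,/finance/q1.xlsx,RENAME
2017-04-20T09:13:00,bob,hr,/hr/payroll.csv,READ
2017-04-20T09:14:00,bob,finance,/finance/budget.docx,DELETE
2017-04-20T09:30:00,carol,hr,/hr/handbook.pdf,WRITE
"""
# Constructed snapshot times for the shared volume.
SNAPSHOTS = ["2017-04-20T06:00:00", "2017-04-20T09:00:00", "2017-04-20T10:00:00"]
DESTRUCTIVE = {"WRITE", "RENAME", "DELETE"}


def plan_restore(log_text, compromised_users, infection_start, snapshots):
    """Return (restore, accessed): restore maps each damaged path to the newest
    snapshot taken before its first malicious change (None if there is none);
    accessed lists paths the compromised accounts only read."""
    start = datetime.fromisoformat(infection_start)
    snaps = sorted(datetime.fromisoformat(s) for s in snapshots)
    first_hit, read_only = {}, set()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, user, _share, path, op = row
        when = datetime.fromisoformat(ts)
        if user not in compromised_users or when < start:
            continue  # activity by clean accounts, or before the infection
        if op in DESTRUCTIVE:
            first_hit[path] = min(when, first_hit.get(path, when))
        else:
            read_only.add(path)
    restore = {}
    for path, hit in first_hit.items():
        clean = [s for s in snaps if s < hit]
        restore[path] = clean[-1].isoformat() if clean else None
    return restore, sorted(read_only - set(first_hit))


if __name__ == "__main__":
    restore, accessed = plan_restore(AUDIT_LOG, {"bob"}, "2017-04-20T09:05:00", SNAPSHOTS)
    for path, snap in restore.items():
        print(f"restore {path} from snapshot {snap}")
    print("read only, review for exposure:", accessed)
```

With the sample data, both damaged files come back from the 09:00 snapshot, so the legitimate 08:55 edit to q1.xlsx is kept instead of being lost to a blanket rollback to 06:00, and the file changed by an unaffected account is left alone.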


Avoid a ‘Groundhog Day’ Scenario With Backups


While frequent backups are often a good thing, turning to them for ransomware recovery isn’t always a wise idea. The more frequent they are, the more likely your backups will be infected with ransomware as well. It is important to remember that backups are read-only, so cleaning them up is going to be a challenge too.



Evaluate the Recovery Process


Every organization has a different experience when responding to ransomware, and there will always be a learning curve. Determine what worked (and what didn’t) and take that into account to ensure that your organization is prepared for a future attack. 
