Ransomware Recovery: The Basics and 7 Critical Best Practices

What is Ransomware Recovery?

During a ransomware attack, threat actors prevent you from accessing your data by encrypting it. They demand payment in exchange for keys that enable you to decrypt the data. When a ransomware attack targets data needed for normal operations, organizations may not have access to critical information or systems needed for ongoing operations.

Ransomware recovery is a critical part of ransomware protection, which enables organizations to resume normal operations in the aftermath of a ransomware attack. It is a key component in a disaster recovery (DR) plan, which defines ways to recover from various data loss scenarios. Successful ransomware recovery can help organizations reduce the cost of downtime and minimize reputation damage and revenue losses.

Key Elements of an Effective Ransomware Recovery Plan

An effective ransomware recovery plan ensures you can readily respond to an attack without paying any ransom.

Here are tasks you should include in your ransomware recovery plan:

  • Identify the ransomware trigger files—locate and remove the ransomware executables and trigger files deployed on your devices.
  • Determine the attack style—knowing the type of ransomware will help you decide what measures you need to take. There are two main types of ransomware: encryption-based and screen-locking.
  • Disconnect all devices—to restrict the impact of ransomware and stop the attack from spreading, disconnect all vulnerable devices from your network.
  • See if a decryptor is available—the No More Ransom project, and several other online sources, provide decryptors for many types of ransomware. If a decryptor is available for your strain of ransomware, you can use it to restore your data.
  • Restore file systems—before restoring data from backup, perform an anti-malware scan on your backup systems to ensure they were not infected by ransomware as well. Otherwise, you risk re-infecting production systems when restoring data. After being sure that backups are clean, restore lost data from backups.

How to Restore Data After a Ransomware Attack

Here are several methods you can use to restore data following a ransomware attack:

  • Bare metal restore
    Scenario: Threat actors encrypted the entire server.
    How it works: Set up data backup that enables you to restore your computer system from its bare-metal state. This recovery type should not involve reinstalling operating systems or manually configuring hardware.
  • Granular restore
    Scenario: Quickly restoring specific data.
    How it works: Set up data backup that enables you to immediately restore specific data and recover the rest later. The goal is to quickly enable the business to resume operations before all systems are recovered.
  • Instant rollbacks from VMs
    Scenario: Quickly resume operations.
    How it works: Instant rollbacks enable you to restore data from virtual machines (VMs) in a matter of minutes. The goal is to resume operations immediately even if the ransomware still exists in the environment.
  • Data center on-demand
    Scenario: Restore all data from a third-party server.
    How it works: You can send a copy of your primary data to an offsite server hosted by a service provider. This option lets you restore data from a different environment.

Each recovery option fits different scenarios, depending on the scope of the attack. You can choose the option that suits your needs and allows you to resume normal operations during and after a ransomware attack.

7 Ransomware Recovery Best Practices

Perform Backups of Critical Data

Most ransomware attacks aim to prevent victims from accessing critical data until they pay a ransom fee. You can mitigate this risk by backing up your critical data. If ransomware encrypts your data, you can use backups to restore your access without meeting the attacker's demands.

Here are key points to consider when backing up your critical data:

  • Store backups so attackers cannot access them via the network—keep the backup on an external device, or disconnect it, so a ransomware attack will not compromise it.
  • Remember to address the initial vulnerability—when you restore an entire system from backup, you return to a point where you probably still have the vulnerability the attackers exploited. Ensure your ransomware recovery procedures include identifying and remediating the attack's root cause.

Protect Backups from Ransomware

Backups are an important way to protect against ransomware, but if you don’t take the appropriate measures, ransomware attacks can reach your backups as well. If ransomware manages to encrypt backups, there may be no way to restore your data.

Follow these best practices to protect your backups against ransomware:

  • Maintain an offline backup—modern backup systems are connected to production systems and synchronized on a regular basis. Therefore, an important protective measure is to maintain an offline backup that is not directly connected to your network.
  • Use immutable storage—regular automated backups will continue to operate even though a ransomware process has infected your system. This could cause the new, encrypted files to replace your backups. To solve this problem, many storage solutions support a standard called Write-Once-Read-Many (WORM). This lets you store data in a format that is locked against modification.
  • Endpoint protection on backup servers—a backup server is a critical resource, which should be protected by modern endpoint protection solutions. These platforms can block known types of ransomware and automatically detect abnormal behavior of system processes which may indicate an unknown ransomware strain. They can also prevent ransomware from spreading throughout the network.
  • Increase backup frequency—determine your recovery point objective (RPO) and set backup frequency accordingly. Consider the damage caused by losing all data since your most recent backup. For business-critical applications you may need to back up data multiple times per day, once per hour, or more frequently.

Recover Safely

Restoring data before neutralizing the ransomware might allow the attacker to compromise the system or data again. Start recovering operations only once you have neutralized the ransomware, which may mean recovering data in isolation or onto a new system. Also, ensure you recover to an isolated environment that the original ransomware cannot access.

Decrypt Data

In a ransomware attack, attackers encrypt data, and demand that you pay a ransom fee to decrypt and recover it. However, if a decryptor exists for the ransomware used in the attack, you can decrypt your existing data to make a full recovery.

You must conduct decryption in a secure environment. If you cannot neutralize the ransomware, you may need to decrypt your data in an isolated environment.

Prioritized Recovery

Create a plan that outlines which applications and lines of business you will prioritize. Ensure that foundational services needed for core functionality, including DHCP, authentication, and DNS, are running and restored first. Recovered systems need these basic services to function effectively.

Use Automation

You can use automation to speed up recovery; however, you may not need automation for all scenarios. Here are examples of where automation can be useful:

  • NAS systems that have tens or hundreds of shares
  • Entire virtual environments with hundreds or thousands of VMs
  • Database servers with numerous databases
  • File sets across multiple servers that need to be recovered to the same point in time
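The prioritized-recovery and automation points above (foundational services first; many file sets recovered to the same point in time; backups scanned for malware before restoring) combine into a small planning step. This added example is not from the original article or from NetApp; it uses a constructed inventory with hypothetical host names and a constructed snapshot catalogue with made-up scan verdicts.

```python
from datetime import datetime

# Constructed sample inventory (hypothetical host names): system -> systems it needs first.
DEPENDENCIES = {
    "dhcp01": [],
    "dns01": ["dhcp01"],
    "auth01": ["dns01"],
    "db01": ["auth01"],
    "nas01": ["auth01"],
    "app01": ["db01", "auth01"],
}

# Constructed backup catalogue: one snapshot per system per day with its scan verdict.
DATES = [datetime.fromisoformat(d) for d in ("2024-05-01", "2024-05-02", "2024-05-03")]
VERDICTS = {
    "dhcp01": ["clean", "clean", "clean"],
    "dns01": ["clean", "clean", "clean"],
    "auth01": ["clean", "clean", "infected"],
    "db01": ["clean", "clean", "clean"],
    "nas01": ["clean", "clean", "clean"],
    "app01": ["clean", "infected", "clean"],
}
SNAPSHOTS = {s: dict(zip(DATES, v)) for s, v in VERDICTS.items()}

def restore_waves(deps):
    """Restore waves: each system comes after everything it depends on.
    Wave 0 is the foundational tier (DHCP, then DNS, then authentication here)."""
    remaining = {s: set(d) for s, d in deps.items()}
    waves = []
    while remaining:
        ready = sorted(s for s, d in remaining.items() if not d)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        waves.append(ready)
        for s in ready:
            del remaining[s]
        for d in remaining.values():
            d.difference_update(ready)
    return waves

def common_restore_point(snapshots, infection_time):
    """Latest time before infection_time at which every system has a clean snapshot,
    so all file sets return to the same point in time; None if no such time exists."""
    candidates = None
    for snaps in snapshots.values():
        clean = {t for t, v in snaps.items() if v == "clean" and t < infection_time}
        candidates = clean if candidates is None else candidates & clean
    return max(candidates) if candidates else None
```

With the sample data, one infected snapshot on auth01 and one on app01 push the common clean restore point back to the first day, which is the cost of recovering every file set to the same point in time.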

Ransomware Recovery with NetApp Cloud Backup

NetApp understands ONTAP better than anyone else, which is why the best backup solution for ONTAP systems is NetApp Cloud Backup. Designed by NetApp specifically for ONTAP, Cloud Backup automatically creates block-level incremental-forever backups. These copies are stored in object format and preserve all of ONTAP’s storage efficiencies. Your backups are 100X faster to create, easy to restore, and much more reliable than with any other solution.

Cloud Backup simplifies the entire backup process. It’s intuitive, quick to deploy, and managed from the same console as the rest of the NetApp cloud ecosystem. Whether you’re looking for a less expensive way to store your backups, a faster, more capable technology than NDMP, or an easy way to enable a 3-2-1 strategy, Cloud Backup offers the best backup solution for ONTAP.

NetApp Ransomware Protection Solution

NetApp Ransomware Protection is a comprehensive set of data-centric capabilities that allows you to protect your data estate with a Zero Trust approach from the inside out. It enables you to map and classify your data, detect abnormal user activity, manage access, and avoid costly downtime using rapid backup and restore. IT teams can apply these advanced defense mechanisms to strengthen cyber resiliency and make sure the most critical data stays protected.

Semion Mazor, Product Marketing Manager