Ransomware response (backup and restore)

Topic: Backups recovery

Summary

When ransomware encrypts or destroys data, isolate affected systems, determine scope, and restore from a backup that is known to be clean and immutable. Do not pay the ransom without a legal and executive decision; focus on recovery from backups. Use this when building a ransomware response plan or during an incident.

Intent: How-to

Quick answer

  • Isolate: disconnect affected systems from the network to stop spread. Identify which systems and data are encrypted or destroyed; do not reconnect until you have a clean restore path.
  • Restore from a backup that is offline or immutable (not writable by the same credentials that run production). Verify the backup is from before the infection; scan restored data, if possible, before bringing systems back.
  • Do not pay the ransom without legal and leadership approval; payment does not guarantee decryption and funds further crime. Restore from backup; patch and harden; improve backup isolation and access control for the future.

Prerequisites

Steps

  1. Isolate and assess

    Disconnect affected hosts from the network (unplug or segment). Identify encrypted or deleted data and the likely time of compromise. Determine which backup is from before that time and is not on a system the attacker could have encrypted.

  2. Restore from clean backup

    Restore from a backup that is stored offline or in an immutable store (not deletable by production credentials). Restore to clean systems (rebuilt or new). Scan restored data for malware if tools exist; then bring systems back online in a controlled order.

  3. Do not pay without approval

    Paying the ransom is a business and legal decision; do not pay without executive and legal approval. Assume payment may not result in decryption; prioritize restore from backup and improving defenses.

  4. Harden and improve

    Patch and harden restored systems; change all credentials; review backup access so backup storage cannot be encrypted by the same threat. Add immutable or offline backup copies; test restore.

Verification

Affected systems are isolated; restore is from a known-clean backup; runbook and backup design reduce the chance backup is encrypted in a future incident.

Troubleshooting

Backup also encrypted — Use a backup that was offline or in a separate account with different credentials; fix the design for next time.

No clean backup — Restore from the oldest backup and accept data loss; consider professional recovery services for critical data.
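The restore-point selection from steps 1 and 2 and the two troubleshooting cases above, as an added Python example that is not part of this runbook. It assumes that an integrity manifest (path to SHA-256) was recorded when each backup was taken, so a copy rewritten after the fact can be detected; the snapshot names, timestamps, the production credential name `prod-backup-agent` and all file contents are constructed for the example.

```python
# Added example (not from the original runbook): choose a restore point that
# predates the compromise and sits where production credentials cannot reach
# it, then verify its contents against the manifest recorded at backup time.
# Every snapshot, timestamp and credential name below is constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

PROD_CREDENTIAL = "prod-backup-agent"  # assumed: credential the production backup job runs under


@dataclass
class BackupSnapshot:
    name: str
    taken_at: datetime
    storage: str            # "production", "offline" or "immutable"
    credential_scope: str   # credential set able to modify or delete this copy
    files: dict             # path -> content bytes (stand-in for backup content)
    manifest: dict          # path -> sha256 hex recorded when the backup was taken


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_snapshot(snap: BackupSnapshot) -> list:
    """Return integrity problems; an empty list means the copy matches its manifest."""
    problems = []
    for path, expected in snap.manifest.items():
        data = snap.files.get(path)
        if data is None:
            problems.append(f"{snap.name}: {path} missing")
        elif sha256_hex(data) != expected:
            problems.append(f"{snap.name}: {path} hash mismatch (modified after backup)")
    for path in sorted(set(snap.files) - set(snap.manifest)):
        problems.append(f"{snap.name}: {path} not in manifest (unexpected file)")
    return problems


def is_isolated(snap: BackupSnapshot) -> bool:
    """Isolated = offline/immutable storage AND not writable by production credentials."""
    return snap.storage in ("offline", "immutable") and snap.credential_scope != PROD_CREDENTIAL


def select_restore_point(snapshots, compromise_time):
    """Return (snapshot, status) or (None, reason).

    Preferred: newest isolated, pre-compromise copy whose manifest verifies.
    Fallback ("no clean backup"): oldest pre-compromise copy that still verifies,
    even though production credentials could reach it; data loss is accepted.
    """
    pre = [s for s in snapshots if s.taken_at < compromise_time]
    isolated = sorted((s for s in pre if is_isolated(s)), key=lambda s: s.taken_at, reverse=True)
    for s in isolated:
        if not verify_snapshot(s):
            return s, "clean"
    for s in sorted(pre, key=lambda s: s.taken_at):
        if not verify_snapshot(s):
            return s, "degraded: copy was reachable by production credentials; confirm the store itself was not tampered"
    return None, "no pre-compromise backup verifies; consider professional recovery"


def _snapshot(name, when, storage, scope, files, tampered=None):
    """Build a constructed snapshot; 'tampered' simulates ransomware rewriting files after backup."""
    manifest = {p: sha256_hex(c) for p, c in files.items()}
    if tampered:
        files = {**files, **tampered}
    taken = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
    return BackupSnapshot(name, taken, storage, scope, files, manifest)


# Constructed sample content: plaintext originals and their post-encryption form.
ORIGINAL = {"db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);", "docs/plan.txt": b"Q3 plan v2"}
ENCRYPTED = {"db/customers.sql": b"\x8a\x11\x42ciphertext-blob-1", "docs/plan.txt": b"\x03\xf9ciphertext-blob-2"}
COMPROMISE_TIME = datetime(2024, 6, 2, 3, 0, tzinfo=timezone.utc)  # constructed: from triage in step 1

SNAPSHOTS = [
    # on production storage, same credentials as the victim hosts: encrypted in place by the threat
    _snapshot("nightly-0601", "2024-06-01T01:00", "production", PROD_CREDENTIAL, ORIGINAL, tampered=ENCRYPTED),
    # taken after the compromise: isolated and internally consistent, but it backed up ciphertext
    _snapshot("vault-0602", "2024-06-02T05:00", "immutable", "vault-writer", ENCRYPTED),
    _snapshot("vault-0531", "2024-05-31T01:00", "immutable", "vault-writer", ORIGINAL),
    _snapshot("vault-0524", "2024-05-24T01:00", "immutable", "vault-writer", ORIGINAL),
    # older, intact, but reachable by production credentials: fallback only
    _snapshot("nightly-0525", "2024-05-25T01:00", "production", PROD_CREDENTIAL, ORIGINAL),
]

if __name__ == "__main__":
    chosen, status = select_restore_point(SNAPSHOTS, COMPROMISE_TIME)
    print(chosen.name if chosen else None, status)
    for s in SNAPSHOTS:
        for problem in verify_snapshot(s):
            print("  ", problem)
```

Note that `vault-0602` passes hash verification even though it contains ciphertext: a manifest only proves the copy was not altered after it was written, so the time-of-compromise check from step 1 is what excludes it. Conversely, `nightly-0601` predates the compromise but fails verification because the attacker could write to it, which is the "backup also encrypted" case; the immutable `vault-0531` copy is the one the runbook's step 2 restores from.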
