It’s your company’s worst nightmare: attackers managed to sneak ransomware onto your servers. Now, you’re locked out of every file unless you agree to pay whatever price they’re asking. As if the situation couldn’t get any worse, the attackers disappear without a trace and you can’t even pay their ransom to unlock your files. What do you do now?

Why Attackers Disappear

Many companies faced this when cyber crime organizations REvil and DarkSide disappeared overnight. The attackers held systems and terabytes of data hostage and demanded huge sums of money in exchange for the keys to unlock the files. With no one to pay, entertaining the idea of handing over the money was off the table.

Sometimes gangs crumble under pressure from law enforcement. In some cases, police or federal agencies seize the attackers’ servers, stopping them in their tracks. Alternatively, police may arrest the attackers and put them in jail or prison. Either outcome could give law enforcement access to the attackers’ decryption keys, which they can then use to unlock victims’ files.

In other cases, the ransomware groups get scared and abandon their efforts, possibly from heightened media attention, or the fear they may be caught and criminally prosecuted. Others simply don’t have the ability to follow through and decrypt the data. Those groups hope victims will pay before they discover the ruse. Once your money is in their account, they disappear, leaving you without your cash or data.

The threat of getting caught, however, isn’t enough to scare off groups hoping to score big with ransomware attacks. They can — and in some cases do — start up again under a different name.

Don’t Pay Up

To be clear, paying the ransom is typically a bad idea, and we don’t recommend it. There isn’t any guarantee the attackers will decrypt your data. They may also have duplicated your files with plans to release everything online, in which case you just paid cyber criminals to leak your company’s sensitive data. In most cases, it’s better to deal with the situation as if the attackers disappeared. Of course, if they really are gone, you have no choice but to recover your data without their involvement.

What to Do When You Discover an Attack

Identifying the malware threat is critical to recovering. Once you know a breach has happened, isolate and remove all devices suspected of infection from the network. If someone catches the threat quickly enough, it may be possible to keep it from spreading to more devices or departments. ID Ransomware and Crypto Sheriff offer online tools to help identify ransomware threats. ID Ransomware can detect and identify threat profiles, whereas Crypto Sheriff offers some decryption tools.

Be sure to check every device with access to your network for the malware threat. In some cases, it may lie dormant for some time before activating and encrypting files. Catching every device that’s been compromised, whether or not its payload has activated, helps protect you from additional attacks.

At this stage, people often forget to check computers and mobile devices that are used outside your network but connect to it directly or remotely. That can include personal devices, too.

What Role Does Law Enforcement Play?

It’s also important to notify law enforcement of the ransomware attack. Reports help the FBI identify and track cyber threats, and in some cases, the agency may have recovered digital keys to unlock encrypted files. The FBI’s Internet Crime Complaint Center website includes a form for reporting ransomware attacks.

Law enforcement can also help with forensic analysis to uncover just how the attackers breached your computers and servers. The evidence uncovered could help identify the method of attack, track down the attackers and possibly even lead to criminal prosecution.

Recovering From Ransomware Damage

You have two choices for removing the malware from your systems: clean the malware off the affected devices, or wipe them and restore data from backups. Even once the ransomware is gone from your network, you still need to deal with the encrypted files. If decryption tools can’t help, it’s time to restore your data from backups. Depending on how much you need to restore, the process can take days. So, prepare for some downtime.

Choosing to wipe and reformat devices cuts down the risk of missing infected files and hidden malware installers. It also means you’re essentially ‘starting from scratch’ with your recovery and setup process. Don’t restore software from backups in case the malware payload installer hid inside one of the apps you rely on. Instead, reinstall the software from trusted sources, like the installers provided by the vendor or downloads from the developer’s website.

How to Restore From Backups

Restoring data from backups is a little trickier because you don’t want to risk reinstalling, by mistake, the malware that started the problem. Research your backups to find the earliest trace of the ransomware, which may be earlier than when its payload activated and started encrypting files. Look for file dates that coincide with the attack, as well as any other telltale signs that match patterns of the specific malware threat you’re dealing with.

Restore from backups that predate the malware’s first appearance and, if possible, that were never physically connected to your network during the attack. Falling back to data that didn’t touch your impacted systems reduces the risk of accidentally reintroducing the threat. Offsite backups that haven’t connected to your network since the attack started are a good place to start.
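The two steps above (find the earliest trace of the ransomware across your backups, then restore from the newest snapshot before it) can be turned into a repeatable check. The following script is an added example, not code from the original article or from any vendor. It walks a set of backup snapshots from oldest to newest, looks for three kinds of telltale signs (a ransom-note file name, a known-bad file hash, and a high share of files that look encrypted), and reports the first snapshot that shows a sign together with the last clean one before it. The snapshots, the note and extension patterns, and the known-bad hash are all constructed for the example; in practice the patterns and hashes come from the profile of the specific strain you identified (for instance via ID Ransomware).

```python
"""
Pick the newest backup snapshot that predates the first sign of ransomware.

Added example, not part of the original article. All snapshots and indicator
patterns below are constructed for illustration; real indicators come from
the profile of the strain you are actually dealing with.
"""
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample data: a few plaintext documents, a stand-in for encrypted
# bytes (all 256 byte values, entropy 8.0), and a stand-in for a dropped binary.
PLAINTEXT = b"Quarterly report: revenue up 4% year over year.\n" * 4
CIPHERTEXT = bytes(range(256))
DROPPER = b"MZ" + bytes(range(256))

# Hypothetical indicators of compromise for an unnamed strain (constructed).
RANSOM_NOTE_RE = re.compile(r"(readme|how_to|restore).*decrypt", re.I)
ENCRYPTED_EXT_RE = re.compile(r"\.(locked|crypt)$", re.I)
# In practice this set holds the published hashes of the strain's dropper/payload.
KNOWN_BAD_HASHES = {hashlib.sha256(DROPPER).hexdigest()}
ENTROPY_THRESHOLD = 7.0        # bits per byte; encrypted data sits near 8.0
ENCRYPTED_RATIO_LIMIT = 0.30   # flag a snapshot when >30% of its files look encrypted

# Constructed snapshots keyed by ISO-8601 timestamp: the dropper lands on 05-02
# (nothing encrypted yet), mass encryption and the ransom note appear on 05-03.
SNAPSHOTS: dict[str, dict[str, bytes]] = {
    "2024-05-01T02:00:00": {
        "docs/report.docx": PLAINTEXT, "docs/plan.xlsx": PLAINTEXT, "docs/memo.txt": PLAINTEXT,
    },
    "2024-05-02T02:00:00": {
        "docs/report.docx": PLAINTEXT, "docs/plan.xlsx": PLAINTEXT, "docs/memo.txt": PLAINTEXT,
        "tmp/updater.exe": DROPPER,
    },
    "2024-05-03T02:00:00": {
        "docs/report.docx.locked": CIPHERTEXT, "docs/plan.xlsx.locked": CIPHERTEXT,
        "docs/memo.txt.locked": CIPHERTEXT, "docs/README_DECRYPT.txt": b"your files are encrypted",
        "tmp/updater.exe": DROPPER,
    },
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain documents score well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot_indicators(files: dict[str, bytes]) -> list[str]:
    """Return the reasons a snapshot looks touched by ransomware (empty if clean)."""
    reasons: list[str] = []
    encrypted_looking = 0
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        if RANSOM_NOTE_RE.search(name):
            reasons.append(f"ransom note: {path}")
        if hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES:
            reasons.append(f"known-bad hash: {path}")
        if ENCRYPTED_EXT_RE.search(name) or shannon_entropy(content) >= ENTROPY_THRESHOLD:
            encrypted_looking += 1
    # The ratio test alone would also count legitimate packed binaries, so it
    # is only treated as a sign when a large share of the snapshot is affected.
    if files and encrypted_looking / len(files) > ENCRYPTED_RATIO_LIMIT:
        reasons.append(f"{encrypted_looking}/{len(files)} files look encrypted")
    return reasons


def choose_restore_point(snapshots: dict[str, dict[str, bytes]]) -> tuple[str | None, str | None]:
    """Return (first snapshot showing an indicator, last clean snapshot before it).

    Snapshots are walked oldest to newest and the walk stops at the first sign,
    so a dormant dropper that arrives before encryption starts still pushes the
    restore point back to the snapshot before it landed.
    """
    last_clean: str | None = None
    for ts in sorted(snapshots, key=datetime.fromisoformat):
        if snapshot_indicators(snapshots[ts]):
            return ts, last_clean
        last_clean = ts
    return None, last_clean


if __name__ == "__main__":
    for ts in sorted(SNAPSHOTS):
        print(ts, snapshot_indicators(SNAPSHOTS[ts]) or "clean")
    first_bad, restore_from = choose_restore_point(SNAPSHOTS)
    print(f"first sign of compromise: {first_bad}; restore from: {restore_from}")
```

Run as-is, the script flags the 05-02 snapshot on the dropper's hash even though no file is encrypted yet, and therefore recommends restoring from 05-01 rather than 05-02. The entropy and extension checks are heuristics: a legitimately compressed or packed file also scores near 8 bits per byte, which is why the example only treats a snapshot-wide ratio, not a single file, as a sign.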

Protecting Yourself From More Attacks

Recovering from a ransomware attack is expensive. Along with the cost of time spent to regain access to your data, there’s also the cost of lost business, lost customer trust, damaged employee morale and potentially seeing your proprietary or customer data dumped on the internet. Taking measures to avoid another attack is critical. As General H. Norman Schwarzkopf said during his 1991 Naval Academy graduation speech, “The more you sweat in peace, the less you bleed in war.”

Ongoing training for front-line workers all the way up to the C-suite can help make employees more aware of what to look for in phishing attacks and other schemes that open the door for attackers. Keeping applications and system software up to date cuts down on security threats. Staying on top of security software updates helps catch and stop attacks before they become a problem.

Routinely checking backups, and including off-site backups as part of your data protection strategy, keeps you ready for any data loss scenario. Periodically performing audits and tests to find potential security holes in your network and software is important, too.

Falling victim to a ransomware attack is time-consuming and expensive, and losing contact with the group targeting you makes the situation even more stressful. It doesn’t, however, mean you’re dead in the water. With some planning and good data backups, you can recover and move forward.
