If the unthinkable has happened, you may now be wondering what to do during a ransomware attack. In another blog post, we talked about four strategies for identifying and stopping common ransomware behavior. If it’s too late for defense, in this issue we’ll review the strategies you can use to recover from a ransomware attack.

Without the right mitigation and future-proofing, an attack will most certainly happen again. The steps you take in the wake of ransomware incidents are crucial for your business continuity and even for the fate of your company.

If you’re frantically Googling “how to recover files from ransomware” or “what to do if you get ransomware,” you’ve come to the right place. From trying to decrypt the files, to contacting law enforcement, here are five tips and best practices for what to do when ransomware strikes.

1. Restore from Backup

Maintaining regular backup systems, files, and applications is the best way to mitigate ransomware incidents. It’s essential that these backups are stored in a separate location that the malware cannot reach, such as an offline system or cloud storage. Otherwise, many clever ransomware designers have found ways to discover a file's backups—and encrypt them, too.

Even if your IT environment becomes the victim of a ransomware attack, you can simply restore from backup and regain access in a matter of hours. While losing hours or days of work is less than ideal, it far surpasses the alternative of permanently losing access to your files and endpoints.

2. Try Recovering the Files

If you don’t have backups on hand, the next best option is to try to decrypt the files and systems that you’ve lost access to. Unfortunately, the question of how to recover files from ransomware can be quite hit-or-miss, depending on the ransomware strain.

Certain variants of ransomware have been “cracked,” allowing users to decrypt an encrypted file. With others, however, there’s no such luck. Websites such as Kaspersky’s No Ransom offer free ransomware decryption tools for specific ransomware strains, so it’s worth checking to see if yours is on the list.

3. Paying the Ransom Is an Option, But Not Advised

Without backups and no decryption key available, the next action you might consider after being hit by ransomware is paying the ransom. The ransom note will usually specify the amount required to regain access to your files, as well as where to send it (usually via a cryptocurrency such as Bitcoin).

Not only does paying the ransom encourage the attackers, but it may also not even be worth it. According to a 2021 study, just 29% of ransomware victims were able to restore all of their encrypted files and systems, while 50% lost at least some files even after payment.

4. Contact the Authorities

As you recover from a ransomware attack, contacting law enforcement agencies—from your local police department all the way up to the FBI—is a wise decision. It may even be a legal obligation, depending on the relevant laws and regulations that govern your organization, or a requirement on the part of your insurance company.

Reporting the incident to the authorities is particularly important if it impacts a large number of people, involves significant data loss, or affects industries such as healthcare, infrastructure, government, or national security. When making a report to law enforcement, be prepared with the salient facts of the incident: the date of the attack, the ransomware variant (usually visible in the ransom note), the method of infection (if known), the size of the ransom, the address where the attackers are requesting payment, etc.

5. Protect Against Future Cyber Attacks

Last but not least, guarding against future malware attacks is a crucial step for recovering from ransomware. If you want to protect your organization from the same fate again, follow the guidance below:

• Shore up your incident response plans for responding to, and remedying a malware attack. Use techniques such as tabletop exercises to simulate your ransomware response and identify points of improvement.
• Understand the most common points of entry for ransomware. Phishing emails and Microsoft’s Remote Desktop Protocol, which allows IT administrators to access a computer remotely, are the most frequent ransomware attack vectors.
• Install the latest security upgrades and patches. Out-of-date systems are a tempting target for ransomware attackers who know exactly which vulnerabilities they can exploit.

How to Get Started with Ransomware Defense

Knowing what to do during a ransomware attack is critical so that your business can get back on track as soon as possible. Even more important than what to do if you get ransomware, however, is understanding how to defend against ransomware infection in the first place.

That’s precisely where we come in. UncommonX has created its patented, comprehensive MDR/XDR (extended detection and response) platform, and its 24/7 SOC to help clients with everything from protecting against cyber threats — including ransomware — to reacting and recovering after an IT security incident. Our 24/7 SOC team can serve as an extension of your in-house IT team to help with monitoring and mitigation.

Want to see how our MDR/XDR can help defend against ransomware and other cyberattacks? Get in touch with our team of experts today to discuss your business goals and requirements and to see a demo of our MDR/XDR solution.