Ransomware happens. And it’s getting worse—with data breach incidents in 2021 up 68% from 2020 (which had been called the “worst year ever” for data breaches). It’s common sense to expect that—despite the absolute best defenses—your business will get hit with ransomware at some point. Wondering what to do if you get ransomware? The best ransomware recovery solution is diligent planning. Where to start after an attack? Check out our tips below to get your business (and your data) back. Keep in mind that good planning starts before an attack and many of these checklist items require you to start now by putting measures in place to be prepared for what to do after a ransomware attack.

Steps to take after a cyber attack

  • Secure your backups. Hopefully, you’re using continuous data protection to minimize the loss of your mission-critical and sensitive data. Whether your backups are automatic or manual, once a data breach has been discovered, ensure those backups have not also been compromised and that they remain secure by disconnecting them from the network. If you aren’t backing up your data on a regular basis, get started today!
  • Isolate infected devices. Once ransomware shows up, it spreads quickly. As soon as ransomware is detected, disconnect any infected devices and systems as soon as you possibly can. Stopping the spread quickly can reduce the damage.
  • Identify the ransomware. If you’re hit, there’s a good chance that it isn’t an isolated incident. There are online databases of ransomware and decryption keys. Taking a screenshot of the ransom note and uploading it and any other identifying information may provide you with a decryption key or give you an indication of what you may be dealing with to help your recovery efforts. 
  • Analyze the damage. A key piece of knowledge to ensure a complete recovery is the ability to know exactly what damage has been done. Assess and analyze what systems and data have been affected and to what extent. What is recoverable? What is lost? What is offline and for how long?  
  • Implement your recovery plan. Part of your disaster recovery plan should address data exfiltration and ransomware. Included in that plan should be well-thought-out Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). These determine your backup strategy and recovery plans.   
  • Communicate. Everyone needs to be on the same page when it comes to a cyber attack. Ensure your disaster recovery plan includes communications. How will you notify your customers and others the breach may have affected? How will you notify your affected staff and ensure that any directions or instructions for severing devices from the network get out to those who need to take immediate action? How will those fixing the breach keep in contact with other stakeholders?
  • Report. Work with law enforcement if you’re affected by ransomware. You may be part of a broader attack that they’re already working on or the beginning of a new attack. They may have the information necessary to assist you (or you may be able to provide information that can help others). In addition, all ransomware incidents in the United States should be reported to the FBI’s Internet Crime Complaint Center (IC3). 
  • Reset all passwords. Password reset and update policies are a great idea to begin with, and all your employees should be updating their passwords on a regular basis (to passwords they’ve never used before). However, after a ransomware attack, ensure that everyone changes their passwords immediately.
  • Debrief and assess the attack and your response. You were attacked; you responded; you recovered. How did it go? Debriefing is incredibly important, and hindsight is always 20/20. Are there additional policies and safeguards you can implement to make you less vulnerable to future attacks? How was your communication? Were you able to stop the spread? Were your RPOs and RTOs correct? What went well? What could have gone better? Get together with everyone involved and answer those questions to get a sense of how to prepare for the future. 
  • Revise your recovery plan. Debriefing is great, but if those notes sit and gather dust somewhere, the debrief is worthless. Turn all the information you gleaned from debriefing and turn it into actionable items. Update your policies, procedures, and training. Cyber criminals are constantly adjusting and updating to find new attack methods—you should constantly be adjusting and updating to ensure the best possible protection and recovery from the latest ransomware trends. 

A swift and easy recovery is the goal. Don’t let a ransomware attack cost you irreparable time, money, reputation, and loyalty. Bringing in experts to plan for an attack can help you mitigate the risks of an attack as well as ensure a swift recovery when one occurs. Rubrik can help you before, during, and after an attack with solutions that protect, analyze, detect, and recover. Still have questions? Check out some answers to frequently asked questions about ransomware what-to-dos.


Can ransomware be removed?

Sometimes. It all depends on the type of ransomware that has infected your system. Some ransomware decryptors are available online for well-known ransomware. But new ransomware shows up all the time. Your best bet is to immediately isolate the devices and systems from your network until you can determine the type of ransomware and if it’s removable. In the meantime, be sure you have a strong backup and recovery plans.

Can files be recovered after a ransomware attack?

It’s never advised to pay the ransom to cybercriminals. They may return or decrypt your files if you do pay the ransom, but it’s not guaranteed, and they may keep copies of sensitive data for further blackmail. Paying a ransom to get back your data is not your only solution. A strong recovery plan should include a robust and immutable backup plan that allows you to recover the data without giving in to the criminals’ demands. 

How long does it take to recover from a ransomware attack?

The better your plan, the quicker the recovery! According to the IST Ransomware Task Force, average downtime can be 21 days, with full recovery taking 287 days. These times will vary vastly based on your preparation and the type of ransomware. Applying stringent backup solutions, detection measures, and ransomware recovery plans will minimize business disruption and keep you on track.