Ransomware Recovery Steps

You’ve been hit, now what? Ransomware has infected devices linked to your company’s network; do you know your next move?

Two of the newest ransomware families to hit cyberspace are Ryuk and Dharma. The attackers gain access by brute-forcing your company’s Remote Desktop Protocol (RDP), usually via an internal device. After forcing their way in, they encrypt files on the device, renaming them with extensions such as .bip or .combo, and shut the user out until a ransom is paid. The first step is to remove all devices from the network. Terminating every connection ensures no additional data can be compromised and the infection stops at the devices already affected.

Responding to ransomware correctly is crucial to minimizing downtime and cost. Take the following steps, in order, to keep your network secure and remain in control.

The steps to recovery from a ransomware infection depend on your company’s backup solution. If your company has valid and complete backups, no ransom needs to be paid, as long as all critical data was stored on the network. Take the following steps if your company has proper backups in place:

Backups Installed, No Ransom to be Paid

  1. Reference the Disaster Recovery plan (if one is in place); otherwise remove all devices from the network
  2. Identify and quarantine infected devices/servers
  3. Rebuild/re-image infected devices
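Step 2 above, working out which devices and shares actually hold encrypted files, can be started with a simple triage scan. The Python script below is an added example and not code from the original post; it assumes, as described for Dharma above, that encrypted files keep their original name with .bip or .combo appended, builds a constructed sample tree, and reports hits per directory so the most affected locations can be quarantined first.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article names for the Dharma family; extend the tuple
# with whatever the ransom note or samples on your network show.
RANSOM_EXTENSIONS = (".bip", ".combo")


def find_encrypted_files(root, extensions=RANSOM_EXTENSIONS):
    """Walk `root` and return (hits, per_dir).

    hits    - sorted list of paths whose name ends in one of `extensions`
    per_dir - Counter of hits per directory, to rank what to isolate first
    """
    hits = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return sorted(hits), per_dir


def triage_demo():
    """Create a constructed sample tree (not real data) and scan it."""
    tmp = tempfile.mkdtemp(prefix="ransom-triage-")
    sample = [
        "finance/q1-report.xlsx.bip",   # constructed: encrypted
        "finance/budget.docx.combo",    # constructed: encrypted
        "finance/readme.txt",           # constructed: untouched
        "hr/handbook.pdf",              # constructed: untouched
    ]
    for rel in sample:
        p = Path(tmp) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    hits, per_dir = find_encrypted_files(tmp)
    finance = per_dir[os.path.join(tmp, "finance")]
    hr = per_dir.get(os.path.join(tmp, "hr"), 0)
    return len(hits), finance, hr


if __name__ == "__main__":
    total, finance, hr = triage_demo()
    print(f"encrypted files: {total} (finance={finance}, hr={hr})")
```

Run it against each suspect share or mounted disk image from an isolated analysis host; a non-zero count is the signal to quarantine that device or share.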

To be prepared for future incidents, put both an Incident Response plan and a Disaster Recovery plan in place. Partnering with an MSP will help your company be proactive in fighting off cyberattacks.

No Backups, Ransom Paid

In the nightmare scenario where your company does not have up-to-date backups, paying the ransom is one of the only options for getting your crucial data back. After payment, each device receives a decryption tool. The tool must be run on that particular device to produce a valid scan key, and each scan key is then sent to the hacker, who returns a unique decryption key that restores access to your encrypted data. There is no precise time frame, so your company will experience downtime across the multiple steps of a ransomware breach; each step involves communication back and forth with the hacker, adding further downtime to your business. Companies make numerous mistakes when dealing with a hacker who is holding their sensitive data hostage. Do not be one of those companies. After removing all devices from the network, follow the steps below to recover from a ransomware attack.

Ransomware Recovery Steps

  1. Disconnect systems from the network
  2. Isolate infected devices as best as possible
  3. Pay the ransom and follow the hacker’s instructions
  4. Begin rebuilding the network
  5. Decrypt files and implement a secure backup solution
  6. Reach out to an MSP to help rebuild and repair


If you are experiencing a ransomware breach or incident, please do not hesitate to reach out for help. Dealing with a hacker directly typically incurs more downtime for your company. To minimize downtime and efficiently put a plan in motion, partner with experienced ransomware incident responders.
