Ransomware Recovery: Key Steps Every Firm Should Know

Ransomware is one of the biggest threats facing any business, and a successful attack can cost a company dearly. Last year saw new records set, with over $1 billion in ransomware payments handed over to criminals. This is before the associated costs such as lost business and reputation, ransomware recovery and long-term mitigation are taken into account.

In fact, the average cost of a ransomware data breach reached $4.91 million in 2024, according to IBM’s latest Cost of a Data Breach survey – and this rises to $5.21 million when there is a data exfiltration attack included.

It’s clear that to avoid these costs, ransomware prevention is better than cure. But this isn’t always possible. Even the best-prepared businesses may sooner or later fall victim to an attack, whether due to human error, zero-day vulnerabilities or fileless attacks that evade their defenses. In these cases, it’s vital to know what to do to recover quickly.

A fast response could be the difference between a manageable incident and disruption that threatens the future viability of the company. So what do businesses need to know in order to enact a successful ransomware recovery?

The first step for any firm is to ensure it has a full understanding of what has happened, what data has been compromised and the consequences of failing to respond effectively.

A key first step is establishing what type of ransomware the firm is infected with. This will help dictate the overall recovery process, as some types of ransomware may be far more disruptive than others. The key categories to be aware of are:

• Crypto ransomware – The most traditional type of ransomware, this works by encrypting key files, making them unusable unless businesses pay for the decryption key.
• Locker ransomware – Similar to crypto but more wide-ranging, this can encrypt essential system files on devices, making them completely unusable.
• Scareware – More of a social engineering attack, this aims to panic users into paying up. It may or may not actually encrypt files, but can still be very disruptive.
• Double extortion ransomware – The most popular and dangerous type of ransomware today, this also uses data exfiltration to steal confidential business information, which may then be used in further extortion. It’s sometimes called ‘doxware’ as it often threatens to publicly reveal private data unless businesses pay. 

The biggest question for many firms once a ransom demand has been made is whether or not to pay. It can be tempting to give in if businesses need to get systems back up and running quickly and minimize any downtime, but firms should think very carefully before doing this.

One of the main negatives of paying a ransom is that it marks an organization out as a worthwhile target. Once criminal gangs know that a firm is willing to pay up, this greatly increases the chances it will be targeted again. Indeed, one study found 80 percent of businesses that paid a ransom were attacked a second time. Future ransomware attacks often demand more money than initial incidents as criminals know firms are willing to pay.

There is also the fact that paying up does not guarantee you’ll get all your data back. Figures from Statista show that in 2023, more than a quarter of victims did not recover all their data. This can leave you both out of pocket and still facing the costs of disruption, so it’s a gamble that is often not worth taking.

Law enforcement groups strongly advise against paying ransoms. Aside from the issues above, the UK’s National Cyber Security Centre warns that this helps fund criminal groups. Meanwhile, the US Department of the Treasury has warned that paying ransoms to such entities may be unlawful if they are subject to sanctions.

Once a ransomware attack has been discovered – either through effective system monitoring or when a demand for payment is received – it’s important firms act quickly to contain the incident, prevent infections from spreading and enact contingency plans.

The first step must be to ensure all infected systems are isolated from the rest of the network to prevent the ransomware spreading. However, this involves more than simply switching them off.

While it can be tempting to simply shut down systems, this should be avoided unless absolutely necessary. This is because doing so may destroy any critical evidence held on the device’s memory that could be useful when investigating the incident.

Instead, it’s important to ensure all devices are fully disconnected from the network – including both wired and wireless connections. This is vital in preventing any further data exfiltration. It’s also crucial that any routine maintenance or backup tasks are paused immediately, as this can also hinder an analysis into what happened.

Turning to backups to recover lost or encrypted data is a critical part of any ransomware recovery plan. To achieve this, it’s important firms are able to classify their data and make sure snapshots of their most critical files are taken as often as possible. However, hackers are well aware of how backup data can be used to avoid paying ransoms, so often take steps to combat this strategy, such as by targeting these solutions directly. 

Therefore, you need to act carefully to ensure these files aren’t also compromised, as well as fully remove any malware from your systems before you restore any backups to avoid them immediately being targeted.

Another essential step involves ensuring relevant parties are informed about the breach. This is something many firms may be reluctant to do as they will worry about the potential reputational damage. However, reporting is often now mandatory, so the costs of not doing so can be high.

Entities that need to be informed include data protection regulators, affected employees and customers, cyber insurance providers and law enforcement.

Notifying law enforcement early isn’t just best practice. According to IBM, businesses that did this were able to lower the total cost of their breach by over $1 million, as well as reducing the time taken to fully identify and contain the incident.

The best way to ensure that you aren’t subject to repeated attacks is not to pay up. Hackers will be less motivated to try again if they encounter resistance, whereas getting paid will only provide more incentives. However, firms should also be taking steps to identify how they fell victim and address any weak spots in their systems, and then fix these as part of their ransomware prevention strategy.

This should involve a full forensic audit and review of systems to identify what went wrong. Was the breach due to an unpatched system? A configuration error? A social engineering attack?

For smaller firms, this may involve bringing in outside specialists, which can prove expensive. However, if firms have comprehensive cyber insurance coverage with provisions for ransomware, they may be able to claim back many of the direct expenses involved in these activities.

The vast majority of data breaches can be traced back to a human error at some point, such as falling for a phishing email or a misconfiguration of an application. Therefore, the chances are that most businesses will benefit from a more robust employee training program to help individuals spot some of the common entry points for ransomware, such as phishing and other social engineering attacks.

Looking closely at the anti-ransomware defenses firms have in place is also essential. By studying the attack vector, organizations can determine how they were breached and where any gaps in their solutions lie. It’s important to remember that a good data security strategy requires a defense-in-depth approach and there’s no single tool that can guard against all attacks. 

It is therefore vital firms have a comprehensive suite of tools including the following:

• Firewalls
• Email security
• Security information and event management tools
• Access controls
• Multifactor authentication
• Data encryption
• Endpoint protection

If any of these are currently missing from a business’ IT systems, this must be rectified immediately.

The biggest ransomware threats facing businesses today come from double extortion attacks. Once data is in the hands of cybercriminals, there is little that can be done. 

To avoid this issue, it’s vital that firms take steps to stop data exfiltration before it occurs. With the right ADX tools, companies will be able to use artificial intelligence to identify what normal activity looks like and automatically block any unusual behavior that can indicate a hacker attempting to send data back to its command and control center.

This ensures that even if hackers do gain access to systems, they won’t be able to steal the critical data they need to run a double extortion ransomware attack. By adding these solutions to every device on the network, firms can ensure they have a solid last line of defense that removes the need to enact a last-resort ransomware recovery plan.