10 Tips for Recovery From Ransomware Attacks

A ransomware incident can blindside an organization’s IT teams. Use these tips to ensure successful recovery from ransomware infections.

Karen D. Schwartz, Contributor

March 2, 2022

6 Min Read
10 Tips for Recovery From Ransomware Attacks
Getty Images

Ransomware attacks are among the disasters that businesses dread the most. Insidious, expensive, and reputation-crushing, ransomware can put organizations out of business for days, or even longer.

A recent report from Cybersecurity Insiders and Bitglass found that IT and security leaders regard ransomware as an “extreme” threat and expect the threat to worsen. While tools and processes can help mitigate the risks, it’s probably inevitable that most organizations will suffer a ransomware attack one day.

Here are 10 best practices for recovery from ransomware attacks, according to experts.

1. Unplug equipment right away

Once you discover you’ve been hacked, unplug everything immediately.

“I know it’s hard to actually push that red button, but it’s critical,” said Jeff Harbert, director of technical services programs at Commvault. “If encryption and ransomware hit one site, it can traverse your network and hit other systems.”

Ski Kacoroski, a systems administrator at Northshore School District in Washington state, said his team of 25 IT pros learned this lesson the hard way. Kacoroski’s team services 40 locations, 5,000 employees, and 23,000 students.

On a Saturday morning, Kacoroski said, a team member discovered that a database server wasn’t working. “When I came in, the first thing I did was check the server and turn it off, but what I should have done is pulled the plug on the entire data center,” Kacoroski explained. “But I took an hour to figure out what was going on before shutting everything down. I didn’t understand that if one server is hit in the data center, you have to assume that everything has been hit.”

2. Recover to a secure sandbox, and keep everything offline until you’re sure it’s clean

Following an attack, Harbert suggests evaluating the systems using a three-color approach:

  • Red consists of the corrupted or infected network, files, or other systems;

  • Yellow is where you plan to perform the recovery and cleanse everything; and

  • Green is where you move things once they have been cleansed. 

3. Expect Surprises 

WhenKacoroski’s team initiated recovery from its ransomware event, the team encountered plenty of surprises.

For example, the food services system, which facilitates 30,000 meals per day and generates government reports for low-income lunch reimbursement, flew under the radar for a long time, Kacoroski said. It was an old system, but it worked so well that nobody gave it a second thought. After the ransomware attack, however, the IT team discovered that the system’s data was kept on employee workstations, and everything was lost.

Omdia principal analyst Tanner Johnson discusses ransomware risks for businesses.

4. Prioritize ransomware recovery efforts

While every department will want its systems up right away, it’s important to know in advance the order in which things should be recovered.

For Northshore School District, that meant first restoring the student record and payroll systems, along with Active Directory, Kacoroski said.

5. Pay attention to backups

Hackers today intentionally target backups, which they use to move around inside networks. That means that organizations must ensure that backup systems have critical security defenses. In addition, they must ensure that settings and authorizations are properly configured.

Ever since Northshore School District’s ransomware incident, which involved losing access to Active Directory, Kacoroski said he has been a fan of using multiple backup techniques and airgaps. Today, the IT team runs to Active Directory controllers locally and in Microsoft Azure. The local backup is fully air-gapped and locked, meaning backups can’t be deleted until a designated expiration time.

6. Revisit ransomware protections frequently

The installation of tools doesn’t mean that your protection measures are sufficient. Ransomware threats continue to evolve.

That’s why Steven Hannah, chief architect at Meridian IT, a managed services provider (MSP) that helps organizations protect their data, recommends annual health checks. “It’s important to go over how an organization is recovering data, how the recovery has been working, what’s being backed up, and what’s changed,” Hannah said.

Having the help of a third party to do regular health checks isn’t a bad idea, Hannah added. Third-party firms such as MSPs may identify problems missed by internal staff.

7. Don’t be afraid to ask for help

With a small IT team, Kacoroski said he isn’t above asking for help when he needs it. With only two system administrators on staff, there simply wasn’t enough hands on deck during Northshore School District’s recovery from ransomware. Because the school district already had a working relationship with a local hosting vendor, Kacoroski asked the vendor for assistance. The vendor provided six systems administrators to help.

8. Don’t skimp on the tools

It’s generally hard to determine which tools you should own, so it’s understandable that budget-conscious IT teams hold back from acquiring certain technologies. During a ransomware event, however, you’ll recognize the importance of having the right security tools in place.

In NorthshoreSchool District’s case, the IT team had been hesitant about buying an expensive network intrusion detection tool. After its recovery from ransomware, the team didn’t think twice about implementing the security technology. In addition to deploying a security monitoring system from SIEMonster, the team replaced Microsoft Defender with MalwareBytes endpoint protection to safeguard Windows workstations, Kacoroski said.

9. Consider moving more resources to the cloud

Prior to the ransomware attack, Northshore School District used cloud computing for only application services, Kacoroski noted. Everything else used an on-premises data center.

When the ransomware hit the data center, IT staff decided it was time to move more resources to the cloud. The transition included migrating an on-premises version of a student records system. The move to cloud meant the team didn’t have to rebuild 24 local servers.

10. Prepare for the next ransomware attack

Although it may be hard to think about, your organization will face another ransomware attack sometime down the line.

Organizations can prepare for that future attack by developing a disaster recovery plan, Hannah said. A disaster recovery plan requires that organizations prepare on a business and technology level, which will enable rapid recovery from ransomware attacks.

It’s also worth considering cyber insurance, which can cover some of the ransomware recovery costs, Hannah added.

About the Author(s)

Karen D. Schwartz


Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive


Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like