For any organization struck by ransomware, business leaders always ask “how do we decrypt the data ASAP, so we can get back in business?”
The good news is that ransomware-encrypted files can sometimes be decrypted. The bad news is that, most of the time, decryption does not work:
- Decryption tools and keys obtained by paying the ransom don’t always work.
- Free decryption tools don’t always work.
- Paid third-party decryption tools don’t always work.
The best defense, and the best option for recovery, will always be the availability of sufficient, isolated data backups and a practiced restoration process. However, even with the best planning, organizations can find a few users, machines, or systems that were overlooked, or whose backups turn out to be corrupted or encrypted.
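Whether a backup is actually usable is something to check before the incident, not during it. The script below is an added example, not code from the original article: it verifies a backup set against a sha256sum-style manifest captured at backup time, reports files that are missing or whose hash no longer matches, and flags mismatched files whose byte entropy is near 8 bits per byte, the signature of data that has been encrypted rather than merely edited. The manifest format, the directory layout and the sample files are constructed here so it runs offline; the 7.5 bits/byte threshold is an assumption, not a value from the page.

```python
"""Verify a backup set before relying on it for ransomware recovery.

Added example (not from the original article). Assumes the backup was captured
together with a manifest of SHA-256 hashes, one "<hex>  <relative path>" per
line as produced by `sha256sum`. Sample backup files and the manifest are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte (assumed); encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(manifest_path: str) -> dict:
    """Map relative path -> expected SHA-256 from a sha256sum-style manifest."""
    expected = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            digest, _, rel = line.partition("  ")
            expected[rel] = digest.lower()
    return expected


def verify_backup(root: str, manifest_path: str) -> dict:
    """Classify every manifest entry as ok, missing, mismatch, or suspect_encrypted."""
    report = {"ok": [], "missing": [], "mismatch": [], "suspect_encrypted": []}
    for rel, digest in sorted(parse_manifest(manifest_path).items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        if sha256_file(path) == digest:
            report["ok"].append(rel)
            continue
        report["mismatch"].append(rel)
        with open(path, "rb") as f:
            sample = f.read(1 << 20)  # first MiB is enough to judge entropy
        if shannon_entropy(sample) > ENTROPY_THRESHOLD:
            report["suspect_encrypted"].append(rel)
    return report


def build_sample_backup() -> tuple:
    """Constructed sample: two intact files, one overwritten with random bytes
    (simulating in-place encryption), one deleted. Returns (root, manifest)."""
    root = tempfile.mkdtemp(prefix="backup-")
    files = {
        "finance/ledger.csv": b"date,amount\n" + b"2024-01-01,100\n" * 2000,
        "hr/policy.txt": b"Employees must ... " * 500,
        "ops/runbook.md": b"# Runbook\n" + b"step\n" * 3000,
        "legal/contract.docx": b"PK" + b"\x00" * 4000,
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    manifest = os.path.join(root, "MANIFEST.sha256")
    with open(manifest, "w", encoding="utf-8") as f:
        for rel in files:
            f.write(f"{sha256_file(os.path.join(root, rel))}  {rel}\n")
    # Simulate damage discovered at restore time: one file "encrypted", one gone.
    with open(os.path.join(root, "ops/runbook.md"), "wb") as f:
        f.write(os.urandom(len(files["ops/runbook.md"])))
    os.remove(os.path.join(root, "legal/contract.docx"))
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_backup()
    for category, paths in verify_backup(root, manifest).items():
        print(f"{category}: {paths}")
```

The manifest must live somewhere the ransomware cannot reach (with the isolated backup itself, or on write-once media); a manifest stored next to the live data can be encrypted or rewritten along with it, which is why the check is only meaningful as part of a practiced restoration drill.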
What can be done to recover from ransomware attacks when backups are not available?
The First Calls After an Attack
First, call the cyber insurance company that issued the organization’s cybersecurity policy. Most insurance companies require specific incident response vendors, procedures, and reporting, and those conditions must be followed for the organization to remain covered under the policy.
Insured companies often will have few options of their own. Instead, the cyber insurance company will take full control of the response, and the insured company will need to follow its instructions.
If the organization does not have insurance, then the fastest way to recover is to call an MSSP, incident response specialist, or ransomware recovery specialist. Executives, legal counsel, and law enforcement such as the local office for the FBI or police should also be on the incident response phone list for early contact.
Before Decryption, Block the Attacks
Whether handing off recovery to the insurance company, paid incident response professionals, or attempting recovery in-house, the next steps will generally be the same:
- Stop the spread of the ransomware.
- Eliminate attacker access.
- Begin work on recovery.
Note that decryption is not a consideration until at least step three because the IT team cannot safely attempt any decryption without stopping the spread of ransomware or blocking access that attackers might use to interfere with recovery. These steps are covered in more depth in How to Recover From a…