It’s your company’s worst nightmare: attackers managed to sneak ransomware onto your servers. Now, you’re locked out of every file unless you agree to pay whatever price they’re asking. As if the situation couldn’t get any worse, the attackers disappear without a trace and you can’t even pay their ransom to unlock your files. What do you do now?

Why Attackers Disappear

Many companies faced this when cyber crime organizations REvil and DarkSide disappeared overnight. The attackers held systems and terabytes of data hostage and demanded huge sums of money in exchange for the keys to unlock the files. With no one to pay, entertaining the idea of handing over the money was off the table.

Sometimes gangs crumble under pressure from law enforcement. In some cases, police or federal agencies take control of the attackers’ servers, stopping them in their tracks. In others, police arrest the attackers, landing them in jail or prison. Either outcome can give law enforcement access to the attackers’ decryption keys, which they can then use to unlock victims’ files.

In other cases, the ransomware groups get scared and abandon their efforts, possibly from heightened media attention, or the fear they may be caught and criminally prosecuted. Others simply don’t have the ability to follow through and decrypt the data. Those groups hope victims will pay before they discover the ruse. Once your money is in their account, they disappear, leaving you without your cash or data.

The threat of getting caught, however, isn’t enough to scare off groups hoping to score big with ransomware attacks. They can — and in some cases do — start up again under a different name.

Don’t Pay Up

To be clear, paying the ransom is typically a bad idea, and we don’t recommend it. There isn’t any guarantee the attackers will decrypt your data. They may also have duplicated your files with plans to release everything online, in which case you just paid cyber criminals to leak your company’s sensitive data. In most cases, it’s better to deal with the situation as if the attackers disappeared. Of course, if they really are gone, you have no choice but to recover your data without their involvement.

What to Do When You Discover an Attack

Identifying the malware threat is critical to recovery. Once you know a breach has happened, isolate all devices suspected of infection and remove them from the network. If someone catches the threat quickly enough, it may be possible to keep it from spreading to more devices or departments. ID Ransomware and Crypto Sheriff offer online tools to help identify ransomware threats. ID Ransomware can detect and identify threat profiles, whereas Crypto Sheriff offers some decryption tools.

Be sure to check every device with access to your network for the malware threat. In some cases, it may lie dormant for some time before activating and encrypting files. Catching every device that’s been compromised, regardless of whether it has an active payload, helps protect you from additional attacks.

At this stage, people often forget to check computers and mobile devices that are used outside the office but still connect to your network, whether directly or remotely. That can include personal devices, too.

What Role Does Law Enforcement Play?

It’s also important to notify law enforcement of the ransomware attack. Reports help the FBI identify and track cyber threats, and in some cases, the agency may have recovered digital keys to unlock encrypted files. The FBI’s Internet Crime Complaint Center website includes a form for reporting ransomware attacks.

Law enforcement can also help with forensic analysis to uncover just how the attackers breached your computers and servers. The evidence uncovered could help identify the method of attack, track down the attackers and possibly even lead to criminal prosecution.

Recovering From Ransomware Damage

You have two choices when deleting the malware from your systems: remove the malware itself, or wipe the affected devices and restore data from backups. Even once you’ve wiped the ransomware from your network, you still need to deal with the encrypted files. If decryption tools can’t help, it’s time to restore your data from backups. Depending on how much you need to restore, the process can take days, so prepare for some downtime.

Choosing to wipe and reformat devices cuts down the risk of missing infected files and hidden malware installers. It also means you’re essentially ‘starting from scratch’ with your recovery and setup process. Don’t restore software from backups in case the malware payload installer hid inside one of the apps you rely on. Instead, reinstall the software from trusted sources, like the installers provided by the vendor or downloads from the developer’s website.

How to Restore From Backups

Restoring data from backups is a little trickier because you don’t want to risk reinstalling the malware that started the problem by mistake. Research your backups to find the earliest trace of the ransomware, which may be earlier than when its payload activated and started encrypting files. Look for file dates that coincide with the attack, as well as any other telltale signs that match the patterns of the specific malware threat you’re dealing with.

Restore from backups that predate the malware’s first appearance and, if possible, that were never physically connected to your network. Falling back to data that didn’t touch your impacted systems reduces the risk of accidentally reintroducing the threat. Offsite backups that haven’t connected to your network since the attack started are a good place to start.
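The two steps above, identifying the threat’s telltale signs and then picking the newest backup that predates its first appearance, can be scripted against a chain of backup snapshots. The following is an added example, not code from the original article or from any of the tools it names. The indicator values (the ransom-note file names, the `.locked` extension and the entropy threshold) are constructed placeholders; in practice you would replace them with the indicators published for the family you identified, for instance through ID Ransomware.

```python
"""Triage a chain of backup snapshots for the earliest trace of ransomware
and pick the newest snapshot taken before it.

Added example, not from the original article. Indicator values below are
constructed placeholders standing in for a real family's published IoCs.
"""
import math
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed indicator set (placeholders, not a real family's IoCs).
RANSOM_NOTE_NAMES = {"readme_recover_files.txt", "how_to_decrypt.html"}
ENCRYPTED_SUFFIXES = {".locked"}
# Plain-text documents sit well below this; ciphertext is close to 8 bits/byte.
ENTROPY_THRESHOLD = 7.2
TEXT_LIKE_SUFFIXES = {".txt", ".csv", ".log", ".json"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class SnapshotReport:
    name: str
    indicators: list = field(default_factory=list)  # (reason, relative path)

    @property
    def clean(self) -> bool:
        return not self.indicators


def scan_snapshot(root) -> SnapshotReport:
    """Walk one snapshot directory and record every indicator found."""
    root = Path(root)
    report = SnapshotReport(name=root.name)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            report.indicators.append(("ransom note", rel))
        elif path.suffix.lower() in ENCRYPTED_SUFFIXES:
            report.indicators.append(("encrypted extension", rel))
        elif path.suffix.lower() in TEXT_LIKE_SUFFIXES:
            # Sample the first 64 KiB: cheap, and enough to spot ciphertext
            # sitting behind a document extension.
            ent = shannon_entropy(path.read_bytes()[:65536])
            if ent > ENTROPY_THRESHOLD:
                report.indicators.append((f"high entropy {ent:.2f}", rel))
    return report


def choose_restore_point(snapshots) -> tuple:
    """Return (newest clean snapshot name or None, first infected name or None).

    `snapshots` must be ordered oldest to newest, as a backup rotation is.
    The restore point is the newest snapshot before the first one that
    shows any indicator, so a dormant payload in later snapshots is skipped.
    """
    last_clean = None
    for snap in snapshots:
        report = scan_snapshot(snap)
        if not report.clean:
            return last_clean, report.name
        last_clean = report.name
    return last_clean, None


def build_demo_snapshots() -> list:
    """Create three constructed snapshots (day1, day2 clean; day3 infected)."""
    base = Path(tempfile.mkdtemp())
    plain = "Quarterly report: revenue up 3 percent.\n" * 50
    for day in ("day1", "day2", "day3"):
        d = base / day / "finance"
        d.mkdir(parents=True)
        (d / "report.txt").write_text(plain)
    infected = base / "day3" / "finance"
    (infected / "README_RECOVER_FILES.txt").write_text("pay us (constructed)")
    (infected / "invoice.txt.locked").write_bytes(os.urandom(2048))
    (infected / "policy.txt").write_bytes(os.urandom(4096))  # ciphertext as .txt
    return [str(base / day) for day in ("day1", "day2", "day3")]


if __name__ == "__main__":
    snaps = build_demo_snapshots()
    for s in snaps:
        print(scan_snapshot(s))
    print("restore from:", choose_restore_point(snaps))
```

The entropy check matters because a payload that overwrites documents in place leaves the original name and extension intact, so extension matching alone would miss it; the high-entropy sample is the signal that a file with a document extension no longer contains a document.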

Protecting Yourself From More Attacks

Recovering from a ransomware attack is expensive. Along with the cost of time spent to regain access to your data, there’s also the cost of lost business, lost customer trust, damaged employee morale and potentially seeing your proprietary or customer data dumped on the internet. Taking measures to avoid another attack is critical. As General H. Norman Schwarzkopf said during his 1991 Naval Academy graduation speech, “The more you sweat in peace, the less you bleed in war.”

Ongoing training for front-line workers all the way up to the C-suite can help make employees more aware of what to look for in phishing attacks and other schemes that open the door for attackers. Keeping applications and system software up to date cuts down on security threats. Staying on top of security software updates helps catch and stop attacks before they become a problem.

Routinely checking backups, and including off-site backups as part of your data protection strategy, keeps you ready for any data loss scenario. Periodically performing audits and tests to find potential security holes in your network and software is important, too.
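“Routinely checking backups” should mean more than confirming the backup job reported success: a manifest of file hashes taken when the backup is written lets a later check prove the set is still byte-for-byte intact, and flags anything modified, missing or added since. The following is an added example, not the article’s or any vendor’s code; the file names and contents in the demo are constructed.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example, not from the original article. Demo files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large backups don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map POSIX-style relative path -> sha256 for every regular file."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest: dict) -> dict:
    """Compare a backup tree against its manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    all three empty means the set is intact.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> tuple:
    """Write a constructed backup, verify it, tamper with it, verify again."""
    base = Path(tempfile.mkdtemp())
    backup = base / "backup"
    (backup / "db").mkdir(parents=True)
    (backup / "db" / "customers.csv").write_text("id,name\n1,Acme\n")
    (backup / "notes.txt").write_text("restore order: db first\n")
    manifest_file = base / "manifest.json"
    manifest_file.write_text(json.dumps(build_manifest(backup), indent=2))
    intact = verify_backup(backup, json.loads(manifest_file.read_text()))
    # Simulate a tampered or damaged backup set.
    (backup / "notes.txt").write_text("tampered\n")
    (backup / "db" / "customers.csv").unlink()
    (backup / "extra.bin").write_bytes(b"\x00")
    damaged = verify_backup(backup, json.loads(manifest_file.read_text()))
    return intact, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)
    print("after tampering:", after)
```

Store the manifest somewhere the backup job cannot overwrite (a separate, read-only location, or signed), otherwise anything that can rewrite the backup can rewrite the manifest to match.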

Falling victim to a ransomware attack is time-consuming and expensive, and losing contact with the group targeting you makes the situation even more stressful. It doesn’t, however, mean you’re dead in the water. With some planning and good data backups, you can recover and move forward.
