It’s your company’s worst nightmare: attackers managed to sneak ransomware onto your servers. Now, you’re locked out of every file unless you agree to pay whatever price they’re asking. As if the situation couldn’t get any worse, the attackers disappear without a trace and you can’t even pay their ransom to unlock your files. What do you do now?

Why Attackers Disappear

Many companies faced this when cyber crime organizations REvil and DarkSide disappeared overnight. The attackers held systems and terabytes of data hostage and demanded huge sums of money in exchange for the keys to unlock the files. With no one to pay, entertaining the idea of handing over the money was off the table.

Sometimes gangs crumble under pressure from law enforcement agencies, for example. In some cases, police or federal agencies take control of the attacker’s servers, effectively stopping them in their tracks. Alternately, police may have arrested the attackers, landing them in jail or prison. That could give law enforcement access to the attacker’s decryption keys, which they can then use to unlock victims’ files.

In other cases, the ransomware groups get scared and abandon their efforts, possibly from heightened media attention, or the fear they may be caught and criminally prosecuted. Others simply don’t have the ability to follow through and decrypt the data. Those groups hope victims will pay before they discover the ruse. Once your money is in their account, they disappear, leaving you without your cash or data.

The threat of getting caught, however, isn’t enough to scare off groups hoping to score big with ransomware attacks. They can — and in some cases do — start up again under a different name.

Don’t Pay Up

To be clear, paying the ransom is typically a bad idea, and we don’t recommend it. There isn’t any guarantee the attackers will decrypt your data. They may also have duplicated your files with plans to release everything online, in which case you just paid cyber criminals to leak your company’s sensitive data. In most cases, it’s better to deal with the situation as if the attackers disappeared. Of course, if they really are gone, you have no choice but to recover your data without their involvement.

What to Do When You Discover an Attack

Identifying the malware threat is critical to recovering. Once you know a breach has happened, isolate and remove all devices suspected of infection from the network. If someone catches the threat quickly enough, it may be possible to keep it from spreading to more devices or departments. ID Ransomware and Crypto Sheriff offer online tools to help identify ransomware threats. ID Ransomware can detect and identify threat profiles, whereas Crypto Sheriff offers some decryption tools.

Be sure to check every device with access to your network for the malware threat. In some cases, it may lay dormant for some time before activating and encrypting files. Catching every device that’s been compromised, regardless of whether or not it has an active payload, helps protect you from additional attacks.

At this stage, people often forget to check computers and mobile devices that get used outside, as well as directly or remotely connected to, your network. That can include personal devices, too.

What Role Does Law Enforcement Play?

It’s also important to notify law enforcement of the ransomware attack. Reports help the FBI identify and track cyber threats, and in some cases, the agency may have recovered digital keys to unlock encrypted files. The FBI’s Internet Crime Complaint Center website includes a form for reporting ransomware attacks.

Law enforcement can also help with forensic analysis to uncover just how the attackers breached your computers and servers. The evidence uncovered could help identify the method of attack, track down the attackers and possibly even lead to criminal prosecution.

Recovering From Ransomware Damage

You have a couple of choices when deleting the malware from your systems. First, try to remove the malware or wipe the affected devices and restore data from backups. Assuming you can wipe the ransomware from your network, you still need to deal with the encrypted files. If decryption tools can’t help, it’s time to restore your data from backups. Depending on how much you need to restore, the process can take days. So, prepare for some downtime.

Choosing to wipe and reformat devices cuts down the risk of missing infected files and hidden malware installers. It also means you’re essentially ‘starting from scratch’ with your recovery and setup process. Don’t restore software from backups in case the malware payload installer hid inside one of the apps you rely on. Instead, reinstall the software from trusted sources, like the installers provided by the vendor or downloads from the developer’s website.

How to Restore From Backups

Restoring data from backups is a little more tricky because you don’t want to risk reinstalling the malware that started the problem by mistake. Research your backups to find the earliest trace of the ransomware, which may be earlier than when its payload activated and started encrypting files. Look for file dates that coincide with the attack, as well as any other telltale signs that match patterns of the specific malware threat you’re dealing with.

Restore from backups that predate the malware’s first appearance, and that didn’t physically connect to your network if possible. Falling back to data that didn’t touch your impacted systems reduces the risk of accidentally reintroducing the threat. Offsite backups that didn’t connect to your network since the attack started are a good place to start.

Protecting Yourself From More Attacks

Recovering from a ransomware attack is expensive. Along with the cost of time spent to regain access to your data, there’s also the cost of lost business, lost customer trust, damaged employee morale and potentially seeing your proprietary or customer data dumped on the internet. Taking measures to avoid another attack is critical. As General H. Norman Schwarzkopf said during his 1991 Naval Academy graduation speech, “The more you sweat in peace, the less you bleed in war.”

Ongoing training for front-line workers all the way up to the C-suite can help make employees more aware of what to look for in phishing attacks and other schemes that open the door for attackers. Keeping applications and system software up to date cuts down on security threats. Staying on top of security software updates helps catch and stop attacks before they become a problem.

Routinely checking backups, and including off-site backups as part of your data protection strategy, keeps you ready for any data loss scenario. Periodically performing audits and tests to find potential security holes in your network and software is important, too.

Falling victim to a ransomware attack is time-consuming and expensive, and losing contact with the group targeting you makes the situation even more stressful. It doesn’t, however, mean you’re dead in the water. With some planning and good data backups, you can recover and move forward.

More from Incident Response

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

A Day in the Life: Working in Cyber Incident Response

As a cybersecurity incident responder, your life can go from zero to 100 in a heartbeat. One moment you are sipping a beverage reading the latest threat intelligence or getting the kids ready for bed; the next, you may be lunging for your "go bag" because you cannot remote in to the breached system. It's all part of the game. Seasoned incident responders can handle this jab: "Why would you want a job like this? Are you crazy?" The truth…