It’s your company’s worst nightmare: attackers managed to sneak ransomware onto your servers. Now, you’re locked out of every file unless you agree to pay whatever price they’re asking. As if the situation couldn’t get any worse, the attackers disappear without a trace and you can’t even pay their ransom to unlock your files. What do you do now?

Why Attackers Disappear

Many companies faced this when cyber crime organizations REvil and DarkSide disappeared overnight. The attackers held systems and terabytes of data hostage and demanded huge sums of money in exchange for the keys to unlock the files. With no one to pay, entertaining the idea of handing over the money was off the table.

Sometimes gangs crumble under pressure from law enforcement agencies, for example. In some cases, police or federal agencies take control of the attacker’s servers, effectively stopping them in their tracks. Alternately, police may have arrested the attackers, landing them in jail or prison. That could give law enforcement access to the attacker’s decryption keys, which they can then use to unlock victims’ files.

In other cases, the ransomware groups get scared and abandon their efforts, possibly from heightened media attention, or the fear they may be caught and criminally prosecuted. Others simply don’t have the ability to follow through and decrypt the data. Those groups hope victims will pay before they discover the ruse. Once your money is in their account, they disappear, leaving you without your cash or data.

The threat of getting caught, however, isn’t enough to scare off groups hoping to score big with ransomware attacks. They can — and in some cases do — start up again under a different name.

Don’t Pay Up

To be clear, paying the ransom is typically a bad idea, and we don’t recommend it. There isn’t any guarantee the attackers will decrypt your data. They may also have duplicated your files with plans to release everything online, in which case you just paid cyber criminals to leak your company’s sensitive data. In most cases, it’s better to deal with the situation as if the attackers disappeared. Of course, if they really are gone, you have no choice but to recover your data without their involvement.

What to Do When You Discover an Attack

Identifying the malware threat is critical to recovering. Once you know a breach has happened, isolate and remove all devices suspected of infection from the network. If someone catches the threat quickly enough, it may be possible to keep it from spreading to more devices or departments. ID Ransomware and Crypto Sheriff offer online tools to help identify ransomware threats. ID Ransomware can detect and identify threat profiles, whereas Crypto Sheriff offers some decryption tools.

Be sure to check every device with access to your network for the malware threat. In some cases, it may lay dormant for some time before activating and encrypting files. Catching every device that’s been compromised, regardless of whether or not it has an active payload, helps protect you from additional attacks.

At this stage, people often forget to check computers and mobile devices that get used outside, as well as directly or remotely connected to, your network. That can include personal devices, too.

What Role Does Law Enforcement Play?

It’s also important to notify law enforcement of the ransomware attack. Reports help the FBI identify and track cyber threats, and in some cases, the agency may have recovered digital keys to unlock encrypted files. The FBI’s Internet Crime Complaint Center website includes a form for reporting ransomware attacks.

Law enforcement can also help with forensic analysis to uncover just how the attackers breached your computers and servers. The evidence uncovered could help identify the method of attack, track down the attackers and possibly even lead to criminal prosecution.

Recovering From Ransomware Damage

You have a couple of choices when deleting the malware from your systems. First, try to remove the malware or wipe the affected devices and restore data from backups. Assuming you can wipe the ransomware from your network, you still need to deal with the encrypted files. If decryption tools can’t help, it’s time to restore your data from backups. Depending on how much you need to restore, the process can take days. So, prepare for some downtime.

Choosing to wipe and reformat devices cuts down the risk of missing infected files and hidden malware installers. It also means you’re essentially ‘starting from scratch’ with your recovery and setup process. Don’t restore software from backups in case the malware payload installer hid inside one of the apps you rely on. Instead, reinstall the software from trusted sources, like the installers provided by the vendor or downloads from the developer’s website.

How to Restore From Backups

Restoring data from backups is a little more tricky because you don’t want to risk reinstalling the malware that started the problem by mistake. Research your backups to find the earliest trace of the ransomware, which may be earlier than when its payload activated and started encrypting files. Look for file dates that coincide with the attack, as well as any other telltale signs that match patterns of the specific malware threat you’re dealing with.

Restore from backups that predate the malware’s first appearance, and that didn’t physically connect to your network if possible. Falling back to data that didn’t touch your impacted systems reduces the risk of accidentally reintroducing the threat. Offsite backups that didn’t connect to your network since the attack started are a good place to start.

Protecting Yourself From More Attacks

Recovering from a ransomware attack is expensive. Along with the cost of time spent to regain access to your data, there’s also the cost of lost business, lost customer trust, damaged employee morale and potentially seeing your proprietary or customer data dumped on the internet. Taking measures to avoid another attack is critical. As General H. Norman Schwarzkopf said during his 1991 Naval Academy graduation speech, “The more you sweat in peace, the less you bleed in war.”

Ongoing training for front-line workers all the way up to the C-suite can help make employees more aware of what to look for in phishing attacks and other schemes that open the door for attackers. Keeping applications and system software up to date cuts down on security threats. Staying on top of security software updates helps catch and stop attacks before they become a problem.

Routinely checking backups, and including off-site backups as part of your data protection strategy, keeps you ready for any data loss scenario. Periodically performing audits and tests to find potential security holes in your network and software is important, too.

Falling victim to a ransomware attack is time-consuming and expensive, and losing contact with the group targeting you makes the situation even more stressful. It doesn’t, however, mean you’re dead in the water. With some planning and good data backups, you can recover and move forward.

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today