It’s your company’s worst nightmare: attackers managed to sneak ransomware onto your servers. Now, you’re locked out of every file unless you agree to pay whatever price they’re asking. As if the situation couldn’t get any worse, the attackers disappear without a trace and you can’t even pay their ransom to unlock your files. What do you do now?

Why Attackers Disappear

Many companies faced exactly this in 2021, when the cyber crime organizations REvil and DarkSide disappeared overnight. The attackers held systems and terabytes of data hostage and demanded huge sums of money in exchange for the keys to unlock the files. With no one left to pay, even the option of handing over the money was off the table.

Sometimes gangs crumble under pressure from law enforcement. In some cases, police or federal agencies seize the attackers' servers, stopping the operation in its tracks. In others, the attackers themselves are arrested. Either outcome can put the attackers' decryption keys in law enforcement's hands, and the agencies can then use those keys to unlock victims' files.

In other cases, ransomware groups get scared and abandon their efforts, possibly because of heightened media attention or fear of being caught and prosecuted. Others never had the ability to decrypt the data in the first place; those groups hope victims pay before discovering the ruse. Once your money is in their account, they disappear, leaving you without your cash or your data.

The threat of getting caught, however, isn't enough to scare off groups hoping to score big with ransomware. They can, and in some cases do, start up again under a different name.

Don’t Pay Up

To be clear, paying the ransom is typically a bad idea, and we don't recommend it. There is no guarantee the attackers will decrypt your data. They may also have copied your files with plans to release everything online, in which case you have just paid cyber criminals who will leak your company's sensitive data anyway. Depending on who the attackers are, paying a sanctioned group can also expose you to legal liability. In most cases, it is better to handle the situation as if the attackers had disappeared. Of course, if they really are gone, you have no choice but to recover your data without their involvement.

What to Do When You Discover an Attack

Identifying the malware is critical to recovery. Once you know a breach has happened, isolate every device suspected of infection: disconnect it from the network and from any shared storage rather than powering it off, so that volatile evidence in memory survives for forensic analysis. Catching the threat quickly enough may keep it from spreading to more devices or departments. ID Ransomware and Crypto Sheriff are free online services that identify the ransomware family from a ransom note and a sample encrypted file. ID Ransomware reports the family and whether it is known to be decryptable; Crypto Sheriff, run by the No More Ransom project, also points you to any decryption tools that exist for the family it identifies.

Be sure to check every device with access to your network for the malware. In some cases it lies dormant for a while before activating and encrypting files. Finding every compromised device, whether or not its payload has fired yet, protects you from a second wave of encryption.

At this stage, people often forget to check the computers and mobile devices that are used outside the office and connect to your network directly or remotely. That includes personal devices, too.

What Role Does Law Enforcement Play?

It's also important to notify law enforcement of the ransomware attack. Reports help the FBI identify and track cyber threats, and in some cases the agency may have recovered decryption keys for the family that hit you. The FBI's Internet Crime Complaint Center (IC3) website includes a form for reporting ransomware attacks.

Law enforcement can also help with forensic analysis to uncover how the attackers breached your computers and servers. The evidence uncovered could identify the method of attack, help track down the attackers and possibly lead to criminal prosecution.

Recovering From Ransomware Damage

You have two choices for getting the malware off your systems: attempt to remove it from each affected device, or wipe the affected devices and rebuild them. Either way, you still need to deal with the encrypted files. If no decryption tool exists for the family you're facing, it's time to restore your data from backups. Depending on how much you need to restore, the process can take days, so plan for downtime.

Choosing to wipe and reformat devices cuts down the risk of missing infected files and hidden malware installers. It also means you're essentially starting from scratch with your recovery and setup process. Don't restore software from backups, in case the malware's installer hid inside one of the apps you rely on. Instead, reinstall the software from trusted sources, such as the installers provided by the vendor or downloads from the developer's website, and verify the installer's signature or published hash where the vendor provides one.

How to Restore From Backups

Restoring data from backups is trickier, because you don't want to reintroduce by mistake the malware that started the problem. Work back through your backups to find the earliest trace of the ransomware, which may predate the moment its payload activated and started encrypting files. Look for file timestamps that coincide with the attack, ransom notes, files with changed extensions, unexpected executables and any other telltale signs that match the specific family you're dealing with.

Restore from backups that predate the malware's first appearance and, where possible, from copies that were never connected to the affected network. Falling back to data that didn't touch your impacted systems reduces the risk of reintroducing the threat. Offsite or offline backups that haven't connected to your network since the attack began are a good place to start.
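As an added example (not code from the original article), the Python script below automates the hunt described above across a series of backup snapshots. For each snapshot directory it checks for ransom-note filenames, known encrypted-file extensions, a known-bad dropper hash, and text files whose contents have become near-random (high Shannon entropy, the signature of an encrypted file), then picks the newest snapshot that predates the first contaminated one. That goes a little beyond the file-date check in the text: the hash and entropy tests catch a staged dropper and encrypted files that kept their original names. The indicator lists, the dropper bytes and the three snapshots built in a temporary directory are all constructed for the demo; in practice you would fill the indicators in from your identification work with ID Ransomware or Crypto Sheriff and point the script at your real snapshot directories.

```python
import hashlib
import math
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Indicator lists are placeholders for this example: fill them from what
# ID Ransomware / Crypto Sheriff and your own triage told you about the family.
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore_files.txt"}
ENCRYPTED_EXTENSIONS = {".locked", ".crypt"}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; readable text sits around 4 to 5
# Constructed stand-in for the dropper binary identified during triage.
DROPPER_BYTES = b"constructed stand-in for the dropper found during triage"
KNOWN_BAD_SHA256 = {hashlib.sha256(DROPPER_BYTES).hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_snapshot(root: Path) -> Dict[str, List[str]]:
    """Return the indicator hits found under one backup snapshot directory."""
    hits: Dict[str, List[str]] = {"ransom_note": [], "encrypted_ext": [],
                                  "known_bad_hash": [], "high_entropy_text": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            hits["ransom_note"].append(rel)
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            hits["known_bad_hash"].append(rel)
        suffix = path.suffix.lower()
        if suffix in ENCRYPTED_EXTENSIONS:
            hits["encrypted_ext"].append(rel)
        elif (suffix in TEXT_EXTENSIONS and len(data) >= 256
              and shannon_entropy(data[:65536]) > ENTROPY_THRESHOLD):
            hits["high_entropy_text"].append(rel)  # text file that is now ciphertext
    return hits


def is_clean(hits: Dict[str, List[str]]) -> bool:
    return not any(hits.values())


def choose_restore_point(snapshots: List[Path]) -> Tuple[Optional[Path], Optional[Path]]:
    """snapshots must be ordered oldest to newest.  Returns (last clean snapshot
    taken BEFORE the first contaminated one, first contaminated snapshot).  A
    clean-looking snapshot taken after contamination is deliberately not trusted:
    it may simply have missed the dropper, and restoring it re-imports the problem."""
    last_clean: Optional[Path] = None
    first_bad: Optional[Path] = None
    for snap in snapshots:
        if is_clean(scan_snapshot(snap)):
            if first_bad is None:
                last_clean = snap
        elif first_bad is None:
            first_bad = snap
    return last_clean, first_bad


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> Dict[str, Optional[str]]:
    """Build three constructed snapshots in a temp dir and pick the restore point."""
    base = Path(tempfile.mkdtemp())
    plain = b"quarterly revenue by region\n" * 40
    # Deterministic pseudo-random bytes standing in for an encrypted file.
    cipher = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    _write(base / "snap-01" / "docs" / "report.txt", plain)          # clean
    _write(base / "snap-02" / "docs" / "report.txt", plain)          # dropper staged,
    _write(base / "snap-02" / "tmp" / "update.exe", DROPPER_BYTES)   # nothing encrypted yet
    _write(base / "snap-03" / "docs" / "report.txt", cipher)         # payload fired
    _write(base / "snap-03" / "docs" / "archive.csv.locked", cipher)
    _write(base / "snap-03" / "readme_decrypt.txt", b"your files are encrypted")
    snaps = sorted(p for p in base.iterdir() if p.is_dir())
    last_clean, first_bad = choose_restore_point(snaps)
    return {"last_clean": last_clean.name if last_clean else None,
            "first_contaminated": first_bad.name if first_bad else None}


if __name__ == "__main__":
    print(demo())  # {'last_clean': 'snap-01', 'first_contaminated': 'snap-02'}
```

Note the design choice in choose_restore_point: once any snapshot shows an indicator, every later snapshot is treated as suspect even if it scans clean, because the dropper may simply live somewhere the indicators don't cover. Treat the output as a starting point for manual review, not as proof that the chosen snapshot is safe.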

Protecting Yourself From More Attacks

Recovering from a ransomware attack is expensive. Along with the cost of time spent to regain access to your data, there’s also the cost of lost business, lost customer trust, damaged employee morale and potentially seeing your proprietary or customer data dumped on the internet. Taking measures to avoid another attack is critical. As General H. Norman Schwarzkopf said during his 1991 Naval Academy graduation speech, “The more you sweat in peace, the less you bleed in war.”

Ongoing training, from front-line workers all the way up to the C-suite, helps employees recognize phishing attacks and other schemes that open the door for attackers. Keeping applications and system software patched closes the vulnerabilities attackers use to get in, and keeping security software up to date helps catch and stop attacks before they become a problem.

Routinely testing that backups actually restore, and keeping off-site or offline copies as part of your data protection strategy, keeps you ready for any data loss scenario. Periodic audits and penetration tests to find holes in your network and software are important, too.

Falling victim to a ransomware attack is time-consuming and expensive, and losing contact with the group targeting you makes the situation even more stressful. It doesn’t, however, mean you’re dead in the water. With some planning and good data backups, you can recover and move forward.