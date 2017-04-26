Respond to ransomware in three steps: secure, assess, recover

There’s no easy button for ransomware recovery. But if you have a response plan, you’ll be ready to spring into action and restore your system’s operations following an attack.

Your help desk email and phones start lighting up. Your CIO is in your office looking stressed and staring at you. Quickly, you learn your company is the latest target of a ransomware attack.

Logically, you shouldn’t be in this position. The latest detection software and data protection tactics are commonplace at your organization and were intended to keep you out of this mess. Also, you have followed all best practices to ensure maximum data availability, so it’s likely your backups and disaster recovery sites were impacted as well. At this point, all that matters is that your data has been kidnapped, and you need to restore operations as soon as possible.

It’s tempting to consider paying the ransom and moving on. You likely don’t want to reward the criminals who put you in this position, but you want to get back to normal. However, when ransomware strikes, it puts your data through a blender – files will be moved, deleted and renamed, or outfitted with new ransom notes in pop-up windows. Paying to unlock that information will still leave collateral damage throughout your environment, and paying also doesn’t guarantee that you’ll even get the data back.

Although there are plenty of solutions to help your team discover and stop ransomware, as you just experienced, none of them are fail-proof and none of them help you recover the data. An easy explanation is that this is a backup/recovery problem, but you know it’s more complex. Putting things back together will be like assembling a puzzle when you don’t have the picture on the box showing what things should look like at the end. The most complex restore scenario is recovering your production data, which is likely living in virtual machines (VMs). The recovery plan for other types of data is similar but likely less complex.

The recovery plan below assembles the recovery puzzle, framed by three phases nearly every organization goes through as it addresses malware and ransomware attacks:

Phase No. 1: Secure the crime scene



Following a ransomware attack, the crime scene is your data. Begin by taking a read-only snapshot of your VMs – a VMware or storage snapshot backup – to protect what’s left of your data in the wake of the attack. This way, if your recovery plans go badly, you can get back to where you started and try again.
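
One way to script the snapshot step for a VMware environment, as an added example that is not part of the original article. It assumes VMware PowerCLI is installed; the vCenter hostname, incident label and manifest path are placeholders.

```powershell
# Added example: preserve the post-attack state of every VM before recovery begins.
# Assumptions (not from the article): VMware PowerCLI is installed, and the
# vCenter name, incident label and manifest path below are placeholders.
Import-Module VMware.PowerCLI

$vCenter  = 'vcenter.example.internal'            # placeholder hostname
$incident = 'IR-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
$manifest = ".\$incident-snapshots.csv"           # placeholder output path

Connect-VIServer -Server $vCenter | Out-Null      # prompts for credentials

$results = foreach ($vm in Get-VM) {
    try {
        # Disk-only snapshot: no memory image and no quiescing via guest tools,
        # so nothing has to run inside a possibly compromised guest.
        $snap = New-Snapshot -VM $vm -Name "$incident-preserve" `
            -Description 'Post-attack state, taken before any recovery attempt' `
            -Memory:$false -Quiesce:$false -ErrorAction Stop
        [pscustomobject]@{
            VM = $vm.Name; PowerState = $vm.PowerState
            Snapshot = $snap.Name; Created = $snap.Created; Status = 'OK'
        }
    }
    catch {
        # Record failures instead of stopping, so one broken VM does not
        # leave the rest of the environment without a rollback point.
        [pscustomobject]@{
            VM = $vm.Name; PowerState = $vm.PowerState
            Snapshot = $null; Created = $null
            Status = "FAILED: $($_.Exception.Message)"
        }
    }
}

# The manifest shows which VMs have a rollback point and which need manual attention.
$results | Export-Csv -Path $manifest -NoTypeInformation
$results | Where-Object Status -ne 'OK' | Format-Table VM, Status -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```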

