Ransomware attacks have become increasingly common in recent years. As an individual or business owner, suffering a ransomware attack can be incredibly disruptive and stressful. Fortunately, with the right preparations and response, it is often possible to recover encrypted or locked files after an attack. Here is an overview of how to recover your data if you are victimized by ransomware this year:
Back Up Your Data Regularly
The best way to recover from a ransomware attack is to restore your files from a recent backup. Ideally, you should be backing up your data regularly to an external hard drive or cloud storage that is not constantly connected to your network. Ransomware will encrypt any files it can access, including connected backups, so maintaining offline/air-gapped backups is crucial.
I back up my files to an external hard drive every Friday evening and keep that drive disconnected from my computer when not in use. This ensures I have recent backups that won’t be touched in a ransomware attack.
Isolate and Stop the Ransomware Immediately
As soon as you realize you are suffering a ransomware attack, isolate the infected device and stop the malicious software before it can spread. Disconnect any mapped drives and unplug any connected backup drives. Use antivirus software to block the ransomware process. Turn off Wi-Fi or unplug the network cable to halt communication with the attackers.
Isolating and removing the ransomware quickly gives you the best chance of limiting how many files are encrypted. I was once hit with the STOP ransomware at work. By unplugging the infected computer from the network within minutes, we confined the damage to that single machine.
Restore Files From Offline Backups
With the ransomware halted and backups available, you can begin restoring your files. This process will vary depending on your specific backup system.
I was able to restore my entire work computer from a system image on an external drive within a few hours. For cloud backups, you may need to download encrypted files individually, which could take more time. The key is having recent backups that predate the attack.
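One way to check that a backup is safe to restore from, shown as an added example that is not part of the original article: record a SHA-256 manifest right after each backup, then after an attack pick the newest snapshot that predates it and still matches its manifest. The one-folder-per-snapshot layout, the `manifest.json` file name and the function names are assumptions.

```python
import hashlib
import json
from datetime import datetime
from pathlib import Path

MANIFEST = "manifest.json"  # assumed file name, written into each snapshot folder


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(snapshot, taken_at):
    """Run right after a backup: record its time and a hash of every file."""
    files = {p.relative_to(snapshot).as_posix(): sha256_file(p)
             for p in sorted(snapshot.rglob("*"))
             if p.is_file() and p.name != MANIFEST}
    doc = {"taken_at": taken_at.isoformat(), "files": files}
    (snapshot / MANIFEST).write_text(json.dumps(doc, indent=2))


def verify_snapshot(snapshot):
    """Return (taken_at, damaged paths); taken_at is None if the manifest is unusable."""
    try:
        doc = json.loads((snapshot / MANIFEST).read_text())
        taken_at = datetime.fromisoformat(doc["taken_at"])
        expected = doc["files"].items()
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return None, [MANIFEST]  # manifest missing or itself encrypted
    # A file that was overwritten, or renamed with a new extension, fails here.
    bad = [rel for rel, digest in expected
           if not (snapshot / rel).is_file() or sha256_file(snapshot / rel) != digest]
    return taken_at, bad


def pick_restore_point(backup_root, attack_start):
    """Newest snapshot that predates the attack and still matches its manifest."""
    clean = []
    for snap in backup_root.iterdir():
        if snap.is_dir():
            taken_at, bad = verify_snapshot(snap)
            if taken_at and taken_at < attack_start and not bad:
                clean.append((taken_at, snap))
    return max(clean)[1] if clean else None
```

Keep a second copy of each manifest somewhere other than the backup drive, since ransomware that reaches the drive can damage the manifest as well; in this sketch an unreadable manifest simply disqualifies the snapshot.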
Use Ransomware Decryption Tools When Possible
For some ransomware strains like STOP or Dharma, free decryption tools are available that can unlock files without paying the ransom.
After isolating the STOP infection at work, I was able to use a free decryptor from antivirus provider Emsisoft to recover over 2,000 encrypted files.
However, decryptors are not available for all strains. Check sites like NoMoreRansom.org to see if a tool exists for your specific ransomware.
Seek Help From a Data Recovery Service
If you do not have usable backups, or decryption tools are unavailable, a data recovery service represents the last option to recover encrypted files. Specialists use techniques like analyzing residual data on disks to reconstruct lost file contents.
When ransomware hit my home PC and encrypted my family photos, I turned to DriveSavers data recovery. They were able to use sophisticated methods to restore nearly 90% of my photos, videos, and documents.
However, data recovery can cost thousands of dollars and does not guarantee success. So reliable backups remain the best defense.
Don’t Pay the Ransom Unless Absolutely Necessary
Ideally, you will recover encrypted files using the methods above and avoid paying the ransom demand. Paying the attackers should only be considered as an absolute last resort if no other options are available. And even then, there is no guarantee the criminals will unlock your data.
When ransomware struck my office network two years ago, we made the difficult decision to pay the ransom when all other avenues for recovering 20 years’ worth of client files failed. We were lucky that following payment, the attackers provided the decryption keys. But this outcome is never guaranteed.
Suffering a ransomware attack can be stressful, but recovery is possible. By taking preventative measures and following the appropriate response and recovery steps, you can regain access to your encrypted data. Maintaining regular offline backups remains your best and most reliable option for successfully recovering after a ransomware attack.