Administration Guides

How to Recover Data after a Ransomware Attack




The steps in this topic cover the process to recover files using Ransomware Defender CSV files.

When to start data recovery after a Ransomware Attack

Many steps should be completed before starting any data recovery steps.

  1. Inspect all of the IT infrastructure to verify impact and no remaining threat exists in the environment. Example Active Directory, DNS,  application servers, desktop PC's and any other system required for normal IT operations.
  2. The chief security officer or similar role within your Enterprise should declare a data recovery start phase.  This phase may not start for many days depending on how long the security audit of the safety of the infrastructure takes to complete.
  3. Until this phase has been declared by senior security management within your company no data recovery should be attempted. The risk of data being attacked again from a persistent active threat will increase your recovery phase.
  4. Ransomware Defender users in lockout state should remain in this state until the recovery phase is completed and the infected PC's or VM's have been remediated.

How to recover data after a Ransomware Attack

  1. To begin the data recovery phase start to build a list of snapshots with creation time stamps in a document.
  2. Login to Ransomware Defender open the active events tab and open the snapshots list for each locked out user and record the date and time stamps of each SMB share.  Example below.
  3. For each locked out user download the most recent CSV file listed 
  4. The CSV files contain the first 1000 files of the users activity during the attack.   To get a more precise list of files including files the user touched prior to the detection an Easy Auditor user report can be run using /ifs/ path and last 24 hours for the search. Example below.
  5. Using the CSV files and Easy Auditor reports review the absolute path of the files and user the snapshots taken from the first user that was detected.  This user will have the oldest detection time in the active events window.  See example below.
  6. Using the snapshot list from this procedure browse to the snapshots listed for user one and use this snapshot to restore the files in the CSV by dragging the files from the snapshot back into the file system.  Repeat these steps for each file in the CSV or Easy Auditor CSV report for each user.
    1. NOTE:  A visual inspection of the file system where data is being restored should be done during this process.  You may delete any encrypted files that are found in the file system or store data for analysis later.
      1. For follow analysis an administrator only SMB share can be created  for a post mortem and encrypted files can be moved to this SMB share. These files should be reviewed by security personnel before deletion.  
    2. NOTE:  You may find ransomware notes or possible other strange or unidentifiable file types , these files should be moved to the port mortem SMB share for further analysis by security personnel.
    3. NOTE:  After completing the post mortem and data recovery the encrypted/compromised files should be deleted.
  7. Unlocking  Locked Users -  This should require approval from the CSO or similar senior management.   Follow the procedures here
  8. Done

© Superna LLC