Administration Guides

How to Recover Data after a Ransomware Attack




The steps in this topic cover the process to follow when recovery from a large scale Ransomware Attack or other similar attack.


  1. Best Practice 
    1. Deploy an Airgap to protect versions of your data in an offline protected cyber vault.  See the Ransomware Defender Enterprise Airgap 2.0 guide.
    2. Forensics tools to determine the beginning of the attack.   Easy Auditor provides historical user behavior searching to provide input to the forensic research to determine the beginning of the attack.  Other security tools should be used in addition to audit data to determine when and where the initial attack began and what additional systems may have been compromised.
      1. Ransomware Defender's CSV files will provide input to the security team research.   Collect the list of users from  Ransomware Defender that need further analysis in Active Directory and other systems these users had access to and assess damage to other systems, applications, file systems.
      2. Easy Auditor provides interactive search by user or path to narrow down where in the file system the attack was initiated.
      3. Correlate time stamps with network security logs and SEIM tools to identify where the threat originated within the infrastructure.
      4. Compile a compromised systems list of servers, users, file system paths for a complete forensic analysis of the impact.

When to start data recovery after a Ransomware Attack

Many steps should be completed before starting any data recovery steps.  These steps would be completed by the Senior Security team members with input from the Storage team that has forensic input data needed to complete the process.

  1. Inspect all of the IT infrastructure to verify impact and no remaining threat exists in the environment. Example Active Directory, DNS,  application servers, desktop PC's and any other system required for normal IT operations.
  2. The chief security officer or similar role within your Enterprise should declare a data recovery start phase.  This phase may not start for many days depending on how long the security audit of the safety of the infrastructure takes to complete.
  3. The Chief Security officer team should provide the summary of the compromised systems list and the ordering of the recovery effort
    1. The applications servers, infrastructure are first priority
    2. Data recovery should not begin until the application servers and infrastructure (AD , DNS, NTP) recovery is completed.
    3. User work stations would be last in the recovery effort
  4. Until this phase has been declared by senior security management within your company no data recovery should be attempted. The risk of data being attacked again from a persistent active threat will increase your recovery phase.
  5. Ransomware Defender users in lockout state should remain in this state until the recovery phase is completed and the infected PC's or VM's have been remediated.
  6. Identify the time stamp of the initial attack to use in recovery from Ransomware Defender CSV files and snapshots or leverage Airgap data protected by Ransomware Defender.

How to recover data after a Ransomware Attack

  1. To begin the data recovery phase start to build a list of snapshots with creation time stamps in a document.
  2. Login to Ransomware Defender open the active events tab and open the snapshots list for each locked out user and record the date and time stamps of each SMB share.  Example below.
  3. For each locked out user download the most recent CSV file listed 
  4. The CSV files contain the first 1000 files of the users activity during the attack.   To get a more precise list of files including files the user touched prior to the detection an Easy Auditor user report can be run using /ifs/ path and last 24 hours for the search. Example below.
  5. Using the CSV files and Easy Auditor reports review the absolute path of the files and user the snapshots taken from the first user that was detected.  This user will have the oldest detection time in the active events window.  See example below.
  6. Using the snapshot list from this procedure browse to the snapshots listed for user one and use this snapshot to restore the files in the CSV by dragging the files from the snapshot back into the file system.  Repeat these steps for each file in the CSV or Easy Auditor CSV report for each user.
    1. NOTE:  A visual inspection of the file system where data is being restored should be done during this process.  You may delete any encrypted files that are found in the file system or store data for analysis later.
      1. For follow analysis an administrator only SMB share can be created  for a post mortem and encrypted files can be moved to this SMB share. These files should be reviewed by security personnel before deletion.  
    2. NOTE:  You may find ransomware notes or possible other strange or unidentifiable file types , these files should be moved to the port mortem SMB share for further analysis by security personnel.
    3. NOTE:  After completing the post mortem and data recovery the encrypted/compromised files should be deleted.
  7. Unlocking  Locked Users -  This should require approval from the CSO or similar senior management.   Follow the procedures here
  8. Done

© Superna Inc