Ransomware Recovery

What is Ransomware? Ransomware Protection Anti-Ransomware Security Detect Ransomware Recover from a Ransomware Attack

The FBI reports that more than 4,000 ransomware attacks are executed daily. These attacks encrypt files and block users from accessing their data. If there’s an invasion of your network, are you confident in your ability to recover? How do you restore your systems from a ransomware attack without paying the ransom?
Ransomware attacks on businesses increased 102% in 2021. 56% of organizations have faced a ransomware attack in the last year; 27% paid the ransom. The impact of these attacks is substantial; the average downtime for an infected organization in 2020 was 16.2 days. The average cost of downtime due to ransomware has jumped nearly 600% over the past couple of years, from $46,800 to $274,200.
With the widespread proliferation of these attacks, it’s become a matter of when not if. One thing remains clear — you need to have a robust business continuity plan to resume operations during and after a breach.

The 3-2-1 Rule

As part of your ransomware defense, Unitrends supports the industry best practice of implementing the 3-2-1 Rule of data protection. The rule suggests having 3 backup copies of the data, using 2 different media, with 1 copy being offsite. To combat ransomware take this strategy a step further with the 3-2-1-1 rule where the last copy is on immutable storage. For example, the immutable copy may be stored on media that’s physically disconnected from the network or data replicated to the Unitrends Cloud. While there are lots of prospective permutations to put this formula to use, Unitrends Recovery Series

appliances and Unitrends Cloud give you an integrated, easy-to-use backup and continuity solution that lets you implement and administer 3-2-1-1 backups from a single pane of glass.

The 3-2-1 rule (and any of its permutations) is a component of an exhaustive line of defenses that ensure continuity for your organization. Backup and disaster recovery are the foundation for recovering your systems after a ransomware infection.

Disaster Recovery (DR) Plan

Not knowing if your DR plan will work when you need it most adds significant risk to your ability to recover after ransomware strikes. Without testing you can’t be certain the plan will work, that all systems that should be protected have been, and that your backups are functional. 23% of organizations never test their DR plans, and another 29% test only once per year.

Unfortunately, disaster recovery testing is neglected because it’s often time consuming and cumbersome. Ransomware authors are increasingly leveraging deceptive techniques to hide malware on systems and have them included in backups. When infected backups are used in recovery, it creates an attack loop where the malware detonates again. Before you begin the ransomware recovery process, you need to ensure you have clean, validated, recoverable backups.

Recovery Assurance

Unitrends backup appliances offer automated testing for your DR plan using Recovery Assurance. Recovery Assurance orchestrates recovery testing for local, remote and cloud workloads. Fully customizable testing enables you to segment machine boot orders, define networking dependencies, and perform fully automated, application-level tests to validate services are functional. By spinning up backups within an isolated environment and executing your defined tests, the appliance will proactively uncover recovery issues, like ransomware, for physical and virtual machines. Validating your DR plan with comprehensive testing brings the confidence of knowing the recovery point to come will be successful. The consequences of not verifying your DR plan can be dire. Tragically, more than half of small businesses that fall victim to cyberattacks go out of business within six months.

After ransomware, the ability to recover systems and data with minimum disruption is predicated on having a DR plan that works. Recovery Assurance automates testing for all your physical locations as well as any workloads running in the cloud. Tested, verified backups provide confidence and peace of mind knowing your recovery point is validated. You know that you can safely retrieve your data. Unitrends offers the most complete and agile backup and recovery capabilities in the industry, enabling your business to recover from ransomware in a jiffy.

Unitrends Unified BCDR gives IT professionals the tools to respond when ransomware strikes. In the face of such a career-defining moment, it can mean the difference between being seen as a hero or needing to update your résumé.


Ransomware attacks have grown more sophisticated to thwart defenses and make recovery an even greater challenge. The average cost of a ransomware downtime incident has risen more than 600% in the last 3 years, from $46,800 to $283,000 per incident. When devising your DR Plan and the financial impact, you need to consider the variables that affect your industry, revenue, manpower, and level of data transactions. How long can you be without access to critical systems and files? How much data can you afford to lose?
Your DR plan should include specific Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). Your RPO refers to the maximum amount of data (in terms of time) that you can afford to lose. If you get attacked by ransomware, what is the goal for having a safe and effective restore point for your system? How much data can you lose without devastating your organization?
Recovery Time Objectives (RTOs) refer to the maximum amount of time that your enterprise can afford to be offline. Defining your RTO is a key component of developing a DR plan that works within your business continuity goals. Your maximum tolerable downtime comprises the management goals for your ransomware recovery. Set your backup solution to meet your RTO and RPO targets.
To streamline scheduling and ensure SLAs are met, Unitrends backup introduced Service Level Agreements (SLA) policy automation. This feature automatically controls the flow of backups through a simple, easy-to-use policy, using a single pane of glass. The automated process requires just three simple steps from the user. You set RPOs, RTOs – where data should go – and how long should it be kept. Recovery Assurance testing against policy-based backups ensures compliance with SLAs and certifies their recoverability.

What Happens When You’re Attacked?

A new ransomware attack is launched every 14 seconds. Even with all your preparation, your organizations can still be attacked by cybercriminals. You need to know how to eliminate ransomware from your network. You’ve backed up your data on a regular schedule, replicated copies safely offsite, tested your disaster recovery plan, set up your detection alerts for ransomware, and then you’re hit by an attack. Your system detects an invasion; what steps do you need to take to recover?

Find the Ransomware

Ransomware attacks are typically uncovered by IT admins who either get a detection alert warning from a security or BCDR system or they see a trail of encrypted files with revised extensions on file names. Invasions also may be reported by users who can no longer find or open files. IT may even get a barrage of panicked co-workers reporting locked machines and ransom notes popping up on their desktop.

Stop the Damage

The FBI urges IT staffers to “isolate the infected computer immediately.” By removing the affected machine from your system, you prevent ransomware from attacking other network locations or shared drives. The US Government also recommends that devices that have not been completely corrupted be isolated or shut off. Prevent further damage by unplugging the ethernet connection, disconnecting from Wi-Fi, and switching off impacted machines as soon as you notice the attack. Ransomware can spread

via network connection, so you can help contain the breach by disconnecting shared drives and shutting down your network. Before starting a recovery, evaluate the status of the attack to see if it is still active. Sophistication on behalf of cybercriminals has improved the efficacy of these attacks and they’re hiding malware in a number of places. Be sure to check critical system files, Windows registries, temporary folders, .ink and Word files; even basic spam filters recognize .exe files as dangerous. To get around this, cybercriminals have been known to take advantage of Microsoft Office Visual Basic for Applications (VBAs) to insert malicious code in places like Word document macros.

Restore after Ransomware Attack

If you have an effective backup and recovery plan in place, you can use it to recover encrypted files. You want to trigger the process to recover asset-level backups for your operating systems. To restore your system, you must have a recovery backup target; it could be local, virtual, or in the cloud.
Check to make sure that you’re using a backup that isn’t affected by the ransomware so you can move forward with an asset-level backup. Check for file encryption extensions and modification dates in your backup files, surefire clues that the system has been compromised.

You can recover by using either a hot backup copy (dynamic or online backup that is actively online and accessible to users) or a cold backup copy (offline backup of data that is offline and inaccessible to users). Perform cold target backup from the public cloud (AWS, Azure, etc.), NAS, FC, ISCSI, attached disks or tapes. Hot backup techniques would be used for both Unitrends Cloud and Recovery Series appliances.

If the volume of infected files is manageable, you can recover at the file level by searching for the backup versions of the encrypted files and importing them to your appliance. Link to the platform that contains the files to import. Click on the files you want to recover and save them to your import target.
If you have a network-wide infection you need to find a safe, viable backup copy or snapshot of your system. Find the indices you want to restore. Import your backup file and resurrect your system. Using your clean verified backup leads to the ransomware removal that previously caused the disruption.
While your primary mission is to prevent malware attacks, you need to prepare for ransomware removal and backup restoration to overcome the effects of an infection. Ransomware attacks have been relentless. While IT pros prefer to avoid the aggravation associated with an invasion, verified backups must be in place to ensure your continuity. Unitrends Unified BCDR solutions provide the help you need to take the ransom out of ransomware.