Ransomware Recovery

What is Ransomware? Ransomware Protection Anti-Ransomware Security Detect Ransomware Recover from a Ransomware

The FBI reports that there are 4,000 ransomware attacks daily. Attacks that encrypt your files and lock users from access their data. If there’s an invasion of your system are you sure you have a viable recent backup in place so that you can recover your data without paying ransom? How do you restore your system to recover from a ransomware attack?
Attacks on businesses increased 3x in 2016. A company gets hit with ransomware every 40 seconds. On average organizations estimate they spent 33 hours dealing with the consequences of an infection from the bad actors who create and distribute these programs. Meanwhile, one in five victims who pay the ransom still do not get their data back.

It’s been reported that more than 60% of businesses have already confronted a ransomware invasion. You’re business falls into one of two categories, either you survived a ransomware attack or you’re due to be hit by one. It’s clear that you need to have a plan to recover after a breach.

The 3-2-1 Rule

As part of your ransomware defense, Unitrends supports the industry best practice of implementing the 3-2-1 Rule. IT pros should make 3 backup copies of the data, using 2 different media, with 1 version being offsite. While there are lots of prospective permutations to put this formula in use, Unitrends Recovery Series appliances and Unitrends Cloud give you a simple-to-use, single-interface backup and continuity solution that lets you implement and administer the 3-2-1 Rule from a single pain of glass.

The 3-2-1 rule is a component of an exhaustive line of defense that ensures continuity for your endpoints, on your network, and within your backups. Backup and disaster recovery are the foundation for reviving your system after a ransomware infection.
Disaster Recover (DR) Plan

When we surveyed 600 IT professionals, more than 60% said they test their disaster recovery once a year or less. And 37% said they never test their DR plan. Not knowing if your DR plan will work adds significant risk to your ability to restore after ransomware strikes.

Before you begin the ransomware removal process, you need to ask yourself, are you able to recovery from your backup files. Sadly, disaster recovery testing is often neglected because it’s time consuming and cumbersome.

Recovery Assurance

Unitrends solution offers automated testing for your DR plan using Recover Assurance. It systematizes recovery testing across local, remote, and cloud locations. With fully-automated, application-level testing and failover you can proactively uncover recovery issues, like ransomware, for physical and virtual machines. By validating your DR plan you can be confident that the recovery point to come will be successful. The consequences of not verifying you DR plan can be dire. Tragically, less than half of ransomware victims fully recover their data, even with backup.

After ransomware, system restore success is predicated on have a DR plan that works. Recovery Assurance automates testing for all your sites and the cloud. It gives you more confidence in your ability to get rid of ransomware by using a proven recovery point. With the knowledge that your Disaster Recovery plan has been tested and verified you know that you can safely retrieve your data. When you need to recovery from a ransomware infestation, Unitrends offers the most flexible and comprehensive backup and recovery capabilities in the industry, enabling your business to recover quickly.

Unitrends all-in-one enterprise backup and continuity gives you the tools to respond to ransomware strikes. When you need to rapidly restore your company’s data and IT services, an untested DR plan can pose a serious threat to the company security as a whole. And for you, it can mean the difference between being seen as a hero or needing to update your résumé.


Downtime is expensive, 98% of organizations say a single hour of downtime costs over $100,000. When devising your DR Plan and the financial impact, you need take into account the variables that affect your industry, revenue, manpower, and level of data transactions. How long can you be without access to systems and files? How much data can you afford to lose?

Your DR plan should include specific Recovery Time Objectives (RTOs) and Recover Point Objectives (RPOs). Your RPO refers to the maximum amount of data (in terms of time) that you can afford to lose. If you get invaded by ransomware, what is the safe and effective restore point for your system? How much data can you lose without devastating your organization?

Recovery Time Objectives (RTOs) refer to the maximum amount of time that your enterprise can afford to be offline with no access to your data and systems. Defining your RTO is a key component of developing a DR plan that works within your business continuity goals. Your maximum tolerable downtime comprises the management goals for your ransomware recovery. Set your backup solution to meet your RTO and RPO targets.
Unitrends Backup Software v10 has introduced Service Level Agreements (SLA) policy automation. The new feature automatically controls the flow of backups through a simple, easy-to-use policy using a single pane of glass. The automated process requires just three simple steps from the user. You set RPOs, RTOs, where data should go, and how long it should be kept.


After all the preparation, you can still be attacked by the cyber criminals. You need to know how to get rid of ransomware from you network. You’ve backed up your data on a regular schedule, tested your disaster recovery plan, set up your detection alerts for ransomware, and then you get hit by an attack. Your system detects and invasion; What steps do you need to take to actually recover from an attack?

Find the Ransomware

Ransomware attacks are typically uncovered by IT admins who either get a detection alert warning form their continuity system or they see a trail of encrypted files with revised extensions on file names. Invasions also may be reported by users who can no longer find or open files. Or IT may get overwhelmed by panicked co-workers who have locked machines and have ransom notes popping up on their desktop.

Stop the Damage

The FBI urges IT staffers to “isolate the infected computer immediately.” By removing the affected machine from your system, you prevent ransomware from attacking other network locations or shared drives. The US Government also recommends that devices that have not been completely corrupted be isolated or shut off. Prevent further damage by unplugging the Ethernet connection, disconnecting from WiFi, and switching off impacted machines as soon as you notice the attack. Ransomware can spread via network connection, so you can help contain the breach by disconnecting shared drives and shutting down your network. Before starting a recovery, evaluate the status of the attack to see if it is still active.

Restore after Ransomware Attack

Now you need to know how to remove ransomware. If you have an effective backup and recovery plan in place, you can use it to recover encrypted files.  You want to trigger the process to recover asset-level backups for your operating systems. To restore your system you must have a recovery backup target; it could be local, virtual or in the cloud.
Check to make sure that you’re using a backup that isn’t affected by the ransomware so you can move forward with an asset-level backup. Check for file encryption extensions and modification dates in your backup files, surefire clues that the system has been compromised.

You can recover by using either a hot backup copy (dynamic or online backup that is actively online and accessible to users) or a cold backup copy (offline backup of data that is offline and inaccessible to users). Perform cold target backup from public cloud (AWS, Azure, etc.), NAS, FC, ISCSI, attached disks or tape. Hot backup techniques would be used for both Unitrends Cloud and Recovery Series appliances.

If the volume of infected files is manageable, you can recover at the file level by searching for the backup versions of the encrypted files and importing them to your appliance. Link to the platform that contains the files to import. Click on the files you want to recovery and save them to your import target.

If you have a network wide infection you need to find a safe, viable backup copy or snapshot of your system. Using your continuity platform user interface, find the secure snapshot location. Select the indices you want to restore. Import your backup file and resurrect your system. Using your clean verified backup leads to the ransomware removal that previously caused the disruption.

While your primary mission is to prevent malware attacks, you need to prepare for ransomware removal and backup restoration to overcome the effects of an infection. Ransomware attacks have been relentless. While IT pros prefer to avoid the aggravation associated with an invasion, it’s imperative that verified backup is in place to ensure your continuity.  Unitrends enterprise backup and continuity solutions provide the help you need to take the ransom out of ransomware.