How to recover from a ransomware attack

It is arguably one of the most dreaded words for any organization today: ransomware. Ransomware can bring a bustling, thriving, profitable business to its knees in hours. The aftermath can lead to a ripple effect of lost revenue and customer confidence, and may ultimately take some organizations out of business entirely. Ransomware is the new pandemic for most organizations worldwide. Given the risk and the likelihood of a ransomware attack, companies must be prepared to take the proper steps in dealing with an attack. Ultimately, taking the appropriate steps after a ransomware attack can make the difference between a successful recovery and dire consequences.


What is a ransomware attack

First, let’s understand the tremendous risk presented to organizations by a ransomware attack. A ransomware attack is a type of cyberattack where attackers use encryption to “lock up” files so the victim can no longer access their data until a ransom is paid. Once a user is infected with the malicious ransomware code, it begins encrypting all files the user has access to, including files located on the enterprise network, such as file shares, network locations, and even cloud storage.

It takes public/private key encryption, generally used as a legitimate security technology, and turns it around for a malicious purpose. Instead of the encryption keeping mission-critical data from falling into the wrong hands, it is used to keep the legitimate owner of the data from accessing their information.

A ransomware attack uses malicious code to lock up the victim’s files, and when the encryption process is finished, the ransom demand is made. It infiltrates networks using compromised credentials, insecure remote connectivity tools, malicious URLs, phishing emails, or users downloading infected attachments or executables. Without the decryption key provided by the attacker or restoring from backup, the data is unrecoverable.

Let’s consider a recent example of how easily a ransomware attack can capitalize on vulnerabilities such as weak or breached passwords. A massive ransomware attack in 2021 affected a major fuel pipeline in the U.S., Colonial Pipeline. It shut down some 5500 miles of the pipeline leading to fuel shortages and high fuel prices along the Eastern Seaboard. The Colonial Pipeline hack resulted from compromised VPN credentials on a breached password list found on the dark web.

How have ransomware attacks evolved?

Ransomware has undoubtedly evolved over the past several years. It has grown from a simple attack affecting individual users and their PCs to a multi-billion dollar (and growing) cyberattack affecting organizations, large and small.

Early ransomware variants typically targeted anyone and everyone. Now, attackers have perfected their craft. They currently operate in very sophisticated ransomware groups that function as a business in and of themselves. Ransomware groups are now carefully choosing their victims. Targets can be based on the organization’s size, revenue, or other factors, including nation-state incentives.

Attackers are also using new ways to pressure victims into paying the ransom demanded, including a tactic called “double extortion.” What is double extortion? Double extortion demands a ransom for decrypting the data itself and another ransom payment to keep the data from being leaked to the dark web. This new threat to organizations is a very alarming development. Even if organizations have backups for recovering their critical data, attackers can use the threat of data leak to pressure a ransom payment.

In the latest Digital Defense Report, Microsoft details the new and very concerning double extortion tactic; see “How cyberattacks are changing according to new Microsoft Digital Defense Report” on the Microsoft Security Blog.

How to recover from a ransomware attack

Businesses must prepare now for a ransomware attack. It is arguably not a case of if a ransomware attack will happen but when. Organizations unprepared and ill-equipped to deal with an attack suffer the worst consequences and long-term effects, including lost business and customer confidence.

Let’s consider the following general three steps to recover from a ransomware attack:

  1. Contain
  2. Secure
  3. Remediate

As we will see, these steps closely tie together to prevent the spread of ransomware through an environment, revoke access to attackers who may have compromised endpoints or credentials for entry, and resolve any vulnerabilities and weak points moving forward.

1. Contain

The first step of recovering from a ransomware attack is to contain the attack. To stop the attack, organizations must isolate the infected hosts on the network. Any ransomware attack has an entry point to the network: a client PC, a server, etc. It is often the quick thinking of IT staff or a savvy end-user that can stop the spread of ransomware through the network.

This was the case in one Florida hospital. After the IT department realized they were experiencing a ransomware attack, they decided to shut down the hospital’s computer systems. That quick thinking was noted to have stopped the ransomware attack from spreading and compromising all the critical data.

By containing the spread of ransomware, organizations can drastically reduce the amount of downtime, lost data, disrupted services, and breached records.

2. Secure

In conjunction with the contain step, organizations must aggressively secure their environment once a ransomware attack is discovered, removing the access and credentials attackers may be using to reach critical systems. This step encompasses the tasks and actions needed to prevent further damage from a cyberattack. For instance, it may include taking down site-to-site VPN connections between locations to ensure the ransomware does not spread to additional sites. In addition, it can mean shutting down external email and firewall rules that allow certain types of traffic into the internal network or DMZ.

One of the crucial steps to perform is to force users to change their passwords. This step is needed because attackers commonly use compromised credentials to gain entry into computer systems in the internal network. According to the IBM Cost of a Data Breach Report 2021, “compromised credentials was the most common initial attack vector.”

Locking all accounts and forcing users to change their passwords before regaining access helps ensure any compromised credentials are changed. Additionally, this step helps to revoke access attackers may have due to stolen/compromised credentials, making it more difficult to maintain access to the environment.

3. Remediate

The final step is to remediate. In this phase, organizations look to rectify and resolve underlying cybersecurity issues to prevent future attacks from happening. It includes patching discovered vulnerabilities, rearchitecting weak remote access solutions, and implementing breached password protection for Active Directory user accounts, to name a few.

Attackers can often take advantage of unpatched security vulnerabilities on an Internet-facing server or perform brute-force password attacks against improperly secured Remote Desktop Protocol (RDP) servers. Businesses must address all of these in the post-mortem of a ransomware attack.

As mentioned in the secure step, changing account passwords is vital to revoke access to attackers who possess compromised credentials. In addition, organizations must check password resets to ensure passwords are not contained in breached password lists and remediate the risk of users using weak/breached passwords. Unfortunately, breached password protection is not a native feature of Microsoft Active Directory password policies and requires the use of a capable third-party tool to implement. Nevertheless, it is a critical component of a robust strategy to strengthen the cybersecurity posture of your business.
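The check described above, screening a password chosen at reset time against a breached password list, can be sketched as follows. This is an added example, not code from Specops or Microsoft; the `SHA1HEX:count` line format, the sample passwords and all function names are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a breached-password list (assumption).
# Such lists are normally distributed as hashes, so the plaintext here is
# hashed immediately and only the hashes are indexed.
SAMPLE_BREACHED = {"Password1": 2400, "Summer2021!": 310, "qwerty123": 9800}


def sha1_hex(password: str) -> str:
    # SHA-1 is only the lookup key into the list, not a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(lines):
    """Parse 'SHA1HEX:count' lines into {5-char prefix: {35-char suffix: count}}."""
    index = defaultdict(dict)
    for line in lines:
        digest, _, count = line.strip().partition(":")
        digest, count = digest.strip().upper(), count.strip()
        if len(digest) != 40 or not count.isdigit():
            continue  # skip blank or malformed lines instead of failing the load
        index[digest[:5]][digest[5:]] = int(count)
    return index


def breach_count(password: str, index) -> int:
    """Return how often the password appears in the list (0 means not found)."""
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)


def screen_reset(username: str, new_password: str, index):
    """Decide whether a password reset may proceed; returns (allowed, message)."""
    hits = breach_count(new_password, index)
    if hits:
        return False, f"{username}: rejected, password appears {hits} times in breach list"
    return True, f"{username}: accepted"


# Constructed input lines, including one malformed entry the parser must skip.
SAMPLE_LINES = [f"{sha1_hex(p)}:{n}" for p, n in SAMPLE_BREACHED.items()]
SAMPLE_LINES.append("not-a-hash:1")
INDEX = build_index(SAMPLE_LINES)

if __name__ == "__main__":
    for user, pw in [("alice", "Summer2021!"), ("bob", "violet-harbor-tin-4471")]:
        print(screen_reset(user, pw, INDEX)[1])
```

Matching is exact and case-sensitive, so a list hit proves the password is exposed, while a miss only means it is absent from this particular list.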

Specops Password Policy with Breached Password Protection is a best-in-class solution allowing companies to have effective breached password protection that ensures passwords chosen during password resets are not found in breached password lists. After implementing Specops Password Policy with Breached Password Protection, organizations have a way moving forward to check Active Directory passwords for compromised credentials continuously. If credentials are breached in the future, Specops provides the controls to remediate this risk. This proactive approach is needed to ensure passwords remain secure, as this is arguably one of, if not the, most common attack vectors for ransomware.

Concluding thoughts

The threat of a ransomware attack is topping the list of potential cybersecurity threats for many organizations. It is a dangerous type of attack that can leave businesses without access to their data and the potential for massive data leaks. Businesses must plan now to recover from a ransomware attack. For most, it is not if an attack will occur but when. Having a multi-faceted plan to deal with a ransomware attack is vital for the business to survive an attack successfully. Using the secure, contain, and remediate strategy helps contain an attack, secure vital resources, and remove the threat moving forward. Using solutions like Specops Password Policy with Breached Password Protection helps to bolster one of the commonly used attack vectors – weak or breached passwords.

Learn more about Specops Password Policy with Breached Password Protection.

(Last updated on September 16, 2022)

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at
