In many cases, YES, so don't pay the ransom just yet... 

It is reported that someone new gets hit by a ransomware attack every few seconds, and fewer than 50% of people who pay the ransom actually get their data back.
 
It is imperative to seek expert help immediately, and research your options thoroughly before proceeding with any decryption or recovery attempt, and certainly before handing over any ransom payment. 
 

What is ransomware? 

Ransomware, malware, virus, encryption attacks - whatever you call it, it is usually a significant breach that will have negative implications for the attacked, either financially, operationally, through reputational damage or all of the above. 
 
It is essentially an uninvited and unwanted attack on computer systems and data by a harmful player that deploys malware to lock access to systems. Usually, a significant ransom payment is demanded to release or decrypt the data, with these payments often being requested in cryptocurrency to protect the identity of the attacker. 
 
Frequently the attack is so sophisticated that existing backup and disaster recovery strategies are unable to provide adequate data restoration, leaving the infiltrated with no option but to take a chance and pay the ransom.  
 
Or perhaps not. 
 
Data recovery after a ransomware attack is in many cases a viable alternative, even on virtual machines (VMs) and RAID, and we detail various aspects of this approach here.
 
So if you're wondering "what do you do when you suffer a ransomware attack" then read on: 
 
 

Is ransomware data recovery possible? 

Whether the ransomware attack has affected servers, backup tapes, or other storage devices, data recovery after a ransomware attack is in many cases possible. The key to a successful recovery, however, is calling in the experts as a first step. Many well-intentioned efforts to mitigate the risk or avoid data loss actually end up making the situation worse, as ransomware attacks vary hugely from one case to another, and it takes a wealth of experience to find the correct solution.
 
Even paying the ransom is generally not advised, as there is rarely a guarantee that this will release the data, and in some cases payment is simply a sign to the attacker that you are willing and able to pay, and so data is held back for further extortion.
 
The ransomware recovery experts on our panel have a wealth of experience in quickly, and safely, working with you to understand the situation and options, and then proposing a path back to recovery.  
 
Rarely does one size fit all, so all of our ransomware recovery experts have access to in-house proprietary tools, as well as the ability to create a bespoke solution via R&D teams to meet the specific needs of the case. This is a very rare and specific skill set, and we cannot stress enough the need to get this decision right the first time. 
 
So in many cases, it is absolutely possible to recover data from ransomware provided you speak to the right experts, and contact them as soon as you realise you have a ransomware infection.  
 
If you have recovered your data, read our recovery from ransomware attack page. 
 

How do you recover data from ransomware? 

Unlike regular data recovery services, there is rarely a physical or electromechanical element to ransomware data recovery. This by no means makes the process any easier, though; in fact, in most cases ransomware or malware data recovery is more difficult.
 
But not impossible. 
 
So despite data recovery success rates being lower for this type of recovery, it is still very much an endeavour worth investigating. After all, how much data can you afford to lose?
 
The process that a data recovery ransomware expert will usually follow is very similar to the regular data recovery process. The service is divided into distinct discovery and recovery phases. 
 
Initial phone consultation to establish the known facts, and ensure that the first steps taken by the attacked are sensible and won't cause further complications or irrecoverable data loss.  
A deeper look at the files and signatures of the attack to establish what type of attack it is, how far and wide it has spread, and whether or not there are known decryptors or tools available to safely assist. 
A review of the wider backup infrastructure to ascertain whether or not it is likely that the systems can be safely rolled back to a clean state, or whether there is a way to gain access to an uninfected backup or deleted version of the data. 
Once the above has been understood, a recovery effort can begin, either using tools already developed or employing the R&D team to create a custom tool to overcome new or particularly challenging variants. 
Checking and cleaning recovered files as required, and returning them to the customer in a useable and protected state, with provisions to protect from future attacks being put in place.  
 
Unfortunately, this process is far from an exact science, and sometimes engaging with the attacker is the only possible outcome - but this should never be the first step.

Even after paying a ransom, and hopefully receiving back decrypted data, there is still frequently a lot of clean-up and repair work required for the recovered data, again often necessitating the custom development of repair tools, so look for a data recovery company that is able to assist with all of the above.

Why not just pay the ransom and move on? 

It is tempting, especially when all around you are panicking and demanding a quick and quiet solution, to just take the 'easy' way out and pay the ransom. 
 
This rarely goes the way you'd expect it to, and at the very least we highly recommend exploring alternatives first. 
 
So how do ransomware data recovery services help versus paying up, especially if the ransom fee is low?  
 
Engaging a professional data recovery expert to recover your files can be much cheaper than paying a ransom 
Professional data recovery companies have much higher security and confidentiality standards 
Paying the ransom often results in files not being decrypted, or being returned in a fragmented or unusable format 
There is no guarantee that, once you have paid your first ransom, you will not be asked to pay it again 
There is no guarantee that, once you have paid the ransom, your files will not be made public anyway 
Paying a ransom is funding an illegal and destructive industry, and is morally questionable in some circumstances 
Paying a ransom is, in some cases, illegal and can result in your prosecution 
 
For the sake of a quick call to a ransomware expert to evaluate your options, is it worth taking the above risks?  

What types of ransomware data recovery can be performed?  

New ransomware types appear all the time, sometimes new variants of previously seen strains, other times completely new threats. Each can potentially be devastating, and frequently the resolution path is different for each. 
 
Commonly seen (and potentially recoverable) examples include: 
WannaCry 
Cerber 
Thecus 
KillDisk 
CryptoLocker 
TorrentLocker 
CryptoWall 
Koolova 
ElasticSearch 
Encryptor RAAS 
Enigma 
ZCryptor 
Reveton 
KeRanger 
LeChiffre 
Locky 
CryptMIC 
Crysis 
KeyBTC 
Kovter 
CTB-Locker 
Fusob 
KimcilWare 
Jaff 
HDDCryptor 
Jigsaw 
Kirk 
TeslaCrypt 
It is almost impossible to stay ahead of new variants, however, so whenever you encounter any type of ransom note or suspect that your systems have been compromised, don't rely on lists being up to date; call an expert straight away.
In regards to ransom notes, again there are many that are common and should be a clear sign that the attack is legitimate, including the following examples: 
_HELP_instructions.html 
DECRYPT_INSTRUCTION.TXT 
_how_recover.txt 
de_crypt_readme.bmp 
_Locky_recover_instructions.txt 
de_crypt_readme.txt 
About_Files.txt 
de_crypt_readme.html 
Coin.Locker.txt  
DECRYPT_ReadMe.TXT 
HELP_RESTORE_FILES.txt 
HELP_TO_DECRYPT_YOUR_FILES.txt 
HELLOTHERE.TXT 
HELPDECRYPT.TXT 
How_To_Recover_Files.txt 
IAMREADYTOPAY.TXT 
Read.txt 
ReadDecryptFilesHere.txt 
recover.txt 
recoverfile[random].txt 
restorefiles.txt 
SECRET.KEY 
DecryptAllFiles.txt 
help_decrypt_your_files.html 
DECRYPT_INSTRUCTIONS.TXT 
HELP_TO_SAVE_FILES.txt 
Help_Decrypt.txt 
encryptor_raas_readme_liesmich.txt 
HELP_RECOVER_FILES.txt 
FILESAREGONE.TXT 
help_recover_instructions+ 
HELP_YOUR_FILES.TXT 
HELPDECYPRT_YOUR_FILES.HTML 
HOW_TO_DECRYPT_FILES.TXT 
IHAVEYOURSECRET.KEY 
INSTRUCCIONES_DESCIFRADO.TXT 
README_FOR_DECRYPT.txt 
READTHISNOW!!!.TXT 
RECOVERY_FILE.TXT 
HowtoRESTORE_FILES.txt 
SECRETIDHERE.KEY 
YOUR_FILES.HTML 
No matter which variant you are seeing, though, whether listed above or not, file recovery after a ransomware attack will be very complicated and may require a solution unique to your case. For a successful, secure and complete outcome, take advantage of everything the experts have to offer.
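A read-only triage sketch for the ransom note names listed above, added here as an example and not code from this site or its recovery panel: it walks a directory tree, matches a subset of the listed note names case-insensitively, and reports how many directories contain a note and the earliest note timestamp, which helps scope how far an attack has spread. The wildcard reading of `recoverfile[random].txt` and `help_recover_instructions+`, the function names and the sample tree are assumptions.

```python
import fnmatch
import os
from collections import defaultdict

# Subset of the note names listed above, lower-cased for case-insensitive
# matching. Assumption: "recoverfile[random].txt" and
# "help_recover_instructions+" are read as wildcard patterns.
NOTE_PATTERNS = [
    "_help_instructions.html", "decrypt_instruction.txt", "_how_recover.txt",
    "de_crypt_readme.txt", "de_crypt_readme.html", "de_crypt_readme.bmp",
    "help_restore_files.txt", "help_to_decrypt_your_files.txt",
    "how_to_recover_files.txt", "readme_for_decrypt.txt",
    "recoverfile*.txt", "help_recover_instructions+*",
]

def find_ransom_notes(root):
    """Walk root without modifying it; return {directory: [(name, mtime)]}."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if any(fnmatch.fnmatchcase(low, p) for p in NOTE_PATTERNS):
                try:
                    mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    mtime = None  # unreadable entry: still report the name
                hits[dirpath].append((name, mtime))
    return dict(hits)

def summarise(hits):
    """Return (directories affected, earliest note mtime or None)."""
    times = [t for notes in hits.values() for _n, t in notes if t is not None]
    return len(hits), (min(times) if times else None)

def build_sample_tree(base):
    """Constructed sample data: two shares, notes dropped in one of them."""
    layout = {
        "finance": ["q1.xlsx.locked", "HELP_RESTORE_FILES.txt"],
        os.path.join("finance", "archive"): ["recoverfile8f3a.txt", "old.zip"],
        "hr": ["policy.docx", "readme.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for n in names:
            with open(os.path.join(base, sub, n), "w") as fh:
                fh.write("constructed sample\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarise(find_ransom_notes(tmp)))
```

Point it at a read-only mount or a forensic copy rather than the live volume, so that nothing on the affected system is changed before an expert has looked at it.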

How to prevent a ransomware attack on your data? 

It is often easy to see how an attacker can penetrate a network after the event, and with the benefit of hindsight the attack could appear to be easily avoidable. In reality, however, the weakest link in your defences is repeatedly shown to be a human / user, and despite best efforts and constant training, busy employees simply let their guard down frequently. 
 
It is therefore imperative that multiple actions are taken to reduce the risk of being infiltrated, and that frequent reminders and training are provided for anyone who has access to valuable data.
 
Users need to: 
Not open any files or attachments that they don't recognise, and instead send them to IT to be checked in a sandbox. That could be attachments or links from unusual or unknown senders, or unusual attachments or links from known senders.
Ensure that anti-virus software is installed, activated, and updated. These companies work very hard to ensure their tools are regularly updated, so it is important to ensure you are taking advantage of this. 
Backup. Preferably twice. Or thrice. Make it automated, and have copies of important files going to multiple backup destinations. Whilst this is no guarantee against infection, it does sometimes offer a simpler recovery after attack. 
 
IT departments need to: 
Make sure you have a joined-up data management and retention strategy. This means knowing what you've got, classifying all data accordingly, knowing where it is, and knowing what and when to get rid of at end of data life. 
Understand where all endpoints are and protect especially well the vulnerable and/or high-value ones. With an increasingly dispersed (and mobile) workforce, this is both more difficult and more important. 
Backup. Preferably twice. Or thrice. Make backups protected and know what backup data sits where and why. Backups should also be duplicated to a different site so you have access to a clean copy of your data after infection. 
 
Everyone needs to: 
Hope for the best but plan for the worst. This ransomware 'industry' is only gaining speed, so encountering data loss challenges is inevitable. Make sure you have access to a local expert to assist as soon as disaster strikes; you're not in this alone.

Ransomware data recovery additional FAQs 

The initial discussion will usually be quite quick - maybe 30 minutes - and that will often establish the likelihood of data recovery. For the more in-depth review (which is sometimes completed remotely), you should factor 24-48 hours. For the recovery itself, there are a host of variables, especially any need for tool development, so this could take anything between a couple of days and a couple of weeks.  
The initial consultation is almost always free, with the detailed evaluation usually landing in the $500-$1,000 range. For € and £ you can more or less expect a 1:1 conversion. The recovery phase itself usually starts at around $2,500, but complex cases can easily exceed $5,000, with expedited service levels and R&D fees (where required) adding significantly more. 
Whilst several ransomware recovery software products exist, there are always risks involved in using them, especially if you are experiencing ransomware for the first time. It probably comes down to data value: if the value is limited and you cannot justify paying the ransom or engaging a data recovery expert, then some software tools represent a low-cost option to attempt a recovery in some cases. Always proceed with caution, however, and take advantage of a free consultation with an expert first.
Yes, absolutely. Pretty much any storage device that can be attacked by ransomware can equally be a candidate for data recovery. That includes tape archives, desktops, laptops, servers, RAID servers, virtual servers, NAS, DAS etc. As always, the advice is to isolate the systems, and call an expert straight away to review options. 
There are several tools and methods available to competent data recovery companies to recover your data without paying a ransom, including hundreds of decryption tools, restoration from backups, the use of specific data recovery software, the rolling back of files or even systems where possible, or custom-developed file repair and recovery tools. Paying a ransom should never be your first consideration. 
Data recovery is possible from most system types, including servers and RAID systems. The approach for recovery will vary depending on many factors, but what is usually consistent is the fact that the earlier you seek professional help, the greater the chances of a meaningful recovery. 
Generally speaking virtual machines are recoverable in similar ways to physical machines, albeit sometimes with an additional layer of complexity. It is important however to disconnect your infected machines as soon as possible, and refrain from any DIY rebuild or restore, as this can make any subsequent data recovery effort more difficult and even render data irrecoverable in some cases. 
Ransomware attackers generally gain access to your systems or devices through a security weakness or by deceit. Once in, they will damage, exfiltrate or encrypt your digital assets and demand a ransom payment to release or return your data. Usually untraceable, and with no guarantee that they will honour their agreement to release your data, it is very rarely recommended to engage with these attackers. 
A recent article from Tech Digest suggests that downtime after an attack can cost large enterprises more than $10m per day, and Arete report huge average ransom payments by certain sectors - over $2m per attack in the case of financial services companies. For smaller companies in less regulated industries, however, it can still be a 6-figure problem.
Your insurance company, provided you have cyber cover, will almost certainly be able to help, as their interests in these cases match yours - you need the situation resolved with the minimum cost and disruption to your business, which in many cases will be paying a data recovery company to resolve the issue. In addition, they will have resources including negotiators and relevant currencies (Bitcoin?) to assist you if paying the ransom is the only option. 
⭑⭑⭑⭑⭑ 
 
"I was horrified when my files disappeared. But thanks to your help we managed to get a complete recovery, even when another firm said it was impossible!" 
 
 
MARK D | VERIFIED 5 STAR REVIEW 