hamburger icon close icon
Ransomware Recovery

Ransomware Recovery: The Basics and 6 Critical Best Practices

Read Next:

What is Ransomware Recovery?

During a ransomware attack, threat actors prevent you from accessing your data by encrypting it. They demand payment in exchange for keys that enable you to decrypt the data. When a ransomware attack targets data needed for normal operations, organizations may not have access to critical information or systems needed for ongoing operations.

Ransomware recovery is a critical part of ransomware protection, which enables organizations to resume normal operations in the aftermath of a ransomware attack. It is a key component in a disaster recovery (DR) plan, which defines ways to recover from various data loss scenarios. Successful ransomware recovery can help organizations reduce the cost of downtime and minimize reputation damage and revenue losses.

In this article:

Key Elements of an Effective Ransomware Recovery Plan

An effective ransomware recovery plan ensures you can readily respond to an attack without paying any ransom.

Here are tasks you should include in your ransomware recovery plan:

  • Identify the ransomware malware trigger files—identify and remove ransomware malware trigger files deployed on your devices.
  • Determine the attack style—knowing the type of ransomware will help you decide what measures you need to take. There are two main types of ransomwares: encryption-based and screen-locking.
  • Disconnect all devices—to restrict the impact of ransomware and stop the attack from spreading, disconnect all vulnerable devices from your network.
  • See if a decryptor is available—the No More Ransom project, and several other online sources, provide decryptors for many types of ransomware. If a decryptor is available for your strain of ransomware, you can use it to restore your data.
  • Restore file systems—before restoring data from backup, perform an anti-malware scan on your backup systems to ensure they were not infected by ransomware as well. Otherwise, you risk re-infecting production systems when restoring data. After being sure that backups are clean, restore lost data from backups.

How to Restore Data After a Ransomware Attack

Here are several methods you can use to restore data following a ransomware attack:

Recovery type


How it works

Bare metal restore

Threat actors encrypted the entire server.

Set up data backup that enables you to restore your computer system from its bare-metal state.

This recovery type should not involve reinstalling operating systems or manually configuring hardware.

Granular restore

Quickly restoring specific data.

Set up data backup that enables you to immediately restore specific data and recover the rest later.

The goal is to quickly enable the business to resume operations before all systems are recovered.

Instant rollbacks from VMs

Quickly resume operations.

Instant rollbacks enable you to restore data from virtual machines (VMs) in a matter of minutes.

The goal is to resume operations immediately even if the ransomware still exists in the environment.

Data center on-demand

Restore all data from a third-party server.

You can send a copy of your primary data to an offsite server hosted by a service provider.

This option lets you restore data from a different environment.

Each recovery option fits different scenarios, depending on the scope of the attack. You can choose the option that suits your needs and allows you to resume normal operations during and after a ransomware attack.

6 Ransomware Recovery Best Practices

Perform Backups of Critical Data

Most ransomware attacks aim to prevent victims from accessing critical data until they pay a ransom fee. You can mitigate this risk by backing up your critical data. If ransomware encrypts your data, you can use backups to restore your access without meeting the attacker's demands.

Here are key points to consider when backing up your critical data:

  • Store backups so attackers cannot access them via the network—keep the backup on an external device, or disconnect it, so a ransomware attack will not compromise it.
  • Remember to address the initial vulnerability—when you restore an entire system from backup, you return to a point where you probably still have the vulnerability the attackers exploited. Ensure your ransomware recovery procedures include identifying and remediating the attack's root cause.

Protect Backups from Ransomware

Backups are an important way to protect against ransomware, but if you don’t take the appropriate measures, ransomware attacks can reach your backups as well. If ransomware manages to encrypt backups, there may be no way to restore your data.

Follow these best practices to protect your backups against ransomware:

  • Maintain an offline backup—modern backup systems are connected to production systems and synchronized on a regular basis. Therefore, an important protective measure is to maintain an offline backup that is not directly connected to your network.
  • Use immutable storage—regular automated backups will continue to operate even though a ransomware process has infected your system. This could cause the new, encrypted files to replace your backups. To solve this problem, many storage solutions support a standard called Write-Once-Read-Many (WORM). This lets you store data in a format that is locked against modification.
  • Endpoint protection on backup servers—a backup server is a critical resource, which should be protected by modern endpoint protection solutions. These platforms can block known types of ransomwares and automatically detect abnormal behavior of system processes which may indicate an unknown ransomware strain. They can also prevent ransomware from spreading throughout the network.
  • Increase backup frequency—determine your recovery point objective (RPO) and set backup frequency accordingly. Consider the damage caused by losing all data since your most recent backup. For business-critical applications you may need to backup data multiple times per day, once per hour, or more frequently.

Related content: Read our guide to Cloud Backup Services

Recover Safely

Restoring data before neutralizing the ransomware might allow the attacker to compromise the system or data again. You should start recovering operations once you have neutralized the ransomware, meaning you may be required to recover data in isolation or using a new system. Also, ensure you recover to an isolated environment that the original ransomware cannot access.

Decrypt Data

In a ransomware attack, attackers encrypt data, and demand that you pay a ransom fee to decrypt and recover it. However, if a decryptor exists for the ransomware used in the attack, you can decrypt your existing data to make a full recovery.

You must conduct decryption in a secure environment. If you cannot neutralize the ransomware, you may need to decrypt your data in an isolated environment.

Prioritized Recovery

Create a plan that outlines which applications and lines of business you will prioritize. Ensure that foundational services needed for core functionality, including DHCP, Authentication, and DNS, are running and restored first. Recovered systems need these basic services to function effectively.

Use Automation

You can use automation to speed up recovery, however, you may not need automation for all scenarios. Here are examples of where automation can be useful:

  • NAS systems that have tens or hundreds of shares
  • Entire virtual environments with hundreds or thousands of VMs
  • Database servers with numerous databases
  • File sets across multiple servers that need to be recovered to the same point in time

Ransomware Recovery with NetApp Cloud Backup

NetApp understands ONTAP better than anyone else, which is why the best backup solution for ONTAP systems is NetApp Cloud Backup. Designed by NetApp specifically for ONTAP, Cloud Backup automatically creates block-level incremental forever backups. These copies are stored in object format and preserve all ONTAP’s storage efficiencies. Your backups are 100X faster to create, easy to restore, and much more reliable than with any other solution.

Cloud Backup simplifies the entire backup process. It’s intuitive, quick to deploy, and managed from the same console as the rest of the NetApp cloud ecosystem. Whether you’re looking for a less expensive way to store your backups, a faster, more capable technology than NDMP, or an easy way to enable a 3-2-1 strategy, Cloud Backup offers the best backup solution for ONTAP.

New call-to-action

NetApp Ransomware Protection Solution

NetApp Ransomware Protection is a comprehensive set of data-centric capabilities that allows youto protect your data estate with a Zero Trust approach from the inside out. It enables you to map and classify your data, detect abnormal user activity, manage access, and avoid costly downtime using rapid backup and restore. IT teams can apply these advanced defense mechanisms to strengthen cyber resiliency and make sure the most critical data stays protected.

Want to learn more about Ransomware Recovery?

See our additional blog posts on related topics.

Ransomware & Cloud Backup: Enhance Your Cyber Resilience with NetApp Cloud Backup

Protect against ransomware with Cloud Backup by accessing ransomware protection as cloud storage. With this level of defense, you’ll be able to establish the cyber bunker you need to help you jump right back into business in the event of a malware attack.

Read more in Ransomware & Cloud Backup: Enhance Your Cyber Resilience with NetApp Cloud Backup.

Immutable Backups with Cloud Backup: A Key Tool in Ransomware Protection

Immutable backups offer a fail-proof solution for you to secure your data. With immutable backups, your copies are impossible to delete or change, helping you to avoid paying ransoms and bring your business back online in the event of ransomware attacks. This blog looks in-depth at NetApp Cloud Backup’s immutable backups and how they add more protection against malware.

Read more in Immutable Backups with Cloud Backup: A Key Tool in Ransomware Protection.

7 Ransomware Backup Best Practices to Survive the Next Attack

Ransomware attacks infect systems and then encrypt files and folders to prevent access to important systems and data. Learn critical ransomware backup best practices - learn how to backup data and ensure you can use it to restore operations in case of a ransomware attack.

Read more: 7 Ransomware Backup Best Practices to Survive the Next Attack

Cloud Backup and SnapLock: Create Immutable WORM Backups On-Prem or in the Cloud

The cloud backup services of NetApp Cloud Backup now support immutable Write Once, Read Many (WORM) storage in the cloud or on-premises with StorageGRID appliances. Find out how SnapLock support gives Cloud Backup users a more secure way to protect backup data than ever before.

Read more in Cloud Backup and SnapLock: Create Immutable WORM Backups On-Prem or in the Cloud

Introducing Cloud Backup DataLock: A New Way to Keep Backup Data Immutable

Ensuring that your backup data is safe from ransomware just got a little bit easier thanks to the new DataLock feature of Cloud Backup. With DataLock, you can now store backup copies in immutable WORM storage in the cloud or on-prem.

Add this to Cloud Backup’s other security-enhancing features and you’ll be better prepared to handle ransomware when it attacks.

Read more in Introducing Cloud Backup DataLock: A New Way to Keep Backup Data Immutable

Fighting Ransomware with NetApp BlueXP Backup and Recovery

Ransomware attacks are a leading cause of data loss in companies, but these attacks are becoming more sophisticated and are also targeting backup data. This could make it even more difficult to recover sensitive data in the event of an attack.

Find out more about how BlueXP backup and recovery’s security features allow enterprises to protect their data and backups from malicious attacks.

Read more in Fighting Ransomware with NetApp BlueXP Backup and Recovery

Large US Financial Institution Chooses NetApp BlueXP Backup and Recovery to Protect Its Data

The financial industry’s data protection requirements are stricter than other industries, given the nature of the data, and the ensuing regulatory demands to keep it safe. That’s why this large US financial institution picked BlueXP backup and recovery.

BlueXP backup and recovery helps protect this company’s data by storing it in an all-NetApp, offline system, ensuring it is safe from ransomware and easily recoverable from any kind of data loss.

Read more in Large US Financial Institution Chooses NetApp BlueXP Backup and Recovery to Protect Its Data.

The BlueXP Feature That Protects Backups from Ransomware

With backups presenting the last line of defense against ransomware, the hackers have started to adapt. Gaining control of the backups themselves is now a primary goal of most ransomware attacks. BlueXP has a way to make sure that doesn’t happen.

BlueXP backup and recovery has a ransomware protection feature that automatically scans your backups, detecting any attempt to change the data inside. Once detected, users get alerts and the last known unharmed copy becomes the new source of truth.

Find out more about how it works in The BlueXP Feature That Protects Backups from Ransomware

Air Gap Backup with BlueXP Backup and Recovery

As ransomware attacks evolve to target backup data, recovery is becoming more challenging. Air-gapped backups can isolate your data from other systems or networks to protect against potential attacks, providing you with a reliable solution for securing your backup copies.

Find out more about BlueXP backup and recovery uses logical air gapping to help you secure your data.

Read more in Air Gap Backup with BlueXP Backup and Recovery

Semion Mazor, Product Evangelist

Product Evangelist