Ransomware Data Recovery: 5 Ways to Save Your Data

A ransomware attack uses malware to encrypt systems and data, for the purpose of demanding ransom for decrypting the files. In a ransomware attack, cybercriminals hold your data and systems hostage. If you don’t have data protection strategies in place, a ransomware attack can result in catastrophic loss and disrupt business continuity. Read on to learn how to create a ransomware data recovery strategy, including five methods for recovering ransomware encrypted files.

In this article you will learn:

What Is a Ransomware Attack?

A ransomware attack is an attack carried out with malware that encrypts your systems and data. Attackers demand a ransom to decrypt your data, allowing you to access it again. Often, attackers ask for payment in cryptocurrency since it is anonymous and less traceable. The ransoms demanded can be minor or can be for large sums of money.

How to Prevent Ransomware: Building Your Ransomware Data Recovery Strategy

The most effective way to protect your systems against ransomware is to prevent it from being installed. The next best way is to anticipate how it can enter your systems and what data is likely to be targeted. This helps you focus protections and ensure that data is backed up before an attack.

To develop a robust protection strategy, it’s often easiest to start with your data and work from there. The following steps can help you develop a solid ransomware data recovery strategy.

  1. Inventory your data—create an inventory of your data to determine how data should be categorized and where it is stored. Categories might include critical, valuable, regulated, or proprietary. Once you have an inventory, you can determine how data needs to be protected and you can initiate data backup.
  2. Identify your endpoints—you need to know where your endpoints are to identify where ransomware infections might come from. Like with your data, you can categorize endpoints to determine priority and ensure high-value endpoints are protected appropriately.
  3. Determine your recovery plan—create a ransomware data recovery plan for all assets and data, prioritizing mission-critical ones. You should be able to either restore or rebuild all assets, preferably from a master backup or image.
  4. Protect your backups—backups are only helpful when secure and accessible. You need to make sure your backups are as protected as your systems and data to ensure that you can restore data from backups and that the data you are restoring is reliable.
  5. Duplicate data offsite—you should store at least one copy of data either offline, offsite, or both. This ensures that even if on-site backups are encrypted with ransomware you still can restore data. When storing these copies, make sure to secure data just as you would for the primary copy.

A ransomware data recovery strategy is typically included in a disaster recovery and business continuity plan.

5 Methods To Recover Ransomware Encrypted Files

If you have already been affected by ransomware, there are several methods you can try to restore ransomware encrypted files, rather than paying your attacker.

1. Restore From Backup

The fastest way to recover from ransomware is to simply restore your systems from backups. For this method to work, you must have a recent version of your data and applications that do not contain the ransomware you are currently infected with. Before restoration, make sure to eliminate the ransomware first. This is typically done by resetting your systems to factory defaults.

2. Windows System Restore

If you are using Windows systems, you might be able to recover your data with the Windows System Restore utility. This tool stores point in time backups for your Windows devices which you can roll back to when needed.

To use this utility, go to Control Panel and select System and Security. Next, choose Backup and Restore. When you select “Restore files from backup” you are taken to a wizard that helps you complete the process.

Source: Microsoft

3. Windows File Versions

As an alternative to System Restore, Windows provides the ability to restore individual file versions. This feature can help you with specific encrypted files. For this feature to work, your target file must be included in a previous restore point, Windows Backup, or File History.

To restore previous file versions in Windows:

  1. Right-click the file you want to restore and select Properties.
  2. Select the “Previous Versions” tab.
  3. Select from the list of restore points the version that you want to restore. You can verify the version by selecting View from the options.
  4. Once you have verified your version, you can either create a copy (using Copy) of the file in the same directory as your encrypted file or you can overwrite the encrypted file (using Restore).

4. Data Recovery Software

If you are not trying to recover a Windows device or if you just want to use a third-party solution, you can try using data recovery software. This software can be helpful if you do not have backups or recovery points to restore from. If you need to recover ransomware files, you can use dedicated ransomware backup solutions.

You can use data recovery software to:

  • Extract corrupted or deleted data from storage devices
  • Repair hard drive partitions or de-format drives

These solutions work for both system-created and user-stored data and can recover data from most storage devices. This includes flash drives, hard disks, external storage, and tape drives. This software can also help you recover corrupted or mistakenly deleted data. A few popular solutions are Stellar Recovery, Prosoft Data Rescue, and Disk Drill.

5. Ransomware Decryption Tools

Depending on the type of ransomware you’re infected with, there may be decryption tools available to you. These tools simply break the ransomware encryption placed on your files and systems using algorithms developed by security experts.

There are multiple sources online for these tools, including the No More Ransomware project. Before downloading any tool, however, make sure that the source is trusted. There are many fake tools available that include additional malware.

Ransomware-Resilient Backup from Cloudian

Cloudian® HyperStore® is a massive-capacity object storage device that can help you store data in a way that is resilient to Ransomware and recover more easily from attacks.

HyperStore can store up to 1.5 Petabytes in a 4U Chassis device, allowing you to store up to 18 Petabytes in a single data center rack. HyperStore comes with fully redundant power and cooling, and performance features including 1.92TB SSD drives for metadata, and 10Gb Ethernet ports for fast data transfer.

Cloudian storage devices can be deployed:

  • As a backup target for data protection applications including Rubrik, Commvault, and VERITAS.
  • As an enterprise synch-and-share solution allowing client systems to synchronize data and maintain a copy of critical files on a central repository.
  • As a file server used by client systems to directly save important files.

Cloudian protects your data from Ransomware in two ways:

  • Write Once Read Many (WORM)—Cloudian ensures that data, once written, cannot be changed or deleted until a specified time has passed. Because the data cannot be modified, it cannot be encrypted rendering ransomware ineffective. WORM is available as a system-level function of Cloudian storage devices.
  • Data Versioning—Cloudian creates a new copy of the data when changes are made, while retaining the original copy for a specified period. If malware encrypts a file, a copy of the unencrypted file still exists.

Learn more about Cloudian’s ransomware backup solutions.