Related Topics


How To Recover From a Ransomware Attack

It is estimated that businesses around the world will face a ransomware attack every 11 seconds and that the costs of ransomware in 2021 exceeded 20 billion dollars.

With these types of attacks being so prevalent, it is no surprise that many businesses need to find a way to recover. Recovery will not always be easy but with the help of experts you will be able to return to normal.

In this article, you will learn the signs to recognise a ransomware attack, how to recover from a ransomware attack, and viable strategies to prevent attacks in the future.

Signs of Ransomware Attack

In order to spot a ransomware attack, employees need to be vigilant and educated in how to recognise some of the signs. With the number of attacks doubling in 2021, it is only a matter of time until your business is on the end of one, so remain vigilant of the following indicators:

Network and workstation slowdown

When devices slow down or are slow to process, it can often be a sign of too many users taking up the bandwidth. However, on closer inspection of your network, you may come to realise that there is no reason for the reduction in speed. Ransomware works by scanning networks for file locations, this scanning process results in slowing down the whole network.

Suspicious changes to filenames, locations etc.

Sudden changes to files or folders can indicate a sign of ransomware. Files that do not include common extensions such as: .pdf, .doc or .docx and .jpeg may be a sign of a cyber attack. Keep an eye on your change management programme, to track any changes and find ones that look suspicious.

Unauthorised data extraction

If you begin to notice a number of files are going missing over a period of time, this is an indicator that a ransomware attack is underway. Ransomware looks to move about undetected for as long as possible, but may take a small number of files to begin with to test its access and a company’s vigilance. Once successful, it will begin to move onto bigger targets.

Splash screen message

The most obvious sign of a ransomware attack is also the most dangerous. It is the splash screen message that comes up discussing the existence of malware on a computer. This sign is the most dangerous as it will appear once the attack has been successful, and is asking for a fee to return any encrypted data. This sign is not one to be recognised, but one that’s likelihood needs to be reduced in order to be successful against this form of a cyber attack.

How to Recover from a Ransomware Attack

If your organisation has been hit by a ransomware attack there are steps you can take to improve your chances of recovery. These steps act as a guideline to follow that will lead to the best possible outcome.

Never Pay the Ransom

You should never look to pay the ransom if you have backups of your data stored elsewhere. If you do not have these back ups then you need to evaluate whether the cost is really worth it. There are a few important reasons why you shouldn’t pay:

  • There is no guarantee that payment will result in recovery of the data. After all you are dealing with criminals
  • A successful attack will lead to repeat attacks on your company by the same criminals. They know they will get their ransom if successful and their attacks can be never ending.
  • Even after paying the ransom you still need to remove the malware on the system. Effectively meaning you have to double the costs. One for the ransom and one for cleansing your system and the time it takes to do so.

Report the Attack

The sooner the attack is reported, the sooner authorities can begin to identify the attacker, how they are choosing their targets, and help prevent others from falling victim to the same type of attack.

It is best to report the attack to the police, who will hand the investigation over to their cyber crimes department to follow up.

In the UK you can also report the attack to the organisation Action Fraud.

Raise Staff Awareness

Once an attack has been found, it is important to notify all staff so they can remain on the lookout for further attacks or report any that might have already taken place. The second step is to ensure that all members of staff are educated on what phishing is and how it can be identified. This will enable you to better prevent future attacks.

Activate Your Disaster Recovery Plan

Disaster recovery plans for your business should include what to do should a cyber attack take place. The effectiveness of a disaster recovery plan will depend on how in-depth it is, whether it accounts for all types of disasters, and the speed in which it can be enacted once a disaster takes place.

Isolate Affected Business Systems

We highly recommend that any impacted areas such as: systems, folders, files etc, are isolated from the rest of the business network as soon as possible, to stop further spread of the malware. This will keep the impact to a minimum, and help isolate the source of the attack, which will help authorities do their job when investigating the attackers.

Restore Affected Data from Backups

By having your business’s data regularly backed up it allows you to restore any lost data from a cyber attack easily and quickly. With regular backups you will be able to choose a date before the attack has taken place, ensuring that the restored data is malware free. Without regular backups, data recovery will take longer and some newer data may even be lost if backups are not regularly undertaken.

Ransomware Attack Prevention Best Practices

Here is a list of the best practices your business can take in order to prevent any future cyber attack.

Educate staff

By educating your members or staff to identify and avoid ransomware you will be taking the biggest step in preventing an attack. Show them how to identify phishing emails and test them regularly and without warning to ensure they are sufficiently educated.

Use 3-2-1 backup methods

The 3-2-1 backup method includes all of the following: have 3 different backup versions, store the backups in 2 different locations with at least 1 of the locations being completely offsite.

System updates

Make sure that all systems and software are as up to date as possible with the latest patches.

Intrusion detection

Have an intrusion detection system installed on your business’s network

Email filters

Set up email filters that can help identify and detect harmful or potentially harmful emails. Set them up to recognise any potentially malicious attachments or links


Set up blockers for any unauthorised programs to stop them running and whitelist all permitted apps.

User permissions

Make sure that users only have the rights and permissions to access areas they need to on the network.

Protect your business against ransomware

If your business has ever been under attack from ransomware there are steps to take that can help your business recover. Your main objective should be to prevent any attack before it takes place but with the above guidelines you should be able to steer your company through the storm as long as you follow each one.

Without the right strategy in place, a successful ransomware attack can seriously impact your business. By working with cybersecurity experts such as ourselves, you can begin to protect your business, educate your employees and keep your data secure. Get in touch with our team to work on your cybersecurity strategy and overcome any challenges you might have. Call us on 01252 917000, email or get in touch with us via our contact form.

Get in touch with BlueFort