6 Steps to Recover After a Ransomware Attack

By Kathy Ennis, CPA, Partner and Lena Combs, CPA, Partner

Ransomware is a type of cyberattack that can infect a system whenever a user interacts with a malicious link, website, or file. In a ransomware attack, the hacker encrypts data so that it can only be retrieved by paying a ransom and obtaining the key used to decrypt it. Ransomware attacks are continuing to rise at an alarming rate, with cybercriminals targeting businesses across virtually all industries.

If you get infected by ransomware, follow these tips on how to recover from a ransomware attack:

  1. Discover what kind of ransomware is attacking you – The best way to do this is to ascertain how much of your data you still have access to. There are two common types of ransomware, screen-locking and encryption-based, and each operates a little differently. Depending on the type of ransomware impacting you, there’s a chance that data recovery is still possible, and there may be a way to decrypt the encrypted files without having to pay the ransom. If you don’t have the internal resources to diagnose the type of ransomware you’ve been infected with, engage a trusted cybersecurity firm for help.

  2. Disconnect from everything – The most important thing you can do is limit the ransomware’s impact by disconnecting your device and turning off the Wi-Fi, which prevents the ransomware from spreading throughout the network.

  3. Take a picture of the ransomware screen – When you are attacked, a note identifying the ransom will be displayed, including the amount to be paid and where to send the payment. Take a picture so the information is readily available when the appropriate authorities are contacted.

  4. Enact your incident response plan – If you have one, enact your incident response policy immediately because this is a security breach. Follow the measures defined in your policy to ensure that the proper steps are taken, including notifying stakeholders of the breach.

  5. Attempt restoration from backups – If possible, you may want to restore your systems from any backups you have available. However, be cognizant that the ransomware may have been in your system for some time, so any backups could be compromised as well. Before restoring, make sure to deploy antivirus software throughout your system.

  6. Prevent it from recurring – Put measures in place to prevent future attacks. Protect your network with a phishing assessment and phishing awareness training. Understand your threat intelligence with an Open Source Intelligence Report (OSINT) Dark Web scan, and analyze your data privacy risks with Data Privacy Assurance. Ensure that you have an independent cyber insurance policy and conduct a risk analysis.
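
The first step (finding out how much data is still accessible) and the backup step (checking whether backups are compromised) can both be supported by a quick header check over a directory tree. The script below is an added example, not part of the original article: it is a heuristic that compares each file's leading bytes with the well-known signature for its extension, and the function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Well-known leading file signatures ("magic bytes") for a few common types.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # DOCX is a ZIP container
}

def triage(root):
    """Sort files under root into intact / damaged / unknown by header check."""
    report = {"intact": [], "damaged": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        sig = MAGIC.get(path.suffix.lower())
        if sig is None:
            # Untracked type, or an extension appended to the original name.
            report["unknown"].append(str(path))
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.read(len(sig))
        except OSError:
            report["damaged"].append(str(path))  # unreadable = not accessible
            continue
        report["intact" if head == sig else "damaged"].append(str(path))
    return report

def intact_share(report):
    """Fraction (0.0 to 1.0) of recognizable files whose header is intact."""
    known = len(report["intact"]) + len(report["damaged"])
    return len(report["intact"]) / known if known else 0.0

def build_sample(root):
    """Constructed sample tree: two healthy files, one overwritten, one renamed."""
    samples = {
        "invoice.pdf": b"%PDF-1.7\n%constructed sample\n",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "budget.docx": bytes(range(200, 232)),  # header is no longer a ZIP
        "notes.txt.locked": b"\x13\x37" * 16,   # hypothetical appended extension
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        rep = triage(tmp)
        print({k: len(v) for k, v in rep.items()}, f"intact: {intact_share(rep):.0%}")
```

Run it from a clean machine against a read-only copy of the affected data or a mounted backup, not on the infected device itself. A low intact share on a backup set suggests that backup was taken after encryption began.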


A proactive approach is the best way for businesses to help prevent a ransomware attack. In the event of a cyberattack, it is important for companies to investigate and immediately mitigate any impacts.

Withum is a forward-thinking, technology-driven advisory and accounting firm, committed to helping clients in the hospitality industry be more profitable, efficient, and productive in the modern business landscape. For more information, visit www.withum.com