As an MSP and support provider, we have a unique view. We’re usually the first people called when incidents occur...


2021 has been a record-breaking year for data breaches. According to Identity Theft Resource Centre research, the total number of data breaches through 2021 has exceeded the total number of events in 2020 by 17% 📈


According to the NCSC report, 39% of UK businesses reported a data breach or cyber-attack in 2021 😳


"I was compelled to write this blog after several weeks dealing with the fallout of several major ransomware incidents. Our recovery teams dealt with 3 major cases affecting thousands of servers, users and endpoints in the last 2 weeks alone. This is on top of having to deal with several new attack vectors such as Log4j. It’s difficult to warn of the dangers without scaremongering, ransomware incidents are off the scale in recent times - news stories come out almost daily."
Andy Pilkington, Technical Director


Approaching a Ransomware incident is slightly different to approaching any other type of outage. Whilst recovery time is of paramount importance to get things back up and running and meet whatever RTO/SLA’s you have defined, there are definitely additional steps that you should take to ensure you don’t end up back at square one. This article aims to provide advice on the steps to take, before or during recovery.





Step 1 - Test and protect your backups


Whilst not specifically a step to be taken during the incident, regular testing of backups is an absolute must to ensure that they are going to be available when you need them most. Carry out regular maintenance on your backup data (scanning for disk corruptions etc.) and perform regular, active restore tests of complete servers in a segregated test network.


Modern ransomware will also actively seek out your backups to ensure that they incur maximum damage, leaving you no way of recovery. Ensure that the device that is being used to store your backup data is protected as much as possible. This should:


-       Never be in the same AD authentication scheme as your production systems

-       Have limited network connectivity with local firewall rules enabled

-       Ideally, be air-gapped or immutable




Step 2 - Disconnect


The first step after any breach is to disconnect all servers and workstations from the network and disable Internet access. This serves 2 purposes. It stops ransomware infections from spreading any further and also disconnects any compromised systems from the ‘bad-guys’ command and control.


Step 3 - Identify the breach


There is absolutely no point in just kicking off your recovery plan only to have the Ransomware re-infect your environment. If you have Cyber Insurance, speak to them as a matter of urgency as they usually have a Cyber-Forensics team who can help identify the point of infection, allowing you to fix this before carrying out restores.


Step 4 - Prioritise


As part of your recovery plan, you should have a well-defined and prioritised recovery order with all appropriate dependencies defined. For example, Active Directory and DNS are usually the first systems that need to be brought up as everything depends on them, followed by DB and application servers.


🤓Pro Tip: In our experience AD/DNS really doesn’t like to be recovered from backups as a lot of its functionality is time-sensitive. Just like after a good night-out, you have effectively removed up to 24hrs of its memory… think about it like the Hangover films. You will usually spend some time coaxing AD back into life.


Step 5 - Recover your workloads (carefully)


The initial malware infection may still be present in your backups. It is imperative that each server or workstation that is recovered is fully checked for any signs of infection before bringing back into production. This can be achieved by connecting them to an isolated network and checking via an out-of-band console connection. Technology also exists to do a “staged” restore to automate scanning during recovery.


🤓Pro-Tip: If your existing anti-malware did not pick up the initial infection, now may be a good time to use a more advanced, next-gen anti-malware solution to scan your workloads during recovery. Trials are usually available to use in this type of scenario.




Prevention is absolutely better than cure, but businesses should plan for, and approach, potential ransomware infections as they do for any other DR scenario with the primary difference being that you would usually recover on-prem rather than at a remote DR site. However, the important thing is that you have a plan and don’t leave this to chance. If you test your backups and incident response regularly, you will definitely sleep better at night.


Technology moves fast. We do too and so can you. Talk to us.