Ransomware Recovery: How to Restore Your Data from Backup

Protect against data loss with a backup strategy based on your business’s ransomware recovery priorities, like reducing operational downtime, or cost-efficiency.
Ransomware Data Recovery

According to Fortinet’s 2021 Global Threat Landscape Report, 94% of organizations say they are concerned about a ransomware attack. The thing they’re most concerned about? 62% said the risk of losing data. Attackers know this; that’s why ransomware attacks are even attempted in the first place. Threat actors understand that data is valuable, and companies may be willing to pay large sums of money to avoid losing that data.

The goal of ransomware resilience planning, however, is to not have to resort to paying the ransom to avoid losing your data. According to the Sophos 2021 State of Ransomware Report, only 8% of companies that paid the ransom got all of their data back, so even paying the ransom will not guarantee complete data recovery. That’s why it is essential that you have a method for recovering your data as part of your ransomware incident response plan.

Understand Your Risk

Conduct a risk assessment to determine how your backup strategy will be used. Keep in mind that even the best backup strategies can’t restore all data to a point in time where zero productivity or data is lost. The assessment should include how much productivity, perhaps measured in days, your business can afford to lose in the case of a ransomware attack that requires restoring from a backup. Then decide how much overhead and complexity the business is willing to accept during the restoration process. Below are some items to consider when making a strategy for backups.

Configurations and Firmware

Due to the critical nature of network infrastructure and devices within it, keeping a backup of configurations and factory images is essential for timely restoration to maintain network availability in case of a compromise. In a situation where configuration backups do not exist or cannot be trusted, change control systems should be used to validate that the existing configurations are legitimate. A trusted factory image should be used if a full rebuild of a network device is required for remediation. Ideally sourced from the vendor, assuming no vendor compromise, but offline backups of factory images can help as well.

Offline Backups

A backup that only occurs periodically and is disconnected between backups is very resilient against ransomware if intelligently implemented. To accomplish this, backup during a trusted time on a trusted device, without malware, and keep the backup device disconnected and offline until the next backup cycle. The downside of this type of backup is that you may lose the productivity gained between the time of the last backup and the time of restore. If the backup schedule is 14 days, that is how much work you may lose if you must restore. Data that does not change often, such as cryptographic keys or seed files, is a good candidate for an offline backup. In cases like this, keeping the backup media stored in a physically secure space is also an important consideration.


A platform that supports file versioning could be a robust method to reduce the impact of restoring after a ransomware attack. With file versioning, ransomware may encrypt your files only at a point in time. To restore the encrypted data, select a backup date to restore to that is before the ransomware attack. However, versioning can be more costly due to the extra needed disk space required to keep multiple versions of files.


Cloud-based services can be an easy way to increase resilience against ransomware. Some platforms like Dropbox and Google Drive support file versioning which will allow you to access the backup at different points in time. For example, before ransomware encrypted files.


Your backup solution should be periodically tested to ensure the technology and processes work as intended. Testing should be done during a time when it will not impact other business operations.


If a backup restore is not possible, either because you don’t have a backup or because your backup was also encrypted by the attackers, another option is to decrypt your data if possible. Some types of ransomware have known decrypting tools out there, but many do not, unfortunately. Decryption is not a reliable method of recovering your data, but it may be worth a try depending on your situation. Reach out to law enforcement, like the FBI Internet Crime Complaint Center (IC3), if you have exhausted all options and are considering an attempt to decrypt your files.

Any backup method you use will not guarantee zero data loss. However, having a backup will reduce downtime and allow you to maintain access to a large portion of your data without the need to pay the ransom.

Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.

More Recent Blog Posts