Recovering from Ransomware Attacks

Encrypting malware, or ransomware, is a serious security threat that causes a growing number of data loss incidents. Ransomware attacks are extremely difficult to recover from. In particular, maintaining an automated cloud backup does not protect against encrypting malware. While a sound backup strategy goes a long way toward making the effect of such attacks negligible, most computer users have no backup strategy at all or rely solely on cloud storage for all their backup needs. As we’ll show below, this is the wrong strategy where ransomware is concerned.

  1. “Your Files Are Now Encrypted”
  2. Recovering after a Ransomware Attack
  3. Preventing Malware Attacks

“Your Files Are Now Encrypted”

Encrypting malware (sometimes referred to as ransomware) targets computers running Windows. It can arrive as an email attachment, be installed from malicious or hacked websites, or come bundled with software downloaded from dubious sources. Once it gains control over an infected computer, the ransomware encrypts the user’s documents using asymmetric encryption: the encryption key distributed with the malware is different from the decryption key, which is held privately by the criminals. The malware then displays a message reading “Your personal files are encrypted” and demands a ransom for decrypting them.

Although it is usually easy to remove such ransomware, the files usually remain encrypted. Worse, an automated cloud backup (such as OneDrive or Dropbox) picks up the encrypted files and uploads them to cloud storage, replacing the unencrypted copies with encrypted ones. (This, by the way, is one of the reasons you should never rely on cloud upload as your only backup solution.)

Recovering after a Ransomware Attack

While the encrypted files cannot feasibly be decrypted or broken into, a data recovery product such as Office Recovery can usually help recover at least some unencrypted files. This is possible because the encrypting malware works by creating a new file, reading the existing document, encrypting its content and writing it into the new file; only after that process is finished is the old file deleted and the encrypted one renamed to mimic the original file name. These deleted files can frequently be recovered. If you had a lot of free space on your disk, there is a good chance that many (or most) of the original files have not been overwritten by their encrypted copies.
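The recovery described above works because a deleted original keeps occupying its disk clusters until something reuses them, while the encrypted copy carries no recognisable file structure. The following is an added illustration of that idea, not Office Recovery’s code: a small signature-based file carver that scans raw disk bytes for known headers and footers without consulting the file system’s allocation metadata, plus an entropy measure showing why the encrypted copy itself offers nothing to recover. The “disk image” it scans is constructed inline (zero-filled free space, three intact originals, one high-entropy stand-in for an encrypted copy); the signature table is a deliberately short subset.

```python
"""Signature-based file carving over raw disk bytes (added example, not Office Recovery's code).

Ransomware writes an encrypted copy, deletes the original and renames the copy; the
original's clusters stay on disk until reused.  A carver ignores allocation metadata
and scans the raw bytes for known headers and footers, so it finds such deleted-but-intact
originals.  The encrypted copy matches no signature and is simply skipped.
"""
import hashlib
import math
import struct
import zlib
from collections import Counter

# header / footer pairs for a few common formats (real carvers know hundreds)
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk plus its fixed CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI ... EOI markers
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 10_000_000) -> list:
    """Return every header..footer span found in `image`, sorted by offset.

    Allocation status is never consulted: a deleted file whose clusters have not been
    reused is found exactly like a live one.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:              # header without a footer in range: truncated or overwritten
                pos = start + 1
                continue
            end += len(tail)
            found.append({"type": kind, "offset": start, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ciphertext sits near 8.0, zero-fill at 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# ---- constructed sample "disk image" (not real forensic data) -----------------

def tiny_png() -> bytes:
    """A valid 1x1 red PNG built from scratch."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)       # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                  # filter byte + one red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def encrypted_blob() -> bytes:
    """Stands in for a ransomware output file: high-entropy bytes with no recognisable header."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(20))


def build_sample_image() -> bytes:
    """Constructed raw bytes: three 'deleted' originals separated by zero-filled free
    space, plus one encrypted copy that no signature matches."""
    free = b"\x00" * 512
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
    return free + tiny_png() + free + jpg + free + encrypted_blob() + free + pdf + free


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f['type']} at offset {f['offset']}: {len(f['data'])} bytes, "
              f"entropy {entropy(f['data']):.2f}")
    print(f"encrypted copy entropy: {entropy(encrypted_blob()):.2f}")
```

Running it lists the PNG, JPEG and PDF at their offsets and reports the encrypted stand-in at close to 8 bits per byte with no carved result, which is exactly the situation the article describes: the originals are recoverable as long as free space has not been reused, the encrypted copies are not.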

Preventing Malware Attacks

While it can be possible to recover from a ransomware attack, at least partially, it is much easier to not let the attack happen. We won’t talk about antivirus monitors and spyware protection. In today’s world, having a good antivirus monitor is a must, and you know it.

Instead, we’ll discuss a backup strategy that makes ransomware attacks ineffective.

Encrypting malware relies solely on the assumption that you have only one copy of your important files. By taking away your access to the only copy of your own files, ransomware gains effective leverage for blackmail.

As we already discussed, having a single cloud backup does not help against ransomware attacks. The cloud sync application will update your backup copies in the cloud with the newly encrypted files, making the entire backup useless in this situation.

As a result, you must follow a multi-step backup strategy.

For your current backups, the cloud is enough. Whether you use Dropbox, OneDrive or iCloud, freshly saved copies of your documents will be uploaded to the cloud instantly and automatically after every save. While this is extremely convenient, this backup strategy alone does not provide even the minimum level of protection against malware attacks. Moreover, if you (or someone else) delete one or more files from a synced folder, these deletions are reflected in your cloud backup almost immediately, and you lose the backup copy of the deleted file. Not much of a backup if you ask me.

In order to maintain a reasonable level of security, maintaining an offline backup is essential. You can use an external hard drive (e.g. WD MyPassport), a high-quality USB flash drive, a large SD card or a set of DVD/Blu-Ray blanks to make backups.

Read-only media such as DVD-R, DVD+R or Blu-ray have a number of advantages. First and most importantly, no software or malware can change anything recorded on these discs, ever. Recordable media can be stored for long periods. Finally, recordable blanks are cheap enough that you can afford a monthly dump of your important files, and small enough that you can afford to keep year-old copies.

External hard drives such as WD My Passport, Toshiba Canvio or Seagate Expansion offer better convenience and much larger storage space, allowing you to back up your entire set of files without too much fuss. Just make sure you keep an old (known good) copy of your files at all times, or you risk backing up the encrypted (or damaged) files during a backup session.

Don’t keep your backup media connected to your PC all the time. If you do, malware may (and probably will) destroy or encrypt your backup data set, rendering your backup effort useless. Disconnect backup media every time after making a backup.
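The external-drive advice above has two practical requirements: an old, known-good copy must survive every backup session, and a session that would overwrite good copies with encrypted ones should not run. Here is an added example, written for this article rather than taken from any backup product, of a small rotating snapshot backup that meets both. It keeps several snapshots on the backup drive, stores a SHA-256 manifest with each so a copy can be verified before it is trusted, and refuses to run when most files changed since the last snapshot, which is what a ransomware run looks like from the backup’s point of view. The source and destination folders, the snapshot naming and the 50% change threshold are assumptions chosen for the demo; the scenario in `demo()` is constructed in a temporary directory.

```python
"""Rotating offline snapshot backup with verification and a mass-change guard.

Added example (not any backup product's code).  Keeps several snapshots on the
removable backup drive so an old known-good copy always survives, records a SHA-256
manifest per snapshot so a copy can be verified before it is trusted, and refuses to
run when most files changed since the last snapshot, a pattern typical of a ransomware
run that would otherwise push encrypted copies over the good backups.
Folder names, snapshot naming and the change threshold are assumptions for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_fraction(old: dict, new: dict) -> float:
    """Share of previously backed-up files that are now missing or have different content."""
    if not old:
        return 0.0
    changed = sum(1 for name, digest in old.items() if new.get(name) != digest)
    return changed / len(old)


def list_snapshots(dest: Path) -> list:
    return sorted(p for p in dest.glob("snapshot-*") if p.is_dir())


def verify_snapshot(snap: Path) -> bool:
    """Recompute hashes of the stored copy and compare with the manifest written at backup time."""
    recorded = json.loads((snap / MANIFEST).read_text())
    return build_manifest(snap / "data") == recorded


def snapshot_backup(src, dest, max_keep: int = 3, max_change: float = 0.5) -> str:
    """Copy src into a new snapshot under dest and return its name, or "aborted" when
    the change ratio against the latest snapshot exceeds max_change."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    snaps = list_snapshots(dest)
    previous = json.loads((snaps[-1] / MANIFEST).read_text()) if snaps else {}
    current = build_manifest(src)
    if changed_fraction(previous, current) > max_change:
        return "aborted"                  # suspicious mass change: leave the old copies untouched
    next_id = max((int(p.name.split("-")[1]) for p in snaps), default=0) + 1
    target = dest / f"snapshot-{next_id:04d}"
    shutil.copytree(src, target / "data")
    (target / MANIFEST).write_text(json.dumps(current, indent=1, sort_keys=True))
    for stale in list_snapshots(dest)[:-max_keep]:   # rotate, keeping the newest max_keep copies
        shutil.rmtree(stale)
    return target.name


def demo() -> dict:
    """Constructed scenario: two normal runs, then every document replaced by unreadable content."""
    tmp = Path(tempfile.mkdtemp())
    src, dest = tmp / "Documents", tmp / "BackupDrive"     # assumed folder names
    src.mkdir()
    for i in range(4):
        (src / f"report{i}.txt").write_text(f"quarterly report {i}\n")
    first = snapshot_backup(src, dest)
    (src / "report0.txt").write_text("quarterly report 0, revised\n")   # one ordinary edit
    second = snapshot_backup(src, dest)
    verified = verify_snapshot(dest / second)
    for p in src.iterdir():                # simulate every document becoming unreadable at once
        p.write_bytes(b"\x00" * 64)
    third = snapshot_backup(src, dest)
    remaining = [p.name for p in list_snapshots(dest)]
    shutil.rmtree(tmp)
    return {"first": first, "second": second, "verified": verified,
            "third": third, "remaining": remaining}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The guard is deliberately simple: one edited report out of four is well under the threshold and is backed up normally, while a session in which every file has changed is refused and the two earlier snapshots stay intact. In real use the drive is connected only for the duration of `snapshot_backup`, as the paragraph above advises, and `verify_snapshot` is what you run before restoring from a copy.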

Den Broosen

About Den Broosen

Author and site editor for RecoverySoftware. In his articles, he shares his experience of data recovery on a PC and the safe storage of information on hard drives and RAID arrays.