Attackers who remain silent in a network for long periods can also plant persistence mechanisms in the backups, ensuring they can return to threaten the organization even after payment has been made. A best practice for backups is redundancy: keep backups verified, segregated, or offline to limit the potential for tampering. In cases where a network share was impacted by malicious encryption, there is still a chance that several of the most recent backups contain partially encrypted files. For example, if an organization's file share is backed up daily, but an infected employee's device takes five days to encrypt everything on the file share before the attack is discovered, the last five backups are likely to contain encrypted files. A reliable backup process is recommended, one that follows industry best practices: not only keeping local backups, but also archiving backups to removable media (tapes, optical disks or removable hard disks) and to cloud-based resources. Relying solely on local disk images, replication, and other local network backups may not be sufficient, as these can be encrypted by ransomware as well, or the backup may run after the ransomware has already encrypted the files, rendering it useless for internal recovery.
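The "last five backups" scenario above is the reason to verify backup generations before trusting one as a restore point. The following is an added example, not code from the original article or from any particular backup product: it scans a series of daily snapshots for files that look like ransomware output (high byte entropy in a file whose format should not be dense, ignoring formats such as JPEG or ZIP that are high-entropy when healthy) and reports the newest snapshot with no such files. The entropy threshold, the allowlist of compressed formats, the `.locked` suffix, and the seven-day sample share are all constructed assumptions for illustration.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass
from datetime import date
from pathlib import PurePosixPath

# Assumed thresholds (not from the article): well-encrypted data approaches
# 8 bits/byte while ordinary documents sit far lower. Tune against your own data.
ENTROPY_THRESHOLD = 7.5
# Formats that are high-entropy when healthy, so entropy alone proves nothing.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Heuristic: high entropy in a file whose format should not be dense."""
    if PurePosixPath(name).suffix.lower() in ALREADY_COMPRESSED:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


@dataclass
class Snapshot:
    """One backup generation: the date it ran and the path -> content it captured."""
    taken: date
    files: dict


def suspect_files(snap: Snapshot) -> list:
    """Paths in this snapshot that look like ransomware output, sorted for stable reports."""
    return sorted(p for p, data in snap.files.items() if looks_encrypted(p, data))


def last_clean_snapshot(snapshots):
    """Newest snapshot with no suspect files, or None if every generation is tainted."""
    for snap in sorted(snapshots, key=lambda s: s.taken, reverse=True):
        if not suspect_files(snap):
            return snap
    return None


def build_sample_snapshots() -> list:
    """Constructed data: seven daily backups of a share that an infected
    device starts encrypting on day 3, overwriting one more document per day."""
    rng = random.Random(1)
    plaintext = b"Quarterly report: revenue figures and notes for the board.\n" * 64
    photo = rng.randbytes(4096)  # stands in for a healthy, already-compressed image
    docs = [f"share/report{i}.docx" for i in range(5)]
    snapshots = []
    for day in range(1, 8):
        files = {"share/team.jpg": photo}
        for i, path in enumerate(docs):
            if day >= 3 and i < day - 2:
                # the ransomware rewrote the document and appended its own suffix (constructed)
                files[path + ".locked"] = rng.randbytes(4096)
            else:
                files[path] = plaintext
        snapshots.append(Snapshot(date(2024, 1, day), files))
    return snapshots


SAMPLE = build_sample_snapshots()

if __name__ == "__main__":
    for snap in SAMPLE:
        print(f"{snap.taken}: {len(suspect_files(snap))} suspect file(s)")
    clean = last_clean_snapshot(SAMPLE)
    print("last clean restore point:", clean.taken if clean else "none")
```

Run against the sample, days 3 through 7 each carry at least one suspect file and day 2 is reported as the last clean restore point, which is exactly the judgement a recovery team needs before restoring a share. Entropy is a coarse signal: it misses ransomware that leaves headers intact and it cannot distinguish encryption from compression, so the allowlist matters and a hit should prompt inspection rather than automatic deletion of a backup generation.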
Fully restoring files from backups is sometimes impossible. In these cases, organizations may look for ways to break the encryption without paying the ransom, or to locate decryption keys on infected systems. While both do happen, it is rare for either option to succeed. Knowing the variant and version of the ransomware may help determine which options exist. It also aids the Recovery phase, informing decisions about how to approach recovery and the consequences of each potential route. The first step in assessing whether the encryption can be reversed is to work with a subject matter expert who can offer insight into the malware variant and explore the available options.