Druva’s Guide to Ransomware Recovery Readiness

Boost security. Recover faster. Prevent data loss.

What Is Ransomware?

Ransomware is malware that prevents users from accessing their personal, work, or system files in order to demand a ransom payment. The idea is that access will be restored once the ransom is paid, but there is actually no guarantee this will happen.

Ransomware may access a computer system via a number of vectors. Phishing spam is among the most common delivery systems. This involves sending email attachments that appear to be trusted files to the victim. After the victim downloads and opens the attachment, it takes over the computer.

Ransomware with built-in social engineering tools is particularly dangerous because it tricks users into allowing administrative access. Certain aggressive types of ransomware don’t even need to trick users, bypassing them entirely to infect computers by exploiting security holes.

There are several ways ransomware might encrypt a victim’s files, but in any case, only the attacker will have the decryption key for the files. A variation on this theme is doxware or leakware, which threaten the victim not with encrypting files, but with public exposure of private files including sensitive data.

Ransomware is a Growing Threat

Ransomware by the Numbers

According to the 2022 "Verizon Data Breach Investigations Report," ransomware attacks surged dramatically in 2022, and were involved in 25% of all data breaches.

Druva commissioned a 2022 IDC survey of over 500 IT leaders on cyber attack readiness and found striking results — most organizations believe they’re ransomware-ready, but the data says otherwise.

  • 85% of organizations claim to have a ransomware recovery plan in place, yet 67% of those same organizations paid the ransomware in the event of a successful infection.

  • 92% of those surveyed claim their data resiliency tools are efficient, but only 14% are “extremely confident” in their ability to recover.

  • 93% claim to use automated tools to find the ideal recovery point, yet the inability to find this point was cited as the #1 reason for data loss in those experiencing ransomware. 

Druva estimates 46% of all organizations or more were successfully attacked in the last three years… and of those, 50% lost data! 

Get the full report for more key findings.

The Importance of Being Prepared for a Ransomware Attack

Given these striking findings, IT leaders are quickly realizing that the best approach to keeping their business-critical data safe goes beyond basic data security. While traditional approaches emphasize a company’s ability to protect against threats, a new comprehensive approach, deemed data resilience, refers to both an organization’s ability to “bounce back” by not only preventing threats to their data, but also recovering clean data quickly following a breach. 

No matter the cause, a resilient organization should be able to effectively minimize disruption by leveraging a flexible, scalable cloud-first solution for unified backup and recovery.

How Does Ransomware Work?

Ransomware is based on the three-step protocol of cryptoviral extortion that happens between attacker and victim.

Cryptoviral Extortion

In step one, the attacker generates a key pair and stores the public key secretly in the malware. The attacker then either releases the malware generally into the world or targets a victim specifically. Step one is in the direction of an attacker to the victim.

In step two, the attacker needs the victim’s system to respond to carry out the cryptoviral extortion attack and waits for the response. The ransomware encrypts the victim’s data by generating a random symmetric key and encrypts that key using its public key.

This hybrid encryption process generates the symmetric ciphertext of the victim’s data and a small asymmetric ciphertext. To prevent recovery, it zeroes the original plaintext data and the symmetric key.

The victim receives the ransom demand message that includes asymmetric ciphertext and payment instructions.

Finally, in step three, the attacker either does or does not receive the demand payment. They may or may not return the symmetric key to the victim or use their key to decipher the asymmetric ciphertext. In other words, the victim may pay the ransom or not, and either way may not receive access to their data.

Unfortunately, symmetric keys cannot help other victims because they are randomly generated. The attacker’s private key is never exposed to victims.

Delivery of the Ransomware Payload

Social engineering is a common way attackers deploy ransomware and are often part of a multi-step cyberattack. Hackers research potential targets using various social media platforms to find security vulnerabilities. Attackers will seek out ways to gain the target’s trust so they can successfully deliver ransomware and gain access to information.

Phishing emails are a common form of social engineering attack that trick the victim into opening an attachment or clicking a link by claiming urgency. Typically, attackers enter a system and deliver ransomware payloads using a trojan of some kind, such as a malicious email attachment, an embedded phishing link, or a network service vulnerability. Once the trojan pierces the system, the program runs a payload.

The ransomware payload either locks the system or claims to do so — for example, by displaying a fake warning about pirated media or illegal activities. Simpler payloads restrict or block the system unless or until the victim pays. They might do this by modifying the partition table and/or master boot record to stop the OS from booting until the attacker repairs it, or by setting the Windows Shell to itself. More sophisticated payloads actually encrypt files using strong encryption.

Since payment is usually an attacker’s goal, it is essential for them to find a convenient digital payment system that is difficult for law enforcement agencies to trace. Typically these include digital currencies like Bitcoin, premium-rate text messages, pre-paid voucher services such as paysafecard, and wire transfers — although cryptocurrencies have quickly become the payment option of choice.

Different Types of Ransomware Attacks

Though these examples are fairly comprehensive as of this writing, hackers are continuously refining phishing techniques to improve the yield from ransomware. The following are a selection of common ransomware attacks.


Crypto-malware such as the WannaCry ransomware attack from 2017 simply targets and encrypts folders, files, and hard drives. This is a classic ransomware attack, and in the case of WannaCry, it targeted systems running Windows OS and demanded ransom in Bitcoin.


Doxware, extortionware, or leakware is from all the same subset of ransomware and demands ransom or threatens to publish your stolen information online. This is the kind of attack typically linked to personal photos and other sensitive files.

Locker ransomware

Locker ransomware is so named because it infects the target operating system to lock out the user entirely. This kind of ransomware is most often Android-based and makes it impossible to access any applications or files. CryptoLocker, which generated a 2048-bit RSA encryption key pair, is an example of this kind of ransomware virus.

Mac ransomware

Since 2016, ransomware has been spotted on Mac operating systems. This form of ransomware infects Apple systems and encrypts victims’ files through an app called Transmission.

Mobile ransomware

Mobile ransomware has been present at scale since about 2014. It works basically same as other ransomware strains but is delivered through apps, leaving users with “locked” messages and non-functional mobile devices.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service is malware anonymously hosted on the dark web and offered by cyber criminals to a third-party. These hackers manage each step, including distributing the payload, managing ransomware decryptors, and collecting payments, for a share of the ransom.


Scareware imitates an antivirus tool, “detecting” problems on your system, and demanding a ransom to resolve them. Some scareware locks victim systems, while others flood the screen with pop-ups.

Best Practices for Ransomware Readiness

A multi-layered approach to security is the best way to stay protected, keeping in mind a breach may still be inevitable. While the best method to negate the effects of ransomware emphasizes resilience and ransomware recovery rather than prevention, use the following strategies and tools to help avoid a breach:

Use up-to-date antivirus and security software

  • Install and use a reputable antivirus and security suite that goes past viruses and includes mobile ransomware and ransomware removal tools. Always keep all software and anti-ransomware tools up-to-date to best guard against new ransomware variants.

Update your software and operating system

  • Ransomware attackers look for new security vulnerabilities to exploit that have not yet been patched, so update software frequently.

Do not open email attachments automatically

  • Email attachments are among the main ransomware infection vectors. Avoid opening attachments or emails with untrusted or unfamiliar senders. Phishing spam in particular may contain legitimate-looking links that actually contain malicious code that can stop you from accessing your sensitive data.

Do not trust email attachments with macros

  • Any email attachment that demands that you enable macros to see it should be viewed as suspect. Macro malware can infect multiple files once it is enabled, so do not enable macros, and always delete these emails unless you are absolutely certain of their source.Do not open email attachments automatically

Back up important data externally

  • Backups don’t do any good if they are also encrypted by an attacker, so an air-gapped backup (not attached to the network) is critical to avoiding loss from ransomware attacks. Backup files that are stored entirely separately, either in the cloud or otherwise off-premises, allow for an easier refusal of a ransom demand and a quicker recovery.

Use cloud services

  • Using cloud services, for example, to back up and recover after a ransomware attack, can help mitigate the damage and allow your business to roll back its files to their unencrypted form.

Never pay the ransom

  • It is unlikely paying will resolve the problem, or allow the victim to recover the encrypted data, and may make it worse, confirming for the hacker that they found a good target.

5 Tips to Protect Your Data in the Cloud

The first step in your ransomware playbook starts well before an attack. Make sure that a clean, safe copy of your critical data exists isolated from your backup environment. A good rule of thumb is to follow the 3-2-1 rule of backups.

Guarantee you’ll always have a clean copy of data to restore with the following steps:


Ensure data integrity and availability


The first step to protect backup data is making sure attackers can’t access where it’s stored. Do this by storing immutable copies of backup data on an air-gapped system, protected by strong access controls and security protocols.



Air-gap your data


Ransomware requires a persistent network connection to reach the command and control servers, so air-gapping is critical to stopping ransomware in its tracks.



Employ access controls with strong security protocols


Implementing RBAC to limit access to critical backup operations, MFA (Multi-Factor Authentication),  and SSO (Single Sign-On) to shore up access security should be non-negotiable table stakes.



Make your data immutable


Your backup solution should give you the option to mark specific data sets as immutable. This means that these data sets can’t be changed, even using administrative credentials. Learn about Druva’s immutable data storage here.



Keep up with operational security


It’s no shocker that keeping up with vulnerability scans, patching, and upgrades is a struggle. Attackers know that secondary environments are often a second priority when it comes to security and target your backup systems.


6 Steps to Stay Cyber Attack Ready

How do you know if you’re actually ready for an attack? Protecting your data just isn’t enough anymore. Security and IT teams need ongoing visibility into the security posture and data risks within their backup environments to spot anomalies and suspicious activities.

Quickly identify security issues before they cause major damage with the following steps:


Improve security posture and observability

You need the ability to evaluate and improve your security posture and guarantee clear visibility into your data, wherever it resides. This includes a centralized, security dashboard with alerts to suspicious activities.


Detect data anomalies

Ransomware attacks produce anomalies at the data level. Quickly identifying unusual data activity (UDA) helps you choose the right course of action during the recovery process, while detecting ransomware attacks.


Identify malicious access attempts

Situational awareness of activity in your backup environment can help identify malicious actions, like unauthorized access or deletions. Observing actions by users or APIs before and during an attack provides important insights.


Apply continuous monitoring

Continually monitor your backup environment to pinpoint out-of-the-ordinary issues.


Implement rollback actions feature

Because credential compromise is common and attackers are sometimes able to circumvent your MFA system, it's important to be able to get backup data back, despite it being deleted using "authorized" admin credentials. Learn more about Druva's Rollback Actions.


Get full visibility

You need complete visibility into backup security posture, data anomalies, and access attempts to protect your data, prepare for threats, and recover quickly.

Guide to a Swift, Painless Ransomware Recovery

You've Got Ransomware... Now What?

When it comes to how to recover from a ransomware attack, the first step is to stop the spread of malware. Backing up then restoring corrupted files can take you back to square one by reintroducing ransomware to your systems. Your backup solution should have the ability to automatically quarantine affected resources to avoid reinfection while you work to understand the scope of your ransomware attack.

Second, you need to figure out where the attack started and how it spread. Understanding the time frame and details of the attack is vital to identifying the correct data to recover in the final step of the ransomware recovery process. Collaboration between IT and security teams is key in this step of recovery. Your backups should provide historical information to your forensic analysis tools to expedite the process. Historical logs can be useful for tracking the progress of the malware, and catalog searches can identify when/where malware files arrived onto OneDrive, a VM, or a NAS share.

Validate Before Recovering

You should recover the most recent good version of your data with a combination of analytics and self-service. First, determine if your protection vendor can detect anomalies — this can immediately eliminate corrupted backups. Second, look at the distribution of file types across different backups and discard those with unusual backup types. Third, even after the recovery, users should be able to rapidly extract files from older backups with self-service restores.

Automation can also greatly reduce the manual effort necessary to accomplish this. AI technology has made it possible to identify the most recent clean version of every file or data set across the entire time frame of an attack, then compile them into a single snapshot so you can recover clean and complete data immediately. Use analytics, built-in malware scans, and test restores to ensure that you are ready.

Executing the Recovery

The three key steps to recovery performance are:

  • Prioritize — Under stress, every business struggles to identify which applications and infrastructure should be recovered first. Therefore, create a ransomware recovery plan ahead of time. The business can identify what matters, so when it comes time to recover, you just have to execute. 

  • Recover applications, not infrastructure — The business cares about applications, and ransomware may affect some components of an application but not others. In addition, you can further break an application by restoring components to a previous point in time, so it’s important to recover an application and its data in its entirety. It is also critical to test restores to validate application dependencies so you can recover the application when the time comes. 

  • Cloud scalability — Most on-premises environments are not built for large-scale recoveries, and they can bottleneck on protection appliances, network, and even the production target. The cloud can enable on-demand scale in all three dimensions: storage, compute, and network. Recover from the ransomware attack first and repatriate workloads to your data center at your own pace. 

There is no magic formula to rapid recovery, but the cloud is a key ingredient to success. If you are prepared, your recovery will be focused, successful, and run at the scale of your business.

Learn and Evolve

Ransomware attacks are constantly evolving. Whatever you build today will be obsolete sooner than you might expect because multiple groups are constantly releasing new ransomware packages. You need to be able to evolve with them.

Over the past few years, ransomware has evolved from:

  • Consumer to enterprise

  • Attacking production data to attacking backups AND production data

  • Targeting endpoints and file servers to VMs, cloud apps, and databases

A ransomware protection solution from just two years ago is helpless in the face of a modern attack.

You are facing an army of expert attackers who spend every day trying to compromise your defenses. You can take on that fight yourself, or work with an army of expert defenders who spend every day trying to protect you. “Do it yourself” ransomware protection is not a viable option anymore. It is time to enlist a service.

The World’s Most Powerful Ransomware Recovery Service

Enterprises must assume that they will eventually be compromised by ransomware. This means that their ransomware protection strategy must address a response plan that identifies, quarantines, and removes ransomware infections immediately, and automatically restores data to resume normal operations.

A proven vendor like Druva has the answer to today’s complex data resiliency questions. While no backup vendor can immunize you from future malware attacks, Druva is the industry’s only vendor with data recovery backed by a $10M guarantee — against key risks from cybercrime, human actions, applications, operational hazards, and environmental risks. 

The Druva Data Resiliency Cloud empowers security operations and IT teams to protect, detect, respond, and recover faster from external or internal attacks, ransomware, as well as accidental or malicious data deletion. 

Your teams will not only prevent data loss and save costs, but also accelerate response and recovery times to get your company back to normal in hours, not weeks or months after you’ve been hit by a ransomware attack. 

See for yourself! Watch a Druva facilitated ransomware recovery roll out in real time with the Ransomware Fire Drill.