IronSights
All insights

incident response

Are my backups safe to restore after ransomware? Three questions first

Restoring backups straight after a ransomware attack can re-infect the environment or destroy recoverable data. Three questions to answer first: do the backups still exist, are they clean, and where are you restoring to?

By IronSights Editorial, Practitioner team19 July 20262 min read
ByIronSights Editorial19 July 20262 min read

After a the instinct is to reach for the backups and restore everything as fast as possible. Sometimes that is exactly right. Sometimes it re-infects the environment, destroys evidence, or restores the attacker's foothold along with the data. Whether your backups are safe to restore comes down to three questions.

Do the backups still exist?

Attackers go for backups before they trigger the , because intact backups are the main reason victims refuse to pay. Connected backup drives and network shares get encrypted with everything else. Cloud backup consoles get wiped using stolen administrator credentials. Volume shadow copies are deleted as a routine step by most strains. Do not assume; check. And take whatever has survived offline immediately, before anything else can reach it.

Are they clean?

The encryption is the loud finale, not the break-in. Attackers typically spend days or weeks inside a network first, and every backup taken during that window can contain their tools, their accounts and their persistence mechanisms. Restore an infected backup and you can hand the environment straight back to them. Establishing when the intrusion actually began is one of the first things an incident response engagement works out, and it decides which backup generation you can trust.

Where are you restoring to?

Never restore over the top of the compromised environment. The machines you would overwrite are evidence, and where files are only partially encrypted they may still hold recoverable data. Restoring on top of them destroys both at once. Build clean systems, patch them, change the credentials, then bring validated data across.

The test that answers all three

A backup nobody has restored from is a hope, not a plan. If you are reading this before an incident, run a restore test this month: pick one important system, restore it into an isolated environment, and time it. You will learn whether the backups are complete, whether they are clean enough to trust, and how long a real recovery would take. Those are exactly the answers you will want on the bad day.

If the bad day is today and the backups have failed, that is not necessarily the end of the data. Encrypted files are often partially intact and rebuildable. Our ransomware data recovery guide covers how that works, and the printable First-Response Guide covers what to do in the first hours. Call 1300 004 766, any hour, and we will tell you honestly where you stand.

Keep reading

More from the IronSights team.