View All R&D Articles

Ransomware Investigation Services

October 19, 2022

In 2022, researchers recorded over 623 million ransomware attacks worldwide. That number increased significantly from 2021 — and may be much higher, since many businesses choose not to report infections.

When a ransomware attack occurs, your organization needs to respond quickly. Recovery time can grow exponentially until you’ve evaluated the extent of the attack and isolated key systems. 

Ransomware variants have different attack vectors, goals, and endpoints, and we strongly recommend working with professional ransomware investigators from the first stages of recovery. To discuss your case with an expert, call 1-800-237-4200 or submit a case online. 

Below, we’ll discuss four key factors that can affect the timeline — and extent — of ransomware recovery.

1. Cyberthreat Identification and Verification Capabilities

For obvious reasons, malware groups use a variety of novel methods to hide their identities. Some ransomware variants may copy the ransom messages of other variants, changing only the pay instructions in order to avoid detection from law enforcement. Others are built on the code of earlier variants, but with modifications to improve the flexibility (and efficacy) of the attack. 

Your ransomware response team should have a robust strategy for verifying the design and capabilities of the ransomware variant, as well as methods for identifying the malware group when referring the case to law enforcement agencies. 

At, we’ve built those capabilities through decades of hard work. We’ve handled hundreds of ransomware investigations, but we don’t restrict our research to those cases — we actively study new variants to prepare the most effective response possible. 

Related: Quick Tips For Properly Responding To Ransomware Infections

2. System Isolation and Containment

Some ransomware variants lay dormant for weeks, months, or even years before activation. “Hibernation” is most common for enterprise-level attacks in which the malicious actors need to prevent disaster recovery processes from disabling the ransomware.

For example, we’ve seen variants target tape backup systems, which are widely considered to be an exceptional defense against standard malware. Most tape backups are offline, but if the ransomware stays dormant through an archive cycle, the malware will exist on the backups — typical disaster recovery strategies will not disable the infection.

Immediately after threat identification, your ransomware investigator should provide a clear strategy for quarantining the affected systems. This plan should accommodate your business needs wherever possible; while disabling all IT systems certainly isolates the threat, this also impacts business continuity. 

Our ransomware investigators assess the extent of infection and the capabilities of existent IT systems, which limits business impact during the disaster recovery period. 

This approach is only possible with a comprehensive understanding of the ransomware infection. Relying on your standard disaster recovery strategy is generally a poor practice — doing so could spread the infection to additional systems (and potentially increase the ransom). 

Related: Baltimore Stored Data On Local Hard Drives Before Ransomware Attack

3. Ransomware Disaster Recovery Planning

Many ransomware variants are extremely robust, and in those situations, the only option is to pay the ransom or recreate the affected data. However, this is not always the case: Not every malware group uses advanced encryption methods, and data recovery is sometimes a feasible alternative.

Even when ransomware uses secure encryption, you should understand your options before paying.’s investigators can help you choose the most appropriate strategy by considering important factors: 

  • The complexity of the ransomware variant
  • The method of encryption
  • The extent of data loss
  • Business continuity goals
  • The likelihood that paying the ransom will restore data access

No two ransomware cases are identical. By approaching every infection as a unique challenge, we enable strategies that minimize (or avoid) data loss while restoring key systems as quickly as possible. 

Related: Why Ransomware Criminals are Moving Away from Bitcoin

4. Ransomware Prevention Strategies

Ransomware investigations serve two distinct goals: recovering from the initial infection and preventing future attacks.

To that end, your investigation should continue until you’ve identified the vector of attack, resolved vulnerabilities, and implemented a robust disaster recovery strategy. Remember, ransomware disaster recovery is a last resort — even the best strategies will cause business disruption, and a proactive approach is much less resource intensive.

In addition to ransomware recovery, provides resources to support long-term security: 

  • Penetration testing (PEN testing)
  • Ransomware attack vector identification and neutralization
  • Ongoing monitoring including scanning the dark web for compromised credentials to limit the chances of future attacks
  • Data security compliance consulting, both before and after ransomware attacks occur

We provide a comprehensive solution for avoiding — and recovering from — ransomware attacks. From the initial consultation, we’re dedicated to providing our clients with total peace of mind while fighting back against malicious actors.

To learn more, call 1-800-237-4200 and ask to speak with a ransomware specialist.