How do you recover data after a cyber attack?

Cyber attacks are an unfortunate reality in today’s digital world. From ransomware to malware and phishing scams, cyber criminals are constantly looking for new ways to infiltrate systems and steal or destroy valuable data. When an attack does occur, acting quickly is crucial to recover compromised data and limit the damage. Here we’ll explore the steps you need to take to recover data after a cyber attack.

Assess the Situation

The first step after a cyber attack is to thoroughly assess the situation. Determine what systems and data have been impacted. Try to identify the type of attack, as this will give insight into the motivations of the attacker and help determine the best recovery strategies. Be sure to involve your IT/security team as they may have tools to analyze system logs and provide forensic information.

It’s also critical to assess the scope of the breach. Were customer records accessed? Financial data? Intellectual property? Understanding what specific data may have been compromised will help guide the recovery process. You’ll also need to find out if any data was deleted or corrupted. Knowing the type of data loss will determine if recovery is possible.

Isolate and Contain

Once you’ve assessed the initial damage, your next priority is to isolate and contain the attack. This means preventing the cyber criminal from doing any further damage or exfiltrating more data from your systems. Immediately disconnect infected devices from the network. Revoke access rights if any accounts have been compromised. Temporarily disabling certain services or forcing password resets can also help quickly contain an attack.

Work with your IT team to scan all connected systems to identify any malware or vulnerabilities that may have enabled the attack. Remove any malware and patch vulnerabilities to prevent reinfection. Isolating and containing the attack as quickly as possible gives you the space needed to begin recovering data without further interference.

Determine Recovery Potential

Now it’s time to determine how much compromised data can potentially be recovered. First, assess whether you have well-tested backups in place. Backups provide the simplest path to restoring deleted or corrupted files. Verify that backups are isolated from the infected systems and uncompromised. Test a sample of backup files to confirm usability.

If backups are not available, then you’ll need to consider forensic data recovery methods. Software tools can scan hard drives and memory to recover deleted files. However, this becomes much more difficult if the attacker encrypted or overwrote the original files. In these cases, specialized data recovery firms may be needed, but expect limited results.

Be sure to evaluate which data is most critical to the business to prioritize recovery efforts. You likely won’t have the time or resources to recover everything. Focus on high-value assets first.

Restore from Backup

If verified backups are available, you’re in a good position to start restoring lost data. A few best practices will facilitate smooth restoration:

  • Isolate backups – Copy backup data to a clean system unconnected to the compromised network before restoring.
  • Prioritize critical systems – Finance, databases, file servers. Get mission-critical systems up first.
  • Roll back incrementally – Restore the last clean backup, then layer on incremental backups one by one.
  • Verify functionality – Test systems and spot check data to ensure the accuracy and usability of restored data.
  • Watch for malware – Some sophisticated malware can penetrate backups. Scan for malicious code.

With an isolated, staged approach you can methodically restore systems without reinfecting them. Be sure to maintain backups in case any need to be restored again.
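The backup verification and incremental roll-back steps above can be scripted. The following is an added example, not part of the original article: it selects the newest full backup taken before the compromise, checks every archive against a SHA-256 digest recorded at backup time, and stops the chain at the first archive that fails. The `Backup` record, the offline manifest of digests, and the `compromised_at` timestamp are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Backup:
    name: str
    kind: str         # "full" or "incr"
    taken: datetime
    sha256: str       # digest recorded at backup time in an offline manifest (assumed)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def plan_restore(catalog, blobs, compromised_at):
    """Return (chain, rejected): names to restore in order, and names that failed verification."""
    def ok(b):
        return b.name in blobs and digest(blobs[b.name]) == b.sha256
    # Only backups taken before the assessed compromise time are candidates.
    clean = sorted((b for b in catalog if b.taken < compromised_at), key=lambda b: b.taken)
    rejected, base = [], None
    for b in (x for x in reversed(clean) if x.kind == "full"):
        if ok(b):
            base = b          # newest full backup that still matches its digest
            break
        rejected.append(b.name)
    if base is None:
        raise RuntimeError("no verifiable full backup predates the compromise")
    chain = [base.name]
    for b in clean:
        if b.taken <= base.taken:
            continue
        if b.kind == "full":
            break             # later incrementals build on this rejected full
        if not ok(b):
            rejected.append(b.name)
            break             # every later incremental depends on this one
        chain.append(b.name)
    return chain, rejected

def demo():
    # Constructed sample: in-memory bytes stand in for backup archives on disk.
    names = ("full-01", "incr-02", "incr-03", "incr-04", "incr-05")
    blobs = {n: n.encode() for n in names}
    catalog = [Backup(n, "full" if n.startswith("full") else "incr",
                      datetime(2024, 3, int(n[-2:])), digest(blobs[n])) for n in names]
    blobs["incr-03"] = b"altered after the manifest was written"
    return plan_restore(catalog, blobs, compromised_at=datetime(2024, 3, 5))
```

In the constructed sample, `incr-04` is intact but is still left out, because it can only be applied on top of the rejected `incr-03`.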

Attempt Forensic Data Recovery

If backups aren’t available, forensic data recovery methods may recover some deleted or encrypted files. Software tools can scan storage media and memory to find files marked for deletion but not yet overwritten. Common software options include:

  • Ontrack EasyRecovery
  • Stellar Phoenix Data Recovery
  • EaseUS Data Recovery Wizard
  • SpinRite

These tools can restore varied file types from hard drives, SSDs, and even optical media. Booting from an external device may be required for systems with malware present. Expect partial returns as overwritten data is less recoverable.
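To show why deleted-but-not-overwritten files are recoverable and overwritten ones only partly so, here is a small signature-based file carver for PNG images. It is an added illustration, not from the original article and not the method of any product listed above; the raw image bytes are constructed inline. It finds each PNG signature, walks the chunk structure, and uses the per-chunk CRC to report whether the file is intact or damaged.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def carve_pngs(image: bytes):
    """Return [(offset, status, recovered_bytes)] for every PNG signature in a raw image."""
    results = []
    pos = image.find(PNG_SIG)
    while pos != -1:
        cur, status = pos + len(PNG_SIG), "truncated"
        while cur + 12 <= len(image):
            # Chunk layout: 4-byte length, 4-byte type, data, 4-byte CRC over type+data.
            length, ctype = struct.unpack(">I4s", image[cur:cur + 8])
            end = cur + 12 + length
            if end > len(image):
                break                      # chunk runs past the end of the image
            (crc,) = struct.unpack(">I", image[end - 4:end])
            if zlib.crc32(image[cur + 4:end - 4]) != crc:
                status = "corrupt"         # bytes were overwritten after deletion
                break
            cur = end
            if ctype == b"IEND":
                status = "intact"
                break
        results.append((pos, status, image[pos:cur]))  # keep only the verified prefix
        pos = image.find(PNG_SIG, pos + 1)
    return results

def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def sample_image():
    # Constructed sample: one intact 1x1 PNG and one copy with a damaged data byte.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x7f")) + _chunk(b"IEND", b"")
    damaged = bytearray(png)
    damaged[43] ^= 0xFF                    # simulate a partially overwritten sector
    return b"\x00" * 512 + png + b"\xff" * 100 + bytes(damaged) + b"\x00" * 64, png
```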

Recovering Encrypted Data

Recovering encrypted data is challenging if you don’t have the encryption keys. Brute-forcing the keys of modern algorithms is difficult. However, security flaws are sometimes discovered in certain encryption schemes that allow them to be cracked. Explore options like:

  • Passware Kit Forensic
  • Elcomsoft Forensic Disk Decryptor

These tools leverage such vulnerabilities and may decrypt some lost data. Consult a forensic firm for help determining whether encrypted data is recoverable.

Engage a Forensic Firm

For extensive or highly complex data loss, engaging a forensic data recovery firm may be your best chance for recovery. Specialists have proprietary tools and deep expertise recovering obscured data. They can attempt restoration from damaged media and disassemble storage devices in a certified cleanroom environment if needed.

The downside is cost. Prices often start around $1,000 but can reach $10,000+ for advanced recovery. Weigh the value of the lost data against the recovery costs. Also, expect longer turnaround times, as forensic recovery is a manual, meticulous process.

Vet any firm thoroughly – you are granting them access to your compromised systems and data. Look for respected companies like:

  • DriveSavers
  • Gillware
  • Secure Data Recovery Services
  • WeRecoverData

Rebuild Systems and Restore Data

Once data is recovered, systems need to be cleaned and rebuilt before restoring data. All infected systems should be wiped and reformatted to eliminate residual malware. Reinstall operating systems and software from scratch, applying the latest security patches. Also reset all account credentials to prevent unauthorized access.

With clean systems rebuilt, data can now be restored from backups. Take precautions not to re-contaminate systems. Scan backups for malware and restore data in stages, verifying integrity at each step. Once data is validated, reconnect recovered systems to the network in a staged manner.

Improve Defenses

Before returning to normal operations, be sure to learn from the incident and improve defenses against future attacks. Some steps to take include:

  • Perform a security risk assessment – Identify and address any gaps
  • Update software, OS, and firewalls – Eliminate vulnerabilities
  • Implement strong password policies – Require complexity and regular resets
  • Deploy malware and intrusion detection – Monitor systems proactively
  • Provide updated staff training – Educate on cyber risks and policies
  • Review and test backups – Ensure regular, isolated backups
  • Consider cyber insurance – Protect against financial losses

A compromised network can serve as a crucial wake-up call to ramp up defenses and safeguard your organization from even more severe cyber incidents down the road.

Verify Normal Operations

Prior to resuming normal operations, verify that all systems are functioning reliably and securely after recovery efforts. Here are some best practices:

  • Monitor system performance – Load test servers/apps to verify stability
  • Validate accessibility – Confirm remote access and services work as expected
  • Check for malware – Rescan all systems one final time
  • Confirm data integrity – Spot check reports and key data for accuracy
  • Test security controls – Re-run vulnerability scans to check for gaps
  • Run incognito tests – Send safe phishing emails to employees to keep security top of mind

By methodically revalidating all systems, you can confidently resume operations knowing critical systems and data are intact following the attack and recovery efforts.


Recovering from a cyber attack takes time, but following these key steps can restore compromised data and get your organization back to business:

  • Assess damage and scope of breach
  • Isolate and contain the attack
  • Determine recovery options based on backup availability
  • Restore data incrementally from clean backups
  • Attempt forensic data recovery methods if needed
  • Rebuild infected systems completely before restoring data
  • Strengthen defenses to prevent repeat attacks
  • Verify all systems are functioning normally post-recovery

While harrowing, even severe cyber attacks can be overcome with advance planning and preparation. Follow best practices for backups, incident response, and data recovery to minimize business disruption and financial losses from inevitable cyber threats.