Ransomware Expert Details the Five Stages of Recovery
"There are going to be more than 6,000 companies hit with ransomware this year. That's a staggering number," said Allan Liska during his presentation at today's Virtualization & Cloud Review online summit "The First 72: What To Do in the Hours Post-Attack."
Liska, an intelligence analyst and solutions architect at Recorded Future and a frequent expert commentator on outlets like CNN and PBS, warned that while each incident feels isolating, thousands of organizations are navigating the same crisis every year.
"The initial point of entry is going to tell you whether this was a one-time incident or whether there is a systemic problem in your network."
Allan Liska, Intelligence Analyst, Recorded Future
Liska, known in the industry as the "Ransomware Sommelier," has spent more than a decade tracking threat actors and guiding recovery efforts. In his session, he laid out a structured approach for dealing with what he described as the "ultimate punch in the mouth" for IT and security teams. The one-hour event -- being made available for replay -- covered wide-ranging considerations, from incident response planning to legal implications, more than can be covered in one article.
So we'll focus on the centerpiece of his talk: the five stages of ransomware recovery. These provide a practical playbook for organizations facing the critical first 72 hours after an attack: Identify, Contain, Eradicate, Recover, and Review.
Identify
Identify Stage (source: Allan Liska).
In the first stage, organizations must quickly confirm what they are dealing with. Liska explained that this has grown more complicated as many incidents now involve data theft rather than encryption. "It used to be pretty easy to identify that you have been hit by a ransomware attack," he said, but now "knowing which ransomware group it is can [be] difficult." He cautioned that even with encryption events, some actors deliberately disguise themselves, making early analysis and legal involvement critical. He advised that counsel -- both internal and external -- often must be engaged right away, along with insurance providers who may dictate response procedures.
Contain
Contain Stage (source: Allan Liska).
Containment is heavily shaped by network design. "A flat network is much harder to contain than a segmented network," Liska said. Segmentation slows an attacker's progress, giving defenders time to isolate critical systems. He acknowledged the tradeoff between preserving forensic evidence and halting the spread: shutting down servers may mean losing data in memory, but it could also prevent widespread encryption. He underscored the need to defend backup infrastructure as part of containment: "Ransomware actors want to encrypt or destroy backups, so ensure that your initial containment is protecting those systems."
Eradicate
Eradicate Stage (source: Allan Liska).
This stage focuses on removing attackers and blocking their re-entry. "Many companies don't want to 'pull the plug' on their servers. I get it, but if it is the difference between a little data loss and ALL the data loss, shutting them all down may be the correct answer!" he said. He also urged teams to identify and patch the original point of entry, whether a vulnerability, a stolen credential, or a misconfiguration. "Plugging that initial point of entry is going to be important to prevent re-infection," he emphasized, noting that if one actor gained access, initial access brokers or other attackers are likely to try again.
Recover
Recovery Stage (source: Allan Liska).
Once eradication is underway, recovery can begin. Caution is key, Liska stressed. "Start to bring machines online slowly in small groups," he said. Systems should be monitored for signs of lingering compromise, including command-and-control traffic or suspicious processes. He advised validating restored data carefully to avoid reinserting attacker tools preserved in backups. Recovery may be gradual, but rushing can mean reliving the attack all over again.
Review
Review Stage (source: Allan Liska).
The final stage is about closing gaps and preventing recurrence. "This is not a blame session; instead, it is necessary to find gaps in monitoring," Liska said. He recommended that security leaders brief executives with a clear plan for improvements, especially since resources often become available in the aftermath of a breach. Turning a crisis into an opportunity to strengthen defenses can ensure the next attack is less damaging, or prevented altogether.
Liska's presentation underscored that ransomware recovery is not just a technical process but an organizational one, requiring preparation, coordination, and honesty about existing weaknesses. By following a structured framework -- Identify, Contain, Eradicate, Recover, Review -- companies can avoid panic and focus on the steps that matter most in those crucial early hours.
And More
Beyond the five stages discussed above, Liska also covered a range of other key topics. You can learn all about those in the replay.
And, although replays are fine -- this was just today, after all, so timeliness isn't an issue -- there are benefits to attending such summits and webcasts from Virtualization & Cloud Review and sister sites live. Paramount among these is the ability to ask questions of the presenters, a rare chance to get one-on-one advice from bona fide subject matter experts (not to mention the chance to win free prizes -- in this case $5 Starbucks gift cards awarded to the first 300 attendees by sponsor Rubrik, which also presented at the summit).
About the Author
David Ramel is an editor and writer at Converge 360.