Skip to Main Content


Dear Ramey: Bad Guys Deleted Our Data. How Do We Get It Back?



Answering burning questions from victims of cyber events

My organization was hacked. The bad guy found our data and deleted it — including our backups! All they left was a note stating, “Send a message to this email address to get your data back.” What’s it going to take to get my data back?RICKY RESTORE


I’m very sorry to hear of your challenges. Extortion is all too common nowadays. With the lower cost of storage and faster upload speeds, the bad guys are finding clever ways to extort businesses and force them to pay ransoms.

My colleague Jaycee Roth recently blogged about Data-as-a-Hostage (DasH). She shares trending techniques where the bad guys may not deploy ransomware. Rather, once they gain access to a victim’s systems, they copy the data from the network and delete it from the victim’s servers.

To regain access to their information, victims often need to contact and pay the bad guys the ransom price, after which the bad guy will release the username and password to the cloud account that is storing their information.


First and foremost, paying the ransom should be the last possible resort. Instead, you should examine all available information to identify what was taken and where it was transferred.

    • Check firewall logs for outbound activity to cloud-sharing sites.
    • Engage a data privacy law firm and cybersecurity experts to assist with the investigation.
    • Leverage a cybersecurity expert to negotiate on your behalf.

Let’s assume the first two options don’t result in substantial information to recover your data. Now, you’re faced with contacting and negotiating with the foreign entity.

Timing is a critical component with any recovery, whether from a ransomware attack, extortion, or just general hardware failure. Loss of IT infrastructure can mean impact to productivity and ultimately, revenue loss. There’s no situation where loss of access to your digital information can be good.


The negotiation timetable is up to the bad guys. They’ll dictate when — or even if — they will respond to victims. Most bad guys who lock systems with ransomware are from Eastern Europe but where they are located is a separate conversation — they can really be anywhere. They leverage technologies like VPNs, proxies, and the TOR network to hide their location.

Assuming your organization is based in the United States, there can be a major time-zone gap in play. Some of these groups have “call center”-style operations while others personally handle communications. In any case, it can take anywhere from 12 hours to a week to work through initial contact, negotiation, and payment.

To further complicate matters, once you make payment, it may take another four hours to several weeks to receive the decryption tool or credentials. We once had to wait for a bad guy to return from vacation to receive the decryption tool.


Most, if not all, bad guys want payment in some form of cryptocurrency. The most common is Bitcoin; a close second is Monero. Unfortunately, purchasing Bitcoin is not as straightforward as some may think. Yes, websites like Coinbase and Kraken make it easier, but they require verification of individuals or businesses to open an account for purchase and transfer of cryptocurrency assets. Verification can take a few hours or several weeks. Further, these sites may also place a limit on how much you can purchase or transfer in a single day.

Once you purchase cryptocurrency, the transaction will take time to complete. You must:

    • Wire fiat currency to the exchange for Bitcoin and let the transaction settle. A wire transfer can take a few hours; an ACH transfer can take a few days. The banks control this speed.
    • Transfer cryptocurrency to the threat actor. The blockchain will have to confirm the transaction, meaning it must have consensus that the transaction is valid with independent verification by other nodes on the blockchain. The blockchain’s bandwidth and activity will dictate speed, but generally, the process can take anywhere from 30 minutes to 24 hours.

Now the longest wait of all … waiting for the bad guy to send the decryption keys or username and password. Depending on the threat actor at play, receipt of goods can be a matter of hours after the transaction is confirmed or, if the group is disorganized, it could take several weeks.

In the last couple of months, we’ve had two unique scenarios where the bad guys took quite a bit of time to provide access.

    1. The bad guy copied the data to a new cloud account and provided access to our threat intelligence team to access and download the data. We had to wait for a large volume of data to transfer to the new account for access.
    2. The bad guy used two different encryptors to encrypt the data, forcing several follow-ups across multiple weeks to decrypt the systems.

Decryption or downloading of data is not a fast process. The speed of decryption is directly related to the speed of the hard drive reading and writing as well as the volume of data. Decryption can take anywhere from 15 minutes to several days. The larger the storage repository, the longer it takes.

Like with downloading data, organizations are limited to their download bandwidth and network speeds. Not to mention, IT administrators will need to figure out where the data needs to ultimately reside, adding another undefined amount of time to copy data to its final internal destination.

Having to rely on a foreign and anonymous entity is a convoluted situation. There’s no fast way to get quick access to your information. Best advice: Plan to be down for a week to 10 days. Temporarily convert business operations to paper and pencil or, if you can rebuild systems, allow for some time to stand up new systems and perform a migration of old data to integrate with the new data.

    • Engage data privacy attorneys and cybersecurity experts to guide your organization through this process. Additionally, ensure the cybersecurity experts can purchase large quantities of cryptocurrency without any additional overhead.
    • Block cloud-sharing sites and their corresponding data transfer ports.
    • Set up perimeter monitoring for large volumes of data transferring to the same IP addresses or domains.
    • Ensure backups are segmented from the production network and cannot be administered with production credentials.

Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at [email protected]. Arete wants to help by sharing our insight and experience.