During a ransomware restore: how do we tell which snapshot is still clean?
Attackers often sit quietly inside for days or weeks before encrypting. So yesterday's snapshot isn't automatically clean. Verifying snapshots is real work, but the alternative is restoring already-infected data.
Try this first
- 1Establish the timeline first using SIEM, EDR or access logs. When was the first suspicious behaviour (lockouts, lateral movement, new processes) seen? That moment minus 1 day is your starting point.
- 2Mount that snapshot read-only on an isolated network. Don't restore straight to production, that's exactly what the attacker hopes for.
- 3Scan with an independent anti-malware tool (Defender Offline, Kaspersky, Bitdefender) and an EDR that hasn't run on this data before. 0 hits is a first signal, not a guarantee.
- 4Check IoCs: new AD accounts, scheduled tasks, services, registry run keys, persistent RAT binaries in temp folders. If present, go one snapshot earlier.
- 5Verify integrity of critical config: AD replication, GPOs, DNS records. A backup of a corrupted AD is corrupted AD.
- 6Document which snapshot you picked and why. That's worth gold later for insurance, audit and your own learning.
When to bring us in
If in doubt or you can't find a clean snapshot, escalate to a DFIR firm before restoring. A bad restore reseats the attacker on your fresh environment and you waste your strongest recovery moment.
See also
- We have backups but we do not know if they workA backup that cannot be restored is not a backup. Testing matters as much as taking the backup.
- Suspected ransomware: what to do RIGHT NOWThe first 30 minutes are critical. One wrong move spreads the damage. Read before acting.
- Someone accidentally deleted an important folderUsually fine to recover. The trick: do not save anything new on that drive until you know how.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.