Best Practices for Recovery from the Malicious Erasure of Files

Last Revised

There are many ways in which cyber criminals can damage computer systems and data, including changing or deleting files, wiping hard drives, and erasing backups to hide their malicious activity.

Hard drives are wiped, or "zeroed out," when the original data is overwritten with zeros or different characters. This allows malicious actors to alter or even erase existing data. In addition to impeding the restoration of the original data, this type of criminal activity makes it difficult to determine whether criminals merely accessed the network, stole information, or altered network access and configuration files. Restoring networks and assessing the damage to a business can be hindered when the full extent of malicious activity is unclear.

DHS and the FBI encourage businesses and individuals to employ mitigation strategies and best practices to effectively recover maliciously erased files, such as:

  • Implementing a data backup and recovery plan. A copy of the sensitive data should be kept in a separate and secure location. Make sure this backup copy is not readily accessible from local networks.
  • Regularly mirroring and maintaining an image of critical system files.
  • Encrypting and securing sensitive information.
  • Using strong passwords, implementing a frequent schedule for changing passwords, and making sure passwords are not reused for multiple accounts.
  • Enabling network monitoring and logging (when feasible).
  • Being on guard against social engineering tactics aimed at obtaining sensitive information, such as phishing.
  • Ensuring that sensitive files are securely eliminated from hard drives when no longer needed or required.

There are many resources available on the US-CERT website to protect users from this type of malicious activity, including these suggested readings from the National Cyber Alert System:

This product is provided subject to this Notification and this Privacy & Use policy.