Callback
  • From a market stall to a store

  • -

  • From a store to a retail chain

  • -

  • From retail to manufacturing

How to Protect Data from Ransomware

Volodymyr Vytyshchenko
Volodymyr Vytyshchenko

Trade automation expert at Torgsoft

Business cybersecurity

Server encrypted: what businesses should do and how to protect Torgsoft data

Current as of July 2026 Reading time: 18 minutes

If the files on the server have already been encrypted, disconnect the affected computer from the local network and the internet, do not connect backup drives to it, and do not run random decryption tools. Record the attackers’ message, the time, and the first signs of the attack, and involve a system administrator or cybersecurity incident response specialist. Accounting operations should be restored on a cleaned or new server using the latest verified backup created before the intrusion. If no such backup exists, fully restoring the accounting history may be impossible.

In 2026, ransomware remains one of the main threats to businesses. According to the Verizon Data Breach Investigations Report 2026, exploitation of vulnerabilities was the initial access method in 31% of confirmed data breaches, while ransomware was present in 48% of cases. Ukrainian businesses also face targeted destructive operations alongside financially motivated attacks. In 2025, CERT-UA handled 5,927 cyber incidents — 37.4% more than the previous year. The main threats included phishing, account compromise, attacks through suppliers, destructive software, and ransomware, as described in the 2025 review of Ukraine’s national cybersecurity system.

Key facts about backupsAn archive stored in the C:\DatabaseArchive folder, on another internal drive of the same server, or on a permanently connected USB drive is accessible to the operating system. Ransomware or an attacker with administrator privileges can encrypt or delete it together with the primary database.

What happens during an attack

A modern attack often lasts longer than the encryption process itself. The attacker gains initial access, examines the network, steals passwords, escalates privileges, locates servers and backup storage, copies data, and then starts encryption or destruction. Restoring files without eliminating the original intrusion method creates a risk of another attack.

Type of attackWhat the attacker doesConsequences for the store
File encryption Encrypts databases, documents, photographs, network folders, and accessible archives. Checkout stations and office staff lose access to accounting records, stock balances, sales history, and documents.
Double extortion Copies data before encryption and threatens to publish or sell it. In addition to downtime, there is a risk of customer, employee, and counterparty data being leaked.
Extortion without encryption Steals information and demands payment in exchange for not disclosing it. The software may continue to operate even though confidential data is already in the possession of third parties.
Data destruction Wiper malware erases files, virtualisation systems, and backups. Decryption is impossible because the data has been destroyed. Recovery requires a separate backup.
System locking Blocks access to Windows or individual services without encrypting files on a large scale. Operations stop, and the database must be checked before accounting operations are restored.

In attacks recorded in Ukraine in 2025, threat actors deliberately damaged virtualisation and backup systems. They gained access by exploiting vulnerabilities in suppliers, compromising VPN accounts without multifactor authentication, and using social engineering. This confirms the need to protect the server, remote access, user accounts, and backup storage simultaneously.

How ransomware enters a business network

Intrusion vectorTypical business scenarioWhat reduces the risk
Missing updates A scanner finds an outdated VPN, router, Windows server, or other application with a known vulnerability on the network. Supported software versions, timely updates, and an inventory of all devices and external services.
Remote access An RDP port is exposed to the internet and the password is guessed or stolen; the VPN operates without additional login verification. Close internet access to RDP, use a secure gateway or VPN with multifactor authentication, and restrict source addresses and access times.
Phishing An employee opens an attachment or link in an email concerning an invoice, inspection, delivery, penalty, vacancy, or official document. Email filtering, blocking dangerous macros and scripts, employee training, and verification of requests through another communication channel.
Stolen passwords The same password is used for email, remote access, and cloud storage; the credentials are already included in a data leak or have been stolen by an infostealer. Unique passwords stored in a password manager, multifactor authentication, separate administrator accounts, and termination of old sessions.
Unlicensed software and fake updates An employee runs an activator, software downloaded from a file-sharing service, a fake browser installer, or an «urgent update». Allow only an authorised employee to install software from official sources and control which applications are permitted.
USB drives and external disks An infected storage device is connected to a checkout computer or server. Ban unknown storage devices, scan them automatically, and restrict USB devices through Windows policies.
Another computer on the network An office laptop becomes infected, after which the attack spreads through shared folders, stolen passwords, and administrative tools. Network segmentation, a separate guest Wi-Fi network, minimum access rights, a local firewall, and different administrator passwords.
Supplier or remote support software A compromised contractor account or legitimate management tool provides access to several customers at once. Named accounts, multifactor authentication, access granted on request and for a limited time, connection logs, and removal of unnecessary tools.
Cloud account compromise An attacker signs in to a Google account, deletes or damages backups, and changes recovery settings. A separate service account, a passkey or multifactor authentication, session monitoring, and an independent offline copy.

Requests to Torgsoft technical support and public discussions by affected users repeatedly describe the same situations: all archives were stored on the infected PC; the external drive remained connected; the backup task had been failing for a long time; the cloud account was not protected with multifactor authentication; or only an outdated .mdf file could be recovered from the server. In an open Ukrainian discussion about backups, users also describe losing both primary files and accessible copies, as well as Google accounts being taken over when two-step verification was not enabled. These reports describe individual cases; the technical recommendations below are based on guidance from NIST, CISA, NCSC, Microsoft, and CERT-UA.

What to do if the server has already been encrypted

The first 15 minutes

  1. Isolate the affected computer. Unplug the network cable, disable Wi-Fi, and disconnect it from the VPN. Disconnect any other computers showing the same signs from the network.
  2. Stop the spread. The system administrator should block compromised accounts, active remote sessions, access to shared folders, and suspicious outbound traffic.
  3. Do not connect backup media. Pause automatic synchronisation and backup tasks if they could overwrite a valid copy with corrupted data.
  4. Do not delete evidence. Photograph the ransom message and record the encrypted file extensions, detection time, recent user actions, and known failures. Do not rename files or run unknown decryptors.
  5. If encryption is continuing and the device cannot be isolated from the network, turn it off. If a digital forensics specialist is available, consult them before shutting it down because the system memory may contain useful evidence.

Within the first hour

  1. Appoint an incident coordinator. This person records the time, decisions, people involved, affected devices, and the condition of the backups.
  2. Engage an incident response specialist. A standard antivirus scan is insufficient to determine whether unauthorised accounts, services, tasks, access keys, or other re-entry mechanisms remain in the system.
  3. Change passwords from a verified clean device. Start with administrator accounts, email, VPN, remote access services, the Google account containing the archives, and cloud provider accounts. Terminate active sessions and reissue access keys.
  4. Check the entire environment. This includes the server, workstations, checkout computers, router, network storage, email, cloud accounts, and contractor computers that connected remotely.
  5. Report the incident. Information about malicious content can be submitted through the form on the CERT-UA website. A cybercrime report can be submitted through the Cyber Police electronic reporting system. If personal, payment, or contractual data may have been leaked, separately assess the legal and contractual notification obligations.

Whether to pay the ransomCISA, NIST, and the law enforcement initiative No More Ransom advise against paying. Payment does not guarantee that a key will be provided, that the decryptor will work, that stolen data will be deleted, or that no further demands will follow. Before making any decision, involve law enforcement, an incident response specialist, a lawyer, and the insurance company if the business has cyber insurance.

How to check whether decryption is possible

Keep copies of the encrypted data, the ransom message, and several pairs consisting of an «encrypted file — its intact original», if available. The Crypto Sheriff service helps identify the ransomware family and check whether a free decryptor is available. Work on a copy of the data under the supervision of a specialist. New keys sometimes become available later, so it is advisable to retain encrypted files even when no solution is currently available.

How to restore Torgsoft after an attack

  1. Prepare a clean environment. Use a new computer or reinstall Windows on the compromised server after preserving the necessary evidence. Install all security updates and configure protection and remote access.
  2. Find the latest valid copy. Check the cloud archive, disconnected drives, copies stored in another location, and other storage systems. The archive date determines how many transactions will need to be restored manually.
  3. Check the copy before deployment. The archive must open, match the expected size and date, and pass a malware scan. Restoration should be performed in an isolated environment.
  4. Contact Torgsoft technical support. Once a secure server and a valid archive have been prepared, the specialists will help install the software and deploy the database.
  5. Check the accounting records. Verify the date of the latest sales, stock balances, cash documents, inventory movements, users, templates, and photographs. Record the missing period and prepare a plan for reconstructing it from the original documents.
Scope of Torgsoft assistance

The business owner, together with their system administrator or IT contractor, is responsible for securing the Windows server, network, accounts, and backup media. Torgsoft technical support does not decrypt affected files and cannot obtain a valid archive from data that has already been encrypted or destroyed. Once a clean server has been prepared, the specialists can install Torgsoft and restore the database from a suitable copy. It may sometimes be possible to attach a surviving .mdf file, but the outcome depends on the file’s integrity and date and is not guaranteed.

Migration to a rented server also requires a valid database or archive. The new environment restores the ability to continue working, while historical accounting data can only be restored from an available copy.

Why a copy on the same server does not provide protection

Where the copy is storedProtection against ransomwareReason
Another folder on drive C: Low The same Windows installation, administrator privileges, physical disk, and affected environment.
A second internal server drive Low The drive is permanently accessible to the system and to an attacker with administrator privileges.
A permanently connected USB drive Low During an attack, it functions as an ordinary accessible drive.
A network folder with permanent write access Low or medium Malware can encrypt files using the compromised user’s permissions.
A cloud folder synchronised as a drive Medium Damage and deletion may be synchronised; protection depends on file versions, the recycle bin, and account security.
A cloud archive using a separate account without a permanently connected drive Higher The copy is stored outside the server and is not displayed as an ordinary Windows network folder. The account and permissions must be protected separately.
A disconnected drive or immutable storage Highest among the listed options At the time of the attack, there is no available channel through which the copy can be changed or deleted.

NCSC recommends separating backup storage management from the primary network, using separate administrative credentials, requiring multifactor authentication for destructive actions, using disconnected media or immutable copies, and retaining previous versions for a defined period.

A practical backup scheme for a store

The 3–2–1–1–0 model is suitable for small and medium-sized businesses:

  • 3 copies of the data: the production database and at least two backup copies;
  • 2 different storage media: for example, a local drive for quick recovery and cloud storage;
  • 1 copy outside the primary premises or server;
  • 1 offline copy or a copy in immutable storage;
  • 0 unverified errors: backup logs are monitored and restoration is tested regularly.

Define the acceptable amount of data lossIf a store can re-enter no more than one business day of transactions, a valid backup must be created daily or more often. For a network with a high number of sales, the acceptable loss period is usually shorter. Agree the backup frequency and database load with an IT specialist and Torgsoft technical support.

How to configure an automatic copy to a protected drive

  1. Dedicate the storage device exclusively to backups. Do not store working documents or run applications on it.
  2. Do not leave the device permanently connected. Connect the drive for controlled copying, disconnect it correctly when the process is complete, and store it separately.
  3. Rotate at least two drives. While one device receives a new copy, the other remains disconnected in another secure location.
  4. Restrict permissions. Ordinary users and checkout operators must not have permission to delete backups. Backup credentials should not be used for daily work.
  5. Protect the data on the storage device with encryption. Keep the recovery key separately from both the server and the drive.
  6. Automate monitoring. The responsible person receives error notifications and checks the date of the latest backup and the available storage space every day.
  7. Test restoration. Every month, verify that a recent archive can be opened in an isolated environment. Every quarter, perform a full test restoration and record the time and result.

Automatic disk backups should not result in the storage device remaining connected all day. If the process cannot be organised consistently, use storage with immutable versions and separate management.

How to configure «Cloud Data Archive» in Torgsoft

Cloud Data Archive | 1-year license automatically creates an archive of the Torgsoft database or program directory and sends it to Google Drive according to a schedule. Copies are stored in the TORGSOFT_CLOUD folder. A separate TORGSOFT_CLOUD_SYNC folder is used to synchronise photographs.

  1. Create a separate Google account for the archives. Do not use an employee’s personal account. The business owner should control the account recovery methods.
  2. Enable multifactor authentication. A passkey or hardware security key is preferable. Store backup codes offline.
  3. Do not install the Google Drive synchronisation client for this folder on the server. The cloud archive should remain separate from ordinary Windows drives and network folders.
  4. Activate the option. In Torgsoft, open Settings → Scheduled Tasks → Archiving to Cloud Storage.
  5. Add a task. Select the type: database archive, program directory, or photograph synchronisation. Full recovery usually requires separate tasks for the database and important working files.
  6. Specify the retention period. Keep several copies from different dates. If required, enable moving outdated archives to the recycle bin instead of deleting them permanently.
  7. Enable database archive compression. This reduces the amount of data transferred and the storage space used.
  8. Configure a daily schedule. Local and cloud archiving must not run at the same time. If the local archive is created at 17:00, schedule the cloud task no earlier than 17:10. Leave at least 20 minutes between multiple cloud tasks.
  9. Authorise the Google account, activate the task, and save it. Do not add personal files to TORGSOFT_CLOUD, because the software applies the configured retention period to this folder.
  10. Check the result. Review the execution log, confirm that a recent archive has appeared in Google Drive, and then perform a test restoration.

Missed taskIf there was no internet connection at the scheduled time, the application server was not running, or an authorisation error occurred, the task is postponed until the next time the schedule conditions are met. The log and the date of the latest successful archive must therefore be checked regularly.

The cloud archive stores a copy outside the server and reduces the risk of losing the production database and local archives at the same time. Its resilience depends on the security of the Google account, the retention period, error monitoring, and cloud access permissions. For critical data, retain an additional offline or immutable copy.

How to protect a Windows server running Torgsoft

In this article, a server means the Windows computer on which the Torgsoft database is stored. Even if it is an ordinary PC in the store, it should operate as a dedicated server.

  • Use the server only for Torgsoft and the required services. Do not open email, messaging applications, social networks, or third-party websites on it. Do not download documents, software, drivers, or archives from unverified sources.
  • Do not perform daily work with administrator privileges. Create a separate standard user account and a separate administrator account for configuration tasks.
  • Keep Windows, SQL Server, the router, VPN, and remote access tools up to date. Versions that no longer receive security updates must be replaced or isolated.
  • Do not expose RDP port 3389 directly to the internet. Arrange remote access through a VPN or secure gateway with multifactor authentication, named accounts, and connection logging.
  • Close unnecessary ports and services. Allow access to SQL Server and shared folders only from the required devices on the local network. SMB port 445 must not be accessible from the internet.
  • Separate the networks. Do not place the server and checkout computers on the guest Wi-Fi network. Office laptops, cameras, televisions, and personal phones must not have unnecessary access to the server.
  • Enable and monitor endpoint protection. Antivirus or EDR software must receive updates, operate in real time, and be protected from tampering. Attack surface reduction rules, folder protection, and application control should first be tested for compatibility with Torgsoft and SQL Server.
  • Restrict applications and macros. A dedicated server does not need office editors, archiving tools, browser extensions, or utilities that are not involved in Torgsoft operations.
  • Use unique passwords and multifactor authentication. This is mandatory for email, VPN, cloud accounts, remote support, and backup accounts.
  • Maintain logs and configure alerts. Monitor failed sign-in attempts, administrator account creation, disabled protection, new services, remote access connections, backup errors, and insufficient storage space.
  • Review contractor access. Grant access for a specific period and disable it after the work is complete. Replace permanent shared passwords with named accounts.
  • Protect the power supply. An uninterruptible power supply and correct system shutdown reduce the risk of database corruption during power outages.

In its SQL Server security recommendations, Microsoft specifically emphasises RDP protection, closing ports with a firewall, timely updates, minimising installed tools, and storing a backup so that a shared administrator account cannot delete it. For Windows, Microsoft also recommends multifactor authentication, tamper protection, attack surface reduction rules, and rapid installation of critical updates.

Minimum 30-day protection plan

DeadlineActionsResult
Today Close direct RDP access, check updates and antivirus protection, change administrator passwords, enable multifactor authentication, and create a copy outside the server. The risk of the most common intrusion methods and complete data loss is reduced.
Within 7 days Activate «Cloud Data Archive», configure a separate Google account, check the logs and test restoration, and introduce offline drive rotation. Several independent recovery methods are available.
Within 14 days Inventory the devices, separate the networks, remove unnecessary software and access permissions, and review contractors and remote management tools. The number of entry points and the possibility of attack propagation are reduced.
Within 30 days Approve a concise incident response plan, responsible contacts, acceptable data loss, notification procedures, and a quarterly full recovery test. The owner and employees know who is responsible for each action during an incident.

Short answers to customer questions

The server and all archives have been encrypted. Can Torgsoft recover the database?

Only if a valid archive or an intact database file remains. Technical support does not have a universal tool for decrypting data affected by ransomware.

An .mdf file has survived. Can operations be restored?

The specialists can check whether it can be attached. The file must be intact and contain current data. If it was created several months ago, accounting records after that date will be missing.

Will migration to a rented server help?

It provides a new environment for future operations. The accounting history is transferred from a valid database or archive, so a suitable copy must first be found.

Is «Cloud Data Archive» sufficient?

It is an important layer of basic protection. For critical data, add a separate offline or immutable copy, multifactor protection for the Google account, log monitoring, and regular test restorations.

How often should an archive be created?

The frequency depends on the number of transactions and the acceptable amount of data loss. A daily copy is the minimum for an active store. If losing one business day is unacceptable, a more frequent schedule agreed with an IT specialist and Torgsoft technical support is required.

Can the server be cleaned with antivirus software after an attack and then returned to operation?

This is insufficient for reliable recovery. The attacker may have created additional accounts, tasks, services, and hidden access channels. A secure approach requires investigation, elimination of the intrusion method, and deployment on a clean system.