Ransomware victim? Here are 8 things to do after the attack

by | June 29, 2021 | How to

What to do after a ransomware attack.

Ransomware attacks have increased recently! “Why can’t I open that document? My computer is just getting slower and slower; I need help!” It all starts with this, and then you get a call from your IT team telling you the words you were hoping not to hear: “We’ve been breached, sir!” Basically, these are a few signs that show you’re the victim of a ransomware attack! The good news: you are in a safe place where you will learn step by step what to do after the cyberattack.

“What do I do now?” you may wonder. In the first place, do not panic because your response to the attack can make the difference! Instead, try to take a few initial steps that can help you protect your data.

What do you need to know about ransomware?

Shortly put, ransomware usually spreads through spam or phishing emails. Although, you can get ransomware by being on websites or by downloading different files. Once in place, the ransomware keeps the organization’s files locked, using strong encryption until the organization pays a ransom to restore it.

What are the steps in a typical ransomware attack?

  1. Infection– after being delivered to the system through email attachment, phishing email, infected application, or other method mentioned, the ransomware installs itself on the endpoint and any network devices it can access.
  2. Secure key exchange– the next step happens when the ransomware contacts the command and control server operated by the attackers to generate encryption keys to be used on the local system.
  3. Encryption– the malicious software starts encrypting any files it can find on local devices and the network.
  4. Extortion– after the encryption work is completed, the ransomware will display instructions for extortion and payment of ransom and threaten to destroy the data if it does not pay.
  5. Unlocking– organizations can pay the ransom and hope that cybercriminals can actually decrypt the affected files, or they can try to recover by deleting the infected files and systems from the network and restoring the data from a clean backup. Unfortunately, negotiations with cybercriminals are often a reason for failure, as a recent report found that 42% of the files in the organization that paid the ransom were not decrypted.

Now that you learned what happens during the attack let’s see what we can do next!

What to do next?

Getting infected with ransomware is a very bad thing to have happened to you. Luckily, there are some steps you can take to minimize the spread and undo some of the damage.

1. Isolate the infection

  • Prevent the infection from spreading to your other files by disconnecting the computer from the network (both wired and Wi-Fi) and isolating the hard drive.

2. Identify the infection

  • From identification tools, evidence on the computer, and messages. But, first, determine which malware strain you are dealing with.
  • Mostly you can recognize it when it asks for ransom. Numerous specific sites help you identify the ransomware (for example, ID Ransomware).
  • Identifying it will help you understand what type of ransomware you have, how it spreads, the types of files it encrypts, and your options for deletion and disinfection. It will also enable you to report attacks to the authorities, which is recommended.

3. Report to the authorities

Using your phone camera, take a photograph of the ransom message on the screen. Then, you can file a report with the FBI at the Internet Crime Complaint Center.

4. Determine your options

Your options when you’re being a victim of the attack are the following:

  • try to remove the malware
  • pay the ransom
  • wipe the device(s) and reinstall from scratch

Paying the ransom is usually considered a bad idea because it encourages more ransomware, and in lots of cases, the unlocking of the encrypted files is not successful. Even if you decide to pay, it is a strong possibility you won’t get back your data. That leaves you with two other options: removing the malware and selectively restoring your system or wiping everything and installing from scratch.

5. Secure backups

Although backups play a crucial role in the remediation, it is important to understand that they are not immune to ransomware. Much modern malicious software will specifically target a company’s backups and try to encrypt, override or delete them. In that case, you must secure your backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is fixed.

6. Identify the source

  • After disconnecting the infected devices, find the source by investigating your network.
  • If you have a big organization, it might seem a bit difficult for you to find “patient zero.” Therefore, you’ll have to reach out to your employees to find who was first targeted with the attack. Try to find out either they clicked on a link in an email that caused the ransomware to breach or noticed unusual prompts in their browsers.
  • You will also need to determine what permissions we needed to modify the files and who has these permissions.
  • Once you found patient zero, you might be able to limit the infection by acting quickly. However, keep in mind that most infections don’t even get noticed until the entire operation is completed.

7. Decrypt the files

  • Depending on the ethics of the attacker, you may receive a tool to decrypt the files once the ransom is paid. Therefore, you have to use the software provided by the attacker to decrypt the files.

8. Restore or start fresh

  • Whether you can successfully and completely remove an infection is debatable. A working decryptor doesn’t exist for every known ransomware. Therefore the newer the malicious software, the more sophisticated it’s likely to be, and the less time the good guys have had to develop a decryptor.
  • The surest way of being certain that ransomware has been removed from the system is to do a complete wipe of all storage devices and reinstall everything from scratch. In addition, formatting the hard disks in your system will ensure that no pieces of malware remain.

Final thoughts

It is clear now that the best way to respond to a ransomware attack is to avoid having it on in the first place! And how do you do that? Only two essential actions:

  1. Train your employees to be careful
  2. Make sure you have good backups

At this point, you should know how to react when dealing with a ransomware attack to protect your business!


by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! Love to write passionately about any subject and my mainly inspiration are people's stories. You can also find me on social media, for some more friendly things!

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.