What action should be taken after ransomware attack?

What is ransomware?

Ransomware is a type of malicious software that encrypts files on a device or network, preventing the owner from accessing them. The attacker demands a ransom payment in cryptocurrency to provide the decryption key and restore access. Ransomware has become a major cyber threat in recent years, with attacks increasing in frequency, sophistication and cost. Some of the most damaging ransomware strains include WannaCry, NotPetya, Ryuk and Conti.

Ransomware is typically delivered through phishing emails, compromised websites or unsecured Remote Desktop Protocol connections. Once executed, it quietly encrypts files and may also encrypt system backups to make recovery more difficult. A ransom note is displayed demanding payment, often with a threat of deleted files if the deadline passes. Most ransomware aims to infect systems of businesses and organizations where disruption has a high impact.

What are the immediate actions after an attack?

When ransomware is detected, containment is the top priority to prevent further damage. Immediate actions include:

– Disconnect infected systems from all networks, Wi-Fi and VPN connections. This helps stop lateral spread.

– Shut down any running processes associated with the infection. Ransomware often leaves processes running to communicate with command and control servers.

– Identify the variant, scope and origin if possible. This provides clues for decryption tools and other countermeasures.

– Check if files are actually encrypted or just renamed. In some cases, files may appear encrypted but are recoverable.

– Determine if any recent system backups hold clean, decryptable copies of files. Backup systems should be immediately isolated.

– Notify senior leadership, legal counsel and cyber insurers per incident response plans. Expert input will be needed.

– Report the attack to law enforcement such as the FBI Cyber Crime unit if organization policy requires it. They may assist with forensic analysis or ransom negotiations.

– Initiate dialog with the attackers only after containment and analysis. This helps assess options before “tipping your hand.”

– Begin tracking costs associated with system downtime, clean up and lost business as soon as possible. Accurate cost estimates are essential for insurance claims.

Should ransom be paid to decrypt files?

Paying ransom should be carefully considered based on the specific circumstances:

– Paying does not guarantee files will be recovered. Hackers do not always honor agreements.

– It encourages and funds criminal activity. There are ethical concerns with paying criminals.

– Alternate decryption options may exist. Security researchers sometimes break ransomware strains and release free decryption tools.

– Files may be retrievable from backups. Restoring from backups is preferable to paying ransom.

– The ransom amount may exceed the value of encrypted data. Paying high ransom amounts can be difficult to justify economically.

– Some ransomware uses persistent backdoors to re-infect after payment. Attackers may demand more money in the future.

However, paying ransom may be justified if:

– No backups are available and downtime cannot be sustained.

– Threat actors provided proof they can decrypt files after a small test payment.

– The ransom amount is less than the cost of business disruption and remediation.

– Files are mission critical with no options for recreation or workarounds.

If the decision is made to pay, precautions include using an experienced negotiator, paying only the minimum amount, verifying decryption capability, and requiring the attackers purge compromised data.

How can files be recovered without paying ransom?

Several alternatives to paying ransom exist which should be explored first:

– **Restore from backups** – Uninfected backups provide the fastest way to recover encrypted files. Air-gapped, immutable backups provide the best protection.

– **Use official decryption tools** – Free decryption tools are sometimes released for older ransomware strains. Check sites like nomoreransom.org.

– **Work with security researchers** – Researchers may independently develop decryption tools. However, results are not guaranteed.

– **Attack the encryption** – In some cases, flaws exist that allow decryption via methods like brute force password cracking. This requires technical expertise.

– **Perform forensic analysis** – Investigating the infection may uncover server locations, encryption keys or other clues that enable decryption.

– **Reconstruct key files** – For critical files with no backups, manually recreating or extracting data from previous versions may be possible.

– **Disable ransomware** – If active processes are uncovered, stopping the executing binary may disable encryption in some instances.

– **Wipe and rebuild systems** – As a last resort, wiping systems and rebuilding from scratch will resolve infection. Data loss will occur.

File recovery without paying ransom should be attempted first, but is not always successful. The viability depends on the ransomware variant and expert assistance is recommended. If decryption is truly impossible, disaster recovery plans, including fail-overs and ramping additional capacity may enable business continuity.

How can files and systems be restored after decryption?

After obtaining the decryption key and unlocking files, focus shifts to restoring systems and data. Steps for safely restoring encrypted systems include:

– Decrypt a test subset of files first and verify correct operation.

– Strictly follow decryption instructions provided. Errors may corrupt data.

– Decrypt files on copies or backups first before production data.

– Isolate decrypted systems and scan thoroughly for remnants before reconnecting to networks.

– Restore decrypted files from quarantined folders into staged folders organized by data owner.

– Validate integrity of decrypted files against hashes or signatures. Verify no corruption.

– Work with data owners to check for completeness and manually restore missing critical files.

– After data validation, move files into production folders and systems.

– Gradually restore services and monitor systems. Contain any suspicious activities.

– Run full anti-virus scans. Completely wipe and rebuild compromised systems if needed.

– Force password resets across all infrastructure and implement strict security controls on any opened RDP ports.

– Assure backups are free from infection then run complete backups to re-protect data. Consider air-gaped backups.

With critical files decrypted and restored, focus turns to strengthening defenses and rectifying vulnerabilities the attackers initially leveraged to infiltrate networks.

What steps can prevent future ransomware attacks?

A combination of technology solutions and user education is required to guard against ransomware and minimize cyber risk overall. Protective measures include:

**Network security**

– Implement intrusion prevention and detection systems to block known threats. Maintain signatures and monitors for rapid response.

– Segment networks with firewalls and ACLs to contain threats. Limit lateral movement opportunities.

– Disable unused remote access protocols. Enable only where required and maintain RDP hygiene.

– Require VPN for external connections. Enforce MFA and limit access to only necessary resources.

**Email and web security**

– Employ inbound email filtering and blocking for spam, phishing attacks and malicious attachments / links.

– Educate users on phishing tactics. Encourage reporting of suspicious emails.

– Block access to disreputable websites via blacklists. Ban high-risk categories across network.

– Limit user privileges. Prevent downloads and installs without administrative approval.

**Endpoint protection**

– Maintain comprehensive anti-virus tools on all endpoints. Ensure real-time scanning and signature updates.

– Enable host-based firewalls and intrusion systems to block malicious processes.

– Regularly patch operating systems, software and firmware to eliminate vulnerabilities.

– Implement application allowlisting to prevent unauthorized executables.

**Backups and recovery**

– Maintain both onsite and offsite backup copies. Test restoration regularly.

– Implement immutable backups that cannot be deleted or encrypted.

– Store backups offline and isolated from networks with air-gaps or physical separation.

**Access controls and policies**

– Enforce least privilege permissions tightly tied to job functions. Limit admin rights.

– Implement strong, complex password policies across all systems and apps.

– Educate users never to share credentials or reuse passwords across accounts.

– Rapidly disable accounts after employee departures.

– Develop clear cyber security and internet usage policies.

**Continuous training**

– Educate through realistic phishing simulations to raise awareness.

– Keep users updated on latest threats and response procedures.

– Ensure training completion is mandatory and repeatedly administered.

With a defense-in-depth strategy combining the above technology and policy protections, organizations substantially reduce likelihood of ransomware success and minimize business disruption if an attack occurs. However, cyber security requires ongoing vigilance and continuous improvement as new threats emerge.


Ransomware presents a severe danger to businesses and organizations, threatening disruption, high costs and loss of critical data. When attacks strike, containing infection is the immediate priority, followed by determining options for file recovery with assistance from legal counsel and cyber insurers. Alternatives to paying ransom such as restoring from backups should be pursued first, but paying may be warranted if needed data cannot be retrieved any other way. Once files are restored, focus shifts to strengthening defenses across endpoints, networks and users to prevent repeat attacks. With advanced preparation and testing, proactive security measures, and rapid response when incidents occur, enterprises can manage ransomware risks and maintain operations if hackers come knocking.