What is the first action to take against ransomware?

Ransomware is a type of malicious software that encrypts files on a device and demands payment in order to decrypt them. It has become an increasingly common cyber threat in recent years. When ransomware infects a device or network, the first reaction is often panic. However, giving in to that panic can lead to rushed decisions that may make the situation worse. Instead, the absolute first action to take when faced with a ransomware attack is to stay calm and execute a planned response.

Why is staying calm important?

Ransomware attacks are designed to cause as much disruption and damage as possible in a short period of time. The attackers are counting on the victim making mistakes in their haste to regain access to their files and systems. By staying calm, you can help minimize the amount of damage caused and carefully consider the next steps rather than reacting rashly.

Some key reasons why staying calm matters:

  • Panic leads to poor decision making – Rushed or emotional decisions often turn out to be the wrong ones when dealing with cybersecurity incidents.
  • Calmness allows a methodical approach – A measured response focused on established plans and procedures will be more effective.
  • Attackers want you rattled – Panic plays right into the attackers’ hands.
  • Others will follow your lead – Your composure sets the tone for the rest of the response team.

By keeping calm in the face of an attack, you put yourself in the best position to minimize disruption and damage while responding properly.

What is the first step in the planned response?

Once you have committed to remaining calm, the next immediate step is to isolate the infected devices to prevent the ransomware from spreading further in your network. This involves:

  • Disconnecting infected devices from any networks they are on. This includes disconnecting any storage devices or cables.
  • Shutting down or disconnecting any wireless capabilities on infected devices.
  • Disabling remote access to infected devices.

Isolating the initially infected devices prevents additional files and systems from being encrypted. In a hyperconnected world, infections can spread in seconds once ransomware gets an initial foothold. Prompt isolation limits the magnitude of the outbreak.

Ideally, your ransomware response plan will have identified high-risk endpoints and users ahead of time. This makes it easier to quickly isolate probable infection points when an attack begins.

Why is isolation so important as a first step?

Here are some key reasons isolation needs to happen immediately:

  • Prevents spread of infection – Disconnecting infected devices keeps ransomware from compromising more systems.
  • Limits damage – The smaller the ransomware outbreak, the less data is encrypted and held for ransom.
  • Makes remediation simpler – Contained infections are easier to address than widespread compromise.
  • Allows time to plan – Isolation buys time to develop an effective tailored response.
  • Can reduce costs – Preventing spread may avoid the need to pay ransom on numerous systems.

Isolation enables you to regroup and determine the root cause of the infection before the attackers can capitalize further on their access. It is an essential first move when responding to ransomware.

How can you quickly identify infected devices?

When isolation needs to happen immediately, how can you accurately identify which devices have been infected by ransomware? There are a few key signs to look for:

  • Activity spikes – Unusually high CPU, disk, or network activity can indicate encryption processes running.
  • Failed file access – Inability to open files that were previously accessible often means encryption.
  • Renamed files – Many ransomware variants rename files by appending extensions like “.encrypted”.
  • Ransom notes – These text or HTML files contain instructions for paying ransom to decrypt data.
  • Screen changes – Some ransomware displays ransom payment screens on infected devices.

Tools like endpoint detection and response software can also automatically identify ransomware activity based on behavior analysis and trigger alerts. This allows infected devices to be isolated right when malicious encryption starts.

What happens after isolating devices?

Once infected endpoints have been disconnected from networks, the next priority is determining the root cause and extent of the infection. This involves:

  • Analyzing malware samples – Captured ransomware samples are dissected to identify vulnerabilities exploited.
  • Evaluating attack vectors – How ransomware entered the environment guides future defense improvements.
  • Inventorying compromised data – Knowing what data is impacted determines if backups can recover.
  • Assessing damage and risks – A comprehensive inventory of affected assets and related risks enables decision-making.
  • Contacting law enforcement – Authorities may aid investigations, particularly if an organized crime group is responsible.

This information then allows development of a remediation plan tailored to the specifics of the attack. Options like restoring from clean backups, decryption tool availability, or negotiated ransom payment can be weighed against business priorities.

Additional key steps in the plan may include:

  • Communicating with staff and leadership – Keep stakeholders informed of response progress and impact.
  • Rebuilding compromised systems – Completely rebuilding infected systems reduces likelihood of backdoors.
  • Improving defenses – Update antivirus, firewalls, VPNs and other security controls as needed.
  • Increasing user training – Educate staff on updated policies and ransomware red flags.
  • Testing backups – Verify backups are intact, complete and easily restorable.

Having robust backup processes in place is one of the most important defenses against ransomware. Backups allow restoration of encrypted data without needing to consider ransom payment. Testing backup recoverability should be part of any response.

Should you pay the ransom?

Paying ransom demands is a complex decision. Considerations include:

  • Data criticality – How essential is prompt access to encrypted data for business operations?
  • Backup status – Are accessible backups available to recover encrypted files?
  • Decryption options – Are free decryption tools available for the ransomware strain?
  • Ransom amount – Is the ransom financially reasonable compared to other options?
  • Trustworthiness – Is there confidence the attackers will properly decrypt data after payment?

In some cases, paying a ransom may be the most cost-effective way to resume business operations. This should only be considered after careful analysis of all alternatives.

There are also ethical considerations. Payment incentivizes and funds future ransomware attacks. However, for organizations for which immediate data access is essential, payment may be the only realistic option. There are persuasive cases on both sides of this issue.

Key factors arguing against paying ransom include:

  • No guarantee of decryption – Attackers may still not provide a working decryption key after receiving payment.
  • Encourages more attacks – Ransoms fund development of new ransomware and incentivize more attacks.
  • May violate laws – Payment of cyber extortion is illegal in some jurisdictions.
  • Loss of leverage – Payment leaves victim with little leverage for negotiating a lower ransom.
  • Availability of options – Backups, decryptors and system rebuilding provide alternatives to payment.

There are certainly situations where payment is warranted, but it should not be the default option. Evaluate all alternatives thoroughly before electing to pay.

How can impacts be minimized during remediation?

After isolating devices and investigating the attack, focus turns to containing the damage and restoring operations through remediation. This process can take days or weeks depending on the scale of infection. During remediation, business impacts can be minimized through steps like:

  • Working from backups – Access archived, unencrypted data copies where possible.
  • Single user mode – Limit functionality during rebuilds to core duties per user.
  • Switching to manual processes – Handle data activities directly where automated systems unavailable.
  • Communicating status – Keep users aware of remediation timeframes and workarounds.
  • Temporarily restricting access – Limit use of systems to essential personnel during cleanup.
  • Using loaner devices – Provide temporary PCs/devices to maintain workflows.
  • Prioritizing functions – Restore mission-critical systems and data first.

Planning should identify time-sensitive business processes and personnel that will require continuity of operations support during remediation. Creative workaround solutions may be needed in some cases.

How can the risk of ransomware be reduced going forward?

Recovering from a ransomware outbreak can be extremely costly in terms of direct impacts and lost productivity. Preventing infections in the first place should be a top priority. Some key best practices include:

  • User security training – Educate staff on ransomware red flags and safe practices.
  • Email filtering – Block dangerous file types and scan attachments.
  • Vulnerability management – Promptly patch software, OSes and firmware.
  • Updated antivirus – Ensure signature-based malware detection is current.
  • Activity monitoring – Watch for suspicious file access, network traffic and system changes.
  • Least privilege – Only provide user rights needed for a role.
  • Backups – Maintain protected backups offline and regularly test restores.
  • Incident response plan – Have a detailed plan for detecting, isolating and remediating intrusions.

Defense against ransomware should involve layers of complementary controls and practices to block initial entry, halt advancement and support resilient recovery.

Here are some examples of how specific security tools can help prevent or minimize ransomware infections:


  • Blocks incoming traffic from malicious sources.
  • Prevents communications over uncommon protocols.
  • Limits outbound connections to potentially risky sites.

Intrusion Prevention System (IPS)

  • Identifies and blocks ransomware installation and movement in network traffic.
  • Uses behavior analysis to detect ransomware actions like file encryption.
  • Can automatically isolate endpoints exhibiting ransomware behavior.

Endpoint Detection and Response (EDR)

  • Tracks suspicious activities and changes on endpoints.
  • Can halt processes associated with ransomware.
  • Provides detailed analysis of malware root cause and scope.

User Behavior Analytics

  • Identifies unusual user activity indicative of account compromise.
  • Can trigger added authentication requirements during risky sessions.
  • Helps distinguish attacker actions from legitimate behavior.

Data Loss Prevention

  • Blocks unauthorized access or copying of sensitive files.
  • Prevents encryption of protected documents.
  • Limits damage if an account is compromised.

Security Information and Event Management (SIEM)

  • Correlates event log data to reveal multi-stage attacks.
  • Provides a single dashboard for monitoring diverse security controls.
  • Enables establishing baselines to detect abnormal activity.

The right blend of people, process and technology controls tailored to your risk profile offers the best defense against costly ransomware attacks. Ongoing user education and updating of controls also helps counter constantly evolving threats.


Ransomware represents a serious threat that can greatly impact business operations and finances. Careful planning and testing allows an effective response focused first on promptly isolating infected systems. This limits damage and buys time to assess options. With backups, decryption tools and diligent remediation efforts, organizations can often recover from attacks without paying ransoms. Reducing the chance of infections requires continuous evaluation of risks and deployment of layered defenses.

Staying calm, isolating compromised devices, mobilizing specialized resources, containing the outbreak, communicating status and transparently evaluating tradeoffs enables resilient recovery from ransomware. With proper planning and testing, organizations can implement response protocols that avoid being pressured into rash decisions under duress. Ongoing training, system protections and cloud backups provide additional depth of defense. Ransomware threatens businesses large and small, but its impacts can be minimized through preparation and a systematic approach.