What should you do in a ransomware attack?

Ransomware attacks are becoming increasingly common. These attacks involve malware that encrypts files on a computer or network, rendering them inaccessible. The attackers demand ransom payment in cryptocurrency to provide the decryption key. If you experience a ransomware attack, stay calm and take the following steps.

1. Disconnect infected devices from networks

As soon as you detect a ransomware attack, disconnect all infected computers and devices from wired and wireless networks. This prevents the malware from spreading to other devices and backups. Unplug Ethernet cables and disable Wi-Fi and Bluetooth on infected devices.

2. Determine the strain of malware

Identify the ransomware strain if possible. There are dozens of variants, including CryptoLocker, WannaCry, Ryuk, Conti and Phobos. Knowing the strain helps determine your options for removal, decryption and data recovery.

3. Do not pay the ransom

Security experts warn against paying the ransom. Doing so does not guarantee the attackers will provide a working decryption key. Paying also encourages more ransomware crime. Even if you pay up, the attackers may delete your files anyway.

4. Isolate or power off uninfected devices

To prevent the malware from spreading, isolate uninfected computers and devices on the same network. Turn them off if possible. Just leaving them disconnected from the infected network may not be enough, as some strains can spread via Wi-Fi signals.

5. Determine the scope of the infection

Figure out how many devices across your network were infected. Check PCs, laptops, file servers, NAS drives, backup storage, smartphones, tablets, printers, VoIP phones and any other connected equipment. The more systems compromised, the more challenging and expensive recovery becomes.

6. Check online backup history

Review your cloud backup history to determine when clean, pre-infection backups were made. Use those to restore your systems once the malware is removed. Offline backups may also be usable if protected from infection.

7. Consult incident response firms

Consider hiring professional incident responders if the attack is devastating enough. Reputable firms can isolate malware, restore data from backups and harden security to prevent a repeat. This very quickly becomes expensive but may be the only viable solution.

8. Wipe and reinstall infected systems

For extensive infections, it may be easiest to wipe hard drives and reinstall the operating system and software from scratch. Be sure to apply all security updates after reinstalling. Restore your data only from known good backups.

9. Boost your defenses

Update antivirus software, firewalls, filters and signatures across your network. Harden remote access, patch management and privileged account security. User education and training are also key to prevent falling prey again.

10. Test for lingering malware

After containing the attack, run thorough scans to check for dormant ransomware remnants. Attackers frequently leave backdoors to enable future access. Continuously monitor for suspicious activity going forward.

Key steps during a ransomware attack

Here are the key steps to take during an active ransomware attack:

1 Disconnect infected devices from networks
2 Determine the malware strain
3 Do not pay the ransom
4 Isolate or power off clean devices
5 Check scope of infection
6 Review backup history

How ransomware infects networks

Cybercriminals use various methods to infiltrate networks with ransomware, including:

  • Phishing emails with infected attachments
  • Compromised websites that download malware
  • Remote desktop protocol (RDP) brute force attacks
  • Software vulnerabilities that enable execution of malicious code
  • Droppers or downloaders installed by other malware

Once on a system, ransomware uses encryption algorithms to lock files and often spreads across networks for maximum impact. Some strains delete or steal data even if ransom is paid.

Most devastating recent ransomware strains

Major ransomware strains from the past several years include:

WannaCry (2017) – Infected 300,000 systems across 150 countries
– Disabled UK National Health Service hospitals
– Used EternalBlue exploit
NotPetya (2017) – Masked as ransomware but was wiper malware
– Crippled global firms including Maersk, Merck, FedEx
Ryuk (2018) – Attacked municipal networks, hospitals, schools
– Extorted over $150 million from victims
Sodinokibi (2019) – Also known as REvil, hit 400+ firms worldwide
– Compromised celebrity law firm Grubman Shire Meiselas & Sacks

Average ransom amounts

The average ransom payment has skyrocketed, exceeding $200,000 in some quarters according to research:

Q4 2019 $84,116
Q1 2020 $111,605
Q2 2020 $178,254
Q3 2020 $233,817

However, only 65% of ransomware victims managed to recover their data after paying up, according to Sophos.

Most affected industries

Examples of industries most impacted by ransomware attacks include:

  • Education
  • Healthcare
  • State and local government
  • Transportation and shipping
  • Financial services
  • Manufacturing
  • Technology

These industries tend to have complex networks, valuable data and insufficient cybersecurity budgets and awareness. Healthcare organizations are often underprepared and overworked.

Warning signs you may be under attack

Signs a ransomware attack may be underway include:

  • System slowdowns, crashes and reboots
  • Encryption progress bars display on files
  • Folders, files and icons disappear
  • Error messages about corrupt or inaccessible files
  • Ransom notes appear on screens demanding payment
  • Programs and services stop functioning

At this point, the malware is actively encrypting and spreading. Disconnect infected devices immediately.

How to prevent ransomware

Steps to protect yourself and your organization from ransomware include:

  • Back up data regularly and keep some backups offline
  • Install, update and properly configure antivirus and anti-malware software
  • Be extremely cautious of phishing emails and do not open attachments or click links from unknown senders
  • Enable spam filters and multi-factor authentication
  • Only download software from trusted sources; do not “sideload”
  • Patch and update operating systems, software and firmware
  • Segment networks and limit excessive user privileges
  • Disable RDP if not absolutely needed or put behind VPN
  • Educate employees on cybersecurity best practices

Should ransomware attacks be reported?

Absolutely. Ransomware attacks should be reported to:

  • Local law enforcement
  • FBI or Secret Service Cybersecurity field offices
  • U.S. Treasury Department (for attacks on critical infrastructure)
  • Internet Crime Complaint Center (IC3)

Reporting helps authorities track ransomware attackers, trends and global threats. It also helps you demonstrate due diligence to customers and compliance enforcers.

Will cyber insurance cover ransomware?

Most cyber insurance policies cover some ransomware-related losses, including:

  • Extortion payments (although not recommended)
  • Cost of investigation
  • Restoration of compromised data
  • Business interruption losses
  • Crisis management services
  • Cyber extortion expenses
  • Computer forensic expenses
  • Public relations services

However, insurers are increasingly limiting coverage for firms with poor security controls. Maintaining backups and prompt attack reporting also help ensure coverage.

Using ransomware decryptors

Security researchers sometimes develop free decryption tools for specific ransomware strains. Two options include:

  • NoMoreRansom.org – Collaboration between Europol, law enforcement and researchers with over 140 free decryptors.
  • Avast Decryption Tools – Free decryption tools for strains such as Shade, HiddenTear, Jigsaw and more.

Decryptors are not available for all strains. Little hope exists for unlocking files without the attacker’s private key. Still, decryptors are worth checking for newly emerging ransomware.

Should you pay the ransom?

Most experts recommend not paying ransoms for the following reasons:

  • No guarantee you’ll get decryption key
  • Attackers often increase demands after initial payment
  • Paying encourages more attacks
  • Ransom funds support criminal activities
  • Payment may violate laws against supporting terrorism

However, some organizations calculate that paying is cheaper than losing critical data and productivity. Weigh the risks carefully before deciding.


Ransomware attacks can be devastating but proper preparation and response limits the damage. Isolate infections immediately, assess the impact, restore from clean backups and harden defenses across the board. With vigilance and sound security practices, you can minimize both the frequency and consequences of ransomware attacks.