What should you do in a ransomware attack?

Ransomware attacks are on the rise. These malicious software programs infect computer systems and restrict users’ access until a ransom is paid. Dealing with a ransomware attack can be stressful, but there are steps you can take to minimize the damage and restore your systems.

How does ransomware infect your computer?

Ransomware typically spreads through phishing emails containing malicious attachments or links. Users unknowingly enable the malware when they open attachments or click on links. Ransomware can also spread through compromised websites and vulnerable network connections.

Once activated, ransomware encrypts files on the infected system so users can no longer access them. It displays a ransom note demanding payment to decrypt the files. Payment is usually required in cryptocurrency, such as Bitcoin, to maintain anonymity.

What should you do if you’re infected with ransomware?

If you suspect your computer has been infected with ransomware, take the following steps immediately:

  • Disconnect from networks and the internet – This prevents the ransomware from spreading and encrypting files on other network devices.
  • Turn off the infected computer – This makes it harder for ransomware to operate and spread.
  • Isolate the infected computer – Separate it from other systems to prevent further infection.
  • Determine the scope of the infection – Check other computers, servers, shared drives, and backups for signs of encryption.
  • Consult cybersecurity help – Contact experienced IT security staff to assist with inspection and remediation.

Should you pay the ransom?

Most security experts advise against paying the ransom. Reasons not to pay include:

  • No guarantee files will be decrypted – Many ransomware variants delete files even after ransom is paid.
  • Paying encourages more attacks – Ransoms fund development of new ransomware and motivate criminals.
  • Other options may be available – Backup restoration or decryption tools could recover data without paying.

However, some organizations determine paying the ransom is their best option to retrieve lost data. Before considering payment, get advice from law enforcement and cybersecurity professionals.

How can you remove the ransomware?

Completely removing ransomware requires patience and technical expertise. Options include:

  • Restore from clean backups – Rollback to an uninfected backup to regain access to encrypted files.
  • Use ransomware decryption tools – Some decryption keys are available for free online.
  • Do a factory reset – Wipe the infected device and reinstall software from scratch.
  • Recover using file recovery software – Some data may be retrievable using forensic recovery techniques.
  • Reconstruct key files – Rebuild databases, configuration files, and other critical data manually.

Be cautious about continued use of infected systems in case ransomware left behind any dormant code or backdoors. Fully removing malware often requires reimaging and rebuilding devices.

How can you protect your organization from future ransomware attacks?

Strengthen your cyber defenses to reduce the risk of future ransomware attacks with these best practices:

  • Train employees on cybersecurity awareness – Educate staff to identify phishing attempts and other threats.
  • Keep software updated – Patch and upgrade programs promptly to eliminate vulnerabilities.
  • Strengthen network perimeter security – Use firewalls, email filtering, and endpoint protection systems.
  • Implement the principle of least privilege – Only provide user access to necessary systems.
  • Adopt multifactor authentication – Require additional credentials to allow access.
  • Back up data regularly – Maintain current backups offline to facilitate restoration.
  • Test incident response plans – Practice and refine response procedures through simulations.
  • Consider cyber insurance – Insurance can offset costs of recovery and ransom payments.

How can individuals protect themselves from ransomware?

End users should also take measures to avoid becoming infected with ransomware, including:

  • Avoiding suspicious links and attachments – Never open from unknown sources.
  • Using antivirus and anti-malware software – Install and maintain protections on all devices.
  • Keeping software updated – Download the latest patches and versions.
  • Backing up data – Store copies offline and test restores regularly.
  • Securing home Wi-Fi – Change default credentials and enable encryption.
  • Being wary of public computers – Don’t access sensitive accounts from shared devices.
  • Watching for phishing attempts – Verify sender addresses and hover over hyperlinks.

What information should you gather during an attack?

Capture the following information to assist with ransomware analysis and recovery:

  • Ransom note contents – Record the full text and instructions provided.
  • Ransom amount and currency – Note if the demand is in Bitcoin or another cryptocurrency.
  • Date and time of infection – Document when systems became unavailable.
  • Infection vector – Determine how the malware entered your network.
  • Network traffic – Analyze activity for connections to command servers.
  • Affected devices and accounts – List all systems and users impacted.
  • Malware samples – Isolate code and ransomware files where possible.

Providing this data to authorities and security firms aids investigation and remediation. However, only gather information using uncompromised systems to avoid tipping off attackers.

Who should you notify about a ransomware attack?

Promptly notify the appropriate internal and external parties in the event of an attack, such as:

  • C-suite and senior leadership
  • Board of directors
  • Legal counsel and compliance teams
  • Investors and shareholders (for public companies)
  • Cyber insurers
  • Law enforcement (FBI and Secret Service)
  • External IT support and security consultants
  • Crisis communications professionals
  • Technology services providers (internet, SaaS apps, etc.)
  • Industry reporting channels like MS-ISAC

Notify impacted customers and partners if their data may have been compromised. Prompt communication allows all parties to quickly take steps to support recovery efforts.

Should you communicate with the attackers?

Generally, security experts recommend against communicating directly with ransomware criminals. Reasons to avoid engagement include:

  • Talking identifies you as a willing victim for future attacks.
  • Any interaction provides information that can enable further extortion.
  • Payment discussions could be misinterpreted as negotiations.
  • Threat actors may disappear after payments without decrypting.

However, some discussions may help gather intelligence on the ransomware variant and criminals. Consult law enforcement and legal counsel before any attacker communications.

What will law enforcement do during the attack?

When notified, law enforcement will likely take the following steps during a ransomware response:

  • Document the incident details and gather evidence.
  • Analyze technical characteristics to identify the ransomware variant.
  • Determine if the attack requires a coordinated government response.
  • Provide mitigation and remediation recommendations.
  • Share ransom payment implications and legal risks.
  • Alert other potential targets to the active threat.
  • Trace financial transactions associated with ransom payments.
  • Identify the attack’s country of origin, if possible.

Law enforcement will investigate but cannot guarantee apprehension or decryption assistance. However, they provide an essential conduit for sharing threat intelligence.

What legal risks do organizations face during ransomware attacks?

Key legal issues to consider during a ransomware response include:

  • Notification obligations for data breaches involving personal information.
  • Compliance with applicable cybersecurity regulations.
  • Potential liability related to contractual service disruptions.
  • Payment demands raising sanctions or anti-money laundering concerns.
  • Concerns around unauthorized access to protected health information (PHI).
  • Impacts to intellectual property protection and proprietary information.
  • Preservation of electronically stored information for potential litigation.

Organizations should engage internal and external legal counsel to advise on required disclosures, regulatory matters, and legal risks associated with the attack and response measures.

What reporting obligations exist for ransomware attacks?

Entities suffering a ransomware attack may need to report details to various parties, including:

  • Data protection authorities – If personal data was compromised under GDPR or similar laws.
  • Industry regulators – For healthcare, finance, energy, and public utility companies.
  • Investors – Public companies may need to disclose material cyber incidents.
  • Insurance carriers – Cyber insurance policies generally require prompt breach notification.
  • Customers – Partners may need to be alerted to potential downstream impacts.

Organizations should determine reporting requirements and timeframes based on applicable laws and contracts specific to their industry and geographic location.

What are the pros and cons of working with a ransomware negotiator?

Pros Cons
  • Experienced communicating with threat actors
  • May obtain a decryptor when payments are made
  • Able to retrieve stolen data more often
  • Expensive fees reducing liklihood of payment
  • No guarantee of successful file decryption
  • May extend attack timeframes

Ransomware negotiators act as intermediaries between victims and attackers to secure data decryption. They may increase chances of recovering files but also have significant drawbacks. Organizations should weigh the costs and benefits when deciding whether to engage a negotiator.

What forensic activities are recommended after a ransomware attack?

Post-incident forensics help identify vulnerabilities leveraged by attackers and scope the systems compromised. Recommended actions include:

  • Conduct complete memory captures of infected devices.
  • Perform full packet captures of network traffic.
  • Analyze email archives for phishing lures enabling the breach.
  • Inspect logs from firewalls, endpoint detection, and other security tools.
  • Reconstruct timelines of attacker activity within the environment.
  • Search for compromised accounts and lateral movement between systems.
  • Gather ransomware samples from disk and system memory.
  • Retrieve deleted files using data recovery techniques.

Thorough forensic analysis is essential to understand what happened and prevent similar attacks. Consider engaging external experts if your organization lacks robust forensic capabilities.

What lessons should be learned from each ransomware attack?

Every ransomware attack offers opportunities for improvement. Be sure to:

  • Identify vulnerabilities and misconfigurations that enabled the breach.
  • Review security awareness and effectiveness of staff training.
  • Assess detection and response performance.
  • Determine gaps in data backups and restoration processes.
  • Improve network segmentation and access controls.
  • Update incident response playbooks based on lessons learned.
  • Strengthen relationships with cyber insurers and law enforcement.
  • Implement new technical defenses against observed attack methods.

Documenting deficiencies and applying improvements will strengthen resilience against future ransomware and other cyberattacks. Be proactive about learning opportunities presented by incidents.


Ransomware attacks can significantly impact operations and the bottom line if not handled appropriately. However, the damage can be minimized through preparedness, efficient response, and resilience best practices. Understanding what to do at each stage of a ransomware event is critical for organizations seeking to improve their cyber defenses and response capabilities.