10 steps to follow after a ransomware attack
Imagine putting the finishing touches to an important work report when you suddenly lose access to all files. Or you get a weird error message asking you to send Bitcoin to decrypt your computer.
Whatever the scenario, a ransomware attack can be devastating for its victims. Let’s learn more about ransomware and the immediate actions you can take following a ransomware attack.
What is ransomware?
Ransomware is a malicious attack that leaves your data locked or encrypted by anonymous cybercriminals. Attackers provide instructions on how to decrypt the files, and victims can potentially recover their files after paying a hefty “ransom” in advance.
Certain activities can lead to a ransomware attack. To a large extent, two malicious tactics known as “social engineering” (tricking a user into granting access) and “lateral movement” (spreading from one compromised system to others on the network) are involved.
In some cases, cybercriminals can organize a ransomware attack in advance and execute it later, so that the actual attack can occur days after network infiltration.
Steps to follow after being affected by ransomware
Prevention is the best form of defense against ransomware. If you or your business doesn’t have strong preventative security measures in place, you can often find yourself in the middle of a ransomware attack.
A ransomware attack can be totally devastating. But if you act quickly immediately after a ransomware attack, you can mitigate some of the damage.
Here are 10 steps to take after a ransomware attack.
1. Stay calm and collected
It is difficult to stay calm and collected when you cannot access important files on your computer. But the first step to take after being affected by ransomware is to not panic and keep a cool head.
Most people are quick to pay the ransom before they analyze the seriousness of the situation they find themselves in. Remaining calm and taking a step back can sometimes open the door to negotiations with the attacker.
2. Take a photo of the ransomware note
The second step is to immediately take a photo of the ransomware note on your screen via your smartphone or camera. If possible, also take a screenshot of the affected machine.
This will help you file a police report and speed up the recovery process.
3. Quarantine affected systems
It is important to isolate affected systems as soon as possible. Ransomware typically scans the target network and spreads laterally to other systems.
It is best to keep affected systems separate from the network to contain the infection and prevent the spread of ransomware.
4. Look for decryption tools
Fortunately, there are plenty of decryption tools available online, in places like No More Ransom.
If you already know the name of your ransomware strain, you can simply plug it into the website and search for the corresponding decryption tool. The list is not alphabetical, and the site adds new decryption tools at the bottom of the list.
5. Disable maintenance tasks
You should immediately turn off automated maintenance tasks, such as deleting temporary files and rotating logs, on affected systems. This will prevent these tasks from interfering with files that could be useful for forensic analysis and investigation.
6. Disconnect backups
Most modern ransomware strains immediately attack backups to thwart recovery efforts.
Thus, it is imperative for you or your organization to secure your backups by separating them from the rest of the network. You should also lock out access to backup systems until the infection is removed.
7. Identify the attack variant
To determine the ransomware strain, you can use free services such as Emsisoft’s online ransomware identification tool or ID Ransomware.
These services allow users to upload a sample of an encrypted file, any ransom note left behind, and the attacker’s contact information, if applicable. Analysis of this information can identify the type of ransomware strain that impacted the user’s files.
8. Reset passwords
Change all online and account passwords after you disconnect the affected systems from the network.
Once the ransomware is removed, you must change all system passwords again.
9. Report ransomware
As soon as you notice a ransomware attack, be sure to contact law enforcement.
Ransomware is a crime and should be reported to local law enforcement authorities or the FBI. Even though law enforcement can’t help you decrypt your files, they can at least help others avoid a similar fate.
10. Decide whether to pay or not
Deciding whether to pay the ransom is not an easy decision and comes with pros and cons. Only pay if you have exhausted all other options and the loss of data is more damaging to you or your business than paying the ransom.
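Several of the steps above (preserve the ransom note, keep the quarantined host untouched, gather what an identification service such as ID Ransomware asks for) can be supported by a small read-only evidence-collection script run on the already isolated machine. The following Python script is an added example written for this article; it is not the article’s own tooling nor code from No More Ransom, Emsisoft or ID Ransomware. The ransom-note file-name patterns, the list of original extensions, the `.locked` extension and the directory tree it builds are constructed assumptions for the demo, and the contact address it finds is a placeholder.

```python
"""Ransomware triage collector: preserve evidence and gather what an
identification service needs (ransom note, encrypted samples, contact
details) without modifying any file on the isolated host.

Added example for this article; NOT the article's own tooling. The
note-name patterns, extension list and demo tree are assumptions."""
import hashlib
import json
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: words ransom-note file names commonly contain. Extend per incident.
NOTE_NAME = re.compile(r"(readme|restore|decrypt|how_to|recover)", re.I)
NOTE_EXT = {".txt", ".html", ".hta"}
# Assumption: original extensions expected under an appended ransomware
# extension (report.docx -> report.docx.locked).
ORIGINAL_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".sql"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def sha256_file(path: Path) -> str:
    """Hash in chunks so large encrypted files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, max_samples: int = 3) -> dict:
    """Read-only walk: collect notes, a few encrypted samples, extension stats."""
    notes, samples, contacts, ext_counter = [], [], set(), Counter()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() in NOTE_EXT and NOTE_NAME.search(p.stem):
            text = p.read_text(errors="replace")
            contacts.update(EMAIL_RE.findall(text))
            notes.append({"path": str(p.relative_to(root)),
                          "sha256": sha256_file(p), "text": text[:500]})
            continue
        suffixes = [s.lower() for s in p.suffixes]
        if len(suffixes) >= 2 and suffixes[-2] in ORIGINAL_EXT:
            ext_counter[suffixes[-1]] += 1
            if len(samples) < max_samples:
                samples.append({"path": str(p.relative_to(root)),
                                "sha256": sha256_file(p),
                                "size": p.stat().st_size})
    return {
        "root": str(root),
        "ransom_notes": notes,
        "contacts": sorted(contacts),
        "encrypted_samples": samples,
        "appended_extensions": dict(ext_counter),
    }


def build_demo_tree() -> Path:
    """Constructed sample data for the demo; nothing here is a real incident."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.locked").write_bytes(os.urandom(256))
    (root / "docs" / "budget.xlsx.locked").write_bytes(os.urandom(256))
    (root / "photo.jpg.locked").write_bytes(os.urandom(128))
    (root / "notes.txt").write_text("an untouched file\n")
    (root / "README_TO_RESTORE.txt").write_text(
        "Your files are encrypted. Contact decrypt-help@example.com\n")
    return root


if __name__ == "__main__":
    # The JSON report, plus the hashed files themselves, is what you hand to
    # law enforcement and to an identification service.
    print(json.dumps(triage(build_demo_tree()), indent=2))
```

The script never writes inside the tree it inspects, and it records a SHA-256 for every artifact it collects, so the copies you later upload or hand over can be shown to be identical to what was on the machine. Run it from removable media or a separate account rather than installing anything on the compromised host.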
Tips to Mitigate Ransomware Attacks
The growing prevalence of cybercrime is pushing organizations to rethink their security strategies. Here are some tips that can help you mitigate ransomware attacks.
- Restrict administrative privileges: Be careful when assigning administrative privileges, as the administrator account has access to everything, including changing configurations or bypassing critical security settings. Always apply the principle of least privilege (PoLP) when granting any type of access.
- Patch applications: If you discover a vulnerability in software you run, patch it as soon as possible to prevent its exploitation by attackers.
- Use application whitelisting: Application whitelisting is a proactive threat mitigation technique that allows pre-authorized programs to run while all others remain blocked by default. It helps identify unauthorized attempts to execute malicious code and also prevents unauthorized installations.
- Beware of emails: Email is the most common delivery vector for ransomware, so it is imperative to strengthen email security. A secure email gateway filters all email communications and can add URL defenses and attachment sandboxing to identify threats proactively. Beyond blocking phishing before delivery, also pay attention to post-delivery protection for messages that have already reached inboxes.
- Provide security awareness training: Since human behavior is the root of all ransomware attacks, security awareness training is a must for all employees. This training is imperative because it teaches users to distinguish real threats from legitimate messages.
- Use multi-factor authentication: Multi-factor authentication (MFA) adds an additional layer of security by requiring at least two pieces of evidence to log in to remote access solutions, online banking, or other privileged actions that handle sensitive information.
- Use daily backups: Regular data backups are an integral part of a disaster recovery plan. In the event of a ransomware attack, you can recover and access the saved data. Even without a decryption tool, you can get your original data back by restoring from a good backup.
In addition to being very careful, always remember that malware attacks, including ransomware, target unpatched and obsolete software. It is therefore important that all software running on your machine is up to date with all of the latest security updates in place.
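Step 6 above warns that modern strains go after backups first, and the last tip relies on restoring from a good backup. A practical way to know whether a backup set is still good is to record a hash manifest while the set is known clean and keep it somewhere the backup host cannot write, then compare before restoring; files that changed and now look like random bytes are the usual sign that the backup itself was encrypted. The following Python script is an added example written for this article, not the article’s or any backup product’s own code; the directory, file contents, the simulated attack and the 7.5 bits-per-byte entropy threshold are constructed assumptions for the demo.

```python
"""Verify a backup set against an off-host manifest before restoring it.

Added example for this article, not the article's own tooling. Ransomware
that reaches the backups usually overwrites or renames the files; comparing
hashes to a manifest recorded earlier, and measuring byte entropy of anything
that changed, shows whether the set is still safe to restore from.
The demo directory, its files and the attack simulation are constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: encrypted or compressed data sits near 8.0 bits/byte; plain
# documents and text are usually well below this.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(backup_dir: Path) -> dict:
    """Relative path -> sha256 for every file. Store the result where the
    backup host cannot write (separate account, read-only store); otherwise
    an attacker on that host can simply regenerate it after encrypting."""
    return {str(p.relative_to(backup_dir)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the current backup contents with the trusted manifest."""
    current = write_manifest(backup_dir)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    # Changed or unknown files with near-random content are the classic sign
    # that the backup itself has been encrypted.
    likely_encrypted = sorted(
        k for k in modified + unexpected
        if shannon_entropy((backup_dir / k).read_bytes()) > ENTROPY_THRESHOLD)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": modified, "missing": missing, "unexpected": unexpected,
        "likely_encrypted": likely_encrypted,
        "safe_to_restore": not modified and not missing,
    }


def demo() -> tuple:
    """Constructed scenario: a clean backup, then ransomware touching two files."""
    backup = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (backup / "db.sql").write_text("INSERT INTO t VALUES (1);\n" * 100)
    (backup / "config.ini").write_text("[app]\nmode=prod\n" * 50)
    (backup / "notes.txt").write_text("keep me\n" * 100)
    manifest = write_manifest(backup)          # taken while the set was good
    clean = verify_backup(backup, manifest)

    # Simulated attack: one file encrypted in place, one encrypted and renamed.
    (backup / "config.ini").write_bytes(os.urandom(4096))
    (backup / "db.sql").unlink()
    (backup / "db.sql.locked").write_bytes(os.urandom(4096))
    return clean, verify_backup(backup, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("clean set safe to restore:", before["safe_to_restore"])
    print("after attack:", after)
```

The check only works if the manifest was taken while the backup was trustworthy and is kept out of reach of the host being backed up; the entropy test is a heuristic, so legitimately compressed or already-encrypted archives will also score high and should be whitelisted by path rather than by content.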
Defend yourself against ransomware
If you are the victim of a ransomware attack, keep in mind that you can reduce its impact if you take quick and immediate action after the attack.
Although simple in concept, ransomware is relentless and damaging. But with due diligence and following good security hygiene, you can stop these malicious attacks before they cause significant damage.