Ransomware Recovery: What to do if you’ve been targeted by a ransomware attack

Step 1: Identify the attack

This one may seem obvious, but it’s important. Before you can take any further steps, you’ll have to determine that you were in fact targeted by a ransomware attack. As BakerHostetler outlines on its website, if you’ve been hit with ransomware, you’ll know it. Rather, it will make itself known, “typically in the form of a pop message or decryption instructions placed in the same directory as the encrypted files.”

Forbes suggests that you record the details of the ransom note if it appears on your screen, which may contain instructions on how to pay the ransom (if you choose to pay it), as well as key information that could help recovery teams determine which type of ransomware you’re dealing with.

Step 2: Take everything offline

Once you’ve determined that you’ve been hit with ransomware and recorded the necessary details, it’s time to act fast and disconnect everything immediately.

This includes unplugging your computer from the network if it’s hooked up to an Ethernet cable, turning off WiFi and Bluetooth connections, and disconnecting anything connected externally such as USB drives, external hard drives, or phones. You should also disable any shared drives and isolate your backups. The faster you do this, the less likely it is that ransomware will continue to spread through your network.

Step 3: Assess the damage

CISO recommends that once you’ve disconnected everything, it’s time to determine the scope of the infection. This involves checking mapped or shared drives and folders, network storage devices, external hard drives, USB storage devices, and cloud storage from a “known good, uninfected computer” for signs of encryption. Knowing the scope of the problem you’re dealing with will help you map out an action plan and know what to prioritize.

Step 4: Do an inventory of data and credentials

Next, you’ll need to figure out if any data or credentials have been stolen by the threat actors. As KnowBe4 outlines, there are a few different avenues you should check out.

First, check logs and data loss prevention (DLP) software for any signs of data leaks. Next, look for any large archival files that contain confidential data that could have been used as staging files. You should also look for malware, tools, and scripts that could have been used to copy your data.

Knowing exactly what has been compromised is important. Not only will it help you determine how to move forward in a recovery sense, but it will also determine your messaging about what has happened and how it’s impacted your business and other stakeholders.

Step 5: Classify the attack

Next, as CISO recommends, you’ll need to determine the ransomware strain you’re dealing with, whether it’s a Ryuk attack, CryptoWall, or some other strain entirely. This will help you figure out if there is a decryptor available, and how you might go about getting your data back.

Step 6: Build an action plan

If you’ve taken the time to run a tabletop exercise before the attack, this is where you’ll bring it to life. If not, you’re not done for—you’ll just have to act fast to make decisions and get things moving.

As KnowBe4 outlines in their ransomware checklist, you have a number of responses available to you. How you proceed depends on the type of ransomware you’re dealing with, how much damage it’s inflicted on your organization, and whether you are willing to pay the ransom or not.

Option 1: Not paying the ransom

If you are not planning on paying the ransom and you need to restore your files, KnowBe4 suggests that you locate your backups, remove the ransomware from your infected system, and restore the files from your backups.

If you are not able to restore your files from backups, you can try to decrypt your infected files. This involves determining the strain and version of ransomware, locating a decryptor, and then attempting to decrypt the files.

Finally, if decryption is not possible, you should remove the ransomware and backup your encrypted files so that they may be decrypted in the future.

Option 2: Paying the ransom

KnowBe4 also has a suggested protocol for if you decide to pay the ransom. But remember, before you work out the transaction, you may want to try to negotiate a lower ransom amount or a longer payment period.

Once that’s done, you can determine how you’ll pay the ransom (many are paid with Bitcoin, so this might also involve purchasing Bitcoin). From there, you’ll be able to re-connect your computer to the internet, pay the ransom, ensure all devices with encrypted files are connected to your computer, and then wait for decryption to begin.