Ransomware and Beyond series

Ransomware Recovery: What to do if you’ve been targeted by a ransomware attack

By now, we’ve looked at several different aspects of the ever-present threat of ransomware: what it is, where it came from, how it works, how it enters networks, and how you can prevent it. Now it’s time to talk about the scenario no one wants to think about: being the victim of a ransomware attack.

The sad truth is that even the most stringent prevention measures sometimes aren’t enough to keep a ransomware attack from occurring. Once it happens, the best you can do is try to minimize damage and get to work restoring things as best you can.

Ransomware attackers bank on the fact that enduring a ransomware attack is a stressful and unpleasant situation for victims. The upside of that is every bit of preparedness you can gather ahead of time will take some of that power away from them. If you have a checklist of what to do in the event that you’re targeted by an attack, you’ll be at an advantage.

Step 1: Identify the attack

This one may seem obvious, but it’s important. Before you can take any further steps, you’ll have to confirm that you are in fact dealing with ransomware rather than some other outage or malware. As BakerHostetler outlines on its website, if you’ve been hit with ransomware, you’ll know it, because it makes itself known, “typically in the form of a pop message or decryption instructions placed in the same directory as the encrypted files.”

Forbes suggests that you record the details of the ransom note if it appears on your screen (a photo of the screen taken with a phone is enough and leaves the infected machine untouched). The note may contain instructions on how to pay the ransom (if you choose to pay it), as well as key information, such as the contact address and the extension added to encrypted files, that can help recovery teams determine which type of ransomware you’re dealing with.

Step 2: Take everything offline

Once you’ve determined that you’ve been hit with ransomware and recorded the necessary details, it’s time to act fast and disconnect everything immediately.

This includes unplugging your computer from the network if it’s hooked up to an Ethernet cable, turning off WiFi and Bluetooth connections, and disconnecting anything attached externally such as USB drives, external hard drives, or phones. You should also disable any shared drives and isolate your backups so the infected machine can no longer reach them. Disconnect rather than power down where you can: the machine’s memory may hold evidence that investigators need. The faster you cut the connections, the less likely it is that ransomware will continue to spread through your network.

Step 3: Assess the damage

CISO recommends that once you’ve disconnected everything, it’s time to determine the scope of the infection. This involves checking mapped or shared drives and folders, network storage devices, external hard drives, USB storage devices, and cloud storage for signs of encryption (renamed files, files that no longer open, ransom notes dropped into directories). Do this from a “known good, uninfected computer,” mounting the storage read-only where possible so the check cannot alter evidence or spread the infection. Knowing the scope of the problem you’re dealing with will help you map out an action plan and know what to prioritize.

Step 4: Do an inventory of data and credentials

Next, you’ll need to figure out whether any data or credentials have been stolen by the threat actors. As KnowBe4 outlines, there are a few places to look.

First, check logs (including outbound traffic in firewall and proxy logs) and data loss prevention (DLP) software for any signs of data leaks. Next, look for large archive files containing confidential data that could have been used as staging files before exfiltration. You should also look for malware, tools, and scripts that could have been used to copy your data.

Knowing exactly what has been compromised is important. Not only will it help you determine how to move forward in a recovery sense, but it will also determine your messaging about what has happened and how it’s impacted your business and other stakeholders.
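The scope check in Step 3 and the staging-file hunt in Step 4 can be partly automated from the known-good machine. The script below is an added example written for this article; it is not code from the original page or from BakerHostetler, KnowBe4 or the other sources cited here. The ransom-note filename and body patterns, the entropy threshold, the archive-size cutoff and the sample directory tree it builds are all assumptions made for the example.

```python
"""Offline ransomware scope triage for Steps 3 and 4.

Added example, not code from the original page or the sources it cites. Run it
from a known-good machine against a READ-ONLY mount or copy of the suspect
storage (mapped drives, NAS exports, USB media). It reports likely ransom
notes, files that look encrypted, which appended extension dominates (a clue
for Step 5) and large archives that may be exfiltration staging files.
Patterns, thresholds and the constructed sample tree are assumptions.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how.?to|help)", re.I)
NOTE_BODY_RE = re.compile(r"(bitcoin|btc|decrypt|\.onion|tor browser)", re.I)
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".tar", ".gz", ".tgz"}
# Legitimately high-entropy (compressed) or plainly benign formats: a file whose
# FINAL suffix is one of these is not flagged, to avoid false positives.
KNOWN_EXT = ARCHIVE_EXT | {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mp3", ".pdf",
                           ".docx", ".xlsx", ".pptx", ".doc", ".xls", ".txt", ".csv",
                           ".db", ".log", ".html", ".exe", ".dll"}
ENTROPY_THRESHOLD = 7.5       # bits per byte; random data approaches 8.0
STAGING_MIN_BYTES = 50 << 20  # 50 MiB cutoff for staging archives (assumption)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_ransom_note(path: Path, max_bytes: int = 64 * 1024) -> bool:
    """Text-like file whose name AND body both match ransom-note patterns."""
    if path.suffix.lower() not in {".txt", ".html", ".hta", ""}:
        return False
    if not NOTE_NAME_RE.search(path.name):
        return False
    try:
        with path.open("rb") as f:
            body = f.read(max_bytes).decode("utf-8", errors="ignore")
    except OSError:
        return False
    return NOTE_BODY_RE.search(body) is not None

def looks_encrypted(path: Path, sample_bytes: int = 64 * 1024) -> bool:
    """Unknown final extension plus near-random leading bytes (see caveat below)."""
    if path.suffix.lower() in KNOWN_EXT:
        return False
    try:
        with path.open("rb") as f:
            head = f.read(sample_bytes)
    except OSError:
        return False
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD

def scan(root, staging_min_bytes: int = STAGING_MIN_BYTES) -> dict:
    """Walk `root` without writing anything and collect triage findings."""
    report = {"ransom_notes": [], "encrypted_files": [],
              "suspect_extensions": Counter(), "staging_archives": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():       # never follow links off the evidence copy
                continue
            if is_ransom_note(p):
                report["ransom_notes"].append(str(p))
                continue
            if looks_encrypted(p):
                report["encrypted_files"].append(str(p))
                report["suspect_extensions"][p.suffix.lower()] += 1
            if p.suffix.lower() in ARCHIVE_EXT and p.stat().st_size >= staging_min_bytes:
                report["staging_archives"].append((str(p), p.stat().st_size))
    return report

def build_sample_tree(base: Path) -> None:
    """Constructed sample data: two shares hit, one untouched photo and document,
    one large archive left behind in a temp directory."""
    rng = random.Random(7)
    note = ("All your files have been encrypted.\nTo decrypt them, buy bitcoin and "
            "contact us with the Tor Browser at the address below.\n")
    for share in ("finance", "hr"):
        d = base / share
        d.mkdir(parents=True)
        (d / "README_TO_RESTORE.txt").write_text(note)
        (d / "report.xlsx.locked").write_bytes(rng.randbytes(8192))
    (base / "hr" / "policy.docx").write_bytes(b"Staff leave policy, revision 4. " * 256)
    (base / "hr" / "team.jpg").write_bytes(rng.randbytes(8192))  # compressed, not flagged
    (base / "tmp").mkdir()
    (base / "tmp" / "export.7z").write_bytes(rng.randbytes(1 << 20))  # 1 MiB archive

def demo() -> dict:
    """Build the sample tree in a temp dir and scan it with a 512 KiB staging cutoff."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan(base, staging_min_bytes=512 << 10)

if __name__ == "__main__":
    print(demo())
```

Two caveats when using a heuristic like this on real storage. A strain that encrypts files in place without renaming them slips past the extension check in `looks_encrypted`; dropping that check catches it at the cost of more false positives from already-compressed media such as JPEGs and archives, which are high-entropy by nature. And the ransom-note patterns will also match the odd legitimate README, so treat the counts, in particular a note with the same name in many directories and a single unknown extension dominating the `suspect_extensions` tally, as the signal rather than any one hit. Both the note text and that dominant extension are exactly the details you will need in Step 5.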

Step 5: Classify the attack

Next, as CISO recommends, you’ll need to determine the ransomware strain you’re dealing with, whether it’s a Ryuk attack, CryptoWall, or some other strain entirely. The ransom note’s text and file name and the extension appended to encrypted files are the usual identifiers; the No More Ransom project (nomoreransom.org) hosts both an identification service and a catalogue of free decryptors. Knowing the strain tells you whether a decryptor exists and how you might go about getting your data back.

Step 6: Build an action plan

If you’ve taken the time to run a tabletop exercise before the attack, this is where you’ll bring it to life. If not, you’re not done for; you’ll just have to act fast to make decisions and get things moving.

As KnowBe4 outlines in their ransomware checklist, you have a number of responses available to you. How you proceed depends on the type of ransomware you’re dealing with, how much damage it’s inflicted on your organization, and whether you are willing to pay the ransom or not.

Option 1: Not paying the ransom

If you are not planning on paying the ransom and you need to restore your files, KnowBe4 suggests that you locate your backups, remove the ransomware from the infected systems, and restore the files from those backups. Verify that the backups themselves were not reachable from the infected machines before you trust them.

If you are not able to restore your files from backups, you can try to decrypt the infected files. This involves determining the strain and version of ransomware, locating a decryptor, and then attempting to decrypt the files.

Finally, if decryption is not possible, remove the ransomware and back up the encrypted files as they are, so that they can be decrypted if a decryptor becomes available in the future.

Option 2: Paying the ransom

KnowBe4 also has a suggested protocol for if you decide to pay the ransom. But remember, before you work out the transaction, you may want to try to negotiate a lower ransom amount or a longer payment period.

Once that’s done, you can determine how you’ll pay the ransom (many are paid with Bitcoin, so this might also involve purchasing Bitcoin). From there, the protocol is to reconnect the infected computer to the internet, pay the ransom, ensure all devices holding encrypted files are connected to that computer, and then wait for decryption to begin. Payment does not guarantee a working decryptor, so leave your backups and copies of the encrypted files untouched until you have verified that the data is actually restored.

Remember, you have options now

If we’re making it sound like dealing with a ransomware attack is easy or straightforward, it’s not. Your best course of action in any scenario is to do everything you can ahead of time to prevent ransomware. Put in place backups that are isolated from your network and that you have actually tested restoring from, and have a solid action plan ready, should you ever be targeted by an attack.

Even for the best-prepared organizations, enduring a ransomware attack is stressful, costly, and at times confusing. The more you can do in times of calm to minimize the impact of an attack, the better.
