What to do during a ransomware attack in 5 steps

Are you wondering what to do during a ransomware attack? The steps you take in the wake of ransomware incidents are crucial for your business continuity and even for the fate of your company.

If you’re frantically Googling “how to recover files from ransomware” or “what to do if you get ransomware,” you’ve come to the right place. From trying to decrypt the files to contacting law enforcement, here are five tips and best practices for what to do when ransomware strikes.

1. Restoring from backup

Maintaining regular backups of your systems, files, and applications is the best way to prepare for a ransomware incident. It’s essential that these backups are stored in a separate location that the malware cannot reach, such as an offline system or cloud storage. Otherwise, many ransomware strains are designed to locate any backups they can reach—and encrypt them, too.

Even if your IT environment falls victim to a ransomware attack, you can isolate and rebuild the affected systems, restore from backup, and regain access in a matter of hours. Losing hours or days of work is less than ideal, but it far surpasses the alternative of permanently losing access to your files and endpoints.


2. Trying to recover the files

If you don’t have backups on hand, the next best option is to try to decrypt the files and systems you’ve lost access to. Unfortunately, recovering files from ransomware this way is hit-or-miss, depending on the ransomware strain.

Certain variants of ransomware have been “cracked,” allowing victims to decrypt their files without paying. With others, however, there’s no such luck. Websites such as Kaspersky’s No Ransom offer free decryption tools for specific ransomware strains, so identify your strain (the ransom note and the extension added to encrypted files are the usual clues) and check whether it is on the list.


3. Deciding to pay the ransom

With no backups and no decryption tool available, the next action you might consider after being hit by ransomware is paying the ransom. The ransom note will usually specify the amount required to regain access to your files, as well as where to send it (usually via a cryptocurrency such as Bitcoin).

Not only does paying the ransom encourage the attackers, but it may not even work. According to a 2021 study, just 29% of ransomware victims were able to restore all of their encrypted files and systems, while 50% lost at least some files even after payment.


4. Contacting the authorities

As you recover from a ransomware attack, contacting law enforcement agencies—from your local police department all the way up to the FBI—is a wise decision. It may even be a legal obligation, depending on the relevant laws and regulations that govern your organization, or a requirement on the part of your insurance company.

Reporting the incident to the authorities is particularly important if it impacts a large number of people, involves significant data loss, or affects industries such as healthcare, infrastructure, government, or national security. When making a report to law enforcement, be prepared with the salient facts of the incident: the date of the attack, the ransomware variant (usually visible in the ransom note), the method of infection (if known), the size of the ransom, the address where the attackers are requesting payment, etc.


5. Protecting against future cyber attacks

Last but not least, guarding against future malware attacks is a crucial part of recovering from ransomware. If you want to protect your organization from the same fate again, follow the guidance below:

  • Shore up your incident response plan for responding to and remedying a malware attack. Use techniques such as tabletop exercises to simulate your ransomware response and identify points of improvement.
  • Understand the most common points of entry for ransomware. Phishing emails and internet-exposed Remote Desktop Protocol (RDP), the Microsoft service that lets IT administrators access a computer remotely, are the most frequent ransomware attack vectors.
  • Install the latest security upgrades and patches. Out-of-date systems are a tempting target for ransomware attackers, who know exactly which vulnerabilities they can exploit.
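As an added example (not part of the original post or of any UncommonX product), the following read-only PowerShell audit checks the last two points above on a single Windows host: whether RDP is enabled, whether Network Level Authentication is required, whether the inbound RDP firewall rules accept connections from any address, and how stale patching is. It assumes Windows 10/11 or Server 2016+ with the built-in NetSecurity module and runs in an elevated PowerShell session.

```powershell
# Added example: read-only RDP exposure and patch-status audit for one Windows host.
# Assumes Windows 10/11 or Server 2016+; run from an elevated PowerShell session.

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means RDP is disabled; 0 means connections are allowed.
    $denied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication (NLA) is required before logon.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Enabled inbound rules in the built-in 'Remote Desktop' firewall group.
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    # A rule whose remote address scope is 'Any' is reachable from every network, including the internet.
    $openToAny = $fwRules | Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' }

    [pscustomobject]@{
        RdpEnabled          = ($denied -eq 0)
        NlaRequired         = ($nla -eq 1)
        InboundRulesEnabled = @($fwRules).Count
        RulesOpenToAnyHost  = @($openToAny).Count
    }
}

function Get-PatchStatus {
    # The newest installed hotfix gives a rough measure of how stale the host is.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    # The Windows Update Agent COM API lists updates that apply to this host but are not installed.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

    [pscustomobject]@{
        LastHotFix     = $latest.HotFixID
        LastHotFixDate = $latest.InstalledOn
        DaysSincePatch = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn).Days } else { $null }
        PendingUpdates = $pending.Count
    }
}

$rdp   = Get-RdpExposure
$patch = Get-PatchStatus
$rdp   | Format-List
$patch | Format-List

# Flag the combinations that make a host an easy ransomware entry point.
if ($rdp.RdpEnabled -and -not $rdp.NlaRequired)          { Write-Warning 'RDP is enabled without Network Level Authentication.' }
if ($rdp.RdpEnabled -and $rdp.RulesOpenToAnyHost -gt 0)  { Write-Warning 'Inbound RDP firewall rules accept connections from any address.' }
if ($patch.PendingUpdates -gt 0)                         { Write-Warning "$($patch.PendingUpdates) applicable update(s) are not installed." }
```

The pending-update query needs network access to the configured update source (Windows Update or WSUS) and can take a minute or two to complete.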

How to get started with ransomware defense

Knowing what to do during a ransomware attack is critical so that your business can get back on track as soon as possible. Even more important than what to do if you get ransomware, however, is understanding how to defend against ransomware infection in the first place.

That’s precisely where we come in. UncommonX is a skilled and experienced cyber security managed detection and response provider that helps our clients guard against the latest IT threats, including ransomware. Our BOSS XDR software helps with threat intelligence, management, detection, and response, ensuring that you can contain incidents as soon as possible and even prevent them before they begin.

Ready to learn about the benefits of BOSS XDR for your business? Contact our team of IT security experts today to discuss your needs and objectives or to get a demo of the BOSS XDR solution.

About the Author

At the center of our U.S.-based Security Operations Center (SOC) is a distinctly skilled team of security architects, engineers, analysts, and data scientists. Each is an expert in their respective field and dedicated to protecting our customers 24/7.