News your company never wants to hear―you’ve been the victim of a ransomware attack, and now you’re wondering what to do next.

The first thing to keep in mind is you’re not alone. Over 17 percent of all cyberattacks involve ransomware—a type of malware that keeps a victim’s data or device locked unless the victim pays the hacker a ransom. Of the 1,350 organizations surveyed in a recent study, 78 percent suffered a successful ransomware attack.

Ransomware attacks use several methods to infect networks or devices, including tricking individuals into clicking malicious links using phishing emails and exploiting vulnerabilities in software and operating systems, such as remote access. Cybercriminals typically request ransom payments in Bitcoin and other hard-to-trace cryptocurrencies, providing victims with decryption keys on payment to unlock their devices.

The good news is that in the event of a ransomware attack, there are basic steps any organization can follow to help contain the attack, protect sensitive information, and ensure business continuity by minimizing downtime.

Initial Ransomware Response

Determine which systems were impacted, and immediately isolate them.

  • If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
  • Prioritize isolating critical systems that are essential to daily operations.
  • If taking the network temporarily offline is not immediately possible, locate the network cable (e.g., ethernet) and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
  • For cloud resources, take a snapshot of volumes to get a point in time copy for reviewing later for forensic investigation.
  • After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access or deploy ransomware widely prior to networks being taken offline.

Power down devices if you are unable to disconnect them from the network to avoid further spread of the ransomware infection.

  • Turn off maintenance tasks. Immediately disable automatic tasks—e.g., deleting temporary files or rotating logs—affected systems. These tasks might interfere with files and hamper ransomware investigation and recovery.
  • Disconnecting backups. Because many new types of ransomware target backups to make recovery harder, keep data backups offline. Limit access to backup systems until you’ve removed the infection.

Triage impacted systems for restoration and recovery.

  • Identify and prioritize critical systems for restoration on a clean network and confirm the nature of data housed on impacted systems.
  • Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.

Examine existing organizational detection or prevention systems (e.g., antivirus, EDR, IDS, Intrusion Prevention System) and logs.

  • Examine additional systems for malware involved in earlier stages of the attack.
  • Look for evidence of precursor “dropper” malware, such as Bumblebee, Dridex, Emotet, QakBot, or Anchor. A ransomware event may be evidence of a previous, unresolved network compromise.

Notify your security team.

  • Once you’ve disconnected the affected systems, notify your IT security team of the attack. In most cases, IT security professionals can advise on the next steps and activate your organization’s incident response plan, meaning your organization’s processes and technologies for detecting and responding to cyberattacks.

Containment and Eradication

Now that you’ve isolated affected devices, you’re likely eager to unlock your devices and recover your data. While eradicating ransomware infections can be complicated to manage, particularly the more advanced strains, the following steps can start you on the path to recovery.

  • Take a system image and memory capture of a sample of affected devices (e.g., workstations, servers, virtual servers, and cloud servers). Collect any relevant logs as well as samples of any “precursor” malware binaries and associated observables or indicators of compromise (e.g., suspected command and control IP addresses, suspicious registry entries, or other relevant files detected). Preserve evidence that is highly volatile in nature—or limited in retention—to prevent loss or tampering (e.g., system memory, Windows Security logs, data in firewall log buffers). 
  • Consult federal law enforcement, even if mitigation actions are possible, regarding possible decryptors available, as security researchers may have discovered encryption flaws for some ransomware variants and released decryption or other types of tools.
  • Identify and document the systems and accounts involved in the initial breach. This can include email accounts.
  • Based on the breach or compromise details determined above, contain associated systems that may be used for further or continued unauthorized access. Breaches often involve mass credential exfiltration. Securing networks and other information sources from continued credential-based unauthorized access may include: disabling virtual private networks, remote access servers, single sign-on resources, and cloud-based or other public-facing assets.
  • Work with your team and security experts to identify and eradicate the ransomware infection. 


If you’ve been lucky enough to remove the ransomware infection, it’s time to start the recovery process.

Start by updating your system passwords, then recover your data from backups. You should always aim to have three copies of your data in two different formats, with one copy stored offsite. This approach, known as the 3-2-1 rule, allows you to restore your data swiftly and avoid ransom payments.

Deciding whether to pay

Deciding whether to make a ransom payment is a complex decision. Most experts suggest you should only consider paying if you’ve tried all other options and the data loss would be significantly more harmful than the payment.

Regardless of your decision, you should always consult with law enforcement officials and cybersecurity professionals before moving forward.

Paying a ransom doesn’t guarantee you’ll regain access to your data or that the attackers will keep their promises—victims often pay the ransom, only to never receive the decryption key. Moreover, paying ransoms perpetuates cybercriminal activity and can further fund cybercrimes.

Preventing future ransomware attacks

Email security tools and anti-malware and antivirus software are critical first lines of defense against ransomware attacks.

Organizations also rely on advanced endpoint security tools like firewalls, VPNs, and multi-factor authentication as part of a broader data protection strategy to defend against data breaches.

To learn more contact us today at [email protected] or (248) 922-1150 and experience the ChoiceTel difference.