What to Do When Ransomware Strikes


Ransomware attacks are on the rise. Even if you take the best security measures to prevent ransomware attacks, bad guys can successfully encrypt your files or lock your device. So, knowing what to do when ransomware strikes can keep you sorted when you see a ransom note on your device’s screen.

This article will explain everything you should know to withstand (and recover) a ransomware attack. Let’s dive in:

What Is Ransomware?

Ransomware is malicious software or malware that locks a device or encrypts data on it, preventing a user from accessing the device or data. The user is present then with a demand for ransom in exchange for unlocking the device or decrypting the data.

There are mainly two types of ransomware, targeting small business owners. One is Locker, which locks the device; and another is Crypto which encrypts the data on a device.

what to do when ransomware strikes

How Ransomware Attacks Small Businesses

There are multiple ways how ransomware infections can happen. Here are the top ransomware attack victors you should know to avoid being a victim of a ransomware attack:

  • Malicious email attachments
  • Compromised websites having hidden malicious code
  • Pop-ups
  • Smishing campaigns targeting instant messaging apps

Social engineering attacks, which can include any of the tactics mentioned above, are one of the most effective methods to install ransomware on victims’ devices.

What Is a Ransomware Response Plan?

A ransomware response plan outlines steps to be followed during a ransomware attack. It is like a standard operating procedure (SOP) your company will follow when there is a ransomware incident. A ransomware response plan also helps you better prepare for future attacks.

Companies with defined ransomware response plans are less likely to pay the ransom to get critical information and data back.

What to Do During Ransomware Attack

The following is a step-by-step process to follow during a ransomware attack:

1. Disconnect the Infected Device

In a ransomware attack, it’s essential to disconnect the infected computer system as soon as possible. Doing so prevents the ransomware from spreading to other devices on your network, limiting the damage done. It also prevents the attacker from continuing to gain access to your files and encrypting them.

If the infected system has any external storage drive connected, remove it from the system. Then, you should check other computer systems in your network for any sign of ransomware infection. It is good to turn off your shared computer network until you’re sure that other systems in the network are not affected.

2. Stay Calm and Composed

When a ransomware attack strikes your computer, it can be easy to panic and start frantically clicking buttons to fix the problem. However, this can worsen the situation and make it more difficult for IT professionals to remove the ransomware successfully.

It’s important to stay calm and composed during a ransomware attack. Take a deep breath and remember that panicking won’t solve anything. Immediately contact your IT department or an outside professional and follow their instructions carefully.

3. Inform Law Agencies

Reporting the attack to the appropriate law enforcement agencies not only helps with their investigation but can also lead to important information being shared with other organizations and individuals, providing crucial protection against similar attacks in the future.

In addition, if you contact a law enforcement agency, it can often result in recovery assistance or insurance benefits that could prove invaluable in getting your business back up and running.

4. Don’t Pay Ransom

While it may be tempting to pay the ransom and move on after a ransomware attack, it’s important to remember that doing so only fuels the fire for future attacks. And there is no guarantee that you will get your sensitive information or data back after you pay the ransom.

5. Change Passwords

When a ransomware attack happens, you should change all online and account passwords after disconnecting the infected device. This is because you don’t know how ransomware has entered the computer system and whether the hacker has stolen your login credentials. Once the ransomware infection is removed, you should change all your passwords again.

6. Search for a Decryption Tool

If the ransom note doesn’t tell the name of the ransomware, you can use a tool like Crypto Sheriff or ID Ransomware to know the strain of encrypting ransomware. Once you identify the ransomware strain, search the web for the appropriate decryption key. Many web resources have decryption tools for known ransomware.

You can check No More RansomAVG Decryption Tool, and Kaspersky Free Recovery Tools to determine if the decryption key is available.

7. Remove the Ransomware

You can use a reputed ransomware removal tool, such as Malwarebytes PremiumHitman Pro, or Bitdefender to remove the ransomware infection. You should hire a cybersecurity expert to remove the infection if you don’t have one.

After removing the ransomware, you should update the operating systems of all computers. Also, you should update all the software applications you use in your business.

8. Build Your System

You have removed the infection, updated operating systems, and installed software applications. Now, it is time to build your system again. Even if you can decrypt data, you should not use it. If it is possible, you should restore data from your backup. But before doing that, you should scan your backup for malware.

9. Find out the Attack Vector

Conduct after-action research to figure out how the ransomware attack happened. The first place to start is your team. Organize a team meeting and introspect to find the root cause of the infection – how the ransomware entered the computer system.

10. Take Measures to Prevent Future Attacks

Once you know the attack vector, you should take the necessary security measures to prevent future attacks. Most ransomware attacks happen due to human error. So, getting your employees trained and installing reliable ransomware protection software can prevent ransomware attacks and data breaches.

What Is the Best Defense Against a Ransomware Attack?

Your best defense against a ransomware attack is your employees because phishing is the leading cause of ransomware infection. So, train your employees on the best cybersecurity practices.

Cybersecurity training will help them successfully thwart a phishing attempt or any other social engineering attack. The best anti-virus or anti-malware software cannot protect your computer systems and important files if your employees are lax on cybersecurity.

What Is the First Step After a System Is Infected with Ransomware Malicious Software?

The first step after a system is infected with ransomware malicious software is to disconnect the infected device from the network and turn off its Internet connection. If there is any connected external hard drive to the infection device, remove it and check it for encrypted data.

How Is Remote Desktop Protocol Used in Ransomware?

Remote Desktop Protocol (RDP) is the most popular technology used by remote workers to connect with an organization’s server. Compromised remote desktop protocol connections are becoming a popular ransomware attack victor because the number of people working remotely is growing steadily.

Image: Depositphotos


More in: Comment ▼

Sandeep Babu Sandeep Babu is a cybersecurity writer. He writes about malware, data security, privacy, and other cybersecurity topics for SBT and other reputed platforms.

Comments are closed.