Imagine yourself putting the final touches on an important work report when you suddenly lose access to all the files. Or you get an eerie error message asking you to send Bitcoin to decrypt your computer.

No matter what the scenario is, a ransomware attack can be devastating for its victims. Let's learn more about ransomware and the immediate steps you can take following a ransomware attack.

What Is Ransomware?

Ransomware is a malicious attack that leaves your data locked or encrypted by anonymous cybercriminals. The attackers provide instructions on how to decrypt the files, and the victims can eventually have their files back after paying a hefty “ransom” upfront.

Certain activities can lead up to a ransomware attack. To a large extent, two malicious tactics, known as "social engineering" and "lateral movement", can be the culprit.

In some cases, cybercriminals may stage a ransomware attack in advance and execute it later on, so that the actual attack might happen days after the network infiltration.

Related: What Is Social Engineering? Here's How You Could Be Hacked

Steps to Take After Getting Hit by Ransomware

Man sitting in front of a computer that has ransomware.

Prevention is the best form of defense when it comes to ransomware. If you or your company does not have robust preventative security measures in place, you can often find yourself in the midst of a ransomware attack.

A ransomware attack can be utterly devastating. But if you act promptly immediately after a ransomware attack, you can mitigate some of the damage.

Here are 10 steps you should take following a ransomware attack.

1. Stay Calm and Collected

It's difficult to stay calm and composed when you cannot access important files on your computer. But the first step to take after getting hit by ransomware is to not panic and stay level-headed.

Most people rush into paying the ransom before analyzing the gravity of the situation they are in. Staying calm and taking a step back can sometimes open doors for negotiations with the attacker.

2. Take a Photo of the Ransomware Note

The second step is to immediately take a picture of the ransomware note on your screen through your smartphone or a camera. If possible, take a screenshot on the affected machine as well.

This will help you in filing a police report and will expedite the process of recovery.

3. Quarantine Affected Systems

It's important to isolate the affected systems as soon as possible. Ransomware typically scans the target network and propagates laterally to other systems.

It's best to sever the affected systems from the network to contain the infection and stop the ransomware from spreading.

4. Look for Decryption Tools

Fortunately, there are many decryption tools available online, in places such as No More Ransom.

If you already know the name of your ransomware strain, then you can simply plug it into the website and search for the matching decryption. The list is not alphabetical, and the site adds new decryption tools to the bottom of the list.

5. Disable Maintenance Tasks

You should immediately disable automated maintenance tasks, such as temporary file removal and log rotation, on affected systems. This will prevent these tasks from interfering with files that might be useful for forensics and investigation analysis.

6. Disconnect Backups

Most modern ransomware strains immediately go after backups to thwart recovery efforts.

Thus, it is imperative for you or your organization to secure your backups by severing them from the rest of the network. You should also lock down access to backup systems until after the infection gets removed.

7. Identify the Attack Variant

To determine the ransomware strain, you can use free services such as Emsisoft’s online ransomware identification tool or ID Ransomware.

These services allow users to upload a sample of the encrypted file, any ransom note left behind, and the attacker's contact information, if available. The analysis of this information can identify the type of ransomware strain that has impacted the user's files.

8. Reset Passwords

Change all online and account passwords once you have disconnected the affected systems from the network.

After the ransomware gets removed, you should once again change all the system passwords.

9. Report the Ransomware

The moment you notice a ransomware attack, be sure to contact law enforcement.

Ransomware is a crime and should be reported to local law enforcement authorities or the FBI. Even if law enforcement cannot help with getting your files decrypted, they can at least help others avoid a similar fate.

10. Decide Whether to Pay or Not

Deciding to pay for ransomware is not an easy decision and comes with its pros and cons. Only pay for ransomware if you have exhausted all other options and the loss of data is more damaging to you or your company than paying the ransom.

Tips to Mitigate Ransomware Attacks

swapping decryption key for money

The increasing prevalence of cybercrime is pushing organizations to rethink their security strategies. Here are some tips that can help you mitigate ransomware attacks.

  • Restrict administrative privileges: Use caution when handing out administrative privileges as the admin account has access to everything, including changing configurations or bypassing critical security settings. Always employ the Principle of Least Privilege (PLOP) when granting any type of access.
  • Patch applications: If you discover a security flaw, patch it as soon as possible to prevent manipulation and abuse by hackers.
  • Use application whitelisting: Application whitelisting is a proactive threat mitigation technique that allows pre-authorized programs to run while all the others stay blocked by default. It helps in identifying illegal attempts to execute malicious code and also prevents unauthorized installations.
  • Be wary of emails: Emails are the most vulnerable to ransomware, so it is imperative to ramp up email security. Secure email gateways ensure all email communications get filtered along with activation of URL defenses and attachment sandboxing to identify threats proactively. As much as email phishing scams need prevention, also pay attention to post-delivery protection.
  • Provide security awareness training: Since human behavior initiates all ransomware attacks, providing security awareness training is a must for all employees. This training is imperative as it teaches users to distinguish real threats from legitimate data.
  • Use MFA: Multi-factor authentication (MFA) adds an extra layer of security as it requires two or more pieces of evidence to log into remote access solutions, like online banking or other privileged actions, that need sensitive information.
  • Employ daily backups: Regular data backups are an integral part of a disaster recovery plan. In the event of a ransomware attack, you can recover and access backed-up data. You can always decrypt your original data by restoring successful backups.

Besides being extra careful, always remember that malware attacks, including ransomware, target unpatched and obsolete software. So, it's important that all software running on your machine is up-to-date with all the latest security updates in place.

Defend Yourself Against Ransomware

If you are a victim of a ransomware attack, keep in mind that you can reduce its impact if you take prompt and immediate action following the attack.

While simple in concept, ransomware is relentless and damaging. But with due diligence and by following good security hygiene, you can stop these malicious attacks before they can cause significant damage.