Ransomware attacks can be devastating, locking you out of important files or systems and demanding a ransom in exchange for their return. Responding promptly and appropriately is critical to minimize damage, whether you are an individual, a business, or a government entity.
This article outlines the steps you should take if you become a victim of ransomware, explores the different types of ransomware, and provides advice on who to contact for help.
What is Ransomware?
Ransomware is a type of malicious software (malware) designed to block access to data or systems until a ransom is paid. Attackers typically demand payment in cryptocurrency to remain anonymous, but paying the ransom does not guarantee recovery of your data. In some cases, victims are scammed twice—once by the initial ransom and again by secondary demands after payment.
Immediate Steps to Take When Attacked by Ransomware
1. Disconnect the Infected Device
- Isolate the machine immediately from the network to prevent the ransomware from spreading to other systems.
- Unplug from the internet, Wi-Fi, or any network cables.
- If you are in a corporate environment, notify the IT department right away so they can take immediate action across the network.
2. Identify the Type of Ransomware
- Ransomware usually provides a ransom note with details about how to pay the ransom and restore your data.
- Take screenshots of this message and save any associated files. Do not delete anything related to the attack, as these files may be useful for forensic analysis later.
- Use a ransomware identification tool like ID Ransomware to detect the type of ransomware you are dealing with.
3. Do Not Pay the Ransom
- Paying the ransom should be your last resort. There is no guarantee that the attacker will provide the decryption key after payment, and it may embolden them to attack again.
- Criminal organizations use ransom payments to fund more cybercrime, and in many cases, attackers may leave backdoors open for future attacks.
4. Seek Professional Help
- Contact cybersecurity professionals for advice on next steps. They can help you recover encrypted data, restore systems from backups, and mitigate damage.
- Ransomware recovery specialists may be able to decrypt files without paying the ransom, depending on the ransomware strain.
- In the case of corporate or government organizations, involve your IT department, security team, or third-party cybersecurity providers immediately.
5. Report the Attack
- Reporting the attack to law enforcement is important to track ransomware trends and potentially recover files.
- In the U.S., report the attack to the FBI’s Internet Crime Complaint Center (IC3) or CISA (Cybersecurity and Infrastructure Security Agency).
- In the UK, you can contact Action Fraud or the National Cyber Security Centre (NCSC).
6. Utilize Backups
- If you have backups of your data stored offline or in an isolated environment, you can restore your system without paying the ransom.
- Ensure the backup system is disconnected from the network to avoid infecting the backup files.
7. Perform a Full System Audit
- Even after the attack is addressed, the malware could still linger in your systems. Run thorough malware scans and remove all traces of the infection.
- Use endpoint security and vulnerability scanning tools to confirm that no infection remains and that no unpatched weaknesses are left behind.
8. Strengthen Security Measures
- Change passwords for all accounts and ensure that Multi-Factor Authentication (MFA) is in place wherever possible.
- Patch all vulnerabilities by installing updates and applying security patches.
- Enhance email security to filter out suspicious attachments and links, which are common vectors for ransomware attacks.
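As an added example (not part of the original article), the script below shows how a responder can carry out the evidence-preservation side of steps 2 and 7 on an isolated machine: it walks a directory tree, records every candidate ransom note with its SHA-256 hash so the note can be shared with investigators or an identification service without editing it, deduplicates identical notes dropped into many folders, and tallies file extensions so the extension the ransomware appended stands out. The note-name markers, the sample directory tree and the extension ".locked_example" are constructed for this example and are not taken from any real strain.

```python
"""Post-infection filesystem triage (added example, not the article's own code).

Walks a tree read-only, hashes candidate ransom notes, and counts file
extensions. Everything it produces is a JSON-serialisable report that can be
attached to an incident ticket or handed to responders.
"""
import hashlib
import json
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Heuristic name fragments for ransom notes. These are assumptions for the
# example; "readme" in particular will also match legitimate README files,
# so the report lists candidates for a human to confirm rather than verdicts.
NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to", "recover")
NOTE_SUFFIXES = (".txt", ".html", ".hta")
# Extensions we consider ordinary; anything else seen on many files is a hint
# of the rename pattern the ransomware applied.
COMMON_SUFFIXES = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png",
                   ".html", ".hta", ".log", ".py"}


def sha256_of(path):
    """Hash a file in chunks so large encrypted files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_note(name):
    low = name.lower()
    return low.endswith(NOTE_SUFFIXES) and any(m in low for m in NOTE_MARKERS)


def triage(root):
    """Return a report dict describing notes and extension counts under root."""
    notes, unique_notes, ext_counts = [], {}, Counter()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            ext_counts[os.path.splitext(fn)[1].lower()] += 1
            if looks_like_note(fn):
                digest = sha256_of(path)
                notes.append({"path": path, "sha256": digest,
                              "size": os.path.getsize(path)})
                # Identical notes in many folders collapse to one entry.
                entry = unique_notes.setdefault(digest, {"count": 0, "first_path": path})
                entry["count"] += 1
    suspicious = [(ext, n) for ext, n in ext_counts.most_common()
                  if ext and ext not in COMMON_SUFFIXES]
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "root": root,
        "ransom_notes": notes,
        "unique_notes": unique_notes,
        "extension_counts": dict(ext_counts),
        "suspicious_extensions": suspicious,
    }


def build_sample_tree(root):
    """Constructed sample: identical notes in three folders plus renamed files."""
    note = "ALL YOUR FILES ARE ENCRYPTED (constructed sample note text)\n"
    for sub in ("docs", os.path.join("docs", "2023"), "photos"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "README_TO_RESTORE.txt"), "w") as f:
            f.write(note)
        for i in range(3):
            with open(os.path.join(d, f"file{i}.docx.locked_example"), "wb") as f:
                f.write(os.urandom(64))
    # An ordinary, untouched file that must not be reported as a note.
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("an ordinary file\n")


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real mount point instead of the temporary tree once the machine is off the network; the report is the artefact to keep, not the ransom note edited in place.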
Types of Ransomware
Understanding the different types of ransomware can help you better assess the threat level and recovery options.
1. Crypto Ransomware
- Encryption-based ransomware that locks your files, making them inaccessible unless you pay for the decryption key.
- Examples: WannaCry, CryptoLocker, Locky.
2. Locker Ransomware
- Prevents access to your device, often displaying a full-screen ransom message that blocks access to the desktop and files.
- The data is usually not encrypted, but you cannot access the device without paying the ransom.
- Examples: Reveton, WinLocker.
3. Scareware
- Fake software that claims to have found problems on your computer and demands payment for fake services or solutions.
- No real damage is done to the files, but the scare tactics aim to coerce you into paying.
- Example: Fake antivirus programs or tech support pop-ups.
4. Doxware/Leakware
- Threatens to release your personal or sensitive data unless a ransom is paid.
- Common in attacks targeting corporations, celebrities, and public figures.
5. RaaS (Ransomware as a Service)
- A growing trend where cybercriminals offer ransomware software and infrastructure to other attackers, often in exchange for a portion of the ransom.
- RaaS is easy for non-technical criminals to deploy and can affect both small businesses and large enterprises.
- Examples: DarkSide, REvil.
Whom to Contact for Help
1. Cybersecurity Firms
- If you’re a business or government entity, contact a cybersecurity incident response firm immediately. Well-known firms include:
- FireEye Mandiant
- CrowdStrike
- Kroll
- Palo Alto Networks (Unit 42)
2. Law Enforcement
- Involve local law enforcement or national cybersecurity agencies to ensure that the attack is reported.
- FBI (USA): Contact the Internet Crime Complaint Center (IC3) or a local FBI field office.
- NCSC (UK): The National Cyber Security Centre can provide resources for mitigation.
3. Your IT Department
- If you’re in a corporate environment, notify your IT team immediately. They should be prepared to disconnect affected systems and launch a recovery plan.
4. Legal Counsel
- If confidential or customer data is involved, consider contacting legal experts to understand your compliance obligations, particularly regarding data breaches.
How to Prevent Ransomware Attacks
The best way to deal with ransomware is to prevent the attack from happening in the first place. Here are a few strategies:
1. Regular Backups
- Keep regular backups of all critical data and ensure those backups are stored in a secure, offline environment.
- Test your backup restoration process to make sure it works in the event of an attack.
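One concrete way to make the restore test repeatable is a hash manifest, shown here as an added example (not the article's own code): record a manifest of relative path to SHA-256 when the backup is taken, then verify a trial restore against it so that a missing, altered or unexpected file is caught before the backup is trusted in an incident. The sample backup set and the simulated faulty restore are constructed inline; the manifest format and function names are this example's own.

```python
"""Backup restore verification with a hash manifest (added example).

build_manifest() runs at backup time; verify_restore() runs after a trial
restore and reports missing, corrupted and extra files.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Whole-file hash; sample files are small, so no chunking is needed here."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(p for p in manifest
                       if p in actual and actual[p] != manifest[p])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "checked": len(manifest),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a clean manifest, then a restore with three faults."""
    sample = {
        "finance/q1.xlsx": b"quarter one figures (constructed)",
        "finance/q2.xlsx": b"quarter two figures (constructed)",
        "hr/handbook.pdf": b"handbook (constructed)",
    }
    with tempfile.TemporaryDirectory() as backup, \
            tempfile.TemporaryDirectory() as restored:
        for rel, data in sample.items():
            _write(backup, rel, data)
        manifest = build_manifest(backup)
        # Simulated faulty restore: one file lost, one altered, one stray file.
        _write(restored, "finance/q1.xlsx", sample["finance/q1.xlsx"])
        _write(restored, "finance/q2.xlsx", b"altered after backup")
        _write(restored, "hr/readme_unexpected.txt", b"stray file")
        result = verify_restore(manifest, restored)
        # A second, faithful restore for comparison.
        with tempfile.TemporaryDirectory() as good:
            for rel, data in sample.items():
                _write(good, rel, data)
            clean = verify_restore(manifest, good)
    return {"faulty": result, "clean": clean, "manifest": manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest alongside the offline copy but also somewhere the backup host cannot modify, since an attacker who can rewrite the backup can rewrite a manifest kept next to it.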
2. Patch Vulnerabilities
- Always apply the latest updates to operating systems, software, and firmware to close vulnerabilities that ransomware could exploit.
3. Use Strong Authentication
- Implement Multi-Factor Authentication (MFA) for user accounts to reduce the chances of unauthorized access.
- Require strong, unique passwords and change them periodically.
4. Educate Employees
- Provide training on phishing attacks and best security practices to reduce the risk of employees accidentally downloading ransomware.
- Teach users to avoid clicking on suspicious links or downloading unexpected email attachments.
5. Email Filtering
- Use email filtering software to block phishing attempts and malicious attachments.
6. Advanced Threat Protection
- Use endpoint protection, firewalls, and network monitoring systems that can detect and block ransomware threats before they execute.
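The monitoring systems mentioned above typically rely on behavioural signals rather than signatures, and the most characteristic one is a single process renaming many files to a new extension across several directories within seconds. The detector below is an added example (not the article's or any vendor's code) that applies that rule to constructed file-event telemetry: tab-separated lines of timestamp, PID, process image, event type, old path and new path. The thresholds, the process names and the ".locked_example" extension are assumptions chosen for the example.

```python
"""Mass-rename detector over file-event telemetry (added example).

A sliding window per PID counts RENAME events that change the file extension.
When the count in the window reaches the threshold across at least two
directories, one alert is raised for that PID.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Tuning values are assumptions for this example; real deployments tune them
# against the environment's normal rename rate.
WINDOW_SECONDS = 10
RENAME_THRESHOLD = 10
MIN_DIRECTORIES = 2


def parse_line(line):
    """Parse one constructed telemetry line: ts, pid, image, event, old, new."""
    ts, pid, image, event, old, new = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "pid": int(pid), "image": image, "event": event,
            "old": old, "new": new}


def extension_changed(old, new):
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(lines):
    """Return a list of alerts, at most one per offending PID."""
    windows = defaultdict(deque)   # pid -> deque of (ts, directory, new ext)
    alerted, alerts = set(), []
    for ev in map(parse_line, lines):
        if ev["event"] != "RENAME" or not extension_changed(ev["old"], ev["new"]):
            continue
        q = windows[ev["pid"]]
        q.append((ev["ts"], os.path.dirname(ev["old"]),
                  os.path.splitext(ev["new"])[1].lower()))
        # Drop events that fell out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        dirs = {d for _, d, _ in q}
        if (len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRECTORIES
                and ev["pid"] not in alerted):
            alerted.add(ev["pid"])
            alerts.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "first_seen": q[0][0].isoformat(),
                "renames_in_window": len(q),
                "directories": sorted(dirs),
                "new_extensions": sorted({e for _, _, e in q}),
            })
    return alerts


def sample_lines():
    """Constructed telemetry: one benign editor rename, then a burst of 12
    renames from a hypothetical process across three share folders."""
    lines = ["2024-05-01T10:00:00Z\t1201\tofficesuite.bin\tRENAME"
             "\t/home/alice/docs/~tmp1.tmp\t/home/alice/docs/report.docx"]
    base = datetime(2024, 5, 1, 10, 0, 5, tzinfo=timezone.utc)
    folders = ["/srv/share/finance", "/srv/share/hr", "/srv/share/legal"]
    for i in range(12):
        ts = (base + timedelta(milliseconds=300 * i)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        d = folders[i % 3]
        lines.append(f"{ts}\t6644\tupdater_sample.bin\tRENAME"
                     f"\t{d}/file{i}.xlsx\t{d}/file{i}.xlsx.locked_example")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

The benign editor rename changes an extension too, but a single event never reaches the threshold; the alert fires on the tenth rename of the burst, which is the point at which an endpoint agent would suspend the process and isolate the host.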
Final Thoughts
Ransomware attacks are increasing in both frequency and severity, affecting businesses, governments, and individuals worldwide. The key to managing a ransomware attack is to act quickly, avoid paying the ransom, and consult with professionals who can help with recovery. Prevention is always the best strategy, so ensure that you have strong security measures in place to minimize your risk.
If you are currently dealing with a ransomware attack, remember to stay calm, disconnect from the network, and seek professional help before taking any action. The decisions you make in the first few hours can significantly impact the outcome of the attack.
