This article will give a step-by-step breakdown of the six ransomware response actions you should take immediately upon discovering you are the victim of a ransomware attack.
By the end of this article, you will:
- Know the steps to take to stop a ransomware attack
- Learn the options you have for ransomware recovery
- Learn the next steps you need to take to recover your files
After a ransomware attack, victims often ask what incident response actions they should take immediately.
The first actions following a cyber attack shape your company’s future. A good incident response plan shortens recovery time, and how a business handles a ransomware attack shapes how clients and users judge it afterwards.
Ransomware incident response actions
Time is critical when your files are encrypted by ransomware. The order in which you act matters: an early mistake can destroy evidence or foreclose a recovery option.
Important: these are not the steps to build an incident response plan. But these response actions can be part of your plan.
1. Do not shut down your infected device
Shutting down the infected device wipes volatile memory (running processes, network connections, and in some variants the encryption key itself), which is critical evidence for the ransomware evaluation and forensic investigation. Interrupting the encryption process mid-write can also leave files partially encrypted, which some decrypters cannot repair.
2. Disconnect the infected device from your network
Immediately disconnect your infected device from any network, Wi-Fi, or Bluetooth connection. Also, remove any external drives or USBs connected to the infected machine.
You must do it to stop the ransomware from spreading.
3. Do not delete any of the encrypted files or ransom notes
Deleting encrypted files or ransom notes lowers your chances of successful ransomware recovery. There is no guarantee that your files will be decrypted, but keeping the encrypted files preserves the option if a decrypter becomes available.
You may also need copies of the encrypted files for legal reasons: to show, during a breach assessment, that legally protected data such as Personally Identifiable Information (PII) was only encrypted rather than accessed or exfiltrated. A ransomware forensic investigation can help you uncover the evidence you need.
Additionally, saving the ransom note can have crucial identification information necessary to determine the ransomware variant and decryption chances.
4. Document all information about the ransomware attack
Detailed documentation should always be a part of your ransomware incident response plan. Create a document detailing as much information as you can collect about the ransomware attack, including:
- Photo or copy of the ransom demand note
- Ransomware variant name
- The file extension of encrypted files
- The approximate date and time of the attack
- The file naming scheme for the ransom note file
- Any email addresses or URLs or other methods provided by the attacker for communications
- Required payment method
- Ransom amount demanded if known
5. Backup encrypted files before any recovery attempts
Backing up your encrypted files is a critical step to take before you pursue ransomware recovery.
Preserving ransomware-encrypted files keeps a chance of decryption open for the future.
Ransomware groups sometimes cease operations and release their decryption keys, and researchers occasionally find flaws in a variant’s encryption. If you have a backup of the encrypted files, either event may allow you to recover them later.
To create the backup:
1) Scan the infected devices
2) Quarantine or remove the ransomware
3) Initiate the backups by copying the encrypted data to an external drive
Copy the files rather than moving them, keep the original timestamps, and record a hash of each copied file so you can prove later that the copy is intact and unmodified.
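The following script is an added example, not part of the original article, showing how steps 3, 4 and 5 can be done together from the command line: it inventories a directory read-only (encrypted-file extensions, ransom notes, the approximate encryption window from file timestamps), then copies the notes and encrypted files to a preservation folder with a SHA-256 manifest. The extension list, the ransom-note name markers and the sample files in the test are assumptions chosen for illustration; ransomware that renames files entirely rather than appending an extension would need a different heuristic.

```python
"""Ransomware triage helper: inventory encrypted files and ransom notes, then
preserve them with a hash manifest. Added example, not vendor code."""
import hashlib
import json
import shutil
import sys
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Assumed: extensions that are normal in this environment. A file whose final
# extension is not in this set is treated as a candidate encrypted file
# (e.g. report.docx.locked -> ".locked"). Adjust to your own file population.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".db", ".json"}
# Assumed: substrings commonly seen in ransom-note file names (case-insensitive).
NOTE_MARKERS = ("readme", "recover", "decrypt", "how_to", "restore", "ransom")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}


def is_ransom_note(path: Path) -> bool:
    """Heuristic: a small text/HTML file whose name mentions recovery or decryption."""
    return path.suffix.lower() in NOTE_SUFFIXES and any(
        marker in path.name.lower() for marker in NOTE_MARKERS
    )


def sha256_file(path: Path) -> str:
    """Stream the file so large encrypted files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict:
    """Step 4: collect the facts the article asks you to document, reading only."""
    ext_counts: Counter = Counter()
    notes, encrypted, mtimes = [], [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if is_ransom_note(p):
            notes.append(p)
            continue
        suffix = p.suffix.lower()
        if suffix and suffix not in KNOWN_EXTENSIONS:
            ext_counts[suffix] += 1
            encrypted.append(p)
            mtimes.append(p.stat().st_mtime)
    to_iso = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return {
        "extension_counts": dict(ext_counts),
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        # First 2000 chars of the first note: variant name, contact address, payment terms.
        "note_text": notes[0].read_text(errors="replace")[:2000] if notes else None,
        # Encryption window approximated from modification times of encrypted files.
        "earliest_mtime_utc": to_iso(min(mtimes)) if mtimes else None,
        "latest_mtime_utc": to_iso(max(mtimes)) if mtimes else None,
    }


def preserve(root: Path, dest: Path) -> dict:
    """Step 5: copy notes and encrypted files to dest, keeping relative paths and
    timestamps (copy2), and write a SHA-256 manifest for later integrity checks."""
    inv = inventory(root)
    manifest = {}
    for src in inv["ransom_notes"] + inv["encrypted_files"]:
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy, never move: the originals are evidence
        manifest[rel.as_posix()] = {
            "sha256": sha256_file(target),
            "size": target.stat().st_size,
            "mtime_utc": datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat(),
        }
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


if __name__ == "__main__":
    # Usage: python triage.py <infected-dir> <preservation-dir>
    src_root, dest_root = Path(sys.argv[1]), Path(sys.argv[2])
    summary = inventory(src_root)
    print(json.dumps({k: v for k, v in summary.items()
                      if k not in ("ransom_notes", "encrypted_files")}, indent=2))
    print(f"preserved {len(preserve(src_root, dest_root))} files to {dest_root}")
```

Run it against the isolated machine’s data volume (mounted read-only where possible) with an external drive as the destination; the printed summary gives you the extension, the note text and the time window for your incident record, and the manifest lets you prove later that the preserved copies match what was on disk.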
6. Report the attack to law enforcement
You should always report a ransomware attack to law enforcement. Full reporting and cooperation with law enforcement is generally treated as a mitigating factor when regulators decide whether and how much to fine, and it should always be part of your ransomware incident response plan.
The proper authorities will investigate the attack in an attempt to disrupt the group behind it. Be very cautious about paying: ransom payments fund further criminal activity, and a payment to a group on a government sanctions list can itself expose the victim to penalties. Check the sanctions status of the variant and the group before any payment is even considered.
What are the next steps to get my data back?
There are four common methods to recover files after a ransomware attack:
- Recover files from a backup that the ransomware did not reach
- Recreate the data from paper copies, email exchanges, and attachments
- Break the ransomware encryption with the help of a malware researcher, or use a publicly available decrypter
- Contact a ransomware data recovery service
It’s time to get your ransomware-encrypted files back. If you are interested in pursuing ransomware recovery services, the team of ransomware recovery specialists at Proven Data is ready 24/7. Our experts have the experience you need to help you successfully navigate your ransomware incident.