A ransomware attack just hit you. You see a pop up on your screen telling you that your network has been infected and all your files are encrypted. You are being asked to pay a hefty ransom amount to regain access. Questions are racing through your head, and you need to know: what ransomware incident response actions should you take immediately after an attack?
At Proven Data, we have helped thousands of clients navigate a data crisis. While guiding clients through the painstaking process of ransomware incident response, it’s fair to say we’ve learned a few things when it comes to specific actions you should take immediately after a ransomware attack.
This article will give a step-by-step breakdown of the six ransomware response actions you can take immediately upon discovering you are the victim of a ransomware attack.
By the end of this article, you will:
- Know the steps to take to stop a ransomware attack
- Learn the options you have for ransomware recovery
- Learn the next steps you need to take to recover your files
How to mitigate a ransomware attack
Time is critical when your files are encrypted by ransomware. Below you will find a breakdown of the most vital ransomware incident response actions you can take to stop the infection’s spread and mitigate any further damage.
1. Do not shut down your infected device
Shutting down your infected device may erase critical data and evidence needed for the ransomware evaluation and forensic investigation. It may also cause files to become permanently corrupted if they are in the process of encrypting.
2. Disconnect the infected device from your network
Immediately disconnect the infected device from any network, Wi-Fi, or Bluetooth connection, but only once you believe the ransomware has completed the encryption process; disconnecting prematurely can corrupt files that are still being encrypted. Also remove any external drives or USB devices connected to the infected machine so the ransomware cannot spread to them.
3. Do not delete any of the encrypted files or ransom notes
Deleting encrypted files or ransom notes will lower your chances of successful ransomware recovery. There is no guarantee that your files will be decrypted, but keeping the ransomware-infected files gives your data a better chance of recovery.
You may also need to keep copies of the encrypted files to demonstrate a low probability of compromise of legally protected data such as Personally Identifiable Information (PII). A ransomware forensic investigation can help you uncover the evidence you need.
Additionally, the saved ransom note can contain crucial identification information needed to determine the ransomware variant and your chances of decryption.
Deleting files or moving ahead with recovery actions before preserving device images, logs, and additional evidence can destroy necessary evidence required for forensic analysis.
4. Document all information pertaining to the ransomware attack
Detailed documentation should always be a part of your ransomware incident response plan. Create a document detailing as much information as you can collect about the ransomware attack, including:
- Photo or copy of the ransom demand note/splash screen
- Ransomware variant name if known
- The file extension of encrypted files
- The approximate date and time of the attack
- The file naming scheme for the ransom note/readme file left by the attacker
- Any email addresses, URLs, or other contact methods provided by the attacker for communications
- Required payment method/bitcoin addresses provided by the attacker
- Ransom amount demanded if known
5. Backup encrypted files before any recovery attempts
Backing up your encrypted files is a critical step to take before you pursue ransomware recovery.
Preserving ransomware-encrypted files is important because it gives you a chance of decryption in the future.
Ransomware groups sometimes cease operations and release decryption keys. If you have a backup of the encrypted files, this may allow you to recover your files in the future.
To create a backup, you need to:
1) Scan the infected devices with an antivirus product
2) Quarantine/remove the ransomware
3) Initiate the backups by copying the encrypted data to an external drive
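As an added example (not Proven Data's own tooling and not code from this article), the following Python script shows how a defender can carry out steps 3 to 5 in a repeatable way: it walks the affected directory read-only, records every ransom note and encrypted file with its size, timestamp and SHA-256 hash, and then copies those files to a preservation location, verifying each copy against the recorded hash before writing an inventory you can attach to the incident record. The extension `.locked`, the note name `README_DECRYPT.txt` and the sample tree built by `build_sample_incident` are constructed values for the demonstration; substitute the extension and note name you actually observe.

```python
"""Evidence-preservation helper for ransomware incident response (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample values: in a real incident take these from the ransom note
# and from the encrypted files you actually observe on the device.
SAMPLE_ENCRYPTED_EXT = ".locked"
SAMPLE_NOTE_NAMES = {"README_DECRYPT.txt"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large encrypted files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_encrypted_files(root: Path, encrypted_ext: str, note_names: set) -> dict:
    """Walk root without modifying anything (step 3) and build the incident record (step 4)."""
    encrypted, notes = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        rec = {
            "path": p.relative_to(root).as_posix(),
            "size": st.st_size,
            "sha256": sha256_of(p),
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
        if p.name in note_names:
            # Keep the note text verbatim: contact details, payment method and variant hints live here.
            rec["text"] = p.read_text(errors="replace")
            notes.append(rec)
        elif p.suffix == encrypted_ext:
            encrypted.append(rec)
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "encrypted_file_count": len(encrypted),
        "encrypted_extensions": sorted({Path(r["path"]).suffix for r in encrypted}),
        "ransom_notes": notes,
        "encrypted_files": encrypted,
    }


def preserve_copy(root: Path, dest: Path, inventory: dict) -> int:
    """Copy every inventoried file to dest (step 5) and verify each copy's hash. Returns files verified."""
    verified = 0
    for rec in inventory["ransom_notes"] + inventory["encrypted_files"]:
        src = root / rec["path"]
        dst = dest / rec["path"]
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves timestamps, which matter for the timeline
        if sha256_of(dst) != rec["sha256"]:
            raise RuntimeError(f"hash mismatch after copy: {src}")
        verified += 1
    (dest / "incident_inventory.json").write_text(json.dumps(inventory, indent=2))
    return verified


def build_sample_incident() -> Path:
    """Constructed sample tree standing in for an infected share; not real ransomware output."""
    root = Path(tempfile.mkdtemp(prefix="sample_incident_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3_report.xlsx.locked").write_bytes(b"\x00\x11\x22 constructed ciphertext")
    (root / "finance" / "README_DECRYPT.txt").write_text("constructed ransom note text for the demo")
    (root / "notes.txt").write_text("untouched plaintext file")
    return root


if __name__ == "__main__":
    sample_root = build_sample_incident()
    inv = inventory_encrypted_files(sample_root, SAMPLE_ENCRYPTED_EXT, SAMPLE_NOTE_NAMES)
    copied = preserve_copy(sample_root, sample_root.parent / (sample_root.name + "_copy"), inv)
    print(f"encrypted files: {inv['encrypted_file_count']}, notes: {len(inv['ransom_notes'])}, copied: {copied}")
```

Run it with the destination pointing at the external drive from step 5; the JSON inventory it writes there doubles as the documentation list from step 4, and the per-file hashes let you later prove the preserved copies are byte-identical to what was on the device.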
6. Report the attack to law enforcement
Regardless of what method you use to recover from ransomware, you should always report a ransomware attack to law enforcement.
Law enforcement agencies not only have resources and information they can share with you on how to recover, but reporting your ransomware attack right away can also ensure you are not penalized if you are forced to pay the ransom demand.
Certain ransomware attackers are sanctioned for posing a risk to national security, and victims will be punished for paying ransom demands to sanctioned entities.
Full reporting and cooperation with law enforcement is considered a mitigating factor in determining the extent to which fines will be enforced and should always be a part of your ransomware incident response plan.
How can I recover from ransomware?
Now that you have contained the initial ransomware attack by following these critical ransomware incident response steps, you need to know how to recover from ransomware and regain access to your encrypted files.
There are four common methods to recover files from a ransomware attack:
- Recover files from an off-site or offline backup, Windows Shadow Copies, or on-site backups
- Recreate the data from paper copies, email exchanges and attachments
- Break the ransomware encryption utilizing a malware researcher, or use a publicly available decrypter
- Pay the ransom to decrypt the files if the encryption is too strong to break
What are the next steps to get my data back?
It’s time to get your ransomware encrypted files back. If you are interested in pursuing ransomware recovery services, the team of ransomware recovery specialists at Proven Data have the experience you need to help you successfully navigate your ransomware incident.