How to Deal with a Ransomware Attack

Submitted by Daniel Gray on Tue, 02/ 25/ 20 - 12: 00 PM

How to Deal with a Ransomware Attack


In the moments following a ransomware attack, the actions you take can determine how widespread the damage is, how much the attack will cost your company, and which damages you could be liable for. Read more to learn the immediate steps you should take following a ransomware attack and how you can prevent repeat attacks.

Not enough time? Jump to:

How to Respond to a Ransomware Attack

How to Prevent Ransomware Attacks

How to Respond to a Ransomware Attack

The following tips, in part sourced from an FBI guidebook on ransomware response, are a comprehensive approach to minimizing damage and mitigating risk within your network.

Immediate First Steps

How to Respond to a Ransomware Attack

Take All Unaffected Devices in Your Network Offline

The first thing you should do once one or more of your computers in your network is compromised is to take all other devices that are connected to your network offline to contain the spread of the ransomware. 

If just one computer on your network is infected with ransomware, the ransomware could quickly spread to other computers, potentially putting your entire network at risk.

Contact the Police/FBI

Once you have contained the spread of the ransomware, you need to contact the authorities. They are trained in how to handle ransom situations and can give you advice on next steps.

They can also use their resources to help you fight back against the ransomware and carefully document the incident for legal purposes. 

Contact a Cyber Insurance Company

If you have a cyber security insurance policy, you should contact the company about next steps in terms of how to assess any damages and file a claim.

Cyber insurance companies should be contacted before you start to assess damages and remediate the issue, seeing as they have forensic analysis tools that can help you answer crucial questions about the attack.

Additionally, in the event that your business is sued by customers over the data breach, or are in violation of any data regulations like HIPAA, your provider can offer advice on the best next steps on risk management.

Assess the Damage

If you have any secure documents containing legal, financial, or medical information that you suspect have been stolen during the ransomware attack, you could potentially be on the hook for any subsequent data breach lawsuits from clients or customers. 

Take stock of what files you think may have been taken. Even if you get your files back, they have already been compromised because a hacker accessed them. You should prepare a risk management plan to ensure that any personal information that's been accessed is protected moving forward. 

RELATED: Can Businesses Be Sued for Data Breaches?

Never Pay the Ransom

During a ransomware attack, you have two options: pay the ransom or not pay and try to get your files back on your own.

Many experts suggest that you should never pay the ransom for several reasons. For instance, choosing to pay the ransom doesn't guarantee that you will get your files back and be left alone forever. 

A hacker could take your money and disappear with your files forever. Or, since they know how to exploit your network, they could also come back later to attack your network again. Paying a ransom might guarantee the safe return of your files but you don't want to take that risk.

How to Remove the Ransomware

How to Remove Ransomware

Use No More Ransom

Depending on the strain of ransomware used in the attack, you may be able to remove it yourself without calling on external IT support or paying the ransom.

No More Ransom is a collaborative ransomware removal project between big cyber security companies such as McAfee and Kaspersky. These companies became concerned with the spike in ransomware attacks over the past decade.

They realized that, especially if an individual or small business is attacked, the resources necessary to successfully fight back against an attack are costly. This can drive ransomware attack victims to pay the hackers.

No More Ransom was created as a platform to offer free ransomware removal tools for certain strains. Using these tools can save you the money that would have been paid for the ransom or for extensive IT support to thwart the attack.

Restore from Most Recent Backup

If your company consistently backs up its data, recovering your stolen files could be as simple as restoring your network to the most recent backup from before the attack.

Though this will not fix the security flaws in your network, restoring from a recent backup can let you access all the files that became encrypted following the attack. Once you have your files, the hacker does not have nearly as much power to demand a ransom.

Hire an IT Professional

If you feel that attack remediation extends beyond the scope of your company's capabilities, especially if you don't have an internal IT staff, reach out to an external IT services company. 

An external team can remove any ransomware from your network, especially if you cannot recover your files or the attack was widespread. After working to remove the ransomware, they can take extra steps to boost your cyber security so that the chance of a future attack lessens.

How to Prevent Ransomware Attacks

How to Prevent Ransomware Attacks

Preventing ransomware attacks is easier than you think. By taking a few simple steps to strengthen your cyber security now, you can can lessen the chance that your company's data will be held hostage in the future.

Scan Your Network and the Dark Web

The first step in patching security gaps is knowing where and what they are. Thankfully, network security scanning tools can help you uncover open ports on your network.

If you are a business, some ports may need to stay open so computers within a network can communicate with each other. However, certain ports, like the ones on your printers and copiers, can create security gaps that hackers can take advantage of. 

While network scanning tools help you find weak points within your network, dark web scans let you see what company information is currently on the dark web.

Dark web scans can help you find out what accounts and associated passwords are on the dark web. If a hacker has access to this information, they can use it to distribute phishing emails or log into accounts containing sensitive information that can then be held for ransom.

Conducting a dark web scan shows you which passwords you need to change, and which compromised programs/files need to be fixed. 

Know How to Spot a Phishing Attack

While computers are designed to function perfectly and without errors, hackers know that humans are prone to errors. That is why they exploit human error to gain access to a network and deploy ransomware. A popular way that hackers break into your network is through phishing attacks.

Phishing attacks involve a hacker sending an email containing a malware-loaded link to a potential victim. The email can either contain an enticing offer, such as "Click this link for a free cruise!' or can be faked to resemble a legitimate company. For instance, a hacker posing as Google could email a victim telling them to click a link to update their email storage. 

Always be wary of emails from people you don't know telling you to click a link. If you want to see if an email is a phishing email, you can look at the address that the email is from. For instance, a phishing email posing as Facebook that has the email address "" is probably a fake address.

Make sure that the address is spelled correctly too with no character substitutions. While an address from "" might be legitimate, an email from "" is probably a phishing attempt.

Another way to test a phishing email is to try and find the page the email is referencing without clicking the link. For instance, if the email is from Microsoft and is telling you to update your storage, try doing that through the official Microsoft website instead of through the link. If you can't find such a page, then the email is most likely a phishing attempt.

In general, most legitimate emails don't ask you to click a link to validate or update information, so your internal warning signals should flash as soon as you see this. If you feel suspicious about an email, try calling the company who it's from to ask about the email, along with other verification methods.

RELATED: What is Phishing? [Types and Tips to Prevent]

Consider Managed IT Services

How to Prevent Ransomware Attacks

If you are a business, you might not have the time to institute all these changes, especially if you only have an in-house IT manager or another employee managing your cyber security.

Managed IT services can help put all of the above suggestions and more into action. Managed IT services layers your cyber security infrastructure and then employs a team of IT experts to address any threats or issues that pop up.

A managed services provider can use dark web scans and network scanning tools to address existing security gaps. Then, they can install layers of cyber security hardware and software, such as firewalls, anti-virus software, and anti-ransomware software.

They can conduct phishing tests to find employees who fall for phishing traps, and then educate those employees on how to recognize and avoid phishing attacks. To take phishing prevention a step further, a managed services provider can enable email filtering services to stop phishing emails in their tracks. 

In the event that a ransomware attack happens or your network goes down, they can reduce downtime by quickly recovering data due to their use of frequent and secure backups.

Don't wait until you're the victim of a ransomware attack to improve your cyber security. 

RELATED: How to Prevent Ransomware Attacks [8 Quick Tips]

Get Your Questions Answered Now

Posted by Daniel Gray


ransomware and phishing