What Should You Do During a Ransomware Attack? [Tips and Explanations]

Submitted by Erica Kastner on Tue, 02/ 11/ 20 - 12: 17 PM

How to Respond to a Ransomware Attack


Major news outlets, from CNN to Forbes to the New York Times, have been reporting recently on the growing and shifting threat of ransomware. Just last week, the New York Times reported on the continued growth of ransomware attacks, citing a report from Emsisoft revealing that ransomware attacks increased 41 percent from 2018 to 2019. What should you do if you suddenly become the victim of a ransomware attack? Keep reading for tips on what to do immediately following a ransomware attack and more.

Quick summary: What should you do during a ransomware attack? Here's 5 quick tips:

  • If the attack has targeted a single device, remove it from the network.

  • Take your latest backup from before the attack offline.

  • Contact law enforcement immediately.

  • Assess the damage. 

  • Never pay the ransom.

For more information on each tip, keep reading!


Not enough time? Jump to:

What Should You Do During a Ransomware Attack

How Ransomware Threatens Us All

Why You Shouldn't Pay the Ransom

How to Prevent Ransomware Attacks

What Should You Do During a Ransomware Attack

How to Prevent a Ransomware Attack

Let's say that you end up becoming a victim of a ransomware attack. In the moments immediately following the attack, before you decide whether to pay the ransom or not, what should you do? According to a report released by the FBI, there are a few actions you should take.

Sometimes, especially in the event of an employee who fell for a phishing scheme and accidentally downloaded ransomware, you can isolate an attack to a single device before it affects the entire network.

If you find that the attack started on a single device, remove it from the network before the ransomware spreads to shared drives and other devices. For devices that have not yet been infected, power them off and remove them from the network. 

Additionally, take your latest backup from before the attack offline so that you can try to recover files before the ransomware encrypts them. If you have a recent backup available from right before the attack, you can possibly recover your files and avoid paying the ransom.

Once you discover that your network has been breached, you should contact law enforcement immediately. If possible, try to collect portions of the ransomed data to present as evidence to both law enforcement and any IT staff working to recover your network.

While waiting on law enforcement, assess the extent and scope of the damage to your network. Take stock of any files you think may have been accessed or encrypted. This will assist you in preparing a risk management plan moving forward.

Finally, never pay the ransom. Paying the ransom doesn't guarantee that you will get your files back and be left alone forever. 

RELATED: How to Deal With a Ransomware Attack

How Ransomware Threatens Us All 

What to Do in a Ransomware Attack

Hackers don't discriminate when it comes to the types of businesses and systems they target. Government agencies, which many assume to have some of the most secure networks in the country, can and do fall victim to data breaches and cyber attacks.

Forbes just recently reported on how cyber attacks on government agencies are actually becoming more and more common because their interactions with third-party agencies and network configuration make the possibility of a widespread attack easier. 

Electronic Warfare Associates, a government contractor with clients like the Department of Defense, the Department of Justice, and the Department of Homeland Security fell victim to a ransomware attack right at the end of January this year. 

Even our voting systems are open to hacking, as seen by an 11-year-old who, at a hackathon in 2018, breached a replica of a Florida online voting system and changed the results of the fake election in just ten minutes.

If these systems can be hacked, what does that say about how safe the rest of our networks are?

Small businesses especially need to consider the potentially dire consequences of a ransomware attack. Take Dr. Shayla Kasel's medical practice, which was the victim of a ransomware attack last August, as an example.

According to the New York Times, Kasel's office closed permanently after refusing to pay the ransom, realizing that their files were permanently inaccessible, the cost to fix their network and get their files back was too great, and the threat of lawsuits from customers whose data had been breached was too high. 

Unlike large businesses who have the money to install a strong cyber security infrastructure, small businesses usually don't have the budget to do so. Hackers also know that small businesses probably don't have the money necessary to fight back against a ransomware attack.

This is why they'll attack a small business − if the ransom is low enough, a business would rather pay the ransom then pay an IT team to thwart the attack. However, deciding to pay the ransom doesn't mean that all your problems are solved. 

RELATED: Can Businesses Be Sued for Data Breaches?

Why You Shouldn't Pay the Ransom

Paying the Ransom Doesn't Guarantee Anything

How to Respond to a Ransomware Attack

When you are faced with a ransomware attack, you have two choices: pay the ransom and hope that your files are returned, or, not pay the ransom and instead use an IT team to thwart the attack for you, which can be costly and, at times, unsuccessful.

However, according to a report from the CyberEdge Group, a cyber security research and marketing firm, only 19% of the ransomware attack victims they surveyed who chose to pay the ransom got their files back.

When dealing with anonymous hackers, paying the ransom doesn't guarantee that your files will be returned and that you will be left alone forever. A hacker's word means about as much as a pinky promise, which is why you shouldn't trust them.

A hacker could just as easily increase the ransom once they know that you'll pay, or take your money and disappear without returning your files. 

Both sides of the debate over to pay or not pay have their pros and cons, but at least with an IT team, you have more than a 19% guarantee that your files will be returned. Additionally, paying the ransom can leave the door open for repeat attacks down the road. 

You Could Become a Repeat Victim

What to Do in a Ransomware Attack

If a hacker has already gained access to your network, who's to say that they wouldn't attack you again? Paying a hacker doesn't guarantee that they will leave you alone forever.

A hacker who has previously accessed your network could assess it for weak spots and attack it later, maybe by using a more advanced phishing email to plant new ransomware. 

Hackers could also carry out repeat attacks because they know the odds of facing criminal charges are low if they attack from another country. Unless the attack is of historic proportions, a hacker will likely not be extradited and tried in court.

Take the 2017 Equifax data breach as an example of one of the few times that foreign hackers face consequences for their actions. In 2017, Equifax, one of the largest consumer credit reporting agencies in the country, experienced a data breach that affected over 150 million customers. Recently, CNN reported that four members of the Chinese military were officially charged with the hack. 

In this high-profile case, the criminals may end up getting extradited and tried in court, but this situation plays out very differently for smaller attacks that don't command the attention of national media.

Small businesses and individuals that are attacked will likely face an uphill battle in the court system. Hackers in foreign countries know that they are unlikely to face criminal charges for overseas attacks, which can embolden them to continue to carry out repeated attacks, especially on small businesses and individuals.

Because small businesses can be easier targets for ransomware attacks due to less resources to fight back, they especially need to step up their cyber security measures to avoid becoming a victim.

How to Prevent Ransomware Attacks

How to Prevent Ransomware Attacks

Though the threat of ransomware is growing, thankfully, there are a few simple ways that you can protect your network and prevent ransomware attacks. 

Know How to Spot a Phishing Attack

The number one way to prevent ransomware attacks is by learning how to spot and avoid falling for a phishing scheme.

While computers are designed to not make mistakes, hackers know that humans are prone to errors. That is why they exploit human error to gain access to a network and deploy ransomware. 

Phishing attacks involve a hacker sending an email containing a ransomware-loaded link to a potential victim. The email can either contain an enticing offer, such as "Click this link for a free cruise!' or can be faked to resemble a legitimate company. For instance, a hacker posing as Google could email a victim telling them to click a link to update their email storage. 

Always be wary of emails from people you don't know telling you to click a link. If you want to see if an email is a phishing email, you can look at the address that the email is from. For instance, a phishing email posing as Google that has the email address "security@g0ogle.microsoft.com" is probably a fake address.

Make sure that the address is spelled correctly too with no character substitutions. While an address from "@microsoft.com" might be legitimate, an email from "@mIcr0soft.com" is probably a phishing attempt.

Another way to test a phishing email is to try and find the page the email is referencing without clicking the link. For instance, if the email is from Microsoft and is telling you to update your storage, try doing that through the official Microsoft website instead of through the link. If you can't find such a page, then the email is most likely a phishing attempt.

In general, most legitimate emails don't ask you to click a link to validate or update information, so your internal warning signals should flash as soon as you see this. If you feel suspicious about an email, try calling the company who it's from to ask about the email, along with other verification methods.

Institute a Password Policy

Weak passwords are one of the easiest ways to gain access to your network and install ransomware. Consider strengthening your passwords and protecting where they're stored to better leverage your cyber security.

A main focus of any password policy should be to limit how much you write down your passwords, whether they're on a sticky note, an Excel spreadsheet, or in the Notes app on your phone. Writing a password down anywhere leaves it susceptible to being found by hackers. 

If you have too many passwords to remember, consider a secure password-storing program such as MyGlue. These programs securely store all your passwords in one place, keeping you from having to remember all your passwords on your own.

To maintain strong passwords, consider creating passwords that don't use easy-to-find information such as birthdays or your children's names. When creating a password, make sure it's long and complex. 

Additionally, install two-factor authentication on your devices if possible, seeing as it's a widely used secure method of protecting accounts. 

Consider Managed IT Services

How to Prevent Ransomware Attacks

If you are a business, you might not have the time to institute all these changes, especially if you only have an in-house IT manager or another employee managing your cyber security.

Managed IT services can help put all of the above suggestions and more into action. They layer your cyber security infrastructure with the latest security software and hardware, and then employ a team of IT experts to address any threats or issues that pop up.

A managed services provider can use dark web scans and network scanning tools to address existing security gaps. To take the burden of updating software off of you, a managed services provider can update all cyber security software for you and install necessary security patches.

Additionally, they can conduct phishing tests to find employees who fall for phishing traps, and then educate those employees on how to recognize and avoid phishing attacks.

To take phishing prevention a step further, a managed services provider can enable email filtering services to stop phishing emails in their tracks. 

Managed IT services can help you create a password policy and role-based security that works for your business too. In the event that a ransomware attack happens or your network goes down, they can reduce downtime by quickly recovering data due to their use of frequent and secure backups.

Don't wait until you're the victim of a ransomware attack to improve your cyber security. 

RELATED: How to Prevent Ransomware Attacks [8 Quick Tips]

Get Your Questions Answered Now

Posted by Erica Kastner


cyber security best practices, cybersecurity, small business cyber security solutions, ransomware and phishing