What to Do When Your Business Is Hit with Ransomware

Don’t panic. Deliberate action is fast action: with the clock ticking, you need to move precisely to limit the damage. Here are the steps to take when you are first hit with ransomware.

  1. Take the infected computers and servers off the network.
    • Leave the machines powered on, but don’t let the infection spread to other computers or file-sharing services. Temporarily locking network sharing and checking file servers to see how far the damage has spread is priority number one. Search for newly encrypted files with out-of-the-ordinary extensions such as .cry, .zepto, or .locky.

  2. Find patient zero or the first person hit with the attack.
    • Ransomware can lock down a computer in minutes and start spreading quickly. If you can quickly determine the source and pull that person offline, you can limit the damage.

  3. Don’t immediately pay the ransom.
    • While we realize it is tempting to pay the amount requested and get back to business, we, like most others, don’t recommend paying the ransom. Whatever you decide, we wouldn’t encourage engaging with the criminals on your own.

  4. Take a picture of the screen or ransom note.
    • If you don’t immediately see a lock screen, look in the affected folders for a new .txt or .html file with a name containing something like “decrypt” or “instructions.” You’ll need this later when you file a police report.

  5. Determine the kind of ransomware.
    • You’ll need to know whether you are dealing with encrypting, screen-locking, or something pretending to be ransomware. There is usually a screen that makes it seem like you can’t access anything, but it is worth trying to access your files on your computer and the network. 

  6. Find out what is locked.
    • Is your data stored offsite and accessible? Are your applications working? Determine whether your backups are available. If you can reach your business applications and data through network backups, you can feel good about the decision not to negotiate.

  7. Clean the machine with antivirus or anti-malware software to remove the ransomware.
    • Once you’ve taken this step, there is no going back and deciding to negotiate with the criminals for the release of your data. It does allow you to move on and start working on getting things back. 

  8. Identify the specific ransomware strain.
    • There are a few online sites that will help you with this effort. Crypto Sheriff and ID Ransomware are two popular sites that let you upload encrypted files and use them to figure out the exact version of the ransomware that hit you.

  9. Look for a decryption tool.
    • Sometimes the ransomware is poorly coded, and someone has already cracked it and released a decryptor tool. No More Ransom is one site to check.

  10. Explore forensics and data recovery companies.
    • It is worth taking a little time to talk with these experts to see if they’ve encountered this ransomware and how they’ve handled it.

  11. Don’t negotiate on your own.
    • If everything fails and you’ve decided to pay the ransom, we recommend working with experts to negotiate. It isn’t a good idea for business leaders to start engaging with the criminals on their own.

  12. Don’t assume paying the ransom is the end of the situation.
    • You need to be sure your files are clean, and the criminal doesn’t have a backdoor into the system. It would be terrible to relive the experience in three months when the felon decides to slip in and repeat the process. 
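
Steps 1, 2, and 4 above all come down to one question: which files on a share have been touched, where did it start, and where are the ransom notes? The following scanner is an added example, not code from the original post or from BlackPoint IT. It walks a directory tree, counts files carrying the extensions the post names (.cry, .zepto, .locky), flags TXT/HTML files whose names mention decrypt or instructions, and reports the earliest-modified encrypted file, which is a useful first pointer toward patient zero. The extra note keywords “readme” and “recover”, the file names, and the timestamps in the sample tree are assumptions constructed for the example; it is read-only and never moves or deletes anything.

```python
"""
Added ransomware triage scanner (not from the original post).
Read-only: reports suspicious files and the oldest encrypted one,
but never modifies the tree it scans.
"""
import os
import tempfile
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Extensions named in the post; extend this set for your own environment.
SUSPICIOUS_EXTENSIONS = {".cry", ".zepto", ".locky"}

# Ransom notes are usually TXT/HTML files whose names mention decryption or
# instructions. "readme" and "recover" are assumptions added for breadth.
NOTE_EXTENSIONS = {".txt", ".html", ".htm"}
NOTE_KEYWORDS = ("decrypt", "instruction", "readme", "recover")


@dataclass
class TriageReport:
    encrypted_by_ext: Counter = field(default_factory=Counter)
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    # (mtime, path) of the oldest encrypted file seen, or None if none found
    earliest: Optional[Tuple[float, str]] = None


def is_ransom_note(filename: str) -> bool:
    """True if the file name looks like a dropped ransom note."""
    stem, ext = os.path.splitext(filename.lower())
    return ext in NOTE_EXTENSIONS and any(k in stem for k in NOTE_KEYWORDS)


def scan_tree(root: str) -> TriageReport:
    """Walk root and classify every regular file (symlinked dirs are not followed)."""
    report = TriageReport()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS:
                report.encrypted_by_ext[ext] += 1
                report.encrypted_files.append(path)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # file vanished or unreadable; keep scanning
                if report.earliest is None or mtime < report.earliest[0]:
                    report.earliest = (mtime, path)
            elif is_ransom_note(name):
                report.ransom_notes.append(path)
    return report


def build_sample_tree() -> str:
    """Construct a throwaway directory that mimics a partially encrypted share.
    Every name and timestamp here is made up for the example."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    now = time.time()
    # (relative path, seconds before now to use as its mtime)
    layout = [
        ("finance/q1.xlsx.locky", 600),          # oldest encrypted file
        ("finance/q2.xlsx.locky", 500),
        ("finance/DECRYPT_MY_FILES.txt", 550),   # ransom note
        ("hr/policy.docx.zepto", 300),
        ("hr/photo.jpg", 900),                   # untouched
        ("hr/notes.txt", 800),                   # ordinary text file, not a note
        ("_HELP_instructions.html", 250),        # ransom note
    ]
    for rel, age in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (now - age, now - age))
    return root


def summarize(report: TriageReport) -> str:
    """Human-readable summary for the incident log."""
    lines = [f"encrypted files: {sum(report.encrypted_by_ext.values())}"]
    for ext, n in sorted(report.encrypted_by_ext.items()):
        lines.append(f"  {ext}: {n}")
    lines.append(f"ransom notes: {len(report.ransom_notes)}")
    if report.earliest:
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(report.earliest[0]))
        lines.append(f"earliest encrypted file: {report.earliest[1]} ({when})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(scan_tree(build_sample_tree())))
```

Point `scan_tree` at a mounted share from a workstation that is already isolated; the earliest-modified entry tells you which folder to examine first, and the per-extension counts give the numbers you will want for the police report and for checking backups. Modification times can be altered by the malware itself, so treat the “earliest” result as a lead, not proof.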

Don’t assume that once you survive this attack, you are off the hook. If you don’t bolster your defenses, there is an equally good chance that you will be hit again. After the situation is resolved, you’ll want to begin working to boost your cyber security protections immediately. Our blog, How to be Cyber Secure in 2019, provides some important tips. Stay vigilant and be protected. When in doubt, we are here.

Contact BlackPoint IT