It’s the news no organization wants to hear―you’ve been the victim of a ransomware attack, and now you’re wondering what to do next. 

The first thing to keep in mind is you’re not alone. Over 17 percent of all cyberattacks involve ransomware—a type of malware that keeps a victim’s data or device locked unless the victim pays the hacker a ransom. Of the 1,350 organizations surveyed in a recent study, 78 percent suffered a successful ransomware attack (link resides outside ibm.com).

Ransomware attacks use several methods, or vectors, to infect networks or devices, including tricking individuals into clicking malicious links using phishing emails and exploiting vulnerabilities in software and operating systems, such as remote access. Cybercriminals typically request ransom payments in Bitcoin and other hard-to-trace cryptocurrencies, providing victims with decryption keys on payment to unlock their devices.

The good news is that in the event of a ransomware attack, there are basic steps any organization can follow to help contain the attack, protect sensitive information, and ensure business continuity by minimizing downtime.

Initial response

Isolate affected systems 

Because the most common ransomware variants scan networks for vulnerabilities to propagate laterally, it’s critical that affected systems are isolated as quickly as possible. Disconnect ethernet and disable WiFi, Bluetooth and any other network capabilities for any infected or potentially infected device.

Two other steps to consider: 

• Turning off maintenance tasks. Immediately disable automatic tasks—e.g., deleting temporary files or rotating logs—affected systems. These tasks might interfere with files and hamper ransomware investigation and recovery. 
• Disconnecting backups. Because many new types of ransomware target backups to make recovery harder, keep data backups offline. Limit access to backup systems until you’ve removed the infection.

Photograph the ransom note

Before moving forward with anything else, take a photo of the ransom note—ideally by photographing the screen of the affected device with a separate device like a smartphone or camera. The photo will expedite the recovery process and help when filing a police report or a possible claim with your insurance company.

Notify the security team

Once you’ve disconnected the affected systems, notify your IT security team of the attack. In most cases, IT security professionals can advise on the next steps and activate your organization’s incident response plan, meaning your organization’s processes and technologies for detecting and responding to cyberattacks.

Don’t restart affected devices

When dealing with ransomware, avoid restarting infected devices. Hackers know this might be your first instinct, and some types of ransomware notice restart attempts and cause additional harm, like damaging Windows or deleting encrypted files. Rebooting can also make it harder to investigate ransomware attacks—valuable clues are stored in the computer’s memory, which gets wiped during a restart. 

Instead, put the affected systems into hibernation. This will save all data in memory to a reference file on the device’s hard drive, preserving it for future analysis.

Eradication 

Now that you’ve isolated affected devices, you’re likely eager to unlock your devices and recover your data. While eradicating ransomware infections can be complicated to manage, particularly the more advanced strains, the following steps can start you on the path to recovery. 

Determine the attack variant

Several free tools can help identify the type of ransomware infecting your devices. Knowing the specific strain can help you understand several key factors, including how it spreads, what files it locks, and how you might remove it. Just upload a sample of the encrypted file and, if you have them, a ransom note and the attacker’s contact information. 

The two most common types of ransomware are screen lockers and encryptors. Screen lockers lock your system but keep your files safe until you pay, whereas encryptors are more challenging to address since they find and encrypt all your sensitive data and only decrypt it after you make the ransom payment. 

Search for decryption tools

Once you’ve identified the ransomware strain, consider looking for decryption tools. There are also free tools to help with this step, including sites like No More Ransom. Simply plug in the name of the ransomware strain and search for the matching decryption. 

Download the Definitive Guide to Ransomware

Recovery 

If you’ve been lucky enough to remove the ransomware infection, it’s time to start the recovery process.

Start by updating your system passwords, then recover your data from backups. You should always aim to have three copies of your data in two different formats, with one copy stored offsite. This approach, known as the 3-2-1 rule, allows you to restore your data swiftly and avoid ransom payments. 

Following the attack, you should also consider conducting a security audit and updating all systems. Keeping systems up to date helps prevent hackers from exploiting vulnerabilities found in older software, and regular patching keeps your machines current, stable, and resistant to malware threats. You may also want to refine your incident response plan with any lessons learned and make sure you’ve communicated the incident sufficiently to all necessary stakeholders. 

Notifying authorities 

Because ransomware is extortion and a crime, you should always report ransomware attacks to law enforcement officials or the FBI. 

The authorities might be able to help decrypt your files if your recovery efforts don’t work. But even if they can’t save your data, it’s critical for them to catalog cybercriminal activity and, hopefully, help others avoid similar fates. 

Some victims of ransomware attacks may also be legally required to report ransomware infections. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.

Deciding whether to pay 

Deciding whether to make a ransom payment is a complex decision. Most experts suggest you should only consider paying if you’ve tried all other options and the data loss would be significantly more harmful than the payment.

Regardless of your decision, you should always consult with law enforcement officials and cybersecurity professionals before moving forward.

Paying a ransom doesn’t guarantee you’ll regain access to your data or that the attackers will keep their promises—victims often pay the ransom, only to never receive the decryption key. Moreover, paying ransoms perpetuates cybercriminal activity and can further fund cybercrimes.

Preventing future ransomware attacks

Email security tools and anti-malware and antivirus software are critical first lines of defense against ransomware attacks.

Organizations also rely on advanced endpoint security tools like firewalls, VPNs, and multi-factor authentication as part of a broader data protection strategy to defend against data breaches.

However, no cybersecurity system is complete without state-of-the-art threat detection and incident response capabilities to catch cybercriminals in real time and mitigate the impact of successful cyberattacks.

IBM Security® QRadar® SIEM applies machine learning and user behavior analytics (UBA) to network traffic alongside traditional logs for smarter threat detection and faster remediation. In a recent Forrester study, QRadar SIEM helped security analysts save more than 14,000 hours over three years by identifying false positives, reducing time spent investigating incidents by 90%, and reducing their risk of experiencing a serious security breach by 60%.* With QRadar SIEM, resource-strained security teams have the visibility and analytics they need to detect threats rapidly and take immediate, informed action to minimize the effects of an attack.

*The Total Economic ImpactTM of IBM Security QRadar SIEM is a commissioned study conducted by Forrester Consulting on behalf of IBM, April, 2023. Based on projected results of a composite organization modeled from 4 interviewed IBM customers. Actual results will vary based on client configurations and conditions and, therefore, generally expected results cannot be provided.