What to do after a ransomware attack

It started as a normal day at work. You send a few emails, drink some coffee, and attend a few meetings. But then things take a turn for the worse. Your flustered finance colleague tells you they aren’t able to access your customer database and a strange message is displaying on the screen. It’s happened. You’ve been ransomware attacked.

But what do you do next? There’s plenty of information out there on how to prevent ransomware attacks from happening, but less on what to do if the worst does happen. So, here are our top tips for what to do next.

1. Take a deep breath and assess the damage 

This might sound obvious or slightly patronising, but it can be very difficult to stay cool and collected in the event of a breach. Many victims rush into paying the ransom straight away, giving them no wiggle room for negotiations with the attacker. 

So, first things first, take a moment to collect yourself, the hard work starts here. Once you’re ready, start assessing the damage. Has an attack definitely happened? Do you know which systems or files have been compromised? How far have the hackers got? These are all questions you’ll need to know the answer to.

Your next course of action will likely go in one of two directions. If your organisation has an incident response plan, follow that. If it doesn’t, don’t worry, you can follow the next steps on this list. 

2. Collect evidence 

This step shouldn’t take more than a few seconds, but it’s very important. You should immediately take a photo of the ransomware note. It doesn’t matter how you do it, a screenshot or a photo on your smartphone will work, but the key thing is to document the breach. This will help you in contacting your insurers and filing a police report.

3. Isolate the breach

Once it’s in, ransomware is designed to spread like wildfire across a network. To stop it from infecting every system in your business, you need to isolate the breach. 

That might sound complicated or techy, but it’s actually very simple. The easiest thing to do is disconnect the infected system(s) from your network so the ransomware can’t spread anywhere else. Doing this can stop a relatively minor breach from becoming business-threatening. 

4. Disconnect backups 

We’ve written at length on the importance of data backups before. And a successful ransomware attack is where they really come into their own. In the best-case scenario, it could save you from having to pay a ransom at all.

Unfortunately, cybercriminals know this. So most modern ransomware strains are coded to go after any backups you have. This means it’s important to secure your backups by disconnecting them from the rest of your network. And to be extra safe, we recommend locking down access to your backups until the infection has passed. 

5. Notify insurers and your IT provider

This step will be different for everyone, depending on whether you have cyber insurance or outsource any element of your IT to a third party. However, if you do have either, now’s the time to report the breach. You’ve completed the vital first steps to contain the threat and it’s time to bring in some help.

Your insurer needs to know for obvious reasons but both should be able to help you with the next steps. Many insurers are happy to put you in touch with experts and your IT provider should also be able to lend a hand.

At this point, it’s also worth notifying law enforcement and the ICO. Your insurers may require a police report to proceed and it can also help save other organisations from the same fate.

6. Identify the strain of ransomware

Unless you’re extremely unlucky, it’s unlikely your business is the first to be hit with whatever strain it’s been infected with. And this means it should be fairly easy to identify.

Free services like ID Ransomware allow you to upload a sample of your encrypted file(s), the ransom note, and the hacker’s contact info. They’ll then analyse this information and identify who or what has attacked you.

This is important for two reasons. First, who you’re dealing with will help inform your decision on whether to pay. Second, knowing what you’re dealing with is vital when you come to attempt to decrypt your files.

7. Try decrypting your files

Once you know the type of ransomware you’ve been infected with, it’s time to have a go at decrypting your files. This might be easier with the help of a cyber expert, but it’s not too difficult to do yourself. 

There are plenty of decryption tools available online. No More Ransom has a great selection of tools to decrypt most types of ransomware. All you need to do is find the strain you’ve been hit with from the list, download it and follow the installation process. The site is updated regularly, so even if you have been struck by a newer form of ransomware there should be something to help. 

Of course, this won’t always work. Ransomware is ever-evolving, with the bad guys constantly adding extra features. But it’s always worth a try.  

8. Reset passwords

You might have already done this step earlier on in the process. If so, give yourself a hearty pat on the back. If not, it’s time to reset all your business’s passwords. This is something you should be doing regularly anyway, but it can stop hackers from gaining access to other non-infected systems and attacking those too.

And, once the infection is completely removed, don’t forget to change them again.

9. Decide whether to pay or not 

Finally, we come to the trickiest part. Should you pay the ransom?

Sadly, there’s no absolute answer either way. Whether or not you decide to pay is completely conditional depending on the scenario you find yourself in. If you’ve managed to decrypt your files and the data the hackers have isn’t sensitive, you probably don’t need to pay.

Likewise, your insurer may instruct you not to pay. Cyber insurers are currently split upon ransomware best practices after years of near unanimity.

In other cases, paying might be the best option. For example, when the hackers have access to sensitive customer or financial data.

10. One last thing…

You may have noticed we haven’t mentioned communications to partners or customers. We’ve left this until last because, like paying the ransom, the decision is situation based.

If customer data has been stolen, then you need to inform clients and partners so they can secure their accounts. However, if the breach has only affected internal data, you may not need to communicate that to clients. 

Like the incident response plan we mentioned earlier, it’s well worth having an emergency communications plan ready to go in case you do get attacked.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.

State of SME cybersecurity