What to do after ransomware attack?

10 Things You Should Do After a Ransomware Attack : Step by Step Guide 2023


1. Stay Calm and Think Rationally

Feeling anger or fear as your initial response is completely normal. You’re angry because somebody is trying to extort your company, while fear might stem from the hackers’ threats to expose private or potentially embarrassing information if payment isn’t made. However, it’s essential that you stay calm. You don’t want to do something irrational that could have negative long-term consequences for you or your device.


2. Take a Photo of the Ransomware Message

Remember that ransomware is a crime. In fact, hackers who distribute ransomware and extort less than $1,000 from their victims can still be charged with a felony. Before reporting an attack, it’s a good idea to take a picture of the ransomware message displayed on your device. You can do this with a smartphone, camera, or via screenshot, if possible.


3. Isolate the Infected Systems

The first step is to contain the attack. Disconnect affected systems from the network to prevent further spread of the ransomware. This isolation is essential to protect other connected devices and limit the scope of the attack.


4. Notify the Relevant Authorities

Reporting the attack to the appropriate authorities is a legal and ethical obligation. Contact your local law enforcement agency or a dedicated cybersecurity reporting hotline. This step can help in tracking down the perpetrators and gathering evidence for potential legal action. Did you know that as per NIS2 directive, affected organisations must report the incident to the designated authority within 24 hours of becoming aware of the incident, followed by a final report within one month?


5. Engage Your Incident Response Team

Activate your incident response team immediately. This team should include IT professionals, cybersecurity experts, legal advisors, and communication specialists. Their combined expertise will be vital in orchestrating an effective response.
Don’t have any incident response plan? Here is a guide for OT incident response plan.


6. Assess the Extent of the Damage

Conduct a thorough assessment to determine the extent of the damage caused by the ransomware. Identify compromised systems, affected data, and potential vulnerabilities that were exploited. This information will guide the recovery process.


7. Identify the Ransomware Variant

Understanding the specific ransomware variant is crucial for formulating an effective recovery strategy. Different strains may require different decryption methods or mitigation techniques. Analyze any ransom notes or communication from the attackers to gather intelligence.


8. Restore from Backups

If you have up-to-date backups, restoring systems and data from a clean backup is often the most efficient way to recover. Ensure that the backups are free from any infection before proceeding with the restoration process.


9. Engage a Cybersecurity Forensics Expert

Hiring a cybersecurity forensics expert can provide valuable insights into the attack’s origin, methods, and potential weaknesses in your security infrastructure. This information can be used to bolster your defenses and prevent future incidents.


10. Patch and Update Systems

After the attack, it’s crucial to address any vulnerabilities that were exploited. Apply security patches and updates to all software, operating systems, and network infrastructure to prevent similar incidents in the future.


If you need to recover from a ransomware attack, you can contact us for expert advise and response team.