What to do in case of a ransomware attack

A ransomware attack is one of the biggest threats digital users face. In this article we look at what happens during a ransomware attack, as well as what steps you can take to protect your business immediately after being hit.

How to deal with a ransomware attack

Ransomware cyber attacks pose a huge threat to any organization or business. In fact, in 90% of cases companies report having suffered a negative impact after a ransomware attack and that on average it takes a month to recover. It is clear that ransomware is very dangerous for any business.

Furthermore, they are also a growing vector of cyber threats: by 2031, companies are expected to experience a ransomware attack every two seconds (up from 11 seconds in 2021).

What is a ransomware attack?

Ransomware is a type of malware that encrypts a user or company’s data so that it can no longer be accessed . A ransom ( average $570,000 ) is typically demanded to regain access to the data , and upon payment, decryption keys are released to allow the data to be viewed again.

An attacker typically chooses to target a company based on two factors :


For example, if the company has a small security team, lacks adequate IT resources, or is a data-intensive/data-intensive organization.

Potential Financial Gain

Companies that need immediate access to their files and are more likely to pay a ransom quickly, such as lawyers or government agencies.

Bad actors can access your organization’s data through various tactics , including:

Phishing: Using social engineering techniques to trick users into taking an action, such as clicking a malicious link in an email.

Remote access: Involves scanning the Internet for open ports, such as the remote desktop protocol, and acquiring valid authentication credentials remotely.

Privileged account compromise: Uses administrator accounts to access multiple systems and sensitive data.

Known software or application vulnerabilities: Exploiting known vulnerabilities for which patches were available to address the issue, but were not applied.

Before encrypting the data, hackers may also choose to make copies and threaten to disclose them if the ransom is not paid within the deadline. This is the so-called “double extortion”.

Once ransomware begins encryption, the infection process is rapid : on average, ransomware can encrypt nearly 100,000 files totaling 54.93 GB in just 42 minutes and 52 seconds . This is why speed of action is essential when it comes to acting following an attack.

What to do in case of a ransomware attack

As soon as you realize you are the victim of a ransomware attack – usually a notification appears on the screen – it is essential to isolate the infected device . Remove network cables, USB ports and dongles, disable WiFi and Bluetooth to prevent the device from making connections that could cause the threat to spread.

In the initial moments, it is important not to panic and remain calm while assessing the situation, despite the tension and pressure. To achieve this objective, ransomware attack simulations can be carried out , with which the company can practice reacting to a threat, so that employees are familiar with the steps to contain the attack in an effective and timely manner.

Below are some tips and best practices to follow to manage a ransomware attack .

Communication management

It is important that all communications are centrally orchestrated within the organization to avoid communicating misinformation or creating confusion. It may be useful to include a directive in your communications plan not to leak information to the press and not to post anything on social media. Press releases must be carefully prepared to avoid upsetting shareholders, stakeholders and the market in general.

Once the attack is identified, all company employees must be notified of the threat. If someone suspects that their device is infected, they must take steps to isolate it from the network immediately. Best practices also say that users should reset all their credentials, especially for administrator accounts, to prevent cybercriminals from collecting valuable data, which could also be used to launch further attacks.

Identifying the type of ransomware

Using your device’s malware scanning tool or your company’s Security Operations Center , run a malware scan to identify the type of ransomware used to launch the attack, so you can determine the appropriate countermeasures to take.

Additionally, it is useful to write down various information related to the attack, including: the date, time, file details, early signs of the ransomware attack, affected devices, what you were doing immediately before. Furthermore, you might also take photos of suspicious programs, files, and pop-ups.

All this information will be used in the ransomware identification tool to determine the type of attack the company has suffered and the remediation measures to be taken.

Ransom payment

Cybersecurity professionals and federal agencies agree: Don’t pay the ransom .

Research indicates that only 3 out of 5 organizations have regained access to their data/systems , so there is no guarantee that you will gain access to your data or computer even after paying the ransom. Furthermore, even if the data is recovered, there is no guarantee that it is safe: 18% of ransomware victims who paid the demand still had their sensitive data published by attackers on the dark web.

Removing ransomware from devices

Unfortunately, removing ransomware from infected devices isn’t as simple as clicking a “delete” button. In many cases, you need to perform a full factory reset, which is irreversible and carries the risk of data loss. Therefore, it is always better to contact a professional capable of using the appropriate decryption tools and safely restoring the device’s operation.

Recovering data from backups

Having an up-to-date backup is the most effective way to restore data after a ransomware attack. The best practice is to follow the ” 3-2-1 rule “: 3 copies of the data, stored in 2 different places, 1 of which is offline.

When restoring data, it is a good idea to first scan the data for malware and ensure that backups only come from safe devices to avoid re-infection.

Reporting the attack

Once your business is back online, you need to report the ransomware attack to the relevant authorities , such as the Postal Police in Italy, the CISA in the US or the NCSC in the UK. This information is invaluable in helping agencies track the evolution of ransomware attacks and stop cybercriminals, provide assistance and prevent further spread.

Also, Read:

Protect yourself from future ransomware attacks

End-user behavior can be one of the best deterrents available when dealing with a ransomware threat. Train employees, provide them with basic knowledge and continually emphasize the importance of training to ensure the following behaviors are applied:

  • update your device and enable automatic updates
  • enable multi-factor authentication
  • perform regular backups
  • Control who can access what on your devices
  • enable protection against ransomware

Contact Ontrack for ransomware compromised data recovery

Each ransomware attack is unique and varies in complexity, although it is always possible to evaluate data recovery success for each specific case. At Ontrack we have developed a proprietary data recovery toolset: we currently have encryption capabilities for 138 types of ransomware and are constantly monitoring 271 different variants.

We have laboratories located around the world and our specialists are available 24/7 to provide help and support in case of any data loss scenario.

Mehran Khan

Mehran Khan is a tech enthusiast who also has a great passion in writing. During his 8 years of career, he has covered news, features, and evergreen content on multiple platforms. Apart from keeping a close eye on emerging tech developments, he likes wasting time at the gym.