Ransomware is malicious software that is designed to prevent access to your systems or data until you have paid the attackers a ransom.  Ransomware typically spreads via email, infected websites, or remote access that is not properly secured.

If you are compromised by ransomware, what do you do?

  1. Do not panic. Ransomware can be very intimidating, especially if it brings business to a halt.  You need to stay calm so that you can think clearly about your options.
  2. Take a picture of any ransom note or encrypted files.  You can use this to try to determine what kind of ransomware you have been infected with.  A tool such as ID Ransomware (https://id-ransomware.malwarehunterteam.com/) can assist you in determining what strain it is.  It may also tell you if there are any published decryption tools available.
  3. Do not reboot or turn off the infected machines.  Instead, disconnect them from the network to prevent the infection from spreading.  It is possible that the ransomware has not encrypted files that are in use as well as important system files.  If you reboot, there is no way to know if the server or workstation will be able to boot up again or if the encrypted files will be altered in a way that prevents them from being decrypted.
  4. Report it to your local police cybercrime department and FBI cybercrime.  Ransomware is treated very seriously, even if you are a small company; the police and FBI have highly trained technical resources around malware and can help you.  On some occasions they already have decryption tools to reverse the malware.  These tools are only available because law enforcement has made arrests in the past and has obtained the encryption keys to a few strains of ransomware.  Reporting it to law enforcement aids in bringing the criminals to justice.
  5. If there isn’t a published decryption tool, determine if you want to restore from backup or pay the ransom.  The best-case scenario is that you are taking regular backups and testing them to make sure that they restore successfully.  If this is the case, your best bet is to restore from backups.