Dealing with a ransomware attack

Written By: Tim Black

Date Published: 30 August, 2022 11:57:58 AM GMT-04:00

Dealing with a ransomware attack

A ransomware attack is one of the biggest threats facing online users. In this article, we explore what happens during a ransomware attack, and the steps you need to take to secure your organization in the aftermath.

How to deal with a ransomware attack

Ransomware attacks are a huge threat to organizations because 90% impact their ability to operate, and on average it takes a month to recover from the attack. They’re highly disruptive to business, and it’s a threat vector on the rise. By 2031 it’s expected that businesses will fall victim to a ransomware attack every other second (up from every 11 seconds in 2021).

What is a ransomware attack?

Ransomware is a type of malware that encrypts an organization’s data so it can no longer be accessed. A ransom is demanded – the average is $570,000 – and upon payment, the decryption keys should be issued so the organization regains access.

While no specific vertical sector is safe from the effects of ransomware, a bad actor will typically choose to target an organization based on two factors:

Opportunity: for example, if the business has a small security team, lacks IT resources, or is a data-rich organization.

Potential financial gain: businesses that require immediate access to their files and are more likely to pay a ransom quickly – such as lawyers or government agencies.

Bad actors can gain access to organizational data via various tactics, including:

Phishing: using social engineering techniques to trick users into doing something, such as clicking a malicious link in an email.

Remote access: scanning the internet for open ports, such as remote desktop protocol, and capturing valid credentials to authenticate by the remote access solution.

Privileged account compromise: taking advantage of admin accounts to access more systems and sensitive data.

Known software or application vulnerabilities: exploiting known vulnerabilities where patches were available to fix the issue but not applied.

Before encrypting the data, a bad actor may choose to take copies and threaten to leak them if the ransom is not paid in a timely manner. This is known as ‘double extortion’. Once encryption begins, it’s a fast process - the median ransomware variant can encrypt nearly 100,000 files totaling 54.93 GB in just 42 minutes and 52 seconds – which is why speed is of the essence when it comes to taking action following an attack.

What to do in the event of a ransomware attack

As soon as you know you have been hit by a ransomware attack – usually because a big notification will flash up on the screen – it’s essential to isolate the infected device. Remove network and data cables, USBs and dongles, and disable WiFi and Bluetooth to stop the device from making any connection that could cause the threat to spread.

In these initial moments, adrenaline is likely to kick in, alongside feelings of shock, anger, and fear. It’s important not to panic and remain calm while assessing the situation. One way to achieve this is through ransomware simulations where the business practices how it would react following an attack, so that individuals are familiar with the steps to contain the breach in a calm and timely manner:

Notify the business/contacts

It’s important that all communications are orchestrated by a central point within the organization to prevent any misinformation or confusion. This should include a directive to not speak to anyone in the media or publish anything on social media. PR announcements need to be carefully prepared to avoid unsettling shareholders, stakeholders, and the wider market.

Once an attack is known, everyone in the business must be alerted to the threat. If anyone suspects their device is infected, they must take steps to isolate it from the network immediately. Best practice also says that users should reset all their credentials – especially for privileged accounts – to prevent the bad actor from harvesting valuable data that could be used to launch further attacks.

Identify the type of ransomware

Using the malware scanning tool on the device, or through the organization's Security Operations Centre, run a malware scan to help identify what ransomware was used, as this will help determine the remediation actions that need to be taken.

Additionally, make notes about the attack including the date, time, file details, first signs of ransomware, affected devices, what you were doing immediately before the attack, and when your device was connected. Also, take photos and record suspicious programs, files, and pop-ups.

All this information then feeds into the ransomware identification tool to help determine what the business was hit with, and the remediation actions you need to take now.

Paying the ransom

Cyber security professionals and federal agencies agree: do not pay the ransom.

Research indicates that only 3 in 5 organizations regained access to data/systems, so there’s no guarantee that you will get access to your data or computer. Also, even if you do get your data back, there’s no guarantee it’s safe - 18% of ransomware victims who paid the demand still had their sensitive data exposed by bad actors on the dark web.

Remove the ransomware from your devices

Unfortunately, removing ransomware from devices isn’t as simple as clicking ‘delete’. In many cases, it requires a complete factory reset, which is irreversible and runs the risk of data loss. Therefore, it’s always best to seek the support of a professional who can use appropriate decryption tools and safely restore you back to business-as-usual.

Recovering data from backups

Maintaining an up-to-date backup is the most effective way of recovering from a ransomware attack. A best practice is to follow the ‘3-2-1 rule’ – 3 copies of the data, stored in 2 different locations, of which 1 is offline.

When it comes to restoring data, scan your data for malware first, and ensure backups are only connected to known clean devices to prevent re-infection.

Report the attack

Once your business is back online you should report the ransomware attack to the relevant authorities – for example, the CISA in the US or the NCSC in the UK. This intelligence is invaluable to helping agencies track how ransomware attacks are developing to stop the cybercriminals, assist with remediation tools, and prevent the spread further.

Protect yourself from future ransomware attacks

End-user behavior can be one of the best threat deterrents at your disposal when it comes to tackling the threat of ransomware. Provide training on the basics and continuously reinforce their importance to ensure these behaviours are followed:

  • Updating your device and turning on automatic updates.
  • Enabling multi-factor authentication.
  • Performing regular backups.
  • Controlling who can access what on your devices.
  • Turning on ransomware protection.

Contact Ontrack for Ransomware Recovery

Every ransomware attack is unique and varies in complexity, but data recovery is possible. At Ontrack, we have developed a specialized collection of proprietary tools to recover data - we currently have encryption abilities on 138 types of ransomware and continuously track 271 different variants.

With labs located around the world, our specialists are available 24/7 to provide help and support in the event of a worst-case scenario.

Read our definitive Ransomware guide

Read why 600k+ people and businesses have trusted Ontrack to recover their data


Ransomware Recovery


KLDiscovery Ontrack Pte Ltd, 148 Electric Road 12/F, Unit 1203A, North Point, Hong Kong (see all locations)