How to handle a ransomware attack in eight steps

When a strange message appears on your screen demanding you pay up or lose your data, what should you do?

Should you pay the ransom and hope the criminal returns your data, or should you take a different route?

Experts in cyber security warn that paying a ransom is not only unsafe – you have no guarantee that the attacker will return your data and leave you alone – but it encourages cyber criminals to continue doing it. So if you don’t want to pay the ransom but you do want your data, what else can you do?

You can follow these eight steps:

1. Be ready for an attack by automating your data backup

If your data is backed up at the point of a ransomware attack, then you can restore your backed up files and ditch the infected ones.

And if your backup routine is 1) automatic, 2) stores incremental versions of your data and 3) is scheduled daily, then you’ll never lose more data than what was generated since your last backup.

2. Make sure the attack is in fact ransomware

Sometimes an attack is malware pretending to be ransomware. If your staff know how to identify ransomware and who to alert, they’ll be able to stop it from spreading to other devices and kick-start the recovery process. Teaching your employees about ransomware is a valuable aspect of business continuity.

3. Disconnect the affected device/s from the Internet

Once you’re sure it’s a ransomware attack, take the affected computer offline and disconnect it from your network.

4. Tell your staff

Alert everyone to the attack as soon as possible, and let them know how you’re going to handle it. This is where having a disaster recovery plan in place pays off because the steps to follow are then laid out for you and recovery will be seamless using your restored backup files. 

Much of the groundwork can be laid in advance if you have a cyber security plan.

5. Identify the kind of ransomware attack

You need to work out what kind of ransomware you’ve been hit with so you know how to handle it. The online tool ID Ransomware will help you identify the ransomware by asking you to upload the ransom note and an encrypted file. It will then tell you if it’s screen-locking ransomware or encrypting ransomware.

This free service is useful for pointing you in the right direction, and telling you if there’s a known way of decrypting your files. If there’s no “known way” to decrypt the files, you’ll have to rely on your backups to restore your data.

6. Remove the ransomware

If the ransomware code has been cracked, you’ll be able to find a decrypter for it online. If there’s no decrypter, you’ll have to restore the affected devices to factory settings. In doing this, you’ll lose everything on your devices, but within a few hours you’ll be able to regain access to all the business critical files and folders you’ve (hopefully) been backing up.

NOTE: Determining which of your backups hasn’t been affected by ransomware can sometimes be a time-consuming process. It all depends on how far back your backups have been infected with ransomware. You’ll have to inspect your various backup sets (ransomware often renames your files) before determining which backup is “clean”.

Once you’ve worked out which backup set is clean, wipe your device and do a clean re-install of your operating system and applications – and only then restore the relevant backup. While you may view this as a lengthy process, it’ll be well worth it to prevent further attacks.
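One way to shortlist the clean backup set described in the note above, shown as an added example that is not part of the original article. It assumes each backup set is a dated folder of files; the folder names, the `.locked` suffix, the 5% threshold and the sample data built by `build_demo` are all constructed for illustration.

```python
from __future__ import annotations
import math
import os
from collections import Counter
from pathlib import Path

# Formats that are legitimately near-random, so entropy alone proves nothing for them.
COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def files_in(snapshot: Path) -> set[str]:
    return {p.relative_to(snapshot).as_posix() for p in snapshot.rglob("*") if p.is_file()}

def suspicious_files(snapshot: Path, known_good: set[str]) -> list[str]:
    """Files that gained an extra suffix since the last clean set, or read as random bytes."""
    hits = []
    for rel in sorted(files_in(snapshot)):
        renamed = rel not in known_good and Path(rel).with_suffix("").as_posix() in known_good
        with (snapshot / rel).open("rb") as fh:
            sample = fh.read(65536)  # the first 64 KiB is enough to judge randomness
        random_like = (len(sample) >= 1024 and entropy(sample) > 7.5
                       and Path(rel).suffix.lower() not in COMPRESSED)
        if renamed or random_like:
            hits.append(rel)
    return hits

def newest_clean(snapshots: list[Path], max_ratio: float = 0.05) -> Path | None:
    """Walk backup sets oldest to newest; return the newest one that still looks clean."""
    clean, known_good = None, set()
    for snap in snapshots:
        names = files_in(snap)
        if names and len(suspicious_files(snap, known_good)) / len(names) <= max_ratio:
            clean, known_good = snap, names
    return clean

def build_demo(root: Path) -> list[Path]:
    """Constructed sample: two clean daily sets, then one taken after encryption."""
    docs = {"report.docx": b"quarterly figures\n" * 200, "ledger.csv": b"id,amount\n1,100\n" * 200,
            "photo.jpg": os.urandom(4096)}
    sets = {"2024-01-01": docs, "2024-01-02": docs,
            "2024-01-03": {name + ".locked": os.urandom(4096) for name in docs}}
    for day, files in sets.items():
        (root / day).mkdir()
        for name, data in files.items():
            (root / day / name).write_bytes(data)
    return [root / day for day in sorted(sets)]
```

Treat the result as a shortlist only: open a few files from the chosen set by hand before you wipe and restore.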

7. Install an effective EDR (endpoint detection and response) solution

Cybersecurity solutions in the EDR category offer a vastly higher level of protection than traditional antivirus technology.

8. Make sure ALL the devices in your network have the latest security patches

Just a single unpatched computer in your network will render the entire environment insecure and an easy target for cyber criminals. It’s essential that all the devices in your network are updated with the most current operating system security patches.

You can test how resilient your business is by taking a cyber security trial.
