What to Do in a Ransomware Attack

Share This
“Ransomware urges us to go beyond reaction—proactive risk practices are absolutely essential against this threat” – Tab Bradshaw, Chief Operating Officer, Redpoint Cybersecurity

Getting a ransomware alert can be a frightening situation. Bad actors want you to feel intimidated, so these alerts are frightening by design. They’re also relying on a panic response to make you quickly pay without thought. Don’t fall for it. Instead, we’ll show you what to do in a ransomware attack.


How Ransomware Works

Ransomware actors usually hold your data hostage by encrypting it. The idea is that you will get a decryption key if you decide to pay the ransom. Encryption of your data is typically enacted by malware, which most frequently comes from phishing emails.

That’s the usual scenario, but different variations of ransomware exist. Another variation, called leakware or doxware, threatens to publicize sensitive data unless a ransom is paid.

Whatever the situation, being a victim of ransomware is a sticky spot to be in. The best way to react can be complex or sensitive depending on your specific circumstances. Keep in mind that this guide is general, and you may want to seek consultation for complex scenarios.


How to Spot a Ransomware Attack

Ransomware detection is usually easy, they want you to know they’re there. You will receive an alert as your ransom note once the attack has gone through.

However, before that happens, there may be some subtle signs that a bad actor is lingering in your system preparing to attack. Here’s a few possible ones.

Hunt the Hunter™ Before They Get a Chance to Target You

Sudden Slow Performance

A sharp, sudden decrease in network speed could indicate that malicious software is running in the background. However, make sure you’ve ruled out other possible reasons before you come to this conclusion.


Unusual File Activity

Sudden changes in the size of files, files that won’t open, or strange new file names could be signs that someone is in the process of encrypting your data. Check with your staff to see if someone on your team made these changes.


Unexpected System Reboots

If your system starts rebooting randomly, it could be a sign of a malware infection. These reboots could be attempts to install ransomware or disrupt normal system operations. If these random reboots happen consistently alongside other unusual activity, investigate immediately.


Unexpected Modifications to Your Security Settings

If your antivirus or firewall software is unexpectedly disabled or modified, someone might be preparing for an attack. Investigate why these modifications occurred and react accordingly.


Software Installing Itself Without Permission

Unrecognized software installing itself without permission is a huge red flag. Not only for ransomware, but for other kinds of malware infections as well.


What to Do During a Ransomware Attack

Law enforcement officials discourage people from paying in the event of a ransomware attack. This is because paying the criminals encourages the behavior and because only 65% of victims actually get their data back after they pay.

So, what should you do instead?


1. Isolate Infected Devices

To prevent the spread of ransomware within your network, disconnect infected devices as soon as you identify them.


2. Preserve Evidence

Take screenshots of ransom messages and keep a log of all actions taken. This evidence could be useful for future investigations.

Hear Redpoint’s own Violet Sullivan discuss cyber incident management and how ransomware has impacted cyber insurance over the past 5 years.


3. Report the Incident

Notify your local authorities about the attack. This will help you get the assistance you need, bring the perpetrators to justice, and may be a legal obligation. All 50 states have some form of data breach notification obligation, make sure you’re familiar with yours.


4. Get Professional Help

You don’t have to deal with this alone, nor should you. Seek cybersecurity professionals with ransomware mitigation experience. They can deal with bad guys while you focus on getting back on your feet.

5. Stay Calm

Like any emergency situation, it’s important to stay calm. While that may not be easy, it’s important to prevent yourself from making any rash decisions. Take solace knowing that there is help available and that the situation will be addressed.


Ransomware Recovery Steps

Post-ransomware removal, you’ll need to take a few steps so your affected systems can recover. Here are some steps you can take on your way to ransomware recovery.


Evaluate the Damage

Understand which parts of your system were affected and the scale of data loss. This will help you strategize your recovery process.


Restore Files From Backups

If you have been making regular backups of your data (as is strongly recommended), you can now restore your system to its state prior to the attack. Ensure that you are restoring your data to a clean system to prevent re-infection.


Analyze the Attack to Improve Your Defenses

Work with your IT team or cybersecurity partner to understand how the ransomware infected your systems and what can be done to prevent a similar incident in the future. Use this information to establish your prevention strategies.


Inform Your Stakeholders

If the ransomware attack led to a data breach involving customer or client information, you’ll need to inform the affected parties. This doesn’t mean you need to go public about the attack, but anyone who may have been affected has the right to know.


Seek Legal Advice if Necessary

If the attack resulted in significant damage or data loss, it might be worth seeking legal advice. You may have repercussions from your regulatory compliance agency if a missed requirement led to the attack. You may also choose to seek action against the perpetrator if possible.


Ransomware Prevention Strategies

Whether or not you’ve experienced an attack, prevention is your best friend. You can recover if it happens, but dealing with that situation isn’t pleasant. It’s a good idea to try your best to prevent it from occurring, here are some strategies on how you can do that (they’re also good cybersecurity practices in general).


More Data Protection Strategies You Should Know About


Regular Backups

If you’re not already doing so, start backing up your data on a separate storage device or cloud service. In the event of an attack, you’ll be able to quickly recover your data without paying ransom.


Software Updates

Regularly update your operating systems and all your software. Many ransomware attacks exploit known vulnerabilities in outdated software.


Access Controls

Limit who has access to your administrative accounts. If a user with administrative privileges gets infected, the ransomware has a higher chance of spreading throughout your system.


Phishing Protection

As mentioned, the majority of ransomware originates from a phishing email. Be wary of unusual emails, especially if they have downloadable attachments. You may also want to invest in email filters that stop these emails from hitting your corporate inboxes.



The more you know, the better you can protect yourself. This goes for your staff too. Regularly provide up-to-date cyber awareness training so hackers have less of a chance of exploiting you.


Fortify Your Ransomware Defenses

Cybercriminals are using increasingly sophisticated tactics every year. The tips in this article will help, but it’s a smart move to seek extra consultation in the face of this threat. Cybersecurity consultants keep up with new emerging tactics and can help tailor your recovery plan to your circumstances.

Redpoint Cybersecurity is a solid option for this consultation. Our experts have, on average, 22 years of military cybersecurity experience. That means we’re used to dealing with advanced threats and protecting high-stakes data. If the US government can trust us to protect them, so can you.

If you’re currently dealing with a ransomware attack, we can help right away. We have experience with ransomware negotiation. So, you don’t have to get your hands dirty or run the risk of making an unwise decision.

Contact us to learn more and get started.

Join Our Newsletter & Learn

Get our latest content delivered to your inbox.