Steps to Recovery: What to Do After a Ransomware Attack

There has been a significant increase in ransomware attacks with advancing methods in recent years. A Threat Landscape Report showed a 485% increase in the number of global ransomware attacks in 2020. Similarly, the Internet Crime Complaint Center of the FBI reported receiving more than 2400 ransomware complaints in 2021.

In addition, a Cyber Security Ventures study suggested an increase in ransomware attacks frequency to 11 seconds in 2021. This is up from 40 seconds in 2016 and 14 seconds in 2019. Such attacks on corporate and personal networks encrypt sensitive data, costing businesses millions of dollars.

The recent shift to remote working models propagated by the global pandemic also supports this trend. Cybercriminals have taken advantage of this, attacking users who work outside corporate firewalls. The first step to mitigating Ransomware attacks is understanding how these attacks occur.

How Does a Ransomware Attack Work?

Like most cyber security threats, ransomware attacks spread through social engineering efforts, such as phishing emails and spam. They can also infect your network and systems by downloading infected files or visiting infected websites.

Once in your network, the ransomware locks all your files using strong encryption. The attacker can then demand a ransom, a specific cash amount, to decrypt the locked files or restore normal operations of the infected systems. There are many types of ransomware, with cryptoware, which encrypts data, being the common type. However, hackers can use other types, such as:
  • Mobile device ransomware – Infects smartphones mostly through downloads
  • Non-encrypting or lock screen ransomware – Doesn’t encrypt data. It instead restricts access to specific files.
  • Leakwire – Attackers steal compromising data and threaten to make it public unless a ransom is paid.
Adopting various prevention measures is the best way to prevent or mitigate Ransomware attacks.

What to Do Immediately After the Attack

If preventive measures fail, follow the following steps to recover from a ransomware attack:

1. Isolate the infection

The rate or speed at which you detect ransomware is crucial to preventing further damage from the attack. You should begin by isolating any computer or storage device suspected to be infected. Disconnect it from your network, either Wi-Fi or wired, and other external storage units.

Modern ransomware types, such as WannaCry and CryptoLocker, have worms that spread rapidly across networks, hence branded “crypto worms.” Cryptoworms immediately seek connections within the infiltrated network or computers, and isolation can prevent further spread.

Note that the ransomware might have entered your systems through multiple devices. You shouldn’t always expect a single “patient zero.” Be sure to treat all other connected devices with suspicion.

2. Identify the infection

In most cases, the attacker will identify themselves by asking for a ransom. However, you can use various sites, such as ID Ransomware, to identify the ransomware. Identifying helps in understanding the ransom you are dealing with, how it spreads, the type of files affected, and your possible disinfection options.

3. Report the attack

The FBI recommends that victims should report attack incidents immediately. Reporting to authorities allows them to understand the threat, provides evidence for investigations, and helps authorities understand ongoing cases.

4. Evaluate your options

Unfortunately, you only have three options of recovery from a ransomware attack. You can either agree and pay the ransom, wipe your entire system and start afresh, or try disinfecting your systems. Paying the ransom isn’t always a good idea, especially since 42% of previously affected organizations didn’t get their files decrypted after paying the ransom.

You should consider getting rid of the infection or restoring and starting fresh. While several software packages and online sites claim to remove a ransomware infection from your networks and systems, the truth on whether they can is debatable. Unfortunately, ransomware decryptors cannot clean all types of ransomware and may not work on new, sophisticated ransomware.

The best solution is to wipe your systems completely. Wiping your computers and storage devices and reinstalling from scratch is the only way to ensure that your systems are free from malware. This shouldn’t be a problem if you have been backing up your files and documents.

Remember to identify the infection dates from malware files and other information uncovered from the attack. This is because some ransomware may stay dormant in the system before activating. If so, it might have affected some already backed-up data. Identifying infection dates will enable you to avoid reinfection, as you will select backups made before the date of infection.

Mistakes to Avoid When Responding to Ransomware Attacks

Handling a ransomware incident poorly can impede recovery efforts. Be sure to avoid the following if you experience a ransomware attack:

• Don’t restart the affected device – Some people restart their devices thinking that such attacks are everyday computer problems. However, some ransomware strains detect such attempts and penalize their victims by overriding the Window’s installation setup, ensuring that the system doesn’t boot again. Other strains delete the encrypted files randomly.

• Don’t pay the ransom immediately – Even though this might be the fastest way to access your data, you aren’t guaranteed that the hackers will decrypt your files after paying.

• Don’t communicate on the affected networks – You should avoid communicating through the affected networks until you are certain that the systems have been disinfected. Establish alternative secure communication channels until remediation is complete.

• Don’t delete the affected files – You shouldn’t delete the encrypted files until advised so by a recovery specialist. Encrypted files help during forensics. Some ransomware strains also keep encryption keys that can be used to decrypt the affected files.


Ransomware attacks are devastating to individuals and businesses. You can lose valuable files that cannot be replaced, and recovering from the attack can take hundreds of hours. Unfortunately, ransomware attacks constantly evolve, with attack methods becoming more sophisticated. However, you can avoid being part of these statistics by observing and implementing cybersecurity measures.
Previous Post Next Post