What to do if you’ve had a ransomware attack

What is a ransomware attack?

A ransomware attack is where you click on a link or open an attachment which sets off a process resulting in your files being encrypted and you receive a demand for payment to release them.

First steps

  1. Unplug from network – pull out your network cable to stop ransomware encrypting more files
  2. Disconnect from Wi-Fi network/Turn Wi-Fi Off
  3. Turn off machine as soon as possible
  4. Do not pay any money

Who to contact

  1. Report the event to Action Fraud.
  2. Contact your IT department or IT provider if relevant.

Recovering from a ransomware attack

  1. Take the affected machine to your IT support department/provider for them to rebuild.
  2. Alternatively, as a stand-alone machine, do an operation system rebuild from the ground up.
  3. Restore files from a back up that was not connected to the machine at the time of the attack.
  4. You could try and find the key to decrypt the files on www.nomoreransom.org (a project being run between law enforcement agencies and IT security companies to help victims recover their data without having to pay the criminals. There is approximately 30% chance of finding the right key).

Follow up action

  1. Regularly back up your data to a device you can disconnect from your computer or network. This could be an offline back up in the cloud which does not automatically update or an external device.
  2. Check the integrity of the back up.
  3. Be cautious of links in e-mails and attachments.
  4. Only download software, particularly free software from sites you know and can trust. When possible, verify the integrity of the software through a digital signature prior to execution. Ensure that you regularly update patches for operating system, software, firmware, web browsers etc.
  5. Install antivirus and anti-malware solutions and set these to regularly update and carry out regular scans. It is recommend that you do not rely on free versions of these.
  6. Disable macro scripts for e-mail files, Office viewer software for opening Microsoft Office files might also be a consideration.
  7. Ensure that you remove admin rights from users, and restrict the use of this.
  8. Prevent or restrict the execution of programs in locations such as temporary folders used for internet, or zip files (compression/decompression programs) including those located in the AppData/LocalAppData folder.

Next steps

Train your staff to understand the threats from ransomware, links in e-mails and attachments that might infect machines.