Page contents

What to do if you’ve had a ransomware attack?

A ransomware attack is where you click on a link or open an attachment which sets off a process resulting in your files being encrypted and you receive a demand for payment to release them.

Disclaimer

The advice and information provided on this website are for general informational purposes only. While we strive to offer accurate and helpful content, we do not take responsibility for any actions taken based on the advice provided. Users are encouraged to exercise their own judgment and discretion when implementing any recommendations. We make no guarantees regarding the outcomes or results of following any advice, and assume no liability for any consequences resulting from its use.

First steps

In the event of a ransomware attack you should start by:

  1. Unplug from network – pull out your network cable to stop ransomware encrypting more files
  2. Disconnect from Wi-Fi network/Turn Wi-Fi Off
  3. Turn off machine as soon as possible
  4. Do not pay any money

Who to contact

You should flag the ransomware attack to the following people:

  1. Report the event to Action Fraud.
  2. Contact your IT department or IT provider if relevant.

Recovery

You can try the following to recover from a ransomware attack:

  1. Take the affected machine to your IT support department/provider for them to rebuild.
  2. Alternatively, as a stand-alone machine, do an operation system rebuild from the ground up.
  3. Restore files from a back up that was not connected to the machine at the time of the attack.
  4. You could try and find the key to decrypt the files on www.nomoreransom.org (a project being run between law enforcement agencies and IT security companies to help victims recover their data without having to pay the criminals. There is approximately 30% chance of finding the right key).

Further action

You should consider these actions to make your business more robust against ransomware attacks:

  1. Regularly back up your data to a device you can disconnect from your computer or network. This could be an offline back up in the cloud which does not automatically update or an external device.
  2. Check the integrity of the back up.
  3. Be cautious of links in e-mails and attachments.
  4. Only download software, particularly free software from sites you know and can trust. When possible, verify the integrity of the software through a digital signature prior to execution. Ensure that you regularly update patches for operating system, software, firmware, web browsers etc.
  5. Install antivirus and anti-malware solutions and set these to regularly update and carry out regular scans. It is recommend that you do not rely on free versions of these.
  6. Disable macro scripts for e-mail files, Office viewer software for opening Microsoft Office files might also be a consideration.
  7. Ensure that you remove admin rights from users, and restrict the use of this.
  8. Prevent or restrict the execution of programs in locations such as temporary folders used for internet, or zip files (compression/decompression programs) including those located in the AppData/LocalAppData folder.
  9. Train your staff to understand the threats from ransomware, links in e-mails and attachments that might infect machines.