What to do if you’ve had a ransomware attack


What is a Ransomware Attack

– you click on a link or open an attachment which sets off a process resulting in your files being encrypted and you receive a demand for payment to release them

First Steps:

  1. Unplug from network- pull out network cable to stop ransomware encrypting more files
  2. Disconnect from Wi-Fi network: Turn Wi-Fi Off
  3. Turn off machine as soon as possible
  4. Do not pay any money

Who to Contact

  1. Report to Action Fraud actionfraud.police.uk 0300 123 204
  2. Contact your IT department or IT provider if relevant

Recover from a ransomware attack

  1. Take Machine to IT support department/provider for them to rebuild
  2. Alternatively, as a stand alone machine, do an operation system rebuild from the ground up.
  3. Restore files from a back up that was not connected to the machine at the time of the attack.
  4. You could try and find the key to decrypt the files. Nomoreransom.org (a project being run between Law enforcement agencies and IT security companies to help victims recover their data without having to pay the criminals. There is approximately 30% chance of finding the right key)

Follow up action-Next Steps

  1. Regularly back up your data to a device you can disconnect from your computer or network. This could be an offline back up in the cloud which does not automatically update or an external device
  2. Check that the integrity of the back up
  3. Be cautious of links in emails and attachments
  4. Only download software, particularly free software from sites you know and can trust
    When possible, verify the integrity of the software through a digital signature prior to execution.
    Ensure that you regularly update patches for operating system, software, firmware, Adobe Flash, web browsers etc
  5. Install antivirus and anti-malware solutions and set these to regularly update and carry out regular scans. It is recommend that you do not rely on free versions of these.
  6. Disable macro scripts for email files, Office viewer software for opening Microsoft Office files might also be a consideration
  7. Ensure that you remove admin rights from users, and restrict the use of this
  8. Prevent or restrict the execution of programs in locations such as temporary folders used for internet, or Zip files (compression/decompression programs) including those located in the AppData/LocalAppData folder.

Next steps

Train your staff to understand the threats from ransomware, links in emails and attachments that might infect machines