• Home
  • /Learn
  • /What to Do if You’re Infected With Ransomware
background image


What to Do if You’re Infected With Ransomware


Ransomware is becoming a growing criminal industry, generating billions every year. These attacks can cause irreparable damage to an organization if not handled correctly. The former CEO of CISCO estimated that the number of ransomware attacks by the end of 2021 could end up being as high as 100,000, with each one costing companies an average of $170,000.

If you suspect your company computer is infected with ransomware, it is crucial to act quickly to ensure a full recovery. Our experts at Packetlabs have years of experience helping organizations build their protection against cyberattacks and reduce the impact of an attack. Fortunately, there are several steps you can take to give your organization the best possible chance of minimizing damage and quickly recovering from an attack.

  1. Isolate the infected devices. Remove the device or devices infected with ransomware from the network as soon as possible to safeguard your network. Minimizing the infection’s spread will make recovering from the ransomware much easier down the road.

  2. Stop the spread: Similar to an infectious disease, ransomware moves very fast. Turn all potentially infected machines off and disconnect them from the web. Until the machines are thoroughly cleaned, they continue to threaten network security and could cause re-infection. It is also recommended that wireless connectivity be shut down.

  3. Quarantine the malware: The malware should be quarantined, allowing investigators to analyze the device infected with ransomware and identify the exact strain of ransomware responsible for encrypting files. Removing the entire infection makes it extremely difficult for recovery teams to find the specific ransomware sample involved in the attack

  4. Evaluate the damage caused: A strange file extension name or odd file name could have created curiosity to open the file or click the link. Inquiries into what happened before the device was infected with ransomware will help evaluate the damage. The devices that are not fully encrypted should be isolated and switched off to help contain the attack and prevent further damage and data loss. A comprehensive list of all the affected systems should be created, including network storage devices, external hard drive storage, laptops, and any other possible vectors. After that, it would be advisable to lock all shares and halt any ongoing encryption processes to keep additional shares from being infected with ransomware while repairs occur.

  5. Root cause analysis: Identifying the source of the cyberattack, also known as Tracking Patient Zero, is a crucial step while recovering from ransomware. Check for any alerts that may have come from your antivirus program, any active monitoring platform, or owner file properties.Identify the ransomware and alert coworkers/employees: It helps to know which variant you are dealing with, so any information included in the ransom note can be helpful. Once you have identified the ransomware and conducted research about its behaviour, you should alert all unaffected coworkers/employees or users.  Alerting all other users within your network will help track and detect other corporate devices that may be infected with ransomware.

  6. Contact the authorities: Spreading malware is against the law, as is extorting an individual or organization for ransom, so involving law enforcement agencies is a required step as soon as you can reasonably contain the ransomware. Partnerships with national law enforcement can help find encrypted data and bring culprits to justice.

  7. Assess your backup systems: Ideally, you will have an uninfected and complete backup to replace any information stolen. If such a backup is available, the next step is to employ antivirus software that ensures all systems and devices infected with ransomware are wiped free of ransomware, which could continue to encrypt your files and corrupt your backup. Once all traces of malware are removed from your system, you can restore your systems from this backup. Unfortunately, many organizations do not create and maintain backup files.

  8. Search for decryption options: Even if you happen to be without a viable backup, there is a chance you can recover your data from the attack. There are a growing number of free keys available online. You can try to decrypt the data locked by ransomware using the ransomware decryption tools available. 


Most ransomware spreads through phishing attacks, where users get tricked into clicking a link on an email that gives the hackers broad access to their system.

You may not be able to prevent all security threats every time, but acting quickly can contain the damage. To check if your company has any vulnerabilities or gaps within your IT infrastructure contact Packetlabs.