What to do if infected with ransomware
Updated on October 21, 2022, by Xcitium
What should you do if infected with ransomware?
If infected with ransomware, immediately disconnect the device from the network, isolate affected systems, avoid paying the ransom, and use security tools or backups to recover data. Acting quickly helps limit damage and prevent the ransomware from spreading to other systems.
The sad reality is that ransomware is now such a widespread threat that most people are probably going to have to deal with it at some point. With that in mind, here is a quick guide on what to do if infected with ransomware.
What to do immediately after a ransomware attack
- Disconnect your device from Wi-Fi and the internet
- Unplug Ethernet cables and external drives
- Disable shared folders and cloud sync
- Isolate infected systems from the network
- Avoid using the infected system further
➡ Isolation is critical to stop ransomware from spreading across devices.
Step-by-Step: What to Do If Infected with Ransomware
Step 1: Isolate the infected system
Disconnect affected devices from the network to prevent lateral movement.
Step 2: Identify the scope of the attack
- Determine which systems are infected
- Check if data has been encrypted or stolen
- Identify the ransomware type
➡ Understanding the scope helps prioritize recovery efforts.
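As an added example (not part of the original article or any Xcitium tool), the following Python script supports Step 2 on a Linux or Windows host: it walks a directory tree and flags files whose content looks encrypted, using a byte-entropy heuristic, and small text files that look like ransom notes. The entropy threshold, the list of file types that are legitimately high-entropy and the ransom-note keywords are assumptions chosen for the example; the sample files it builds are constructed, not real ransomware output.

```python
import math
import os
import random
from collections import Counter
from pathlib import Path

# File types that are high-entropy by design (compressed or already encrypted).
# Assumption for this example: extend it for your own environment.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the theoretical maximum (assumption)
SAMPLE_BYTES = 4096       # only the head of each file is examined
NOTE_KEYWORDS = ("decrypt", "bitcoin", "your files")  # constructed heuristic


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when the file head looks random and the type is not known to be compressed."""
    if path.suffix.lower() in KNOWN_HIGH_ENTROPY:
        return False
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < 256:  # too little data for the entropy estimate to mean much
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(path: Path) -> bool:
    """Small text file mentioning at least two of the note keywords."""
    if path.stat().st_size > 64 * 1024:
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(kw in text for kw in NOTE_KEYWORDS) >= 2


def scope_directory(root: Path) -> dict:
    """Summarise a tree: suspect (encrypted-looking) files, ransom notes, and a
    per-extension count so renamed files (e.g. a new extension appended to
    every document) stand out."""
    suspect, notes, clean = [], [], []
    by_extension = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            by_extension[p.suffix.lower() or "<none>"] += 1
            if looks_like_ransom_note(p):
                notes.append(p)
            elif looks_encrypted(p):
                suspect.append(p)
            else:
                clean.append(p)
    return {"suspect": sorted(suspect), "notes": sorted(notes),
            "clean": sorted(clean), "by_extension": by_extension}


def build_constructed_sample(root: Path) -> None:
    """Create a constructed sample tree: one readable document, one file of
    pseudo-random bytes standing in for an encrypted document, one archive
    (high entropy but expected), and one note-like text file."""
    rng = random.Random(7)  # seeded so the sample is reproducible
    (root / "memo.txt").write_text("Minutes of the Monday meeting. " * 40)
    (root / "quarterly-report.xlsx.enc").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)))
    (root / "photos.zip").write_bytes(bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)))
    (root / "README_TO_RESTORE.txt").write_text(
        "Your files have been encrypted. To decrypt them, send bitcoin to ...")


if __name__ == "__main__":
    import sys
    import tempfile
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if target is None:
        tmp = tempfile.TemporaryDirectory()
        target = Path(tmp.name)
        build_constructed_sample(target)
    result = scope_directory(target)
    print(f"suspect: {[p.name for p in result['suspect']]}")
    print(f"ransom notes: {[p.name for p in result['notes']]}")
    print(f"by extension: {dict(result['by_extension'])}")
```

Run it with a directory argument to triage a mounted copy of a suspect volume; without an argument it scopes the constructed sample. Treat the output as a starting point for the analyst, not a verdict: legitimately compressed or encrypted data will always raise the entropy score, which is why known types are excluded.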
Step 3: Notify IT or security teams
- Alert internal IT teams or cybersecurity experts
- Engage incident response professionals if needed
➡ Fast response reduces damage and downtime.
Step 4: Do NOT pay the ransom
- No guarantee of data recovery
- Encourages future attacks
- May lead to repeated extortion
➡ Experts strongly advise against paying ransom.
Step 5: Remove ransomware
Use advanced security tools to:
- Scan systems
- Detect malicious files
- Remove ransomware components
Step 6: Restore data
- Recover from clean backups (best option)
- Use decryption tools if available
➡ Backups are the most reliable recovery method.
Step 7: Rebuild systems (if necessary)
- Reinstall operating systems
- Patch vulnerabilities
- Update all software
➡ Ensures complete removal of hidden threats.
Step 8: Monitor systems after recovery
- Watch for unusual activity
- Ensure no reinfection occurs
What To Do If Infected With Ransomware: Work out what family of ransomware was used in the attack
Ransomware is generally classified into three main groups: scareware, lockware, and encryption ransomware. You could argue that it’s really just two, since scareware and lockware both work mainly by using social engineering to frighten the victim into submission.
Scareware does nothing more than display a frightening message. All you have to do is have an anti-malware program scan the device and follow its instructions. Lockware really does lock the computer, but it is generally easily bypassed by booting into safe mode. You can then either scan for the malware directly or restore the system to an earlier restore point and then scan for malware.
The only guaranteed cure for encryption ransomware is proper data storage
You should certainly do your absolute level best to stop any form of ransomware from getting into your system in the first place, but these days, you also have to be prepared for the worst. In the case of encryption ransomware the two big threats are data theft and data loss.
Protecting against data theft
If you store data in the clear, then anyone can read it. This means that cyberattackers who gain access to your system can not only charge you a ransom to regain access to your own data but can also keep a copy of it for themselves or to sell on the black market. Alternatively, if you refuse to pay the ransom, they can either make their money through the data they steal or expose your data publicly to create trouble for you and intimidate future victims.
The solution to this is to store data encrypted (or at least store sensitive data encrypted). To be clear, this will not stop the ransomware from encrypting the data again. It will, however, mean that the cyberattackers are also blocked from reading your data.
Protecting against data loss
Even with the best protections in place, local data backups are very vulnerable to compromise if the production system comes under attack. This is particularly true in the case of ransomware attacks, because automated backups will often just copy the already-encrypted files into the local backup, overwriting the healthy versions which were already there.
You, therefore, need to have an off-site data backup as well. If you’re in the cloud, this means in a separate cloud. Ideally, you’ll also be able to recover to several different points in time. If you can’t manage this through your data backup software, then see if you can arrange it manually. Keeping multiple data backups can get expensive if you hold them all in fast storage. If, however, you put them into slow storage, then it becomes much more feasible, especially compared to the cost of losing the data.
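The two backup problems just described (encrypted files silently overwriting good copies, and needing several points in time to recover to) can be addressed with immutable, versioned snapshots plus a change-rate guard. The Python below is an added example, not code from the article or from any backup product: each snapshot is a new directory that is never overwritten, carries a SHA-256 manifest so later tampering can be detected, and pruning of old snapshots is refused when the newest snapshot differs from its predecessor in more than a configurable fraction of files, which is what a ransomware run looks like from the backup side. Snapshot labels, the 0.5 change threshold and the sample files in `__main__` are assumptions constructed for the example.

```python
import hashlib
import json
import shutil
from pathlib import Path

MANIFEST = "manifest.json"


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy `source` into backup_root/label and write its manifest. Labels must
    sort chronologically (an ISO-8601 timestamp is a good choice, assumption);
    an existing label is never overwritten, so snapshots are immutable."""
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists")
    shutil.copytree(source, dest)
    (dest / MANIFEST).write_text(json.dumps(build_manifest(dest), indent=1, sort_keys=True))
    return dest


def load_manifest(snapshot: Path) -> dict:
    return json.loads((snapshot / MANIFEST).read_text())


def changed_fraction(older: dict, newer: dict) -> float:
    """Fraction of files in `older` that are missing or have a different hash in `newer`."""
    if not older:
        return 0.0
    changed = sum(1 for rel, digest in older.items() if newer.get(rel) != digest)
    return changed / len(older)


def verify_snapshot(snapshot: Path) -> list:
    """Re-hash every file; return the relative paths that no longer match the manifest."""
    return [rel for rel, digest in load_manifest(snapshot).items()
            if not (snapshot / rel).is_file() or file_sha256(snapshot / rel) != digest]


def list_snapshots(backup_root: Path) -> list:
    return sorted(p for p in backup_root.iterdir() if (p / MANIFEST).is_file())


def prune(backup_root: Path, keep: int, max_change: float = 0.5) -> dict:
    """Delete all but the newest `keep` snapshots, unless the newest snapshot
    changed more than `max_change` of the files in its predecessor. A mass
    change is the signature of an encryption run, so in that case nothing is
    deleted and the result says the retention was held for investigation."""
    keep = max(keep, 1)
    snaps = list_snapshots(backup_root)
    frac = 0.0
    if len(snaps) >= 2:
        frac = changed_fraction(load_manifest(snaps[-2]), load_manifest(snaps[-1]))
        if frac > max_change:
            return {"pruned": [], "held": True, "changed_fraction": frac}
    to_delete = snaps[:-keep]
    for s in to_delete:
        shutil.rmtree(s)
    return {"pruned": [s.name for s in to_delete], "held": False, "changed_fraction": frac}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        src, bk = base / "data", base / "backups"
        src.mkdir(); bk.mkdir()
        for i in range(5):  # constructed sample documents
            (src / f"doc{i}.txt").write_text(f"document {i}")
        take_snapshot(src, bk, "2024-01-01T00")
        for p in src.iterdir():  # simulate every file being replaced by ciphertext
            p.write_bytes(b"\xff" * 32)
        take_snapshot(src, bk, "2024-01-02T00")
        print(prune(bk, keep=1))  # retention held: changed_fraction == 1.0
```

The hold on pruning buys the one thing that matters after an encryption event, a known-good generation that the backup job did not recycle; `verify_snapshot` gives you a way to prove that generation is still intact before restoring from it.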
What To Do If Infected With Ransomware: Defending yourself against ransomware infections
It is very risky to rely purely on the free security apps bundled with the main operating systems. None of the companies behind them are cyber security companies, so they cannot be expected to have the same level of expertise as companies that actually specialize in cyber security. What’s more, you can get reputable consumer-grade anti-malware products for free and there are even solid business-grade products available at very little cost.
Additionally, you need to be scrupulous about only using operating systems and applications that are still supported by their developers, and about applying any security-related updates as quickly as possible. This means ideally within a day or two, and at most within a week.
Bluntly, unless you set aside the resources to apply these updates, you’re leaving a wide-open door to cyberattackers, who will make the time to exploit the vulnerabilities those updates fix. Either dedicate in-house resources specifically to applying updates as they are released or get a managed IT services provider to take care of this task for you.
What to Do vs Why It Matters
| Action | Purpose | Outcome |
|---|---|---|
| Disconnect system | Stop spread | Limits damage |
| Identify affected systems | Understand scope | Faster recovery |
| Remove malware | Eliminate threat | Secure environment |
| Restore backups | Recover data | Business continuity |
| Monitor systems | Detect reinfection | Long-term protection |
Important: What NOT to Do
Common mistakes to avoid
- Do not pay the ransom
- Do not reconnect infected devices to the network
- Do not ignore the attack
- Do not rely only on basic antivirus
➡ Poor decisions can worsen the attack and increase damage.
What businesses should do
- Activate incident response plan
- Engage cybersecurity experts
- Conduct forensic investigation
- Notify legal and compliance teams
- Communicate with stakeholders
➡ A structured response reduces long-term damage.
Prevent Future Ransomware Attacks
Best practices
- Maintain regular offline backups
- Use endpoint detection & response (EDR)
- Keep systems updated
- Train employees on phishing
- Apply Zero Trust security model
➡ Prevention is more effective than recovery.
FAQ:
What happens if you get ransomware?
Ransomware encrypts your files or locks your system and demands payment to restore access.
Can ransomware be removed?
Yes, ransomware can be removed using security tools or by reinstalling systems, but file recovery depends on backups or decryption tools.
How fast should you respond to ransomware?
Immediately. Delayed response increases the risk of spread and data loss.
Should businesses report ransomware attacks?
Yes. Many regulations require reporting ransomware incidents to authorities and affected stakeholders.
Can you recover without paying ransom?
Yes, if you have backups or access to decryption tools, recovery is possible without paying.