First aid against ransomware

Measures and prevention against ransomware and other malware

What should you do if you encounter a suspicious file on your computer, observe unusual activities, or even receive a ransom demand? The correct response can help prevent the spread of malware attacks and minimize damage.

1. Stay calm.

For the time being, ignore the attacker: Refrain from making contact until you understand your options or it’s absolutely necessary.
NEVER take countermeasures without sufficient expertise! Avoid rushing into actions, as it may complicate later assistance.
Organize an emergency team or seek help to assess the current situation accurately and devise a plan for countermeasures.

2. Assess the current situation.

Obtain a valid overview of the immediate impacts to derive and address further measures.

Which systems within your organization/network are affected?
Which ransomware variant was used against you? [https://www.nomoreransom.org/crypto-sheriff.php]
What kind of disruptions should you anticipate?
Whom do you need to inform about your situation, when, and how?

3. Raise awareness.

Be aware that…

Your IT infrastructure has been compromised.
The attacker may be monitoring/reading your actions and measures.
The attacker has likely been active in your networks for days or weeks, with a good understanding of your networks, infrastructures, and data.
Data may have been stolen.
The extortionist typically rents infrastructures. That means it’s not the specific ransomware or service provider attacking you — ANYONE can use these tools!

4. Separate infected systems.

Identify areas of your network that have not been infected yet.
Isolate infected areas as quickly as possible to prevent further spread.
Consider external data connections such as hard drives, cloud connections, or other interfaces.

Note that machines without a “ransom note” appearing can still be compromised.

5. Remove ransomware.

Restart your computer in Safe Mode by repeatedly pressing the F8 key during startup until the “Advanced Boot Options” menu appears. Select Safe Mode with Networking to prevent the malware from automatically starting up with the computer.
Scan your system thoroughly with a trusted and up-to-date anti-malware software to detect malware. Remove identified threats or seek assistance from experts if needed.
Check your system files: Some malware can damage or delete system files. Open Command Prompt as an administrator and enter the command “sfc /scannow” to scan your system files and repair any found issues.

6. Close security gaps.

Identify the entry point through which attackers gained access to your systems, possibly with the help of forensic experts.
Determine where and how the attackers established themselves. This knowledge is essential for restoring your system integrity.
Ensure that all your software, including your operating system and web browser, is up to date with the latest security patches installed. This will help prevent future malware infections.

7. Verify backups.

Before attempting to restore or remove files, create a backup copy of the encrypted files to avoid further damage or loss.
Ensure that you only restore files from backups that were not infected with the ransomware and that the malware has been completely removed from your network.
If it is no longer possible to reconstruct your encrypted data from backups, consider which data you absolutely need and whether you can retrieve it from other sources—such as customers or systems that were not connected to the network at the time of the attack (laptops, older servers, etc.).

8. Report the incident and file a complaint.

Follow legal requirements for reporting the incident and informing affected individuals.
For particularly critical or sensitive data, it’s best to contact your partners or customers by phone.
Inform your employees about the incident and what information they can or should disclose to third parties.
Also, file a complaint with your nearest police station.