Ransomware Response Checklist | CISA (2024)

FAQs

What to do in response to ransomware? ›

Identify critical systems and determine the impact when they are affected by ransomware; • Provide an up-to-date and complete overview of systems and interdependencies; • Record the configuration of systems with each change; • Develop and maintain infrastructure designs containing critical systems and data flows.

The first step, even if you just suspect that one computer may be infected, is to isolate it from other endpoints and storage devices on your network. Disable Wi-Fi, disable Bluetooth, and unplug the machine from both any local area network (LAN) or storage device it might be connected to.

Email security tools, anti-malware, and antivirus software are critical first lines of defense against ransomware attacks. Organizations also rely on advanced endpoint security tools like firewalls, VPNs, and multi-factor authentication as part of a broader data protection strategy to defend against data breaches.

Isolate and contain

Immediately disconnect infected computers and servers from the network. Ensure wireless connections are disabled as well. If not sure which front-end assets are infected, or if the ransomware is still actively spreading and encrypting files, disconnect storage devices before they become infected.

Don't: Pay the Ransom

Many new victims of ransomware attacks are interested in paying the ransom. They want to get the attack over with and move on with their business. However, this is a bad idea. First, there's no guarantee a hacker will let your systems go after you pay the ransom.

If taking the network temporarily offline is not immediately possible, locate the network cable (e.g., ethernet) and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.

3 – Keep three copies of any important file: one primary and two backups. 2 – Keep the files on two different media types to protect against different types of hazards. 1 – Store one copy – or “go bag” – off-site (e.g., outside the home or business facility).

What are the 7 phases of incident response? ›

The 7 steps of incident response are Preparation, Identification, Containment, Eradication, Recovery, Learning, and Re-testing. These phases provide a structure to manage the response to a cybersecurity threat in an organized way.

Data Loss: Some ransomware attacks encrypt data as part of their extortion efforts. Often, this can result in data loss, even if the company pays the ransom and receives a decryptor. Data Breach: Ransomware groups are increasingly pivoting to double or triple extortion attacks.

Ransomware Removal and Recovery FAQs

Isolate the infected system from the network to prevent the spread of ransomware. Turn off Wi-Fi and Bluetooth, and unplug any storage devices. Use antivirus software to scan and remove the ransomware from the system if possible. Contact a cybersecurity professional for assistance.

Ransomware is malware that encrypts your files or stops you from using your computer until you pay money (a ransom) for them to be unlocked. If your computer is connected to a network the ransomware may also spread to other computers or storage devices on the network.

First, disconnect the infected computer or device from your network. If your data has been stolen, take steps to protect your company and notify those who might be affected. Report the attack right away to your local FBI office. Check to see if you can restore your systems from back-ups.

Backing up your data to an external hard drive or cloud server is one of the easiest risk mitigation practices. In the case of a ransomware attack, the user can wipe the computer clean and reinstall the backup files. Ideally, organizations should be backing up their most important data at least once per day.