Ransomware Attacks: What to Do and What to Avoid
5 Feb 2025
What to do in a ransomware attack?
Ransomware is one of the worst and most disruptive types of cyber attack. It can cause huge amounts of productivity downtime, lost revenue and clients, and reputation damage, and can spiral into astronomical impacts and costs.
Ransomware is frequently terminal to a business: by one frightening statistic, 60% of smaller businesses go bankrupt within 6 months of a serious cyber attack.
If you are in the unfortunate position of having been attacked and have ransomware on your system, acting quickly and carefully is crucial.
Here’s what you should and shouldn’t do:
Do’s
✅ Isolate the infected system – Disconnect the infected device from the network (Wi-Fi, Ethernet, external drives) to prevent the ransomware from spreading.
✅ Identify the ransomware – Note any ransom messages, filenames, or extensions on encrypted files to help determine the ransomware strain.
✅ Check for decryption tools – Some ransomware variants have publicly available decryption tools. You can check resources like No More Ransom to see if there’s a solution.
✅ Report the incident – Notify your IT/security team (if applicable) and report the attack to law enforcement (e.g. the FBI’s IC3 in the U.S. or Action Fraud in the UK).
✅ Restore from backups – If you have secure, offline backups, you may be able to restore your data after removing the malware.
✅ Seek professional help – If you’re unsure how to proceed, consult a cyber security expert to help with containment, removal, and recovery.
✅ Preserve evidence – If you plan to report the attack, save logs, ransom notes, and communication for forensic analysis.
Don’ts
🚫 Don’t pay the ransom – Paying doesn’t guarantee data recovery and encourages further attacks.
🚫 Don’t restart your computer immediately – Some ransomware may execute further encryption processes on reboot.
🚫 Don’t try to remove the malware without a plan – Deleting the ransomware without proper analysis can make recovery harder.
🚫 Don’t connect backups too soon – If backups are still connected, ransomware may encrypt those as well.
🚫 Don’t assume all files are lost – Some ransomware can be decrypted, and forensic specialists may help recover some data.
🚫 Don’t ignore the root cause – Investigate how the ransomware got in (phishing, weak passwords, unpatched software) to prevent future attacks.
Ransomware Prevention Tips
Preventing ransomware is much easier and cheaper than dealing with an attack.
Here are key steps to protect yourself and your business:
Strengthen Access Controls
Use strong passwords – At least 12 characters with a mix of uppercase, lowercase, numbers, and symbols.
Enable multi-factor authentication (MFA) – Especially for remote access, admin accounts, and email.
Limit user permissions – Use the principle of least privilege (PoLP) to restrict access to critical files.
Disable Remote Desktop Protocol (RDP) – If you must use it, secure it with MFA, strong passwords, and network filtering.
Backup Data Securely
Use the 3-2-1 rule – Keep 3 copies of data, on 2 different storage types, with 1 offsite copy (e.g., cloud or offline).
Ensure backups are immutable – Use storage that prevents unauthorised changes or deletions.
Test your backups – Regularly verify that backups work and can be restored quickly.
Keep Systems Updated & Patched
Apply security patches – Keep OS, software, and firmware up to date to fix vulnerabilities.
Enable automatic updates – For critical applications and security software.
Monitor for unpatched software – Use tools like vulnerability scanners to detect outdated systems.
Train & Educate Employees
Conduct phishing awareness training – Ransomware often starts with a phishing email. Teach employees how to recognise scams.
Simulate phishing attacks – Run test campaigns to improve awareness and response.
Teach safe browsing habits – Warn against downloading attachments from unknown sources or clicking suspicious links.
Monitor & Detect Threats Early
Deploy endpoint detection & response (EDR) – Advanced security tools can detect ransomware before it encrypts data.
Use security information and event management (SIEM) – Collect and analyse logs for suspicious activity.
Set up network segmentation – Limit how ransomware can spread between devices.
Block Common Ransomware Entry Points
Disable macros in Office files – Many ransomware variants use malicious macros in Word or Excel.
Use email security filters – Block malicious attachments, links, and fake sender addresses.
Restrict execution of unknown programs – Use application whitelisting to allow only approved software to run.
Prepare an Incident Response Plan
Have a ransomware response playbook – Define steps to contain, investigate, and recover from an attack.
Assign roles & responsibilities – Ensure your team knows who handles communication, recovery, and forensics.
Test your response plan – Run ransomware attack simulations to improve readiness.
Ransomware Incident Response Plan (RIRP) example
1. Preparation & Prevention
Security Measures
- Implement regular backups (offline & cloud) and test their integrity.
- Use endpoint protection and anti-ransomware tools.
- Enforce multi-factor authentication (MFA) for access to critical systems.
- Apply security patches and software updates promptly.
- Restrict administrative privileges to essential personnel only.
- Deploy network segmentation to prevent ransomware spread.
Employee Training
- Conduct regular phishing awareness training.
- Establish a clear reporting process for suspicious emails or activity.
- Simulate ransomware attacks to evaluate response readiness.
2. Detection & Identification
- Set up real-time monitoring and alert systems for unusual activity.
- Investigate sudden file encryption, system slowdowns, or ransom notes.
- Use threat intelligence services to identify ransomware variants.
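The "Monitor & Detect Threats Early" tips and the "Detection & Identification" step both ask for alerting on unusual activity such as sudden file encryption or ransom notes. The following is an added example (not LoughTec's code or any product's rule set) of what such a detection looks like when run over file-activity events of the kind an EDR agent forwards to a SIEM. The sample log lines, the list of "known" extensions, the ransom-note filename pattern, the 60-second window and the threshold of 5 are all constructed for the example and would be tuned from a real baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-activity events in the shape a file-integrity
# agent or EDR sensor might forward to a SIEM: timestamp, host, user, action,
# path (for RENAME the path is the new name). Entirely made up for this example.
SAMPLE_EVENTS = """\
2025-02-05T09:00:01Z fs01 alice MODIFY /shares/finance/Q4-report.xlsx
2025-02-05T09:00:10Z fs01 bob RENAME /shares/hr/policy.docx.locked
2025-02-05T09:00:11Z fs01 bob RENAME /shares/hr/handbook.pdf.locked
2025-02-05T09:00:12Z fs01 bob RENAME /shares/hr/salaries.xlsx.locked
2025-02-05T09:00:13Z fs01 bob RENAME /shares/hr/org-chart.png.locked
2025-02-05T09:00:14Z fs01 bob CREATE /shares/hr/READ_ME_TO_RECOVER.txt
2025-02-05T09:00:15Z fs01 bob RENAME /shares/hr/contracts.docx.locked
2025-02-05T09:00:16Z fs01 bob RENAME /shares/hr/photos.jpg.locked
2025-02-05T09:05:00Z fs01 alice MODIFY /shares/finance/notes.txt
2025-02-05T09:06:00Z ws07 carol RENAME /home/carol/build/output.bin
"""

# Tuning values are assumptions for the example; a real deployment would set
# them from a baseline of normal activity on each file server.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|recover|restore|how.?to).*\.(txt|html?|hta)$", re.IGNORECASE)
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5


def parse_event(line):
    """Split one log line into its fields; the path may contain spaces."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host, "user": user, "action": action, "path": path,
    }


def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def detect(lines):
    """Return alerts as (rule, host, user, detail) tuples, in the order raised."""
    alerts = []
    recent = defaultdict(deque)   # (host, user) -> timestamps of suspicious writes
    already_flagged = set()       # raise the burst alert once per (host, user)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        name = ev["path"].rsplit("/", 1)[-1]

        # Rule 1: a dropped ransom note is a strong, low-noise indicator.
        if ev["action"] == "CREATE" and RANSOM_NOTE_RE.search(name):
            alerts.append(("ransom-note", ev["host"], ev["user"], ev["path"]))

        # Rule 2: a burst of renames/writes to unfamiliar extensions from one
        # account on one host looks like bulk encryption in progress.
        if ev["action"] in ("RENAME", "MODIFY") and extension(ev["path"]) not in KNOWN_EXTENSIONS:
            key = (ev["host"], ev["user"])
            window = recent[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)
                alerts.append(("mass-rename", ev["host"], ev["user"],
                               f"{len(window)} suspicious writes within {WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample, bob's ransom-note drop fires first and the burst rule fires on his fifth rename within the window; alice's ordinary edits and carol's single `.bin` rename stay quiet. The burst rule is keyed per host and user so that one noisy build server does not raise alerts for everyone, and it fires once per key so the SIEM is not flooded while the encryption is still running.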
3. Containment & Mitigation
Immediate Actions
Isolate Infected Systems
- Disconnect compromised devices from networks (Wi-Fi, Ethernet, Bluetooth).
- Disable shared drives and cloud syncing.
Assess the Scope of the Attack
- Identify affected files, devices, and potential data leaks.
- Determine if backups remain intact.
Preserve Evidence
- Take screenshots of ransom notes.
- Collect system logs, event logs, and network traffic data.
- Store encrypted files securely for forensic analysis.
4. Eradication & Recovery
Neutralising the Threat
- Remove ransomware using trusted security tools.
- Reset passwords for compromised accounts.
- Deploy system-wide scans to detect lingering threats.
Data Restoration
- Verify backups are clean before restoring.
- Prioritise critical systems for rapid recovery.
- Monitor for re-infection attempts post-recovery.
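"Test your backups" earlier on the page and "Verify backups are clean before restoring" above both come down to one check: does the backup set still match what was written when it was taken, and has anything in it been encrypted since? Here is an added example (not LoughTec's code, and not tied to any backup product) of the simplest way to do that: record a SHA-256 manifest when the backup is made, then verify a copy against it before restoring. The directory contents and the list of suspicious extensions are constructed for the example; `demo()` builds an intact copy and a tampered copy in a temporary directory so the check can be run offline.

```python
import hashlib
import os
import shutil
import tempfile

# Extensions that would indicate a backup set was reachable when ransomware
# ran. Example list only; real strains use many different extensions.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}


def sha256_file(path):
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a backup copy against the manifest taken when it was created."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    mismatched = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(set(current) - set(manifest))
    suspicious = sorted(p for p in current
                        if os.path.splitext(p)[1].lower() in SUSPICIOUS_EXTENSIONS)
    return {
        "missing": missing,          # files the manifest expects but are gone
        "mismatched": mismatched,    # files whose content changed since backup
        "unexpected": unexpected,    # files that were never in the backup
        "suspicious": suspicious,    # files carrying a ransomware-style extension
        "clean": not (missing or mismatched or unexpected or suspicious),
    }


def demo():
    """Build an intact and a tampered backup copy (constructed data) and verify both."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        backup = os.path.join(base, "backup")
        os.makedirs(os.path.join(backup, "finance"))
        with open(os.path.join(backup, "finance", "ledger.csv"), "w") as fh:
            fh.write("date,amount\n2025-02-05,100\n")
        with open(os.path.join(backup, "notes.txt"), "w") as fh:
            fh.write("quarterly backup\n")
        manifest = build_manifest(backup)        # stored alongside the backup, offline
        intact = verify_backup(backup, manifest)

        # Simulate a copy that was still mounted when ransomware ran: one file
        # renamed with an encryption extension, another overwritten.
        tampered = os.path.join(base, "tampered")
        shutil.copytree(backup, tampered)
        os.rename(os.path.join(tampered, "finance", "ledger.csv"),
                  os.path.join(tampered, "finance", "ledger.csv.locked"))
        with open(os.path.join(tampered, "notes.txt"), "w") as fh:
            fh.write("garbage\n")
        damaged = verify_backup(tampered, manifest)
        return intact, damaged
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered"), demo()):
        print(label, result)
```

The manifest is only useful if it cannot be rewritten by the same process that encrypted the files, so it belongs with the offline or immutable copy from the 3-2-1 rule, not on the live file share. A restore should be refused whenever `clean` is false, and the tampered copy's `suspicious` and `mismatched` lists tell the responders which files to treat as evidence rather than as data.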
5. Communication & Reporting
Internal Communication
- Notify leadership, IT teams, and employees of the incident.
- Avoid discussing attack details with anyone other than authorised personnel.
External Reporting
- Report to law enforcement (FBI, CISA, NCSC, local agencies).
- Notify affected clients or partners (if legally required).
- Engage cyber security experts and legal counsel.
6. Post-Incident Analysis & Prevention
- Conduct a thorough forensic investigation to determine entry points.
- Update security policies and improve incident response plans.
- Strengthen backup policies and test recovery procedures.
- Document lessons learned and implement additional security controls.
7. To Pay or Not to Pay the Ransom?
Recommended Approach:
❌ Do NOT pay the ransom unless absolutely necessary. Paying may also be illegal in some countries, so check with a legal expert in your country.
✔️ Work with police and cyber security professionals.
✔️ Use free decryption tools from sources like No More Ransom.
✔️ Prioritise backup restoration over ransom negotiations.
All of the above is generic guidance, offered as best advice and best endeavours to assist. If you have experienced a cyber attack involving ransomware, please consult a cyber security specialist immediately, as different impacts and scenarios require different solutions.
LoughTec are cyber security experts.
If you want to find out more about how LoughTec can help proactively protect your business, see the following options:
- How much a cyber attack could potentially cost your business
- Security Operations Centre (SOC) 24/7/365 protection
- Staff Cyber Security Awareness Training
- Ransomware Protection