Ransomware First Response Guide – What to do in the ‘Oh $#@t’ moment

When ransomware strikes, minutes and seconds matter. Quickly containing the malware and securing your network can mean the difference between a catastrophic incident and a near miss. While ransomware distributors do their best to hide their presence, one simple fact is always on your side: encryption takes time. The sooner you notice ransomware encryption, the better. As part of regular employee security awareness training, all employees should know how to recognize a ransomware attack. Early recognition and a well-documented disaster recovery plan will help victims take the correct first steps, and the right first steps can make a big difference in the outcome of a ransomware incident.

Outlined below are some of the most important first steps to take when you suspect a ransomware attack. The order and priority might vary slightly depending on the size and complexity of your network, so we recommend reviewing these steps with your IT manager. Take the time to iron out the order of operations that makes the most sense for your company. A few hours of preparation now could save a few days of downtime later.

What To Do When You First Notice Ransomware

The encryption process can take minutes or hours depending on the size of the network and the amount of data and endpoints. The earlier the encryption process is stopped, the better the odds of containing the malware before it spreads and causes far-reaching damage and downtime.

Isolate Infected Machines

If the machine is a PC or laptop, immediately disconnect it from your network by unplugging the Ethernet cable and disabling Wi-Fi, Bluetooth, and any other networking capabilities. If the machine was mapped or mounted to any shared or networked drives, disconnect them. Most ransomware will automatically crawl through an entire computer and any connected shares, which spreads the malware across a network and all its connected endpoints. To inhibit the spread of the encryption process, cut the machine off from all its prospective connection points.

Power Down Impacted Machines and Vulnerable Machines

All machines that have been impacted should be powered down and ring-fenced off the network. If there is a collection of PCs or laptops, clearly label them before powering them off so that they are not confused with clean devices later on. Even if a machine is not showing any indicators of compromise (IOCs), power it off. Even if this causes disruption, it will be much safer to restore and resume a machine after a full assessment of the network has taken place.
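As an added example (not code from the original post or from Coveware), the following PowerShell performs the isolation steps above in software on a suspect Windows machine: it first records what the host is connected to, then drops every mapped share and disables every network adapter, so that the responder has a list of the shares and peers the encryptor could have reached before the machine is labelled and powered off. It must be run locally as Administrator (it will sever an RDP session). $EvidenceDir is an assumed path; the NetTCPIP, SmbShare and NetAdapter modules it uses ship with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post. Run locally (not over RDP, which this
# script will sever) as Administrator on the suspect machine.
# Assumed value: $EvidenceDir is a local path of your choosing.
$EvidenceDir = "C:\IR-Evidence\${env:COMPUTERNAME}-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Before severing the network, record what the host is talking to. Active
#    connections and mapped shares are where the encryptor crawls next, so this
#    list tells you which other hosts and shares to check first.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Export-Csv -Path (Join-Path $EvidenceDir 'established-connections.csv') -NoTypeInformation

Get-SmbMapping    | Export-Csv -Path (Join-Path $EvidenceDir 'mapped-drives.csv')   -NoTypeInformation
Get-SmbConnection | Export-Csv -Path (Join-Path $EvidenceDir 'smb-connections.csv') -NoTypeInformation
Get-NetAdapter    | Export-Csv -Path (Join-Path $EvidenceDir 'adapters-before.csv') -NoTypeInformation

# 2. Disconnect every mapped or mounted share so the encryptor cannot reach into it.
Get-SmbMapping | Remove-SmbMapping -Force -Confirm:$false

# 3. Disable every network adapter: Ethernet, Wi-Fi, Bluetooth PAN, VPN and virtual
#    adapters alike. This is the software equivalent of pulling the cable; pull the
#    cable and switch off the Wi-Fi radio as well where you can.
Get-NetAdapter | Where-Object Status -ne 'Disabled' | Disable-NetAdapter -Confirm:$false

# 4. Confirm nothing is still up, then label the machine and power it down.
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize
```

The evidence files are written to the local disk on purpose: the machine is about to be cut off, and the CSVs can be pulled from the drive later during the assessment without booting the host back onto the network.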

Secure Your Perimeter

There are several common attack vectors for ransomware. Remote Desktop Protocol (RDP) is the most common, followed by phishing / credential harvesting. Through these attack vectors, the threat actor gains elevated administrative credentials. These credentials are used to turn off systems that would detect the attack and to access sensitive applications like domain controllers and backup systems. If you notice the attack early, you may be able to evict the attacker from your network while they are still in the act.

Close RDP Ports

Immediately close your RDP ports that are open to the internet, regardless of how secure you may believe them to be. Make time to review the login attempts and logs to determine if this was the point of ingress. Given the prevalence of RDP-based attacks, this step should always be taken if ransomware is detected.
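As an added example (not the post's own code), here is PowerShell that does the two things this step calls for on a Windows host: it adds host-firewall rules blocking inbound RDP on TCP and UDP 3389, then pulls the last two weeks of logon events from the Security log and lists the successful RDP logons that came from outside your own address space, alongside a count of failed attempts per source. $LookbackDays and the Test-InternalAddress helper are my assumptions; New-NetFirewallRule and Get-WinEvent ship with Windows 8 / Server 2012 and later, and the script must run as Administrator to read the Security log.

```powershell
# Added example, not from the original post. Run as Administrator.
# Assumed: $LookbackDays; Test-InternalAddress is my helper, not a built-in cmdlet.
$LookbackDays = 14

# 1. Block inbound RDP at the host firewall on every profile. Do the same on the
#    perimeter firewall / NAT rule that exposed it; this host rule is the backstop.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "IR: block inbound RDP ($proto/3389)" -Direction Inbound `
        -Protocol $proto -LocalPort 3389 -Action Block -Profile Any | Out-Null
}

# 2. Classify a logon source address. RFC 1918, link-local and loopback count as
#    internal; anything else (including IPv6) is surfaced for review.
function Test-InternalAddress {
    param([string]$Ip)
    if ($Ip -in @('-', '::1', '127.0.0.1')) { return $true }
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $o = $addr.GetAddressBytes()
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 169 -and $o[1] -eq 254)
}

# 3. Pull successful (4624) and failed (4625) logons and flatten the EventData fields
#    by name, which is safer than relying on positional Properties[] indexes.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        LogonType = $data['LogonType']
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIp  = $data['IpAddress']
        External  = -not (Test-InternalAddress $data['IpAddress'])
    }
}

# 4. Successful interactive RDP logons (logon type 10) from outside your address space
#    are the prime candidates for the point of ingress. With Network Level Authentication
#    enabled, the *failed* attempts are usually recorded as logon type 3, not 10.
$rows | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq '10' -and $_.External } |
    Sort-Object Time | Format-Table Time, User, SourceIp -AutoSize

# 5. Failed logons by source: a long run of 4625s followed by a 4624 from the same
#    address is the classic password-guessing pattern against exposed RDP.
$rows | Where-Object { $_.EventId -eq 4625 } | Group-Object SourceIp |
    Sort-Object Count -Descending | Select-Object -First 15 Count, Name
```

Run this on every host that had RDP exposed, not just the one that showed the ransom note; the first external type-10 logon in the window, and the account it used, is what the rest of the timeline is built around.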

Change Administrative Credentials

Given the prevalence of credential harvesting exploit kits, it should be assumed that either current administrative credentials have been compromised, or a new set of administrative credentials were created by the attacker. Either way, immediately ending all logged-in administrator sessions and resetting all administrative credentials can quickly boot an attacker out of your network. If this step is NOT taken, you may very well allow them to observe your recovery effort and provide them with an opportunity to re-encrypt your network. Kick them out and ensure they stay out before you start restoring systems.

Change User Credentials

Domain admin credentials are typically harvested from a subordinate machine of an employee. To ensure that user credentials are not reused to regain the same elevated status a few hours later, force a password change across your entire user base.
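The two credential steps above (resetting administrative credentials and forcing a change across the user base) are one procedure in an Active Directory environment, so here they are together as an added PowerShell example (mine, not the post's or Coveware's). It lists accounts created since the incident window opened, resets every member of the privileged groups to a fresh random password with a change required at next logon, resets the krbtgt account so tickets the attacker already holds stop working, and then sets the change-at-logon flag for all ordinary users. It assumes the RSAT ActiveDirectory module and Domain Admin rights on a host you trust; $IncidentStart, $PrivilegedGroups and the New-RandomPassword helper are my assumptions.

```powershell
# Added example, not from the original post. Run from a trusted (not suspected) host
# with Domain Admin rights and the RSAT ActiveDirectory module installed.
# Assumed values: $IncidentStart and $PrivilegedGroups; New-RandomPassword is my helper.
Import-Module ActiveDirectory
$IncidentStart    = (Get-Date).AddDays(-7)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function New-RandomPassword {
    param([int]$Bytes = 24)
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

# 1. Accounts created since the incident window opened. The attacker may have added
#    their own admin; review every entry by hand and disable the ones nobody can vouch for.
Get-ADUser -Filter { whenCreated -ge $IncidentStart } -Properties whenCreated, memberOf |
    Select-Object SamAccountName, whenCreated, @{ n = 'Groups'; e = { $_.memberOf -join '; ' } } |
    Format-Table -AutoSize
# e.g.  Disable-ADAccount -Identity <suspect-account>

# 2. Enumerate privileged accounts recursively so members of nested groups are included.
$privileged = $PrivilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object objectClass -eq 'user' |
    Sort-Object distinguishedName -Unique

# 3. Reset each privileged account to a fresh random password and require a change at
#    next logon. Hand the temporary passwords to their owners out of band, never over
#    the network you are cleaning.
$handoff = foreach ($acct in $privileged) {
    $temp = New-RandomPassword
    Set-ADAccountPassword -Identity $acct.distinguishedName -Reset `
        -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
    Set-ADUser -Identity $acct.distinguishedName -PasswordNeverExpires $false -ChangePasswordAtLogon $true
    [pscustomobject]@{ Account = $acct.SamAccountName; TempPassword = $temp }
}

# 4. A password reset does not end sessions that already hold Kerberos tickets. Resetting
#    krbtgt invalidates them; Microsoft's guidance is to reset it twice, with a pause for
#    AD replication between the two resets, so expect every user to re-authenticate.
Set-ADAccountPassword -Identity krbtgt -Reset `
    -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)

# 5. Force a password change across the whole user base. Accounts flagged
#    PasswordNeverExpires (usually service accounts) cannot take this flag and are
#    rotated separately, service by service, once the owning application is known.
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } |
    Set-ADUser -ChangePasswordAtLogon $true

$handoff   # temporary admin passwords, to be delivered out of band
```

The order matters: new accounts are reviewed before the reset so that an attacker-created admin is disabled rather than simply given a new password, and krbtgt is reset after the admin accounts so that the tickets still in the attacker's hands are the ones invalidated.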

Restore From Backups Second

Prioritize limiting access to your network over restoring from your backups. A very common scenario in ransomware attacks involves a rush to restore from backups. If the attacker's access to the network is not precluded first, they will just encrypt your restore as well. It is also likely that, in the process of restoring, they observed the location of a previously well-partitioned backup. They will then encrypt or wipe that backup so that restoring is no longer an option. This is why securing access takes priority over initiating a restore, regardless of how much time it will take. Once access has been locked down, check on your backups and ensure they have not been impacted. Hopefully, at least one of your backups is available. It is a good idea to scan the backup with your AV/endpoint product to ensure that no malware is lurking.
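As an added example (not from the original post), this PowerShell is a quick triage of a backup repository before it is trusted for a restore: it flags files renamed to an extension the backup software does not produce, files written since the incident began, records the total size and newest write time for comparison with the backup catalogue, and only then hands the tree to the endpoint engine. $BackupRoot, $ExpectedExtensions and $IncidentStart are assumed values; Start-MpScan is the Windows Defender cmdlet, so substitute your own endpoint product's scanner if you use another.

```powershell
# Added example, not from the original post. Run on the backup host or a trusted
# machine with read access to the repository.
# Assumed values: $BackupRoot, $IncidentStart, $ExpectedExtensions.
$BackupRoot         = 'E:\Backups'
$IncidentStart      = (Get-Date).AddDays(-3)
$ExpectedExtensions = '.vbk', '.vib', '.vhdx', '.bak', '.zip'

$files = Get-ChildItem -Path $BackupRoot -Recurse -File -ErrorAction SilentlyContinue

# 1. Files renamed to an unexpected extension, or new files dropped into the tree
#    (ransom notes), are the usual signs that the encryptor reached the repository.
$unexpected = $files | Where-Object { $_.Extension.ToLower() -notin $ExpectedExtensions }
$touched    = $files | Where-Object { $_.LastWriteTime -ge $IncidentStart }

# 2. A wiped backup shows up as an empty or shrunken tree; record the totals so they
#    can be compared with the backup software's own catalogue.
[pscustomobject]@{
    TotalFiles         = $files.Count
    TotalGB            = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1GB, 2)
    UnexpectedExt      = $unexpected.Count
    ModifiedSinceStart = $touched.Count
    NewestWrite        = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
} | Format-List

# Ransomware appends one consistent extension, so grouping the unexpected ones
# usually names the family's marker in a single line.
$unexpected | Group-Object { $_.Extension.ToLower() } | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$touched | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 3. Only after the structural check, scan the repository with the endpoint engine.
Start-MpScan -ScanType CustomScan -ScanPath $BackupRoot
```

A clean result here is necessary but not sufficient: it says the copies on disk have not been renamed or overwritten, not that the data inside them is sound, so still restore one system to an isolated network and verify it before relying on the set.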

Once you are confident that unauthorized access to your critical systems is impossible, you should begin the process of evaluating the extent and pervasiveness of the attack and determining how to execute your disaster recovery process.

Collect Evidence of Ransomware

If possible, take a picture with your mobile phone of what you observed. A picture of the ransom note, or a picture of an encrypted file, can greatly assist in diagnosing what has happened without having to reconnect or reboot an impacted machine.

After the emergency, the recovery

Now that the immediate threat has been neutralized, a full assessment of the impacted machines and the operability of the company can be made. Victims of ransomware can use free utilities such as No More Ransom or ID Ransomware to determine the type of ransomware that has impacted them. You may also contact us to help diagnose your situation. We also strongly encourage all victims of ransomware to report the incident to law enforcement. Please read our longer-form guide to ransomware response and recovery if you would like to be proactive about implementing best practices at your organization.


*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at:


Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.
