
What to do after a Ransomware Attack?

What do you do when you log in one morning and find that your credentials no longer work, or that your files have been encrypted by someone who intends to deny you access until you pay? Do you want to find out what to do after a ransomware attack?

Ransomware attacks have been rising for years, and the rise has been exacerbated by the sharp increase in remote work brought on by the COVID-19 pandemic.

With more people than ever working remotely, attackers have more opportunities to reach unsuspecting users with ransomware. The usual delivery routes are phishing emails that impersonate legitimate correspondence and drive-by downloads from compromised or malicious websites.

Once the malware has taken hold, the criminals demand large sums of money to restore access. Paying does not guarantee recovery: the attackers may withhold the decryption key, and where they have also copied the data beforehand they may leak or sell it regardless of payment.

This article therefore sets out the steps to take if you become a victim of ransomware, with the aim of limiting losses and reducing the chance of a repeat attack.

The Stages of a Ransomware Attack

How you respond depends on how far the attack has progressed, so you need to understand the degree to which the system has been compromised before applying a remedy. The following stages occur in most ransomware attacks:


Installation

Installation typically takes place within seconds of the ransomware being allowed to run, which usually happens when a user opens a phishing attachment or visits an infected website. Once running, the malware establishes itself on the endpoint and may spread to network shares and other machines reachable from it.

Exchange of Keys

Once installed, the ransomware contacts the attackers' command-and-control server. This exchange establishes the cryptographic keys used in the next stage: typically a per-victim key is generated on the infected machine and then protected with the attackers' public key, so that only the attackers can release it. Some families carry the public key with them and need no network contact at all, so the absence of outbound traffic does not rule out ransomware.

File Encryption

The files on the affected system are then encrypted so that the user can no longer open them. Encryption commonly extends to mapped drives and shared folders, so a single infected workstation can lock files across a large network.


Blackmail

Blackmail is the ransom demand, which usually follows immediately after encryption. It is accompanied by a promise to restore the data on payment and, increasingly, a threat to publish or sell it if the demand is not met.

Appropriate Ransom Response Procedures

The following response procedures are recommended in the event of an attack:

System Quarantine

This should be at the top of the agenda when containing a ransomware infection. Disconnect the affected devices from the network (pull the cable or disable Wi-Fi rather than simply powering them off, which destroys volatile evidence) so the malware cannot spread to other hosts.

Ensure Backup Security

Data backups are the most important asset for remediation and restoration, and attackers know it: many ransomware operators deliberately locate and encrypt or delete backups before triggering the ransom note in order to prevent recovery. Backups should therefore be locked down or disconnected from the infected network until the incident is resolved, and a backup should be verified as clean before anything is restored from it.

Deactivate Maintenance Tasks

Maintenance tasks are routine, scheduled jobs such as log rotation, disk cleanup, scheduled backups and the removal of old snapshots. Left running during an incident they can overwrite clean backup copies with encrypted files or delete the logs and shadow copies needed to trace the attack, so they should be paused until the investigation is complete.

Backup Infected Systems

Make a copy of the encrypted files and the affected systems (a disk image where possible) and store it in isolation before attempting any cleanup or decryption. A faulty decryptor can corrupt files beyond recovery, so working from a copy prevents avoidable data loss. Even files that are not urgently needed should be retained, since a working decryption tool for the family in question may become available later.

Identify the Type of Ransomware Used

Identifying the ransomware family is important for several reasons: it points specialists toward the weaknesses that probably allowed the initial access, it tells you whether a free decryptor already exists, and it guides the creation of one where it does not. The ransom note, the extension appended to encrypted files and a sample of an encrypted file are the main identifiers; locating the initial infection point and isolating a sample of the malware itself complete the picture.
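To make those identifiers concrete, here is an added triage script (written for this edit, not HackerCombat's code) that walks a directory and collects the three things a family-identification service such as No More Ransom's Crypto Sheriff asks for: the ransom note, the extension appended to encrypted files, and a sample of the encrypted files. It also illustrates the encryption stage described earlier: encrypted files stand out by their high byte entropy, and a magic-header check keeps compressed formats such as PNG or ZIP from being mistaken for ciphertext. The keyword list, the 7.5-bit threshold and the sample directory it builds are assumptions constructed for the example.

```python
"""Ransomware triage helper: collects the indicators used to identify the
family (ransom notes, appended extensions, a sample of encrypted files).
Added example for this article; not HackerCombat's code.  The keyword
list, the entropy threshold and the sample tree are assumptions."""
import hashlib
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Phrases that typically appear in ransom notes (heuristic assumption).
NOTE_KEYWORDS = re.compile(r"(decrypt|bitcoin|\.onion|ransom|your files)", re.I)

# Magic headers of formats that are legitimately high-entropy (compressed);
# without this check every JPEG, PNG or ZIP would be reported as encrypted.
COMPRESSED_MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04", b"\xff\xd8\xff", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4.5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    """Small text file whose body repeatedly mentions payment or decryption."""
    if path.stat().st_size > 65536:
        return False
    text = path.read_bytes().decode("utf-8", errors="ignore")
    return len(NOTE_KEYWORDS.findall(text)) >= 2


def looks_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """High entropy with no known compressed-format header -> likely encrypted.
    The 7.5 threshold is an assumption that works for files of a few KB."""
    head = path.read_bytes()[:65536]
    if head.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(head) >= threshold


def triage(root: Path) -> dict:
    """Walk a tree and bucket files into notes, encrypted files and the
    extensions those encrypted files carry (what an ID service asks for)."""
    notes, encrypted, extensions = [], [], Counter()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if is_ransom_note(p):
            notes.append(p)
        elif looks_encrypted(p):
            encrypted.append(p)
            extensions[p.suffix.lower() or "(none)"] += 1
    return {"notes": notes, "encrypted": encrypted, "extensions": extensions}


def fake_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content
    (a SHA-256 chain; constructed test data, not real ransomware output)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_tree(root: Path) -> None:
    """Constructed victim directory: one note, two encrypted documents,
    one untouched text file and one PNG (high-entropy but legitimate)."""
    (root / "README_TO_DECRYPT.txt").write_text(
        "Your files have been encrypted. To decrypt them send 0.5 bitcoin "
        "and contact us via the .onion address below.\n")
    (root / "report.docx.locked").write_bytes(fake_ciphertext(8192, b"a"))
    (root / "budget.xlsx.locked").write_bytes(fake_ciphertext(8192, b"b"))
    (root / "notes.txt").write_text("Meeting agenda: budget review, hiring.\n")
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + fake_ciphertext(8192, b"c"))


def triage_sample() -> dict:
    """Run triage over the constructed tree; returns plain names for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        result = triage(root)
        return {
            "notes": sorted(p.name for p in result["notes"]),
            "encrypted": sorted(p.name for p in result["encrypted"]),
            "extensions": dict(result["extensions"]),
        }


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Run it as a script to see the three buckets. In a real incident point triage() at an isolated copy of the affected share rather than the live system, and hash the note and one encrypted sample before submitting them, so that what you send and what you preserved can be matched later.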


It is entirely possible to recover fully from a ransomware attack, but it takes prompt and decisive action during and after the attack for that recovery to become a reality.

Source : HackerCombat
