You’ve Been Hit by Ransomware. Now What?

teenage hacker girl attacks corporate servers in dark typing on red picture id946613770

The worst has happened: Your organization is the victim of a ransomware attack. Now what? While there are several variants of ransomware out there today, some of the more pervasive variants include REvil, Conti, and Avaddon ransomware.

How can you contain the damage quickly and limit the attack’s impact on your business and productivity? Take these four steps to minimize ransomware’s destruction of your files and systems.

  1.  Immediately contain and neutralize the threat

An end user in your organization gets the alert – their system is locked up with ransomware. They can’t access files and you’re alerted. Once you receive that hallmark notification, you need to immediately determine if the attack is still happening.

Malicious activity from a ransomware attack often starts before ransomware even lands on a system. Recent research from Sophos experts investigating a REvil attack found a direct link between an inbound phishing email and a multi-million-dollar ransom attack two months later.

Collect as much initial information as possible, and, using these breadcrumbs, assess if the attack is still happening. It’s important to figure out which devices may be impacted and isolate them by disconnecting them from all networks.

  2.  Get a full picture of the damage

There are a number of different ways that REvil, Conti, and Avaddon ransomware can enter your network. These include exploiting a known vulnerability, brute-force attacks against Internet-facing services, or simply abusing stolen user credentials. And these are just a few examples.

Now’s the time to determine how they got in and figure out which endpoints, servers, and operating systems were affected. Get a sense of what assets have been destroyed and which are still intact. What is the status of your backups? Does the attacker have them? Have they been deleted (a common tactic in ransomware attacks today)? Be sure to identify which machines were left untouched, as they will be important in your recovery efforts.

  3.  Put incident response into action

Hopefully this isn’t the time to regret never having put a written and tested Incident Response (IR) plan into place. Put your IR plan into play and start your clean up and recovery.

If you don’t have an IR plan, determine who will handle the aftermath of the attack. Aside from the obvious stakeholders, like IT admins and senior management, you will likely want to bring in outside security experts. Also, contact your cyber insurance company and legal counsel to help determine if you need to report the incident to law enforcement. Employees will likely also need to be informed, but legal can help advise what information they need and when and how to dispense it.

It’s also important to consider how you communicate. If the intruders have been in your network for a while, they’ll probably have access to email and may be eavesdropping.

  4.  Continue vigilance post attack

As mentioned, attackers will often continue to monitor the situation and even your email communications to see how you respond, which is why it is essential to be vigilant about how you are communicating and what you are saying over email. The attack is often not over after the ransomware is initially deployed. In fact, attackers are likely to have downloaded and installed backdoors that allow them to come and go on your network and install additional tools.

While you may consider the attack over, it’s difficult to eliminate all traces of any attack. Take the time to identify how the attackers got in, learn from any mistakes, and make improvements to your security.

Sophos can help you recover from even the most devastating ransomware attack. Learn more at


Copyright © 2022 IDG Communications, Inc.