If you are asking yourself how to respond to and report ransomware attacks, our sincere condolences. This will be a stressful time. These tips will help you prevent additional unnecessary strain on business operations.
Before you go ‘guns blazing’ to respond to a ransomware incident, review the following checklist to make sure you do not make the situation worse than it already is. Remember, this is and needs to be a well-thought-out process. Disconnect all infected machines from the internet and then perform the following steps.
Situation Analysis
You thought you were protected. You’ve heard the news of this happening with other businesses, but you didn’t think it would happen to you. Ransomware attacks will often happen at the absolute worst time for you, and the most opportune time for the cyber criminal. In many cases, your system was compromised long ago. Keep in mind, the goal of a cyber criminal is to make sure you are forced to pay their ransom. They have often been in your system for some time, have deleted backups, circumvented controls, and have chosen this very moment to execute their attack. They are at war and are determined to win.
1) Take a very deep breath and realize that it can take a few weeks to recover from a ransomware attack.
You will need your employees, suppliers and trusted partners on your side during this event. You need friends on your side. Avoid the temptation to point blame or make unrealistic demands on those around you. In the overwhelming majority of cases, the incident was caused by an internal employee clicking or opening a file attachment; it is highly unlikely this was done intentionally. There will be a time and place to recap what happened, what was learned and how to prevent this from occurring again in the future.
2) Contact your commercial insurance carrier.
Often your insurer, even if you do not have cyber coverage, will be able to get you pointed in the right direction. They have received these phone calls before. Take a few minutes to alert them to what you are facing; you may be pleasantly surprised to find they have resources available to help you respond to this impactful incident.
3) Contact the FBI.
You were the victim of a crime. Take the time to contact your local FBI field office and ask them for assistance. This is why you pay taxes. You can also submit a tip online. It is recommended that you file a report with the FBI’s Internet Crime Complaint Center (IC3).
4) Discuss your backup situation with your Trusted IT Provider.
After a ransomware attack occurs, the ONLY solution will be to restore from backups. You will need to wipe clean the infected operating systems and take steps to harden the unaffected endpoints on your network. In some very rare cases, there could be a decryptor available, but remember that your files cannot be decrypted without a key that is known only by the cyber criminals; decryptors do not have a good track record. This is one reason backups become vital in the process of responding to a ransomware attack. The FBI does not like to see companies paying ransoms. In some cases you still aren’t able to recover your files, or you are simply re-hacked after having paid. Paying the ransom should be the absolute last step you take; talk to experts before you engage in discussions with cyber criminals.
Summary
These tips assume that your IT company is already engaged. Please make the phone call to your insurer before people go around running tools, wiping drives, and trying to quickly fix the situation. Beyond unplugging your machines from the internet, do not start trying to fix anything before you’ve performed the above steps.
Keep in mind that hackers are already in your system. How are they going to respond to seeing you actively trying to avoid paying them their ransom? Disconnect from the internet wherever possible, and make a few phone calls to experts who can assist in constructing a proper incident response plan.