How to
Brianna Gammons
Sep 2016

What to Do When You've Been Hit With Ransomware

Ransomware FAQs:
Your Ransomware Questions, Answered

Having an incident response program is one thing. But how do you deal with a type of attack that acts immediately and takes everyone by surprise?

As the 2016 SANS Incident Response Survey explains:

"Ransomware also presents unique challenges for IR teams. They are not tracking an attacker through the environment, as they normally would. Instead, they are combating a program’s ability to spread as fast as it can."

If companies with an entire team of people dedicated to incident response and a full suite of sophisticated software at their disposal are having trouble responding to ransomware, how can companies with smaller budgets and fewer resources be expected to react smoothly to a ransomware attack?

With ransomware infections continuing to climb (reports estimate over 56,000 in March 2016, alone), organizations of all sizes are scrambling to tighten up their security and plan for the increasingly likely scenario that they’ll be targeted by a ransomware attack.

If you’re one of the thousands of IT pros and security leaders looking for answers, here are answers to some of the most urgent questions you’re likely to face during and immediately following a ransomware attack. Knowing the answers and working out a plan to address them ahead of time will help you move through the recovery process much more smoothly and get your organization back to normal.

Skip ahead to get answers to the following questions:

I’ve been hit with ransomware. What do I do?

Maybe you get a notification from a user (or, worse, a group of users) that they can’t open their files. Or maybe you notice accessibility issues firsthand. You get a sinking feeling and worst-case scenarios flash through your head. Your stress level is growing. Take a deep breath, grab some coffee, and dive in. All that matters right now is getting more info and minimizing the damage.

What has the ransomware infected and how can I stop it from spreading?

Depending on how you discovered/were notified of the infection, you may find yourself dealing with one or multiple users and machines. Your first step should be isolating any infected machines by disconnecting them from the network. Keep in mind many ransomware variants are able to spread through shared network drives, so you may need to temporarily lock those down and check your file servers, too.

The majority of ransomware variants will make changes to encrypted filenames, often changing all the extensions to something that corresponds with the ransomware name (ex: .zepto or .locky). They also often create README.txt and README.html files with ransom instructions. Looking for these markers can give you an idea as to the extent of the infection and how far it’s spread.

To understand how the infection started you’ll also want to identify “patient zero”. Keep in mind that may not always be the user who reported the incident. In some cases, you may be able to determine the source of the infection by looking at the properties of one of the infected files and seeing who the owner is listed as For more on how to identify patient zero, see this thread in Spiceworks.

What do I tell my users?

If a user reported the attack, get them off the network while you figure out what’s going on. The same goes for any other impacted users if you’re getting multiple complaints.

Once you determine the cause of the infection it may also be a good idea to share an alert with other users letting them know what to be on the lookout for (ex: phishing emails with fake invoices, etc.).

In the meantime, is there anyone else who needs to know about the ransomware attack right away? If so, now’s the time to tell them.

What was the source of the infection?

If you didn’t hear about the attack from patient zero, talk to them now. Most ransomware typically doesn’t wait long to get going once it’s on a machine, so in many cases you should be able to find out what triggered the attack by finding out what the user was doing shortly before the ransom screen popped up.

Ask users to retrace their steps:

  • Did they open any new documents?
  • Click on any attachments or links in an email?
  • Did they visit any websites they don’t normally visit?

How do I get my files back?

Unfortunately, in most cases, once files are encrypted there’s no way of unlocking them without the decryption key.

That said, malware researchers are sometimes able to exploit flaws in ransomware encryption methods and develop decryption tools. Our Ransomware Decryption Tool Finder is an easy way to find out whether a decryption tool is available for the strain of ransomware you’ve been infected with.

If no decryption tool is available then your only other option is to restore your files from backup. Having a backup system is part of any good disaster recovery plan, but is your current backup good enough to get your users up and running quickly after you’ve been hit? If not, you have some thinking to do. For tips on tightening up your backup strategy, see our blog post “3 Better Ways to Use Backup to Recover from Ransomware.”

Should I pay the ransom?

If you can’t decrypt or recover your files from backup, you’re left with a difficult decision to make that may come down to how integral access to the encrypted information is. It’s a good idea to think about how valuable your data is — are you dealing with law case files, patient health records, customer sales orders, etc. — and make decisions on how you’ll handle various encryption scenarios ahead of time.

The FBI has become more clear as of late that you should not pay the ransom, and when we surveyed IT pros on Spiceworks, only 5% of people hit with ransomware even considered paying the ransom an option. But ultimately, your decision will have to be based on your situation, not other people’s.

How can I tell what type of ransomware we’ve been infected with?

Another factor that may play into your decision of whether to pay or not is the type of ransomware you’re infected with. Some variants have been identified as being “fake” ransomware that doesn’t actually encrypt your data effectively. Other variants have been cracked and decryption tools have been made available. Still other variants may not have a good track record of actually delivering a working decryption key.

There are several ways to learn what type of ransomware you’ve been infected with. The first thing you can try is using our Ransomware Decryption Tool Finder. Even if a decryption tool isn’t available, typing in the encrypted file extension will provide you a list of the possible ransomware types.

Information included in the ransom screens — specifically, any URLs it points you to for more info/payment steps — can also provide you with identifying clues. Researcher Michael Gillespie has a website that allows you to upload a ransom note or a sample encrypted file to learn what type it is.

Lastly, you can try some good old-fashioned googling. Search for the ransom screen messaging, for the extension that has been applied to your locked files, or for some of the symptoms you’re experiencing such as encrypted unmapped network shares or encrypted shadow copies. A great resource to check out is

How do I make sure that the ransomware is off of my user’s device for good?

The safest way is to nuke the computer and bring it back to factory settings. Then restore from backup.

If you don’t have backup you can use, the situation becomes trickier. There are things you can try to salvage some of the files from the computer such as malware-removal tools (Microsoft offers a free one), but you do run a risk of a file getting missed and the infection starting back up again.

How do I convince my boss that we need better security against ransomware?

If she isn’t scared off by the fact that your organization was hit with a ransomware attack in the first place, make sure you explain to her just how bad the attack was or could have been if you hadn’t intervened. Spend time calculating the cost in terms of downtime and lead with that.

Be sure to come prepared to discuss not just the problem, but specific solutions. Do your homework on potential fixes for the problem and determine how the cost of implementing them compares to downtime and disruption costs. The clearer you can make the business case, the better.

How do I prevent ransomware from infecting my users in the future?

The good news is there are things you can do now to prepare yourself for dealing with ransomware and to stop it from infecting your system in the first place.

Ransomware To-Do List: Preventing Attacks

  1. Do you have AV installed on your endpoints?
  2. Do you have anti-malware or other endpoint protection installed that can stop attacks antivirus can’t?
  3. Are you using an automated patch management system? If not, do you have an organized method of discovering and deploying software updates?
  4. Have you conducted security awareness training for your users, with an emphasis on identifying potential phishing emails and reporting any suspicious or unusual activity?
  5. Do you have separate logins for all employees? Does everyone have only the access necessary for them to do their job?

Ransomware To-Do List: Limiting the Damage

  1. Have an up-to-date inventory of the backup status for all your workstations, including your recovery point objective.
  2. Run tests recovering data from backup in different scenarios. Keep track of how long it takes to restore and the success/failure rates.
  3. Practice a 3-2-1 backup strategy that requires you to have three copies of your data in two different locations, one of which is offsite.
  4. Conduct a risk assessment to identify and assign value to your organization's critical data assets. You need to know what data is important and where it resides.
  5. What is your cost of downtime? Figuring this out will help you decide whether to pay or not, should the time come. It will also help prove to your boss just how important it is to keep your systems ransomware-free.

Next Steps: Test Out Barkly's Anti-Ransomware Protection

Sometimes you think you’re doing everything right and malware still gets through. New variants of ransomware are being created everyday. It’s hard to keep track of the new ways they operate. Barkly is pioneering a new approach to endpoint security. Try us free for 15 days and block ransomware attacks on your users’ devices.

Brianna Gammons

Brianna Gammons

Brianna is helping us grow an active community of security beginners and experts alike. She is exploring topics like security in healthcare and how to keep companies safe from ransomware.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.