Ryan Harnedy
May 2016

How to Recover from Ransomware: The First 5 Things You Should Do


It’s the day you hoped would never come. You did everything right. You trained your users. You patched your firewall. You used behavior-based malware detection. You took every precaution...and yet, that support ticket still comes through:

“Hey, umm...something’s weird on my computer...none of my files open...and I got this message saying I need to pay...something called Bitcoins?”

It happened. Your user has ransomware. Maybe they clicked on a phishing email, maybe they visited a site infected with malvertising — whatever the reason, you have a ransomware infection and now you have to deal with it.

Ransomware Triage: Crucial First Steps for Responding to an Infection

While it’s crucial to build a strong, multi-layer security strategy for your company, the truth is that no system is 100% effective. There’s always a chance that someday you may find yourself, through no fault of your own, dealing with a user who has ransomware.

We recently had the chance to ask IT pros on Spiceworks who have been hit with ransomware about their experiences. Based on their answers, we created this list of five things you should do right away to contain the infection and reduce your risk of having to pay a massive ransom.

1) Disconnect the computer from the network

Once you suspect a computer might have ransomware on it, the first thing you need to do is take it offline. Pull the ethernet cord, shut off the Wi-Fi and shut off the computer. Some ransomware can spread via network connection, so the sooner you disconnect any potentially infected computers, the better your chances are of containing the breach.

2) Disable shared drives

A growing number of ransomware varieties, such as CryptoFortress and Locky, will encrypt network and shared drives connected to the infected computer. If you think you may have a ransomware infection, it’s a good idea to take all of your shared drives offline temporarily until you’ve cleaned out your network.

3) Talk to "patient zero"

Once you’ve shut down the computer and taken your shared drives offline, take some time to speak with your user about what they were doing prior to the ransomware infection. Did they get any unusual emails? Did they get asked to enable macros?

Learning from your user how the malware got on their computer will help you better combat any further attacks and make your email much more effective when you…

4) Alert the rest of your users

Once you know what type of attack you’re dealing with, you can send out a quick note to your users so they can be on guard for any future ransomware attacks. While it’s unfortunate that you got hit with a cyberattack, it is a good time to have your users brush up on cybersecurity training and be better equipped to avoid these attacks in the future.

5) Update and run your security software

Now that you’ve isolated the infected computer and alerted your users, check for and install any available updates on your security software and run a scan on all of the devices on your network. Ransomware changes pretty rapidly, so make sure you have the most current version of your antivirus and anti-malware endpoint protection installed on computers throughout your network.

Next step: Restore from backup (if possible)

Now that you’ve contained the infection and put the rest of your users on guard, the best way to fix your user’s computer without paying the ransom is to restore it from your backup. Before you wipe the computer, however, make sure your backup is up-to-date and that you have a good copy of that data. You don’t want to hit the nuke button and realize your last backup was two months ago.

There are quite a few things that can reduce your ability to rely on backup, and you don't want to find out about them after it's too late. To make sure your backup is ransomware-ready, see my blog post "3 Better Ways to Use Backup to Recover from Ransomware."
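One way to run the "is my backup good?" check before wiping, as an added example that is not from the original post: it reports how old the newest file in a backup folder is and flags files whose leading bytes no longer match their extension, which is what a copy that was overwritten with encrypted data looks like. The function names, the one-day threshold and the sample files are assumptions made for illustration.

```python
import os
import tempfile
import time

# Well-known leading bytes ("magic numbers") for a few common file types.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def check_backup(root, now=None):
    """Return (age_in_days_of_newest_file, files_whose_header_is_wrong)."""
    now = time.time() if now is None else now
    newest, damaged = None, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            newest = mtime if newest is None else max(newest, mtime)
            sig = MAGIC.get(os.path.splitext(name)[1].lower())
            if sig is None:
                continue  # no known signature for this type, cannot judge
            with open(path, "rb") as fh:
                if fh.read(len(sig)) != sig:
                    damaged.append(os.path.relpath(path, root))
    age = None if newest is None else (now - newest) / 86400
    return age, sorted(damaged)

def safe_to_wipe(root, max_age_days=1.0, now=None):
    """True only if the backup is recent AND no checked file looks overwritten."""
    age, damaged = check_backup(root, now)
    return age is not None and age <= max_age_days and not damaged

def demo():
    """Constructed sample: a 3-day-old backup with one file that lost its header."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        samples = {"report.pdf": b"%PDF-1.4 constructed sample",
                   "budget.xlsx": bytes(range(200, 256)),  # stands in for ciphertext
                   "notes.txt": b"plain text, no signature to check"}
        for name, data in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (now - 3 * 86400,) * 2)
        return check_backup(root, now), safe_to_wipe(root, now=now)

if __name__ == "__main__":
    print(demo())
```

A recent modification time alone does not prove the backup is good: ransomware that reached the backup share also leaves fresh timestamps, which is why the header check runs alongside the age check.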

While we hope you never have to use this checklist, if you do find yourself with a ransomware infection, taking these steps should help you contain the breach and get back to business as usual.

For more information about how to keep ransomware off your computers and to keep from ever having to use this list in the first place, check out our IT Pro’s Guide to Endpoint Security (it's ungated and there's no form to fill out, so go ahead and dive in!).

Ryan Harnedy


Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.

