What to do after a ransomware attack?

Being hit by ransomware can be devasting and frightening, however, reacting quickly to the attack can mitigate some of the damage. In previous parts of this blog series, we explored the rise of ransomware and some of the best preventative measures. Yet even businesses that follow best practices aren’t guaranteed immunity from attacks.  

Whether your business has been hit by ransomware, or you’re looking to be prepared for the worst-case scenario, in this blog, we’ll explore what actions you should take after a ransomware attack has occurred, covering short-term, medium-term, and long-term strategies for recovery and prevention. 

Isolate affected systems as quickly as possible

Ransomware is typically designed to spread as far throughout the estate as possible. Once an infected device or file is identified, it is vital to isolate it from the rest of the network as quickly as possible to minimise further infection.   

Record all the details of the attack and report the attack to the relevant authorities. 

A ransomware attack is a criminal act that warrants taking the correct legal action. Before reporting the attack, take a picture of the ransomware message displayed on your screen and make note of any key details of the attack and include this in the report. This will help the authorities to locate and recognise the attackers.   

It’s worth noting that businesses that operate in certain industries are legally required to report potential data breaches, and failure to do so could lead to hefty fines. You can find out more about the latest rules and regulations around reporting ransomware attacks in our recent blog

Secure backups

Backups play a critical role in remediating your data; however, these are not immune to attacks. As well as your main storage of data, attackers will often target a company’s backups and try to encrypt these. Organisations should rapidly try to disconnect their backups from the network or restrict access to the backup systems until the issue is resolved. What could make a bad situation significantly worse is if infected files are “backed up” resulting in the backups becoming unusable.  

Reset passwords 

When an attacker gains access to your systems, they may also gain access to any passwords that may be saved on your machines or in your web browser. It is crucial to change all your passwords once you have restored your operating system. It’s good to get into a habit of creating unique passwords that heavily differentiate from those accessed during the breach. Doing so should help eliminate the chance that an attacker will later crack your new passwords.   

Identify the ransomware strain  

Identifying the ransomware strain may help an organisation avoid paying the ransom. Fortunately, there are now many decryption tools available online including decryption websites that may be able to provide the encryption code which is needed to unlock your device yourself. If your organisation lacks the expertise to do this, then engaging with a specialist third party can assist you in unlocking your device. 

Decide whether or not to pay the ransom 

There are many strong reasons not to pay the ransom, including the lack of certainty that the criminals will unencrypt your files, contributing to a continuing problem and the financial hit of handing over a large cash sum. 

Equally, paying the ransom doesn’t eliminate your chance of future attacks. Studies have found that 80% of paying victims were hit for a second time after paying the demanded cost. A second ransom usually comes with a subsequent heightened cost. It’s also not guaranteed that the attacker will return the data. In fact, a recent report reveals that almost 200,000 companies affected by a ransomware attack never received their data back after paying the ransom fee. 

However, depending on the severity of the attack and the importance of the data, an organisation may feel they have no other option but to take the risk and hand over the money. If a cyber insurance policy is in place, it is worth checking the terms and conditions to see what may be covered by the policy. 


While ransomware attacks are stressful and harmful, the right response plan can help with recovery and mitigate the most negative consequences.  

The response plan should not only cover immediate actions but look to strengthen your organisation’s cyber security in the long run. 

Of course, it is best to take a proactive approach and strengthen your cyber security before a ransomware attack has occurred. To stay ahead of cyber criminals, get in touch with our team of cyber security experts. 

Thanks to Principal Security Consultant David Cooper for his vital contributions towards this piece.

Also in Assess


Get in touch with our technology experts.

Talk To Our Team