How to Stop Ransomware in Action | EasyDMARC


What would you do if your device was suddenly taken over by malware? Without warning, your files and data are encrypted and you can no longer read or open them. Everything of value on your device is suddenly scrambled into nonsense, and the only way you’re getting it all back is to pay the ransom to an unknown hacker.

While this may sound like a nightmare, it’s a genuine possibility for many individuals and organizations across the globe. So, what can you do to combat it? We say – have a plan. Ransomware thrives on knee-jerk reactions and poor, haphazard choices.

Ransomware is a type of malware that infects your data and documents, encrypting them with a key that only the hacker holds. The hacker typically demands a ransom, and if it isn’t paid within the timeframe (usually 24 to 48 hours), the data is erased for good.

It’s absolutely imperative to know how to protect yourself from ransomware before an attack happens. But what if it’s too late?

Keep reading for steps on how to stop ransomware attacks that are already harming your network.

Isolate the Infected Device

The first thing you’ll need to know is how to stop ransomware from spreading. It’s especially important if you’re part of an enterprise or organization. What separates a mild annoyance from malware that can literally bankrupt a company overnight is how far the ransomware is allowed to spread. So immediately disconnect any devices attached to your infected system.

Unplug drives, make sure there are no wireless connections from the infected device to other ones, and disconnect it from the network. Quick reaction time is vital with this step: as soon as the infection is located, isolate the system immediately to stop the virus from spreading.

Disconnect All the Devices From the Network

Now that you’ve isolated the infected system, it’s time to worry about the network. Many forms of malware don’t just dig their roots into one computer. They go straight for the network.

Ensure that every single device you can disconnect is detached as soon as possible. Always assume that the ransomware is swimming around in the network. Your goal now is to make sure that it has no way to access systems via connections.

Assess the Damages

Now that you’ve disconnected the devices and isolated your main system, it’s time to look over the damages. Check shared drives and folders, network storage devices, and external, USB, and cloud folders. Check any known locations of important data.

How far was the malware allowed to spread, and what did it manage to reach? In best-case scenarios, you may have been quick enough to stop it from reaching too much data.

In fact, you might not be missing anything that you don’t have backups for. However, in worst-case scenarios, you may be distraught to find that massive amounts of data are now encrypted and unrecoverable. Regardless, take note of the damage.

Determine if Any Credentials or Data Have Been Stolen

This is the most important part of looking over the damage. How valuable is the missing data? Are important credentials and vital information now gone or encrypted? Determining the value of the missing information and the replaceability of said data will dictate how you respond to the attack.

However, under no conditions should you respond hastily without a plan. Even if important credentials have been caught up in the infection, ransomware attackers aren’t always going to keep their word and return your info.

It would be unwise to assume that these attackers are honest enough to stick to their terms. So even in a worst-case scenario, take a minute to consider your options.

Locate Patient Zero

Now that you’ve gotten an understanding of the overall damage, you can start looking for the source of the infection. Knowing where the malware first started makes the response much more manageable. However, this isn’t always an easy process. It’s common for ransomware to require some sort of action on the receiving end in order to spread. Typically, this is opening an email attachment or clicking a malicious link.

Retrace the steps of the virus and ask employees about their recent activity. This helps you determine possible entry points. In some circumstances, the encrypted files even show an “owner” in their properties. That account is often the one that served as the entry point for the malware.
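As an added example (not code from the article or from EasyDMARC), the following Python helper applies the clues in this section: it flags encrypted-looking files, then reports the earliest encrypted file and which owners the encrypted files belong to. The suffix list, paths and owner names are constructed placeholders; the byte-entropy check is a common heuristic that goes beyond the owner clue the article itself describes.

```python
import math
import os
from collections import Counter

# Hypothetical suffixes for the constructed sample; real strains use their own.
SUSPECT_SUFFIXES = (".locked", ".encrypted")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted/random data approaches 8.0, plain text sits far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, sample: bytes, threshold: float = 7.0) -> bool:
    """Flag a file by a known ransomware suffix or by high entropy in its leading bytes."""
    if name.lower().endswith(SUSPECT_SUFFIXES):
        return True
    return len(sample) >= 256 and shannon_entropy(sample) > threshold

def rank_patient_zero(records):
    """records: iterable of (path, owner, mtime_epoch, leading_bytes).
    Returns (earliest encrypted path, Counter of owners of encrypted files)."""
    flagged = [r for r in records if looks_encrypted(r[0], r[3])]
    if not flagged:
        return None, Counter()
    earliest = min(flagged, key=lambda r: r[2])
    return earliest[0], Counter(r[1] for r in flagged)

def collect_records(root: str, sample_size: int = 512):
    """Read-only walk of a mounted share on an isolated POSIX host; owner via pwd."""
    import pwd  # POSIX only; on Windows use the file's security descriptor owner instead
    out = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            with open(path, "rb") as fh:
                out.append((path, pwd.getpwuid(st.st_uid).pw_name, st.st_mtime, fh.read(sample_size)))
    return out

# Constructed sample records (not real incident data): path, owner, mtime, leading bytes.
SAMPLE_RECORDS = [
    ("share/finance/q3.xlsx.locked", "jdoe", 1_700_000_300, b""),
    ("share/finance/q2.xlsx", "jdoe", 1_700_000_100, bytes(range(256))),  # encrypted in place, not renamed
    ("share/hr/handbook.docx", "asmith", 1_700_000_500, b"quarterly report text " * 20),
    ("share/hr/payroll.csv.locked", "svc_backup", 1_700_000_400, b""),
]
```

On the constructed sample, the earliest encrypted file is the in-place encrypted `q2.xlsx` and the owner `jdoe` dominates, which is where the interviews from the paragraph above would start.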

Identify the Ransomware Type (Strain)

Now it’s time to look into what form of ransomware you could be dealing with. It’s important to understand because there are actual treatments and recommended responses for different types of ransomware.

Some of the biggest types out there are strains like Bad Rabbit, GoldenEye, Locky, Maze, Ryuk, Dharma, etc. Compare the symptoms you observe against known strains to see which type of ransomware they match.

This step will help you understand what method of recovery you can use later.

Report the Ransomware to Authorities

Before moving on to how you’ll deal with the matter, you should report the infection to the authorities. It’s best to get an investigation started in the hope of preventing future attacks. If attackers face no consequences, they can keep attacking victims. In order to help stop ransomware, you should report the attack immediately.

Evaluate Your Backups

In best-case scenarios, a response might not even be necessary. Before you look into your response options, look through your backups. The ideal situation would be that you have reasonably up-to-date backups of most of the important data that was lost, and none of the backups were hit by the infection.

In that case, you may not need to respond to the attacker at all. The hacker has failed, and as long as you isolate the infection and recover your system from the backups, you’ll be fine. However, in most scenarios, this is not the case. When it isn’t, it’s time to consider your options.

Research Your Decryption Options

If you’ve done research on your strain’s behavior, you should have an idea of what kind of ransomware you’re dealing with. Use this to look up decryption options. Many times, there are organizations and efforts that can help undo the damage and stop ransomware attacks.

One of the best places you can visit is a site called No More Ransom, where you can access tools and upload copies of encrypted files in order to be matched with the proper decryption process.

Choose a Response Option

If none of this was sufficient in returning your files, it might be high time to face the music. There’s a chance those files are lost forever. In most cases, it’s not recommended to ever pay the ransom, as there’s a good chance you won’t even receive the means to decrypt your files after paying.

However, if the files are that vital, you may consider if the demanded ransom expense is worth the chance at reclaiming them.

Final Thoughts

While it’s much easier to prevent ransomware than fight against it, there’s still something you can do. If you’ve been vigilant regarding your backups and have maintained healthy cyber awareness levels in your organization, ransomware shouldn’t be able to penetrate your system.

Still, even if it did, you have more than a few options before you consider paying the ransom.


Content Team Lead | EasyDMARC
Hasmik talks about DMARC, email security, and cyberawareness. She finds joy in turning tough technical concepts into approachable and fun articles in plain language.
