How to Handle a Ransomware Attack (Plus: 5 Steps to Recover From Ransomware and Prevent It)

  Cyvatar | 11/04/2021

You’ve done everything you can to avoid a ransomware attack, but you’ve still fallen victim to one. 

Whether a new employee clicked a link without thinking or a member of the C-suite was swindled into downloading a file that looked legitimate, ransomware attacks are far more common than you think. In fact, ransomware is the most common form of cybercrime.

The Cost of Ransomware

Ultimately, if your organization falls victim to a ransomware attack, it isn’t simply the ransom that you’ll be responsible for paying. The costs are far greater, which is why these cyberattacks are so devastating for a business.

Here are just a few of the costs you’re looking at (outside of the ransom itself):

  • Legal fees: When there’s a need for incident response, one of the most important aspects is the legal ramifications.
    A trusted law firm is in charge of handling any ensuing lawsuits from a breach; and when incident response is proactively managed, your legal team will also lead tabletop exercises and plans or policies for future incidents.
  • Remediation costs: If your internal IT team can’t handle remediating a breach, then calling in the experts will become a necessary cost.
  • Loss in business: Any IT downtime means you can’t do business and serve your customers until your data is safely restored. Plus, you may end up losing some trust from potential customers who are concerned about future hacks.
  • Forensic accounting costs: Speaking of business losses, many organizations choose to hire forensic accountants to determine the interruption costs for the company. You can then attempt to recover this loss through your insurance plan.
  • Public relations costs: If you’re like most companies, you already know a decrease in customer trust is going to come post-breach. Since you want to get a head start on positive press, additional public relations resources may be necessary. 


While our best recommendation is to call in an expert immediately after an attack, we recognize this may not be the knee-jerk response for every business. 

So if you want immediate steps for right after a ransomware attack, follow these five steps:

1. Take a snapshot.

If you can, take a quick snapshot of your system and all of its memory. This will help identify the breach and any files that were infected.

(Not sure what you have? This is where IT Asset Management comes into play.)

2. Disconnect and isolate.

If possible, disconnect the device(s) from the internet and any associated networks.

If you know only one device has been attacked, it’s important to remove it from the rest of your network before there’s been time for any potential malware to spread.

(Obviously, for larger networks or system-wide attacks, this step is less feasible. Again, we’ll stress: call in the experts!)

3. Alert the right parties.

There are mixed schools of thought when it comes to speaking to the authorities about a ransomware attack. While it’s always best to report cybercrime, some businesses fear that time for an investigation will only incur more costs (including higher ransom and other business-related expenses).

However, in order to help stop ransomware, it’s best to alert the IC3 (FBI’s Internet Crime Complaint Center) when ransomware occurs.

If you have cybersecurity insurance, be sure to contact your insurance provider. Depending on the circumstances, it may be a good time to alert your customers as well.

4. Run a comprehensive scan.

Now that you’ve isolated the infected machine(s), run a scan on your remaining systems. This is where comprehensive and continuous monitoring and scanning will become extremely important.

Since cybercriminals aren’t known for their honesty, they may have told you only certain things were infected when they actually infiltrated much more.

5. Don’t pay the ransom.

While it may feel like the only way to recover your data and move on in your business, paying ransom to cybercriminals doesn’t ensure anything. Not only do you not know whether you’ll get your data back, but whatever you do get back may still be encrypted or may have been copied.

What’s more: paying the ransom only encourages cybercrime, making even more businesses victims.


Now that you have a better handle on your ransomware situation, it’s time to start removing and remediating. Having a trusted cybersecurity partner that’s focused on prevention and remediation is important. This is where Cyvatar’s fully managed cybersecurity services can come in to fully remediate for you.

Remove malware

Since most ransomware involves a malware program or encrypted files, it’s critical to remove anything malicious from your assets.

There are a number of decryption and remediation tools, as well as malware scanners at your disposal; but of course the safest method is to get help from an expert.

Change passwords

It may go without saying, but this is an opportunity to create more secure passwords and lock down your systems. Institute multifactor authentication management if you weren’t using it already.

Restore files

You may need to start from scratch, with original (or most recent) file versions or clean software restores from your cloud backup. Depending on the depth of the attack, your entire system may need to be restored.

On the other hand, some businesses decide to simply forfeit the data or files that were encrypted and no longer necessary for the business.

Determine the cause

If it hasn’t become obvious by now, it’s important to determine the source of the ransomware attack. That way, you’ll be able to prepare better for the future.

This is a great opportunity for secure endpoint management, to better secure your organization’s endpoints and proactively protect against future attacks.

Don’t let a ransomware attack devastate your business again. Cyvatar’s managed cybersecurity services are focused on cyber attack prevention. Get started with effortless cybersecurity by speaking with a Solution Outcome Advisor today.