“We’ve been Hit by Ransomware.” Immediate Ransomware Response Guide
Ransomware response guide to quickly reduce damage and downtime immediately after an attack
Ransomware continues to be one of the major cybersecurity issues of the current decade. Every second organization (59%) was hit by ransomware in 2024. Even though there's a slight drop from the 66% seen in the previous two years, with over half of organizations experiencing an attack, it remains crucial to stay vigilant. Moreover, just 20% of organizations impacted by ransomware in 2024 were able to recover in a week or less, down from 41% in 2023 and 50% in 2022. The example below demonstrates the difficulties of the ransomware recovery process.
Recently, software maker CDK Global fell victim to a crippling ransomware attack that has disrupted thousands of car dealerships that rely on the company’s platform. As a result of the ransomware attack, CDK Global shut down its IT systems and initiated mitigation measures. During efforts to recover from the initial attack, a second cyberattack hit the company. The disruptions continued for nearly two weeks and led to the encryption of critical files and systems. As a result, the company paid $25M in ransom and, finally, initiated a restoration process.
For CDK, like in the majority of ransomware situations, every second matters. The sooner the organization detects and mitigates the ransomware, the less damage and disruption it will suffer. The initial ransomware attack response, according to the CISA stop ransomware checklist, includes four major steps:
- detection and analysis;
- reporting and notification;
- containment and eradication;
- recovery and post-incident activity.
Following these steps would help minimize the damage and downtime caused by ransomware. Let’s delve into the primary response actions that organizations should take.
Isolate Systems Affected by Ransomware
Most ransomware variants, including BlackCat or Petya, scan networks for vulnerabilities to spread laterally, so isolating affected systems as soon as ransomware is recognized is an essential step of the overall ransomware response strategy. For any device that is (potentially) infected, it is necessary to disconnect network cables and disable WiFi, Bluetooth, and other network capabilities immediately. If disconnecting all systems is not feasible, one should prioritize isolating critical systems essential to daily operations. Several important things to consider when isolating the affected systems:
Isolate affected systems
If isolating affected systems from the network is impossible, power down the devices. This helps avoid further spread of the ransomware infection. However, it also deprives the organization of infection artifacts and evidence held in volatile memory, so use it only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network by other means.
Disconnect backups
Make sure backups are disconnected. Many newer types of ransomware, such as Ryuk and Sodinokibi, target backups to make recovery more complicated and increase the chances that a victim will pay a ransom. When backups are compromised, adversaries gain a significant advantage, often forcing victims to pay higher ransoms. Victims with compromised backups face ransom demands that are twice as large as those with intact backups, with median demands at $2.3 million compared to $1 million for those with unaffected backups. So, limit access to backup systems until the infection is removed.
Use out-of-band communication methods
Malicious actors often observe organizations’ activities or communications to determine if their actions have been detected. So, use out-of-band communication methods, like phone calls, in the initial stages of ransomware mitigation to avoid alerting the attackers that they have been discovered and mitigation steps are being taken.
Examine the organization's existing detection and prevention systems
Examine the organization's existing detection and prevention systems (such as antivirus, EDR, SIEM, IDS, and IPS) along with their logs to uncover evidence of additional systems or malware involved in earlier stages of the attack. Look for signs of precursor "dropper" malware like Bumblebee, Dridex, Emotet, QakBot, or Anchor, as a ransomware incident may indicate a prior, undetected network breach. Operators of these sophisticated malware variants often sell network access, which malicious actors can use to exfiltrate data and threaten public release before demanding a ransom.
Avoid restarting affected devices
Hackers anticipate that restarting a device may be your initial reaction, and some ransomware variants are programmed to detect restart attempts. This can potentially cause further damage, such as corrupting Windows or deleting encrypted files. Additionally, rebooting can complicate the investigation of ransomware attacks, as important evidence is held in the computer's memory, which gets erased when the device is restarted.
Document Ransomware Incident
Before moving forward, take a picture of the ransom note displayed on the affected screen. Photographing a ransom note is important because:
- It serves as evidence for insurance companies, law enforcement and cybersecurity investigators.
- The note may contain unique identifiers, language patterns, or clues that can help trace the attack’s origin or identify the ransomware variant.
- It provides clear instructions from the attackers, which can be referenced during the response and recovery process.
In addition to this, document every action taken by the response team to mitigate the ransomware incident. Make copies of all digital media to retain evidence for the investigation. Maintain chain-of-custody records for every copy so that the evidence can be relied on by investigators, insurers, and law enforcement and the investigation stays on track.
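A minimal way to keep evidence copies and the chain-of-custody record consistent: hash each copy at intake, log who handled it and when, and re-check the hash whenever the item changes hands. This is an added Python example, not Planet 9's tooling or part of the original guide; the evidence item, file names and handler names are constructed.

```python
"""Evidence intake helper: hash copies of digital media and keep a
chain-of-custody log for them. Added example code (not Planet 9's tooling);
file names, handler names and the sample evidence bytes are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream files so large disk images need not fit in memory


def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log: list, path: str, handler: str, action: str, note: str = "") -> dict:
    """Append one chain-of-custody entry: which item, its hash at this moment,
    who handled it, what they did, and a UTC timestamp."""
    entry = {
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "handler": handler,
        "action": action,
        "note": note,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    log.append(entry)
    return entry


def verify_custody(log: list, path: str) -> bool:
    """True only if the item was logged, every entry carries the same hash,
    and the file on disk still matches it (i.e. no silent modification)."""
    item = os.path.basename(path)
    hashes = [e["sha256"] for e in log if e["item"] == item]
    if not hashes:
        return False  # an item nobody logged has no custody chain at all
    return len(set(hashes)) == 1 and sha256_file(path) == hashes[0]


def demo() -> dict:
    """Intake of a constructed 'ransom note photo', a hand-over, and a tamper check."""
    with tempfile.TemporaryDirectory() as d:
        note = os.path.join(d, "ransom_note_ws042.png")  # constructed file name
        with open(note, "wb") as f:
            f.write(b"\x89PNG constructed placeholder bytes, not a real image\n")
        log: list = []
        record_custody(log, note, "analyst.a", "acquired",
                       "photo of ransom note on workstation WS-042 (constructed)")
        record_custody(log, note, "analyst.b", "transferred", "handed to forensics")
        intact = verify_custody(log, note)
        with open(note, "ab") as f:       # simulate an accidental modification
            f.write(b"tampered")
        tampered = verify_custody(log, note)
        return {"intact": intact, "tampered": tampered,
                "log": log, "log_json": json.dumps(log, indent=2)}


if __name__ == "__main__":
    result = demo()
    print(result["log_json"])
    print("integrity before tampering:", result["intact"], "after:", result["tampered"])
```

The log is plain JSON so it can be attached to the incident record or handed to law enforcement as-is; the point of hashing at every hand-over is that any later discrepancy pins down which custody step the change happened in.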
In addition to this, keep a record of any suspicious activity or anomalies leading up to the attack. Some of the common signs of ransomware include:
- new accounts or accounts with recently elevated privileges, along with any recent activities involving high-privilege accounts such as Domain Admins;
- anomalous VPN device logins or any other potentially suspicious login events;
- endpoint modifications that may impair backups, shadow copies, disk journaling, or boot configurations, or any other activities that may inhibit system recovery;
- unexpected usage of remote monitoring and management (RMM) software or endpoint-to-endpoint communications that attackers commonly use to maintain persistence;
- suspicious data exfiltration by tools like Rclone, Rsync, or any web-based file storage services;
- newly created services, unexpected scheduled tasks, unexpected software installed, etc.
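The log review described under "Examine the organization's existing detection and prevention systems" and the list of signs above can be turned into a first-pass triage script that tags each matching event with the category it belongs to. This is an added Python example, not Planet 9's tooling or part of the original guide: the log line format, host names, user names, the expected VPN countries and the list of hosts approved to run RMM software are all constructed assumptions, and the rules are deliberately simple string matches that an analyst would tune to their own SIEM.

```python
"""First-pass triage of constructed log lines for the pre-ransomware signs
listed in this guide. Added example code (not Planet 9's tooling); the log
format, hosts, users, allowlists and expected countries are constructed."""
import re
from dataclasses import dataclass

# Constructed sample log: "timestamp host source: message", one event per line.
SAMPLE_LOG = r"""2024-06-18T02:11:05Z dc01 Security: EventID=4728 member jdoe added to group Domain Admins by svc_backup
2024-06-18T02:13:40Z vpn01 VPN: user jdoe login from 203.0.113.7 country=XX
2024-06-18T02:20:12Z ws042 Sysmon: EventID=1 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2024-06-18T02:21:03Z ws042 Sysmon: EventID=1 image=C:\Tools\rclone.exe cmdline="rclone copy D:\Finance remote:share"
2024-06-18T02:25:44Z ws042 Security: EventID=7045 service name=SysHelper path=C:\Users\Public\sh.exe
2024-06-18T02:26:10Z ws042 Security: EventID=4698 scheduled task name=Updater created by jdoe
2024-06-18T02:30:00Z ws017 Sysmon: EventID=1 image=C:\Program Files\AnyDesk\AnyDesk.exe cmdline="AnyDesk.exe --service"
2024-06-18T08:00:00Z ws017 Sysmon: EventID=1 image=C:\Program Files\Git\bin\git.exe cmdline="git pull"
2024-06-18T08:05:00Z vpn01 VPN: user asmith login from 198.51.100.4 country=US
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
EXPECTED_VPN_COUNTRIES = {"US"}        # constructed: where this org's staff normally connect from
APPROVED_RMM_HOSTS = {"it-jump01"}     # constructed: hosts allowed to run RMM tools
RMM_TOOLS = ("anydesk", "teamviewer", "screenconnect")
EXFIL_TOOLS = ("rclone", "rsync")      # tools named in the guide's list of signs

LINE_RE = re.compile(r"(\S+) (\S+) (\w+): (.*)")


@dataclass
class Finding:
    timestamp: str
    host: str
    category: str
    detail: str


def triage(log_text: str) -> list:
    """Map each log line to at most one sign category; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, source, msg = m.groups()
        low = msg.lower()
        if "eventid=4728" in low and any(g.lower() in low for g in PRIVILEGED_GROUPS):
            cat = "privilege_escalation"          # new member in a high-privilege group
        elif source == "VPN":
            c = re.search(r"country=(\w+)", msg)
            if not (c and c.group(1) not in EXPECTED_VPN_COUNTRIES):
                continue
            cat = "anomalous_login"               # VPN login from an unexpected country
        elif "vssadmin" in low and "delete shadows" in low:
            cat = "recovery_inhibition"           # shadow copies being removed
        elif any(t in low for t in EXFIL_TOOLS):
            cat = "possible_exfiltration"         # rclone/rsync activity
        elif "eventid=7045" in low:
            cat = "new_service"                   # service installed
        elif "eventid=4698" in low:
            cat = "new_scheduled_task"            # scheduled task created
        elif any(t in low for t in RMM_TOOLS) and host not in APPROVED_RMM_HOSTS:
            cat = "unexpected_rmm"                # RMM tool on a host not approved for it
        else:
            continue
        findings.append(Finding(ts, host, cat, msg))
    return findings


def summarize(findings: list) -> dict:
    """Group sign categories per host, in log order, to show where activity clusters."""
    by_host: dict = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f.category)
    return by_host


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host:6} {f.category:22} {f.detail}")
    print(summarize(hits))
```

Run against the constructed sample, the script flags seven of the nine lines and leaves the ordinary `git pull` and the in-country VPN login alone; the per-host summary shows the cluster on ws042 (shadow copy removal, exfiltration tool, new service, new task) that the guide's list describes as typical of the hours before encryption.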
Report Ransomware to Legal Authorities
Ransomware is a crime, so it must be reported to the proper authorities. Reporting the incident helps protect you and other organizations from similar incidents in the future and also helps legal authorities keep track of ransomware events and react to them properly. So, reporting is an integral part of the overall ransomware response process.
The comprehensive US incident reporting legislation, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), is expected to be passed into law in September 2025. It obligates critical infrastructure organizations to report substantial cyber incidents within 72 hours of the incident’s occurrence and ransom payments within 24 hours after any such payment. Although CIRCIA’s rulemaking process is still ongoing and the 447-page Notice of Proposed Rulemaking (NPRM) is open for public feedback, no doubt it will be passed in time.
As for now, organizations can report ransomware incidents to the following institutions:
- FBI Internet Crime Complaint Center
- CISA Incident Reporting Center
- local U.S. Secret Service field office
In addition to the expected CIRCIA, many businesses are obligated to report ransomware under the notification requirements of specific data privacy and protection regulations (HIPAA, CCPA, GDPR, etc.). For example, the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires reporting data incidents to the U.S. Department of Health and Human Services Office for Civil Rights if they result in a data breach affecting 500 or more individuals.
All in all, organizations affected by ransomware must follow notification requirements as outlined in their cyber incident response and communications plans to engage internal and external teams and stakeholders with an understanding of what they can provide to help mitigate, respond to, and recover from the incident.
Understand the Implications of Paying Ransom
Deciding whether to pay a ransom is a complex matter. Most experts advise that one should only think about paying if all other solutions have failed and the loss of data would cause greater harm than the payment. Here are some factors to consider when choosing the best course of action, paraphrased into questions:
- How much time and how many resources are needed to recover?
- How will the safety of customers and employees be ensured?
- What are our responsibilities to shareholders regarding maintaining business operations?
- What criminal activities might the payment potentially fund?
- Could there be any regulatory liabilities from providing money to a sanctioned individual or state?
There are other important factors organizations must consider when deciding whether to pay a ransom. First, paying a ransom doesn’t guarantee the criminals will fulfill their part of the deal after they receive payment. Even if they do, getting the decryption keys from attackers can be complex and time-consuming. Moreover, no one can guarantee that a copy of the data will not remain with the attackers even after the ransom is paid.
Second, a ransom payment can be considered a federal offense, especially if the attacker is from a country under sanctions by the U.S. government (Russia, North Korea, Iran). Businesses should think twice before paying a ransom to adversaries. For example, the U.S. Department of the Treasury says in its ransomware advisories that companies could face future legal trouble for being involved in ransomware payments. The FBI does not support paying a ransom in response to a ransomware attack because it only escalates the problem.
Third, paying a ransom strengthens the criminals’ business model and encourages more criminals to engage in the same activity, ultimately increasing the frequency and price of attacks.
Contain and Eradicate Ransomware
Organizations can take containment and eradication measures only after the affected devices are isolated. While dealing with ransomware infections, particularly advanced variants, can be challenging and often requires expert intervention, the following steps can help start the recovery process.
Determine the attack variant
There are free tools, such as the Proven Data Ransomware Identification Tool, that can help identify the type of ransomware. Just upload a sample of the encrypted file along with a ransom note and the details of the ransomware attack. Wait until the system gives a full description of the ransomware strain that attacked your organization. This information can help understand several key factors, including how the ransomware spreads, what files it locks, and how it can be eradicated.
Search for decryption tools
After identifying the ransomware strain, the next step is to search for decryption tools. Free resources, such as No More Ransom, can assist in this process. Just enter the name of the ransomware strain on these sites to find the appropriate decryption tool.
Ransomware Recovery Actions
Ransomware recovery actions should start with updating system passwords and restoring data from backups. It is reasonable to conduct a security audit and update all systems. Keeping systems up to date helps prevent hackers from exploiting vulnerabilities found in older software. Regular patching keeps devices current, stable, and resistant to malware threats. One may also want to refine the organization’s incident response plan with any lessons learned. Finally, it is necessary to improve user awareness training and educate users on incident reporting channels.
How Can Planet 9 Help?
Planet 9 employs seasoned professionals who can help solve your information security and compliance problems and assist clients in their ransomware response efforts. Our experts can support your organization in managing ransomware attacks by evaluating your incident detection systems, reassessing current ransomware risks, and ensuring that appropriate security controls and processes are in place to protect against ransomware.
Feel free to contact the Planet 9 team for help with ransomware prevention and recovery. We’ll be happy to assist!