Microsoft 365
November 18, 2022

10 Things You Should Do After a Ransomware Attack

Having your computer infected with malware is a scary and frustrating experience. After all, there’s a big chance that your identity, credit card information, and other personal files could be stolen or lost forever. While plenty of types of malware can cause problems on your computer, ransomware can be the most aggravating.


What are ransomware attacks? With ransomware attacks, bad guys download malware onto your computer or device and then demand you pay them ransom to get access to your device and important files. Hackers lock up your operating system, threatening to publish information, install another virus, or encrypt files. While it might seem like a small deal to pay the ransom and get on with your life, you can’t always trust that the person on the other end will hold up their side of the bargain.

All this can be stressful to say the least. So, here are 10 steps to take if you find yourself dealing with a ransomware attack.

  1. Stay calm. It’s natural for your first reaction to be anger or fear. You’re angry because somebody is trying to shake you down for your hard-earned money. Or maybe you’re scared because the hackers have threatened to reveal private or embarrassing information if you don’t pay. Fear is reasonable because you could lose valuable files, get your identity stolen, or have your information entirely compromised. However, it’s essential that you stay calm. You don’t want to do something irrational that could have negative long-term consequences for you or your device.
  2. Take a photo of the ransomware message. Remember that ransomware is a crime. In fact, hackers who distribute ransomware and extort less than $1,000 from their victims can still be charged with a felony. Before reporting an attack, it’s a good idea to take a picture of the ransomware message displayed on your device. You can do this with a smartphone, camera, or via screenshot, if possible.
  3. Report the ransomware. The long and the short of it is that malware is illegal. Take time to report the ransomware to the proper authorities. Not only will you be protecting others from a breach like yours, but you’ll also be protecting yourself from future breaches.
  4. Cut off incoming and outgoing connections. Nobody can access your computer remotely unless you’re connected to the internet. Disconnect from your Wi-Fi, unplug your ethernet cord, or do whatever else you need to do to disconnect your device from the web. If you’re not in a place where you can resolve the issue immediately, turn off the device to ensure malicious code doesn’t do further damage. Be sure to use Safe Mode when you restart your device, so you can access the basics of the operating system without allowing malware to do further damage. Cutting off your internet connection is the best way to quarantine your device.
  5. Disconnect external storage devices. Keeping backups of your files in the cloud or on an external storage device is a good way to protect anything you want to keep safe. The problem with many forms of malware is that they’ll also try to corrupt your external storage devices, so recovery efforts are futile. Quickly remove your external hard drive or thumb drives connected to your device to ensure they remain clean.
  6. Safely wipe the hard drive and reinstall your OS. With your items safely backed up, wiping your hard drive—while often a last resort—could be the best option when it comes to removing malware. You can reinstall your operating system and then move files from an external hard drive or the cloud back onto your device.
  7. Disable maintenance tasks. Many maintenance tasks on your device will continue to run as scheduled, regardless of a ransomware attack. Tasks like automatically emptying your Recycle Bin, cleaning out conversations, and deleting old files should be put on hold until the ransomware issue is resolved. Something could be deleted that you need to eliminate the malware or point authorities toward the source.
  8. Look for decryption tools in your antivirus software. Good antivirus software has a decryption tool of some sort to help resolve ransomware without meeting the hacker’s demands. Run through your antivirus software to look for decryption tools. If your software can’t help, search online on another device (a smartphone using cellular data is safe) to find a decryption tool.
  9. Identify the ransomware strain. Identifying the strain of ransomware can effectively identify the encryption code you need to unlock your device. Decryption websites can provide you with decryption codes, so you can resolve the issue without paying a ransom. The ransomware strain is also good to have when you go to the authorities to report the breach.
  10. Reset all of your passwords. A hacker who gains access to your computer also has access to any passwords you save in your web browser or operating system keychain. Once you’ve restored your operating system, go through and change as many passwords as you can. It’s also a good idea to make each of them unique from what you had when the breach occurred because a hacker who has a list of passwords will eventually be able to crack your new passwords.
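
The details that the "Identify the ransomware strain" step relies on, and that are worth handing to the authorities along with the photo of the message, can be collected from the affected folders with a read-only scan. The following is an added example, not part of the original article: it assumes the strain drops the same note file into many folders and appends one extension to the files it encrypts, and `triage`, `build_sample`, `READ_ME.txt` and `.lockedsample` are constructed names.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict


def triage(root, min_dirs=2):
    """Read-only walk of `root`: tally final file extensions and find files whose
    identical content appears in several folders (typical of dropped ransom notes).
    This is a heuristic; benign duplicated files can show up as well."""
    ext_counts = Counter()
    copies = defaultdict(set)   # (file name, sha256) -> folders containing it
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            ext_counts[os.path.splitext(name)[1].lower()] += 1
            try:
                if os.path.getsize(path) > 1_000_000:   # notes are small text/HTML files
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue   # locked or unreadable file: skip it, never modify it
            copies[(name, digest)].add(folder)
    notes = sorted(
        (name, digest, len(folders))
        for (name, digest), folders in copies.items()
        if len(folders) >= min_dirs
    )
    top_ext, top_count = ext_counts.most_common(1)[0] if ext_counts else ("", 0)
    return {"likely_notes": notes, "top_extension": top_ext, "top_count": top_count}


def build_sample(root):
    """Constructed sample tree (not real ransomware output) for the demo."""
    for sub in ("Documents", "Pictures", "Desktop"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "READ_ME.txt"), "w") as fh:
            fh.write("constructed sample note text\n")
        for i in range(3):
            with open(os.path.join(root, sub, f"file{i}.docx.lockedsample"), "wb") as fh:
                fh.write(os.urandom(64))
    with open(os.path.join(root, "Desktop", "notes.txt"), "w") as fh:
        fh.write("ordinary file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

The note's file name, its hash, and the appended extension are what to record; the scan only reads files, so it does not disturb anything the authorities may need.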

Ransomware attacks are avoidable when you keep in mind a few ransomware prevention best practices. These include avoiding questionable websites, not clicking links in emails from unknown sources, and even heavily scrutinizing emails from possibly reliable sources. Phishing scams are a common way hackers download ransomware to your computer, so it’s essential that you be cautious with links that come into your inbox or messaging app.
