It is 10:00 PM on a Friday night. You are almost done winding up work and thinking about your weekend plans when you notice a strange message on your desktop. A ransomware attack usually comes as a surprise.
“All your files have been encrypted!”
“What? I just finished everything. Oh, it could have been just another joke by my coworker!”
But something feels wrong. Instead of ignoring it, you start checking files on your PC and notice an unfamiliar extension tacked onto their names; nothing will open them, as in the following screenshot:
Here comes the moment of brutal truth: your systems have been infected with ransomware, and there is a high chance that your entire network is now compromised.
You are already stressed, but in a ransomware incident time is money. The sooner you notice and act, the better your chances of saving your data: encrypting files and copying them out to the attackers takes time, and every minute of delay lets it continue. Instead of panicking, stay calm and work through the steps below.
What to do in case of a ransomware attack? Our complete Ransomware First Response Guide will help you in minimizing your losses. This guide has been extensively prepared by our experts after helping several of our clients based in Germany and worldwide.
Without further ado, follow the steps below:
Accept that your systems have been compromised. The ransomware has got past your antivirus programs and firewalls, and the longer you wait, the more damage it does. You now have three choices:
- Employ a free tool to recover your data
- Pay heavy ransom (which we do NOT recommend, and provide no warranties for any sort of ransomware data recovery)
- Restore from backup (An ideal situation!)
We do not advise the first option. Free decrypters exist only for strains whose keys have been recovered or whose encryption was implemented badly, and searching for a reliable free removal and recovery tool can take hours, if not days; that is more than enough time for the attackers to finish encrypting, and copying, all of your data.
Important note: before you do anything else, photograph the ransom note and the listings of encrypted files with your smartphone, and keep doing so at every step. You will need this evidence when you report the incident to law enforcement.
Do you need to pay the ransom or recover from backup?
Paying is hardly better. A ransom payment funds the attackers' business model and encourages the next attack, and there is no guarantee that you will ever hear back or recover your data. We do not recommend it; in some cases it turns out to be the only economical way to get the data back, but it should be the last resort.
If it comes to that, bring in a company that specialises in ransomware incidents, such as BeforeCrypt. Negotiating with the attackers and arranging a safe payment route (only as the last resort) should be left to professionals; the attackers are experienced and it is risky for anyone else to deal with them.
The demand may well be a bluff to extract money from your company. Unfortunately there is a vicious cycle: businesses that fail to invest in their security infrastructure simply pay, believing that it is the cheaper option, and so fund the next attack.
The FBI does not want victims of ransomware to pay the ransom. Here’s why:
“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.”
The FBI instead recommends that businesses have a solid prevention plan (employee training and sturdy preventive controls) and a business continuity plan for the catastrophic event of data loss.
Ransoms, should you decide to pay, are demanded in Bitcoin, not by bank transfer. You will need to open an account at a legitimate exchange, deposit funds and buy the bitcoin, a process that can be time consuming because exchanges run identity checks first. The following are the two most popular websites to buy and sell bitcoin:
Once purchased, the bitcoin is sent to the attackers' wallet. Remember that there are no refunds: you are on your own after paying.
Let professionals handle the communication. BeforeCrypt uses disposable email addresses and hides the identity of our clients, which protects them from identity theft later.
Remember that you are dealing with criminals, and not all of them are competent or honest. In our experience, attackers are frequently unable to decrypt even one or two test files once we establish communication. Always demand a test decryption of a few sample files before any payment: if they cannot decrypt them, they have no working decrypter and are only after the money.
If your company takes backups regularly and keeps them isolated from the network, you have a good chance of recovering most of your data with little or no loss. Many companies, however, keep their backup systems permanently connected to the network for convenient real-time cloud backups. That is exactly what ransomware looks for: it usually encrypts or destroys every reachable backup FIRST, before moving on to the other systems.
Inform your IT company
Medium-sized businesses and large enterprises usually have a dedicated IT department, and ideally it already has a plan in place.
Unfortunately, because of budget constraints, many smaller companies have no IT department at all. In that case the owners and staff need to meet and agree on a plan.
In such times they should also approach a ransomware removal and data recovery company, such as BeforeCrypt, that specialises in handling these incidents; an experienced company saves time, avoids costly mistakes and can help you save the day.
Time is money! Unplug your machines
When a patient is bleeding, what do doctors do? They do not treat the wound first; they stop the blood loss, and only then proceed with the treatment.
Bear in mind that the message on your screen may well have been programmed to appear only AFTER all files were encrypted, which can take hours or even days. Take no chances anyway. The moment you notice the malware, immediately:
- Disconnect the affected machines and all network drives from the network
- Turn off Wi-Fi and Bluetooth and pull the Ethernet cables
- If possible, take the entire network down by literally pulling the plug on the switches and access points
- Tell remote workers who may be connected to the infected network (for example over VPN) to disconnect and shut down their systems
Where you have the choice, cut the network connection of an infected machine rather than its power: a running machine still holds volatile evidence in memory (and sometimes key material) that a forensic investigator may need.
Find the root cause of the ransomware attack
Find the root cause: in this case, the first computer that got infected. A whole network is rarely hit at the same instant; the malware spreads from one system to the next, and that takes time, so the timestamps of the earliest encrypted files and ransom notes point back to the first victim (patient zero).
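The timestamp idea above can be turned into a small triage script. The following is an added example (it is not BeforeCrypt's own tooling): it walks a directory tree, flags files that look like ransomware output using three heuristics (a second extension tacked onto a known file type, near-random content as measured by Shannon entropy in a file type that is not normally compressed, and ransom-note-like file names) and reports the earliest-modified hit, which is the best single clue to when and where encryption started. The file-type lists, the note-name markers, the entropy threshold of 7.5 bits per byte and the sample share it builds for the demo are all assumptions.

```python
"""Ransomware triage: flag encrypted-looking files and date the start of encryption.

Added example; the heuristics and file-type lists are assumptions, not a
detector for any particular strain.
"""
import hashlib
import math
import os
import sys
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Types the business actually uses (assumed); a second extension after one of
# these (report.docx.locked) is the classic sign of file-encrypting ransomware.
KNOWN_TYPES = {".txt", ".csv", ".sql", ".docx", ".xlsx", ".pdf", ".jpg", ".png"}
# Types that are high-entropy by design; skipped to avoid false positives.
COMPRESSED_TYPES = {".zip", ".7z", ".gz", ".rar", ".jpg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}
NOTE_MARKERS = ("readme", "decrypt", "restore", "recover", "how_to")
ENTROPY_THRESHOLD = 7.5   # bits/byte: text is ~4-5, encrypted or random data ~7.9+
SAMPLE_BYTES = 4096       # only the head of each file is read


@dataclass
class Finding:
    path: str
    reason: str
    mtime: float      # last modification time, seconds since the epoch
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> Optional[Finding]:
    """Return a Finding if `path` looks like ransomware output, else None."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]      # ".docx" in "report.docx.locked"
    try:
        st = os.stat(path)
        with open(path, "rb") as f:
            head = f.read(SAMPLE_BYTES)
    except OSError:
        return None
    ent = shannon_entropy(head)
    if ext in {".txt", ".html", ".hta", ""} and any(m in name for m in NOTE_MARKERS):
        return Finding(path, "ransom-note file name", st.st_mtime, ent)
    if inner_ext in KNOWN_TYPES and ext not in KNOWN_TYPES:
        return Finding(path, f"extension {ext} appended to {inner_ext}", st.st_mtime, ent)
    if ent >= ENTROPY_THRESHOLD and ext not in COMPRESSED_TYPES:
        return Finding(path, f"high entropy ({ent:.2f} bits/byte)", st.st_mtime, ent)
    return None


def scan_tree(root: str) -> List[Finding]:
    """Classify every file below `root` and keep the hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            finding = classify(os.path.join(dirpath, fn))
            if finding:
                hits.append(finding)
    return hits


def earliest(findings: List[Finding]) -> Optional[Finding]:
    """The earliest-modified hit: the best single clue to where encryption started."""
    return min(findings, key=lambda f: f.mtime, default=None)


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]


def build_sample_tree(root: str) -> float:
    """Constructed sample share for the demo; returns the base timestamp used."""
    t0 = 1_600_000_000.0
    files = {  # relative path: (content, seconds after t0)
        "docs/notes.txt": (b"quarterly notes, nothing unusual here\n" * 100, 0),
        "share/photo.jpg": (_pseudo_random(4096), 100),         # high entropy but a normal type
        "share/db.bak.locked": (_pseudo_random(4096), 300),     # earliest encrypted file
        "docs/budget.xlsx.locked": (_pseudo_random(4096), 600),
        "docs/README_TO_RESTORE.txt": (b"All your files have been encrypted!\n", 900),
    }
    for rel, (content, offset) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (t0 + offset, t0 + offset))
    return t0


def run_demo() -> Tuple[float, List[Finding]]:
    """Build the constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    return build_sample_tree(root), scan_tree(root)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()[1]
    for h in sorted(hits, key=lambda f: f.mtime):
        print(f"{h.mtime:.0f}  {h.reason:40s}  {h.path}")
    first = earliest(hits)
    if first:
        print(f"\nearliest hit: {first.path} (mtime {first.mtime:.0f}); start the timeline there")
```

Run it as `python triage.py /mnt/share` against each share or workstation and compare the earliest hits: the machine whose files were touched first is where to look for the initial infection. Modification times are only a clue, not proof; some strains preserve or reset them, so check the file creation/change times and the ransom notes' timestamps as well.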
We are living in challenging times. COVID-19, the novel coronavirus, has forced economies to shut down, costing billions of dollars. Governments all over the world are focusing on tracing the source of infections and isolating patients to reduce or eliminate its spread.
Containing a malware outbreak is no different. Here are some of the ways malware spreads across an entire network:
- A coworker opens an email that looks legitimate and downloads the attachment. The ransomware installs itself on the system and connects to the attackers' command-and-control server, giving them remote access without your knowledge.
- A phishing email that looks legitimate steals a user's login ID and password, for example for Google Accounts, Microsoft Outlook, Standard Chartered (or any other bank), and so on. The attackers then simply log in with the stolen credentials.
Ransomware attack – Understand the type of ransomware
WannaCry. Does that ring a bell? In May 2017 it spread on its own through an unpatched Windows SMB flaw (MS17-010) and became one of the most damaging ransomware outbreaks ever. The UK's NHS was hit hard: roughly a third of NHS trusts in England were disrupted, with medical devices affected alongside ordinary PCs.
Every ransomware family is programmed differently and is therefore treated differently. While there are myriad strains, the two most common types are:
- Screen locking ransomware
- File encrypting ransomware
Screen-locking malware is usually far easier to resolve and recover from than file-encrypting ransomware, because the files themselves are left untouched.
Ensure encrypted files are also backed up
Backing up the encrypted files means you keep the option of recovering the data later, either after paying the ransom (only as the last resort) or once a free decrypter for that strain becomes available. Copy the encrypted files, together with the ransom note and anything else the malware left behind, onto separate media that is not connected to the network, and do not let anyone modify the copies: a decrypter needs the exact encrypted bytes, and a clean-up that wipes or alters the encrypted files would destroy your last chance.
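One way to do that with an integrity check, as an added example (not BeforeCrypt's procedure): the script copies every file carrying the ransomware's extension, plus the ransom note, to a destination outside the source tree with timestamps preserved, writes a SHA-256 manifest next to the copies, and can later verify that nothing was altered before the copies are handed to a decrypter. The `.locked` suffix, the note file name and the sample tree are assumptions for the demonstration.

```python
"""Preserve encrypted files for later decryption: copy them unchanged (timestamps
included) to separate media and keep a SHA-256 manifest to prove they are intact.

Added example; the ".locked" suffix, the note name and the sample tree are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, Iterator, List, Tuple

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def select_artifacts(root: str, suffix: str, note_names: Tuple[str, ...]) -> Iterator[str]:
    """Yield every file with the ransomware's extension, plus any ransom note."""
    notes = {n.lower() for n in note_names}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            low = fn.lower()
            if low.endswith(suffix.lower()) or low in notes:
                yield os.path.join(dirpath, fn)


def preserve(src_root: str, dest_root: str, suffix: str = ".locked",
             note_names: Tuple[str, ...] = ("README_TO_RESTORE.txt",)) -> Dict[str, dict]:
    """Copy the artifacts under src_root to dest_root and write the manifest.

    dest_root must lie outside src_root: copying into the tree being walked
    would re-scan (and re-copy) the copies themselves.
    """
    src_root, dest_root = os.path.realpath(src_root), os.path.realpath(dest_root)
    if os.path.commonpath([src_root, dest_root]) == src_root:
        raise ValueError("destination must not be inside the source tree")
    manifest: Dict[str, dict] = {}
    for path in select_artifacts(src_root, suffix, note_names):
        rel = os.path.relpath(path, src_root)
        dest = os.path.join(dest_root, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(path, dest)               # copy2 keeps mtime: evidence for the timeline
        digest = sha256_file(path)
        if sha256_file(dest) != digest:        # verify each copy before trusting it
            raise IOError(f"copy of {rel} does not match its source")
        st = os.stat(path)
        manifest[rel] = {"sha256": digest, "size": st.st_size, "mtime": st.st_mtime}
    with open(os.path.join(dest_root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(dest_root: str) -> Tuple[bool, List[str]]:
    """Re-hash every preserved file; returns (all_ok, list of altered or missing files)."""
    with open(os.path.join(dest_root, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    bad = []
    for rel, meta in manifest.items():
        copy = os.path.join(dest_root, rel)
        if not os.path.isfile(copy) or sha256_file(copy) != meta["sha256"]:
            bad.append(rel)
    return (not bad, bad)


def build_sample_tree(root: str) -> None:
    """Constructed sample: two encrypted files, a ransom note and one untouched file."""
    sample = {
        "finance/budget.xlsx.locked": os.urandom(2048),
        "finance/README_TO_RESTORE.txt": b"All your files have been encrypted!\n",
        "hr/contracts.docx.locked": os.urandom(2048),
        "hr/plain.txt": b"not encrypted, nothing to preserve\n",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def run_demo() -> Tuple[Dict[str, dict], Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Preserve the sample, verify it, corrupt one copy, verify again."""
    src, dest = tempfile.mkdtemp(prefix="share_"), tempfile.mkdtemp(prefix="evidence_")
    build_sample_tree(src)
    manifest = preserve(src, dest)
    clean = verify(dest)
    with open(os.path.join(dest, "hr", "contracts.docx.locked"), "ab") as f:
        f.write(b"\x00")                        # simulate a damaged copy
    return manifest, clean, verify(dest)


if __name__ == "__main__":
    manifest, clean, tampered = run_demo()
    print(f"preserved {len(manifest)} files; verify -> {clean}; after tampering -> {tampered}")
```

Point `preserve()` at each affected share with the real extension the malware appended and the real note name, and keep the manifest with the copies; running `verify()` on the copied media before a decryption attempt tells you whether the evidence is still usable.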
Decrypt or restore from backups? Ransomware attack recovery options
Once again, we strongly recommend that professionals handle everything from communication to payment and decryption in a ransomware attack. In our experience, for most current strains there is no third-party tool that can decrypt the data; most of the time the only decrypter is the one the attackers send after payment. Paying and then waiting for the decrypter is entirely at your own risk, as there are no guarantees.
We also strongly encourage all victims of ransomware to report the incident to law enforcement. Please read our longer form guide to ransomware response and recovery if you would like to be proactive about implementing best practices at your organization.
Are you going to pay the ransom or restore from backups? This is going to be the most challenging decision to make for your company. Before going with the backups, take note of a few things:
- Ensure that you have the most recent version of the backup
- Perform a 30-minute test restore and extrapolate from the amount restored in that time to the total time a full restore will take
If you are restoring a few GB, it should be straightforward. For data in the TB range it may take several days, depending on the speed of your network and systems.
The damage has been done and you are in the final stages of data recovery. Before moving forward, you also need to make a final assessment of the damage:
- Report the incident to the law enforcement authorities
- Identify the strain: upload the ransom note and an encrypted sample file to ID Ransomware, and check the No More Ransom project for a free decrypter for that strain
To be honest, if your most recent backup is too old, the fault is yours: keeping backups current is your responsibility. If your latest backup is recent enough and the 30-minute test restore shows that it can be restored, you are better off avoiding the ransom.
Be transparent and communicate
If the affected data is confidential personal data, such as customer records or usernames and passwords, you are legally obliged under the GDPR (notification to the supervisory authority within 72 hours of becoming aware of the breach, and to the affected individuals where the breach is likely to put them at high risk) and under US state breach notification laws to communicate the breach, for example by press release or email to your colleagues and customers, including, but not limited to:
- The type of breach
- The date and time of breach
- The damage assessment
- The actions you have taken (such as paying the ransom, restoring from backups, reporting to the law enforcement authorities, etc.)
- The suggestions to your clients (such as changing username/password, etc.)
Being transparent matters. Your company will suffer after a data breach; that is unavoidable, but the more proactive you are, the better the outcome will be.