Back to Blog

What to do AFTER a Ransomware Attack

Image of EJ Phillips
EJ Phillips

Ransomware attacks are as costly as they are common with a suspected attack happening every 11 seconds. They affect big and small businesses alike: no organization is immune. In fact, often small businesses become more of a ransomware target because they often tend to not budget for adequate security and back up measures. This can be a costly mistake. Markets that are a particularly susceptible to attack are the healthcare and financial industries.

download it security eBook

2021 was a year that saw unparalleled ransomware activity, with the 2021 SonicWall Cyber Threat Report reporting that it was the most costly and dangerous year on record. There is no reason to believe that 2022 will be any different.

What Can You Do to Avoid Ransomware Attacks?

There are a number of preventive measures you can take to address ransomware attacks.

pim.INFO.avoidRansomare.Jan2022 (1)

Train Your Employees!

Make sure they know what to look for when it comes to phishing scams as well as have them be diligent in updating their passwords and utilizing cybersecurity best practices like multifactor authentication. They should also know what to do in the event of a cyberattack.

Keep your operating system up to date and patched.

All computers require operating system software to work. It is the base software that manages the hardware and allows a user to interact with the computer. Occasionally, these programs produce new versions of their software. These new versions install the latest technical advances, which can upgrade a computer’s performance and give its users more and better features as well as corrections that have sealed up vulnerabilities in the operating system. The National Healthcare System of the UK failed to properly update after a Windows Security update and fell prey to ransomware in 2017.

The Principle of Least Privilege

Use the Principle of Least Privilege (POLP) when granting access to your network. This means using caution when handing out administrative privileges and only allowing employees to have no more than what they need. The idea behind this is the fewer number of people having access means less damage.

Use antivirus software.

Antivirus software and managed threat response measures like those offered by pim through SOPHOS add to your online security.


Have a system in place that backs up your data automatically and frequently. This will help reduce the amount of damage a ransomware attack can cause and reduce business disruptions and the costs associated with cyberattacks.


Steps for After the Ransomware Attack

Even with the best prevention strategies in place, chances are that you may still fall prey to a ransomware attack. A ransomware attack can be devastating, but if you act promptly and properly, you can mitigate some of the damage.

Stay Calm and call your MSP

Yes. We know. This is easier said than done when you suddenly cannot access your data. But keeping a level head in this stressful time will help you when you take the next steps. Call pim, or whomever oversees your IT, immediately and alert them to the attack so that they may begin to help you with the following actions.

Record the Details of the Attack

The ransom note on your screen will not only contain the details of how you are to pay the ransom should you decide to pay it (which pim does NOT recommend), but also will help recovery teams engaged to determine what ransomware hit you. This will help the experts find an existing recovery key. This information is also helpful should you need to fill out any reports for police or insurance companies. This can be as simple as taking a photo of your screen with your phone.

Isolate the affected device

Disconnect the affected computer from your network. While the ransomware may have already infiltrated your network, you reduce this likelihood as well as it having reached your backups by isolating the attack. This is especially true if you use cloud backups. Disconnecting the affected computer helps stop the ransomware in its tracks.

Alert All Users

Let your entire team know what is happening. While it is always a good idea to send out an email announcement and post warnings on company message boards, you should check with each employee directly to ensure that they know what is happening and what to be on the lookout for.

download business continuity eBook

Secure Your Backup

Backups play a crucial role in remediation from cyberattacks, but they are not immune to ransomware. In the event of a ransomware attack, organizations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is resolved.


Now that your mitigation team has quarantined the infected device(s) and secured your backups, it can begin to identify the ransomware strain and hunt down the matching decryption.

Disable Maintenance Tasks

Your mitigation team should immediately disable automated maintenance tasks such as temporary file removal, on affected systems. This will prevent these tasks from interfering with further remediation and investigative steps.

Start with a clean slate

Hopefully, your mitigation team has isolated the infected device(s) and has been able to secure your backups. At this point, ALL online and account passwords should be changed. But once a network has been infected, there is no way to guarantee that the ransomware is completely gone unless all devices are wiped clean. This includes virtual devices as well.

This is where your secure back up comes to play. (Remember how we told you to be backing up your data automatically and frequently?) Restarting your servers with a CLEAN recent backup will ensure that the ransomware has been remediated and there is minimal disruption. In the meantime, your organization can keep your productivity going by putting into place your disaster recovery plan. Having a reliable cloud to backup from, like the one provided through ProActive Cloud, can reduce the impact of a ransomware attack.

Related Posts

What is Cyber Insurance, and do I need it?

Image of Javon Harper
Javon Harper

The cost of dealing with a data breach can be disastrous. It goes beyond simply repairing...

Read more

Password Protection Priorities for a Small Business

Image of EJ Phillips
EJ Phillips

The ever-changing waters of cybersecurity and technology can be tricky for a small business owner...

Read more