Ransomware Mitigation Checklist

Ransomware Attack Response and Mitigation Checklist

Ransomware is a rapidly growing threat worldwide. It has been dubbed the leader in global cyberattacks in recent days. This can cause serious issues and financial loss to many individuals and organizations. Here’s the Ransomware Response Checklist for Attack Response & Mitigation.

Ransomware has become a lucrative business for criminals. While ransomware victims continue to pay ever-increasing ransom demands, it has grown into a billion-dollar industry and shows no sign of slowing down.

Ransomware attacks cost more than $1Billion per year, and the threat of Ransomware attacks is increasing around the globe.

This section will provide information on the ransomware response checklist as well as mitigation techniques for sophisticated Ransomware attacks.

Common Factors

Ransomware has a common feature: Ransomware uses very strong encryption (2048 RSA key method) for all Ransomware variants. It is estimated that it will take approximately 6.4 quadrillion years to crack an RSA 2048 Key by an average desktop computer.

Ransomware became more secure due to the availability of advanced encryption algorithms such as RSA and AES ciphers.

Ransomware uses Bitcoin Payment that is not traceable. Each Ransomware variant demands a different bitcoin amount to obtain the decryption keys.

Sometimes attackers can give the decryption keys at no cost to you. Instead, they force the victim to infect other Few People to obtain the decryption keys.

To maintain anonymity, attackers use the “Tor” (The Onion Router to Establish the Communication to Victim). This helps attackers to hide their IP addresses since the Tor network is made up of thousands of nodes from different countries. You can’t browse TOR sites with regular Internet browsers.

Infection Symptoms –Ransomware Response List

You can’t close the window that has opened. It contains Ransomware Program instructions and a warning countdown.

A Countdown program will warn you that there is a deadline to pay or you won’t be able to Decrypt the file.

You suddenly can’t open the file, or you get errors such as “file corrupted”.

You can see different directories that say HOW TO DECRYPT FILE.TXT or some similar instruction.

Ransomware Entry point, Infection Vector

Phishing Emails:

An email with a malicious link in the body content will be sent to the user. Once you click the link, a file containing ransomware will be downloaded.

The email looks like it comes from Major Brands, Social Engineering, and Seeking.

Email Attachments

An email will be sent to the user with an attached innocent file. Once the user opens the file, it will be sent to him as an email.

Urgent Requirements, Job Offers, Common Zip File, Sense Of Urgency to Open Document, Money Transferred

Embedded hyperlink

A Malicious document contains an embedded hyperlink. When a user clicks the hyperlink, I will go to the internet and download the Ransomware variant of the Malicious File.

Ex: Normal Looking Document, Innocent-Looking Hyperlink, linked with Ransomware.

Also, read Immense power to the globe against Ransomware Battle

Websites and Downloads

A User Browser the infected website and Compromised, and then download a program. They think it’s a legitimate software but it contains Ransomware.

Excludes: General Browsing and Porn Websites. File Download from Bit . Torrent. PC Downloads.


An infected machine will be infected by a User Browser that has an outdated browser, a malicious plug-in, or an unpatched third-party application. The infection can spread through infected users within the organization, as well as file-sharing platforms such IRC, Skype, and other Social Media.

Infected websites will redirect users to exploit kits. It will also have a concern about ransomware exploits that will be later downloaded and exploited.

Ex: No user interact for some time, Malvertising.

Incident Response and Mitigation

The following steps can be taken to mitigate the effects of infection if you believe you are infected.

Locating the Indicator for Compromise


During encryption, File Extention will change with a new extension you have never seen before.

So collect the Known Ransomware File Extension and monitor the Extensions. This will allow you to detect Ransomware before it is used.

The file extension that is currently infected remains unchanged, but an encrypted file extension will be created. This extension will be added to the normal extension of the infected files.

You can find all Ransomware File Extension Types – Ransomware File Extension.

Bulk File Renamed

Monitor a large number of Files being renamed on your network or computer. This will give you an indication that ransomware has infected your computer.

Verify that your Asset has not been modified by any large file names.

The Behaviour Analysis will allow you to determine if any files have been changed or used unexpectedly. This is different from normal use.

Security Tools

Endpoint Protection, Antivirus, and Web content filtering are security tools that may be used in your company to filter the content you access via the internet. This will allow you to analyze the behavior of your network, your computer, and help you identify the behavior-based indicators.

It will monitor user baseline behavior and notify you if it notices something unusual.

Your network’s intrusion detection and prevention system will stop the callback of unusual files and encrypt your file.

It will also prevent you from downloading an encryption key from the command-and-control server. This will stop your files from being encrypted in your system.

Ransomware Notes

Ransomware is an explicit indicator of compromise that pops up on your screen telling you to pay a ransom.

It is the first indicator that ransomware attacks are taking place and should be known by most people.

User Reports

User reports to the help desk that they can’t open or find files and that their computer is slow.

Make sure that your organization’s help desk professionals are trained to face ransomware and take the appropriate mitigation steps.

Next: If You’re Infected

Once you have confirmed that your network or computer has been infected, take the next steps.

Disconnect from the Network – Ransomware Response List

Completely disconnect the infected computer and all network connections.

All storage devices such as USB drives, external hard drives, and other storage devices should be removed.

You can turn off any wireless devices such as routers, WiFi, Bluetooth, and other wireless devices in your company.

You can simply unplug your computer from the network or any other storage device.

Do not try to erase anything, such as your format, devices, or other data. This is crucial for the investigation process.