Ransomware Recovery Checklist

Ransomware Attack Response and Mitigation Checklist

Ransomware is a rapidly growing threat worldwide. It has been dubbed the leader in global cyberattacks in recent days. This can cause serious issues and financial loss to many individuals and organizations. Here’s the Ransomware Response Checklist for Attack Response & Mitigation.

Ransomware has become a lucrative business for criminals. While ransomware victims continue to pay ever-increasing ransom demands, it’s grown into a billion-dollar industry and shows no sign of slowing down.

Ransomware attacks cost more than $1Billion per year, and the threat of Ransomware attacks is increasing around the globe.

This section will provide information on the ransomware response checklist as well as mitigation techniques for sophisticated Ransomware attacks.

Common Factors

Ransomware has a common feature: Ransomware uses very strong encryption (2048 RSA key method) for all Ransomware variants. It is estimated that it will take approximately 6.4 quadrillion years to crack an RSA 2048 Key by an average desktop computer.

Ransomware became more secure due to the availability of advanced encryption algorithms such as RSA and AES ciphers.

Ransomware uses Bitcoin Payment that is not traceable. Each Ransomware variant demands a different bitcoin amount to obtain the decryption keys.

Sometimes attackers can give the decryption keys at no cost to you. Instead, they force the victim to infect other Few People to obtain the decryption keys.

To maintain anonymity, attackers use the “Tor” (The Onion Router to Establish the Communication to Victim). This helps attackers to hide their IP addresses since the Tor network is made up of thousands of nodes from different countries. You can’t browse TOR sites with regular Internet browsers.

Also, Read List of Ransomware variants distributed

Symptoms of InfectionRansomware Response Checklist

You can’t close the window that has opened. It contains Ransomware Program instructions and a warning countdown.

A Countdown program will warn you that there is a deadline to pay or you won’t be able to Decrypt the file.

You suddenly can’t open the file, or you get errors such as “file corrupted”.

You can see different directories that say HOW TO DECRYPT FILE.TXT or some similar instruction.

Ransomware Entry Point and Infection Vector

Phishing email:

An email with a malicious link in the body content will be sent to the user. Once you click the link, a file containing ransomware will be downloaded.

The email looks like it comes from Major Brands, Social Engineering, and Seeking.

Email Attachments

An email will be sent to the user with an attached innocent file. Once the user opens the file, it will be sent to him as an email.

Urgent Requirements, Job Offers, Common Zip File, Sense Of Urgency to Open Document, Money Transferred

Embedded Hyperlink

A Malicious document contains an embedded hyperlink. When a user clicks the hyperlink, I will go to the internet to download the Ransomware variant of the Malicious File.

Ex: Normal Looking Document, Innocent-Looking Hyperlink, linked with Ransomware.

Also, Read No more ransom adds Immense power to globe against Ransomware Battle

Websites and Downloads

A Users Browser the infected site and Compromised website and download software and they think it a genuine software but it actually contains a Ransomware variant.

Ex: General Browsing, Porn Websites, File Download from Bit Torrent, PC Downloads, Play Stores.

Drive-by Infection

An infected machine will be infected by a User Browser that has an outdated browser, a malicious plug-in, or an unpatched third-party application. The infection can spread through infected users within the organization, as well as file-sharing platforms such IRC, Skype, and other Social Media.

Infected websites will redirect users to exploit kits. It will also have a concern about ransomware exploits that will be later downloaded and exploited.

Ex: No user interact for some time, Malvertising.

Incident Response and Mitigation

The following steps can be taken to mitigate the effects of infection if you believe you are infected.

Locating the Indicator for Compromise

Do you need to file extensions?

During encryption, File Extention will change with a new extension you have never seen before.

So collect the Known Ransomware File Extension and monitor the Extensions. This will allow you to detect Ransomware before it is actually used.

The file extension that is currently infected remains unchanged, but an encrypted file extension will be created. This extension will be added to the normal extension of the infected files.

The Ransomware File Extension Type is a little-known and unusual one. Ransomware file Extention.

Bulk File Renamed

Monitor a large number of Files being renamed on your network or computer. This will give you an indication that ransomware has infected your computer.

Verify that your Asset has not been modified by any large file names.

The Behaviour Analysis will allow you to determine if any files have been changed or used unexpectedly. This is different from normal use.

Security Tools

Security tools such as Endpoint Protection, Antivirus, Web content filtering in your organization that may allow you to filter the content that your access on the internet that analyze the behavior of your network and your computer will help you to find the behaviourally based indications.

It will monitor user baseline behavior and notify you if it notices something unusual.

Your network’s intrusion detection and prevention system will stop the callback of unusual files and encrypt your file.

It will also prevent you from downloading an encryption key from the command-and-control server. This will stop your files from being encrypted in your system.

Ransomware Notes

Ransomware is an explicit indicator of compromise that pops up on your screen telling you to pay a ransom.

It is the first indicator that ransomware attacks are taking place and should be known by most people.

User Reports

User reports helping desk that they can’t open or find files, and also that their computer is slow.

Make sure that your organization’s help desk professionals are trained to face ransomware and take the appropriate mitigation steps.

Next: What if you are Infected?

After confirming that your network or computer has been infected, take the next steps.

Disconnect the NetworkRansomware Response Checklist

Completely disconnect the infected computer and all network connections.

All storage devices such as USB drives, external hard drives, and other storage devices should be removed.

You can turn off any wireless devices such as routers, WiFi, Bluetooth, and other wireless devices in your company.

You can simply unplug your computer from the network or any other storage device.

Do not try to erase anything, such as your format, devices, or other data. This is crucial for the investigation process.


This case will require you to assess how much of your organization’s infrastructure has been compromised.

Locate your First Infected Machine and confirm that the infected storage medium is there. You could be one of the following.

  • Sticks of USB memory with valuable information
  • Shared or unshared Drives and folders
  • External hard drives
  • cloud-based storage (DropBox, Google Drive, Microsoft OneDrive/Skydrive, etc…)
  • Storage in the network

Verify the encryption sign on the asset. You can revert to the unencrypted version that you have previously saved on cloud storage if it is.

If you have backups available for encrypted storage, identify the infected/encrypted part of files. Then determine which file you need to restore.

If you do not have the option to proceed with the above options, then connect the memory drive and verify the other possibilities for decryption.

/Learn the Type and Version of Ransomware

First Ransomware must know which files it has to decrypt if you have paid the ransom.

You can check the registry or file list created by ransomware to determine the extent of the infection.

Every Ransomware has a different version. You can do some research on Google to find out which version of ransomware was used and then do your research using that information.

Find out the Ransomware Strains

Each ransomware type has a different function and method in terms of ransomware strains. You need to be aware of which ransomware-type you are dealing with and which option is available.

If you believe you are the first victim of concern ransomware, you can consult security experts to find out what type of ransomware is actually at work. They will need to see information about files and systems.

The majority of ransomware doesn’t have future self-spreading functionality to jump across networks unless you share directly from infected machines.

Ransomware generally infects only one machine or the related files of a shared network. It won’t encrypt files it doesn’t control.

Also, make sure to verify the above information regarding infected ransomware strains.

Rapid Response in an Emergency

Ransomware doesn’t require any user interaction to perform its Task.

It is important to quickly respond by calling the helpdesk immediately and letting internal parties know that Ransomware has been detected.

Notify your company’s executive and other legal teams.

Notify your regulatory agency, consult your law enforcement, and try to implement your communication strategy as soon as you can.

You can also contact the industry’s Information Sharing and Analysis Center (ISAC) site to know about a similar attack.

Ransomware Response Checklist – Paying Ransomware

Advantage: Paying

  • It is faster than restoring data from Backup
  • It would be the cheapest option in terms of total recovery cost
  • It helps to minimize disruptions to users and businesses.

Advantage: You are not paying

  • Data recovery can be used to preserve data integrity.
  • Supporting cybercrime and not paying criminals
  • Protect yourself against being targeted again. You can also reduce the chance of being attacked again.

Disadvantage: The cost of paying

  • Rewarding crime by supporting it
  • You could be subject to high-risk future attacks and possibly even be victimized again.
  • It is not possible to guarantee that data recovery will occur.

Disadvantage: Ransomware mitigation Checklist – Not paying

  • It will take a lot of effort to recover the data.
  • It is possible to get into a serious situation if you do not have a backup plan.
  • It will disrupt the business continuity of users and users, and it will be economically efficient.

Ransomware Response Checklist: Getting Bitcoin Funds Ready in Bitcoin

You must make sure your Bitcoin vault is ready before you pay ransom to criminals.

Preparing the bitcoin vault takes time. Once the vault is ready, you will need to deposit your bitcoin.

It doesn’t necessarily mean your file will be decrypted immediately, even though you have paid the ransom.

Sometimes criminals might manually verify the ransom amount you have paid.

Sometimes it takes more than a day to receive your decryption keys back. Sometimes criminals may not respond to you.

Ransomware Response Checklist – Defending the Ransomware Attack

Regular backups of your data are a good idea. Also, make sure your backups are always available to you in case you need them.

Microsoft Office documents are a major vector of infection. Make sure that your Microsoft Office Macros are disabled by default.

A strong Firewall can be used to block commands and control server callbacks. It prevents malware from accessing encryption keys from the C&C Server callback.

Scanning all emails for malicious attachments, content, or links. To minimize infection vectors, you should segregate the physical and logical networks.

Anti-malware and antivirus protection should always be used. Most antivirus currently uses behavior-based analysis to help minimize unknown ransomware threats.

Do not give local administrator rights to users by default. Avoid high privilege default.

Allow the user to have access to files they need for their work.

Your employees should be trained on ransomware attacks, their common functions, and how to attack networks.

Block unwanted web content and ads. It will also download ransomware or other malicious content.

These Ransomware response Checklist considerations apply to Windows as well as other platforms.