Ransomware is both an operational and business emergency. Beyond encryption, there may be data exfiltration, persistence across the network, and reinfection risk if you restore before cleaning. This short guide summarizes the most important actions.

1) Immediate actions when you detect an attack

  1. Isolate the infected system
    • Disconnect the affected device from the network (cable or Wi‑Fi).
    • On‑prem: shut down suspicious servers or virtual machines if needed to stop spread.
    • Cloud: disable network connectivity for the affected VM or container.
  2. Preserve evidence and document
    • Do not delete evidence (files, logs, attacker notes/messages).
    • Record the time/date of the incident, affected systems/data, and attacker communications (if any).
  3. Notify IT and activate your response plan
    • Activate the Incident Response Plan.
    • Notify leadership and information security.
  4. Do not pay the ransom
    • Do not engage with the attacker.
    • Payment does not guarantee recovery and can incentivize further attacks.
  5. Start backup recovery (with validation)
    • If you have a recent backup, begin the restore process.
    • Cloud: confirm backups are stored in a secure location and verify integrity before restoring.

2) Environment-specific response (cloud vs on‑prem)

Cloud environment

  1. Engage your cloud provider
    • Contact your provider (AWS, Azure, GCP).
    • Request isolation of the affected VM/container and support for log analysis to identify the breach path.
  2. Review security configuration
    • Check for misconfigured permissions or unauthorized access.
    • Validate whether the entry point was storage misconfiguration (S3, Azure Blob Storage, etc.).
  3. Restore from backup
    • Use unaffected backups and validate integrity.
    • Consider restoring from a dedicated backup bucket/account or an alternate region/location.

On‑prem environment

  1. Isolate the physical network
    • Disconnect non-essential routers, switches, and servers if needed to stop propagation.
    • Check potentially compromised devices (NAS, legacy servers, unpatched endpoints).
  2. Analyze the attack
    • Review firewall, antivirus/EDR, and monitoring logs.
    • Look for suspicious patterns (outbound connections to unusual IPs, new accounts, scheduled tasks).
  3. Restore from backup
    • Use offline backups or a hybrid cloud backup strategy.
    • Make sure backups are not contaminated before returning to production.
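As an added example (not part of the original guide), the Python below runs the three checks named under "Analyze the attack" over constructed log lines: outbound connections to destinations outside the known ranges, new accounts, and new scheduled tasks. The log format, the internal ranges and the egress allowlist are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines, not from any real environment: one key=value record
# per line, the flattened shape many firewall and SIEM exports produce. 4720 and
# 4698 are the Windows Security event IDs for account creation and task creation.
SAMPLE_LOGS = """\
2024-05-02T03:14:07Z type=fw action=allow dir=out src=10.0.0.5 dst=10.0.0.10 dport=445
2024-05-02T03:14:09Z type=fw action=allow dir=out src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-02T03:14:12Z type=fw action=allow dir=out src=10.0.0.5 dst=198.51.100.23 dport=4444
2024-05-02T03:15:01Z type=win event=4720 host=FS01 user=svc_update actor=Administrator
2024-05-02T03:15:30Z type=win event=4698 host=FS01 task=\\Microsoft\\Windows\\Sync actor=svc_update
2024-05-02T03:16:02Z type=fw action=allow dir=in src=192.0.2.44 dst=10.0.0.5 dport=3389
"""

# Assumed for illustration: the organisation's internal ranges and the external
# destinations it expects to reach. Outbound traffic to anything else is "unusual".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split '<timestamp> k=v k=v ...' into a dict, keeping the timestamp as 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = ts
    return rec

def unusual_destination(ip_str, allowlist=KNOWN_EGRESS):
    """True when a destination is neither an internal range nor an allowlisted one."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL + list(allowlist))

def triage(log_text, allowlist=KNOWN_EGRESS):
    """Collect the three indicator classes the guide names, keyed by class."""
    findings = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        r = parse(line)
        if r.get("type") == "fw" and r.get("dir") == "out" and unusual_destination(r["dst"], allowlist):
            findings["unusual_outbound"].append((r["ts"], r["src"], r["dst"], r["dport"]))
        elif r.get("event") == "4720":  # new local/domain account
            findings["new_accounts"].append((r["ts"], r["host"], r["user"], r["actor"]))
        elif r.get("event") == "4698":  # new scheduled task (common persistence)
            findings["scheduled_tasks"].append((r["ts"], r["host"], r["task"], r["actor"]))
    return dict(findings)

if __name__ == "__main__":
    for kind, hits in sorted(triage(SAMPLE_LOGS).items()):
        print(kind, *hits, sep="\n    ")
```

Each hit carries the timestamp, host and actor so it can be placed on the incident timeline the guide asks you to keep in step 2 of the immediate actions.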

3) Recovery and prevention

  1. Restore systems and data
    • Prioritize critical services (databases, apps, authentication, email).
    • Cloud: use tools such as AWS Backup, Azure Recovery Services, or Google Cloud Backup.
  2. Investigate the breach
    • Engage digital forensics to determine the entry point, what was compromised, and whether data was exfiltrated.
  3. Upgrade security controls
    • Review firewall/network rules, antivirus/EDR, and access policies (MFA, least privilege).
  4. Train employees
    • Run phishing simulations and ongoing training.
    • Cloud: ensure users are trained in provider security best practices.
  5. Communicate with stakeholders
    • Notify customers, partners, and authorities if a data breach occurred (per applicable regulations).
    • Use internal channels (Slack, Teams, Notion) to share updates with a clear cadence.
  6. Document the incident
    • Record everything in an incident log for audits and lessons learned.
    • Cloud: use CloudTrail / Azure Monitor / equivalent logs for traceability.

Conclusion

  • Don’t panic: act calmly and follow the plan.
  • Prioritize safety: isolate, document, and restore in that order.
  • Prevention > cure: invest in backups, training, and continuous monitoring.