How To Deal With Ransomware

Thousands of individuals and organizations face ransomware attacks each year. You may not have been one of them yet, but you could be soon. The early stages of an attack are not always obvious: lagging, slowdowns, or odd changes in file associations may go unnoticed until your I.T. department investigates.

The worst part is learning that the ransomware has already succeeded and a data breach has already occurred. A ransom demand note or message on your screen is the second worst thing that can happen at that moment. These messages are typically black and white or red and yellow, decorated with hazard stripes, crossbones, or a skull.

So how do you deal with ransomware and prevent attacks from happening in the first place? Let’s find out below!

Ransomware Attack Statistics

The FBI’s Internet Crime Complaint Center recorded 3,729 ransomware complaints in 2021 alone. Cybersecurity Ventures has estimated that by 2023, a company will be attacked by ransomware every other second.

That is a sharp increase from one attack every 40 seconds in 2016, every 14 seconds in 2019, and every 11 seconds in 2021. The rise is attributed to the Covid-19 pandemic and the growth of remote work.

With ransomware attacks rising exponentially, repeated attacks on corporate networks can cost millions of dollars. Losses caused by ransomware were 20 billion U.S. dollars in 2021 and are estimated to reach 265 billion U.S. dollars by 2031.

CNA Financial paid a whopping 40 million U.S. dollars after a 2021 attack. This is the largest ransom paid to date and shows that demands are steadily rising. The profits involved have only made ransomware more popular among cyber attackers.

The good news is that intervention by law enforcement agencies caused payment amounts to decrease in 2021. Coveware reports that the average payment in the second quarter of 2021 was around 136,576 U.S. dollars, a 38 percent decrease from the first quarter of 2021. Many believe this decrease is only a temporary setback, as Unit 42 reports that ransom payments rose by 78 percent in 2021 compared to 2020.

The companies affected most are those with 11 to 1,000 employees, which make up 70.4 percent of all organizations attacked. Ransomware nonetheless remains a major threat to companies of every size and niche, including oil and gas, education, tech, and healthcare. Even public sector entities are not spared.

Recent legislation banning the use of tax dollars to pay ransom demands is believed to be the cause: as a consequence, hackers have shifted their targeting to private companies and smaller organizations.

Law Developments

  • For quite some time, the FBI asked companies to report ransomware attacks and to refuse to pay the ransom. While field offices sent security reminders and alerts, in previous years the government only advised.
  • Only last year did the Justice Department gear into action; it is now actively taking measures to ensure that all cyber-attacks are reported.
  • Following the Colonial Pipeline hack, law enforcement agency crackdowns aim to catch the individuals who participated in cybercrime attacks.
  • No definitive law has been passed yet, but the government is putting added pressure on companies to report any ransomware attacks that occur.

How Do Ransomware Attacks Work?

An attack begins when a system or machine on a corporate network is infected with malware. Hackers gain access through various methods, including spear-phishing emails, social media campaigns, and fake messages, prompts, or pop-ups.

Individuals are quickly becoming aware of these attack vectors, forcing cybercriminals to devise creative methods to gain unauthorized access.

Once malicious code or files have been downloaded onto a system or loaded from an endpoint, the malware gears into action. It uses an encryption key to encrypt all the sensitive information a company might need, and a ransom is then demanded in exchange for the decryption key.

Cryptoware, ransomware that relies on encryption, is the most prevalent form. However, other variants have also surfaced:

  • Encryption of a system drive’s MBR (Master Boot Record) or Microsoft NTFS file system. This prevents a P.C. from booting its operating system at all.
  • Non-encrypting ransomware/lock screens restrict data/file access but do not encrypt information.
  • Mobile device ransomware affects smartphones and inflicts damage once downloaded through pop-ups, fake apps, etc. Users are threatened with phone data release to the entire contact list if the ransom is not paid.
  • Extortionware/leakware steals credentials and sensitive data and releases them publicly if the ransom is not paid.

Latest Malware Trends

RaaS (Ransomware as a Service) has quickly gained popularity over the last year. Dark web vendors sell malicious code to cyber attackers with little technical knowledge.

This makes deployment indirect, and the creators can even earn a commission on each successful attack. The rise in ransomware attacks is largely due to this: individuals no longer need to be able to develop malicious code themselves.

As a business, you must have a proper security protocol in place with a responsive I.T. department. You should also create data backups regularly and use common best practices to ward off attacks.

Who Do Ransomware Operators Attack?

Ransomware operators attack companies of all sizes, especially those in the top 10 industry sectors that have already faced previous attacks. However, no organization is immune, whether big or small.

Small to medium-sized businesses are most prone to ransomware attacks, as they lack the resources and knowledge required to enforce strict protective measures. Poor defenses mean successful attacks, especially when owners are reluctant to invest in ransomware protection because of the recession.

A phishing attempt on the WHO (World Health Organization) failed but still proves that no one is safe.

Poor protocols and a lack of sophisticated I.T. systems make some organizations more susceptible than others. The United States ranks first in ransomware infections, followed by Germany and France. Windows P.C.s are the main targets, though some ransomware strains also successfully attack Linux and Mac operating systems.

Since malware attacks have become so common, every organization will face a minor or major attack at some point. It is therefore necessary to stay prepared and use best practices to minimize the damage. Keep the following in mind:

  • Avoid visiting sketchy websites, inspect links carefully, do not open suspicious or spam emails/messages, and do not click on fake-looking pop-ups.
  • Unpatched flaws in Microsoft’s SMB (Server Message Block) and RDP (Remote Desktop Protocol) allow crypto-worms to spread.
  • Even Microsoft Office DDE (Dynamic Data Exchange) has been used to pass on an infection.
  • Ransomware strains like WannaCry, CryptoLocker, and Petya spread to every system on a network and can also move to other networks.

How To Deal With Ransomware?

If you have been hit by ransomware, you should first report the attack in line with industry and legal requirements. But how do you implement damage control? Let’s find out how to deal with ransomware below:

Ransomware Infection Isolation

Depending on the ransomware strain that has attacked your system, there may not be much time to react. Fast-moving strains can spread from a single endpoint to other systems and networks, encrypting all the data they reach before they can be stopped.

Any system suspected of being infected, or of being the source of the infection, must be isolated immediately. Disconnect it from other networks, endpoints, and storage devices on the company network. Make sure to disconnect Bluetooth and Wi-Fi as well, and unplug the device from any LAN connection or storage devices to block access completely.

This way, the ransomware can be contained and prevented from spreading further. Keep in mind that several vectors may have been used to enter your network or system; some could be lying dormant on another system.

Until all threats are confirmed, stay vigilant and aware that any system on the network could be a potential host.

Identification

If you do not already have critical infrastructure in place, such as a security team and a strong I.T. department, several useful websites can help you identify the ransomware.

Identifying the ransomware strain is crucial, as it helps you decide what protective measures to take. How the strain propagates, its usual targets, and the removal options available will also become clearer.

You may also be able to get helpful information from authorities if you have reported the incident.

Reporting

Many businesses do not have enough capital to simply pay a ransom. Letting the public know you have suffered an attack could also damage your reputation. Even so, involving the authorities and reporting incidents to them can help you avoid paying a ransom.

Since reporting ransomware attacks helps others and raises awareness, it is a good idea not to worry too much about your reputation and to opt for the legal route.

Reporting also gives authorities better insight into who is behind these attacks, how their access can be cut off, and how these criminals can be penalized.

If you are in the U.S., you can report an attack to the FBI at the Internet Crime Complaint Center. If you live elsewhere, check where to report cybercrime in your country.

Weigh Your Options

While some businesses may be willing to pay the ransom as they feel it is less costly than the loss of productivity they will face, others may think it is a terrible idea.

Hackers have started attacking small companies because they are less likely to refuse and more willing to cough up the ransom.

The bad news is that paying the ransom simply encourages criminals to continue their illegal acts. You could also face civil penalties for paying the ransom, and you may still not get your data back.

System Restore/Start From Scratch

Several websites offer software packages for ransomware removal, but whether they will succeed is not always clear.

Not every ransomware strain has a working decryption key or decryptor program, and every time a decryptor is released, hackers devise new encryption keys. Your best bet is to perform a system restore or start from scratch using a backup, with all security updates applied.

Start Over

Starting over ensures that your system is free of malware or ransomware: completely wiping storage devices and P.C.s, formatting hard drives, and reinstalling everything guarantees a clean slate.

If you have data backups, that is even better. You can easily restore media, files, and documents up to the point of infection.

Always note down the date of the ransomware attack so you can distinguish malware files from essential information. This also helps you understand how the ransomware operated and whether it had been lying dormant in your system for some time. Knowing how the malware works helps you determine the best recovery strategy.

Use Extended Version History to select one or more backups from which to restore files and data. Any off-site backups can also be used, including storage devices that were kept separately.
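The attack date you noted is the cut-off for a first pass over a recovered disk or file share before anything is copied back. As an added example that is not part of the original article, the following Python script buckets files by whether they changed after that date and uses byte entropy to separate ciphertext-like files from ordinary documents; the 7.0 bits-per-byte threshold and the sample files it builds are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, attack_time: datetime, threshold: float = 7.0) -> dict:
    """Bucket files under `root` by the noted attack date: pre-attack files are
    restore candidates, post-attack files above `threshold` bits/byte (ciphertext
    sits near 8.0, documents far lower; 7.0 is assumed) are likely encrypted."""
    buckets = {"pre_attack": [], "likely_encrypted": [], "review": []}
    cutoff = attack_time.timestamp()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mtime < cutoff:
                buckets["pre_attack"].append(rel)
                continue
            with open(path, "rb") as fh:
                head = fh.read(65536)  # first 64 KiB is enough to judge entropy
            key = "likely_encrypted" if shannon_entropy(head) > threshold else "review"
            buckets[key].append(rel)
    return buckets

def build_sample_tree():
    """Constructed sample: a document saved an hour before the attack, plus a
    random-byte 'encrypted' copy and a plain-text note written an hour after."""
    root = tempfile.mkdtemp()
    attack_time = datetime(2021, 6, 1, tzinfo=timezone.utc)
    t = attack_time.timestamp()
    samples = {
        "report.txt": (b"Quarterly figures, plain text. " * 200, t - 3600),
        "report.txt.locked": (os.urandom(8192), t + 3600),
        "README_RESTORE.txt": (b"Your files are encrypted. " * 50, t + 3600),
    }
    for name, (content, mtime) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root, attack_time
```

Files in the "review" bucket (post-attack but low entropy, such as a dropped ransom note) are the ones to hand to whoever is identifying the strain; only "pre_attack" files are safe to carry forward without further checks.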

System Restore

Using a System Restore Point may be tempting, but it is not the best or safest way to eliminate viruses or malware. Malicious software or code can be present anywhere on your system, and a restore cannot truly remove it.

System Restore also does not save, replace, or delete personal files or older copies of your data; it only reverts system files and settings.

Ransomware can also encrypt local backups, meaning that even after a restore you will still end up with encrypted data.

An isolated cloud or device backup is the best bet for recovery. It also allows you to restore a computer system’s data from a specific date or period.

  • Reinstall and configure the operating system and software applications, then use backup data to ensure a full system cleanse.
  • Use your account management system or stored software credentials to reactivate accounts.
  • An online password manager makes it easy to restore access to all accounts; however, you will still need to remember the master username and password.

What Are Some Best Practices To Defeat Ransomware?

  • Make use of anti-malware, anti-ransomware software, or antivirus software.
  • Maintain regular backups in a cloud or isolated storage devices.
  • Use immutable backup options to restore access, deploy information and get back to business.
  • Isolate infected devices from both internal and external contacts.
  • Perform security updates regularly.

Conclusion

Preventing ransomware attacks with antivirus or security software is better than facing an attack and not knowing what to do. If you do face one, having proper backups, isolating infected devices, cutting off network connections, and reporting to law enforcement agencies can help you reduce the severity of the damage.

Always refuse to pay the ransom, regardless of reputational concerns, as paying can put you in legal trouble. A lack of awareness puts you and others at additional risk too.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.