Get in Touch

Contact us to learn more about our elite cybersecurity services and industry-leading technologies.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Emergency Incident Assistance

Is your network under attack? Get in touch with a
BreachQuest Specialist right away with this form.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

Ransomware Attack! Now what?

By: BreachQuest

Ransomware attack! Now What?

You got hit with a ransomware attack.  Now what?

It’s not the end of the world and happens to a lot of organizations in all industries. Don’t panic. Our Incident Response team has outlined below what you need to do.

Isolate the Environment

The first step is to isolate infected systems immediately. However, it is important not to power off machines, as forensic artifacts may be lost. Removing all infected devices helps limit the replication of the ransomware to adjacent assets.

A few immediate things you can do while isolating the environment:

  • Disconnect the internet
  • Disable remote access
  • Change passwords

Throughout the investigation, continue to isolate any additional accounts/endpoints discovered to be involved or compromised along the way.

Notify your Cyber Security Partners

Notify your cyber insurance carrier, incident response partner, and other IT partners (e.g., MSP). Quick action and reporting to the appropriate parties will help handle a claim, regardless of when it is reported. Once you have reported the claim, immediate assistance and a plan of action will be provided to respond to the incident. If you have cyber insurance, your provider may offer in-house expertise and services to walk you through proper response steps. Remember to keep constant communication and promote collaborative investigation and response efforts.

Establish Timetable of Key Events

Begin to analyze the execution of the ransomware to determine characteristics that may be used to contain the outbreak/infection and note them as indicators of compromise (IoCs). Keep a running list of IoCs in hand to search for the initial point of entry. Your list should include determining the first appearance of the ransomware binary and determining the user first impacted by it.

While establishing the key events, preserve a copy of the malware file(s) in a password-protected zip file, as this will help further the investigation.

Preserve Logs and Artifacts

Preserve the system(s) for further forensic investigation, including log review, MFT analysis, and deep malware scans. This step is critical to assessing how the breach happened, who is responsible and conducting future forensics.

Begin Restoration

While prepping for restoration, it is essential to preserve any artifacts, systems, and relevant backups based on the sensitivity and scale of the incident. Once all relevant data, equipment, and systems have been preserved, replace or rebuild systems based on a prioritization of critical services. Begin to restore impacted systems from a clean backup, taken prior to infection if available. For systems not restorable from backup, rebuild the machines from a known good image, a pre-configured standard image if possible. It is important to note that throughout the investigation, it is crucial to remediate any vulnerabilities and gaps identified.

Preparation is Best

It is best to prepare for a ransomware event rather than during one. If your organization would like to participate in a facilitated tabletop simulation of this or any other incident response scenario, please contact BreachQuest at  Furthermore, there are many ways to strengthen your security posture. Our blog post, “Cybersecurity Practices for Secure Infrastructure,” outlines the best practices for preparedness. These considerations should likely be documented as part of a well-structured incident response plan. If you need help with your incident response plan, contact BreachQuest, and we’ll be happy to help. We also recommend subscribing to the Cybersecurity and Infrastructure Security Agency’s alerts.



Share this article:

Sign up for our newsletter to get more industry news and insights.

Related Insights


Introducing…..Percy Alexander

Read more


NSO Group iMessage Zero-Click Exploit – Patched by Apple

Read more