Ransomware: How to Respond
Author: CERT.br
Version: 1.0 — October 5, 2025
English translation technical review: Merike Käo, DoubleShot Security
Summary
- Introduction
- 1. Follow the Incident Response Plan
- 2. Contain the attack
- 3. Identify the ransomware
- 4. Analyze the collected information
- 5. Eliminate the ransomware
- 6. Change passwords and review access
- 7. Restore data and connectivity
- 8. Improve the environment with the lessons learned
Introduction
Once evidence of a ransomware attack is detected, it is necessary to act quickly to contain its spread, eliminate the presence of the attacker, eradicate the root cause of the compromise, restore the environment and return to normal operation.
Failing to remove the malware, to eliminate the accesses used by the attacker, or to patch the security vulnerabilities the attacker exploited can lead to new attacks and more damage.
This section addresses the technical part of responding to ransomware attacks. Issues related to reporting the crime to law enforcement, and to the negotiation and payment of the ransom should be part of the Incident Response Plan, but will not be dealt with here because they involve legal and business decisions, which are not part of the scope of this document.
It should be noted, however, that the payment of the ransom does not prevent new extortion attempts, nor does it guarantee the total recovery or confidentiality of the data. In addition, the ransom money can finance and encourage the illegal activities of the attackers.
The Infographic "Ransomware: How to respond" illustrates the main recommendations, detailed below. Depending on the organization's environment and the type of ransomware, these recommendations may be applied simultaneously, in a different order, or not at all.
1. Follow the Incident Response Plan
Thinking about how to respond to a ransomware attack only when the problem happens can delay actions and decisions, require greater recovery effort, result in more downtime, bring more losses and leave unresolved weaknesses that can lead to new attacks.
- Have an Incident Response Plan in place prior to an incident occurring.
- Define in it the contacts that should be involved, including:
  - who should be contacted first, to start the response process;
  - who decides on technical measures that may affect the organization's operation, such as turning off equipment and blocking access;
  - which service providers need to be contacted, for example, cloud storage, software solutions, support and security;
  - who needs to be notified in senior management and legal counsel, to deal with regulatory and business decisions and, where applicable, contacts with the insurance company and issues related to the notification of authorities and the ransom payment.
- Also define and document:
  - the functions that employees and contractors must perform;
  - the requirements and deadlines for notifying incidents to clients or regulatory bodies, for example, in case of a data leak which may have privacy implications;
  - the procedures to call the insurance company in the event of a claim;
  - the incident response steps to be followed (see more below).
- Train the contacts defined in the Incident Response Plan so that they know how to perform their tasks.
- Document the actions taken and the information collected.
One way to determine who should be involved and define their role is to gather technical, legal and management personnel and, together, discuss a ransomware attack scenario and identify the answers to all the topics discussed in this document. Some companies choose to perform a tabletop exercise to simulate an attack and check whether everyone would know what to do.
Documenting the response to the incident helps to understand the attack, align the teams involved, correct failures, and update the Incident Response Plan. This documentation may also be necessary, along with the evidence collected from the compromised equipment, in cases that require involvement with law enforcement or to meet compliance requirements, such as a notification to a regulatory body.
2. Contain the attack
The first step in responding to a ransomware attack is to contain the progression of the attack, in order to reduce the impact to the organization. The containment process includes protecting systems that have not yet been compromised and isolating systems already affected, in order to regain control.
2.1. Protect systems not yet compromised
Protecting shared environments and turning off systems not yet compromised prevents them from being infected, which helps contain the attack, reduces data loss and facilitates the return to a normal state of operation.
- Prioritize the isolation and protection of systems and data that are critical for business operation, especially backups, as they are essential for recovering business operations.
- Disconnect or restrict write permissions on networked file storage and sharing systems, such as NAS and cloud services.
- Turn off any equipment not yet affected:
  - if it is not possible to turn them off, disconnect them from the network.
2.2. Isolate the systems already compromised
Isolating already compromised systems causes the attacker to lose connection to the network, interrupts the attack chain and stops Data Exfiltration and the ransomware propagation to other systems.
- Disconnect:
  - compromised equipment from the wired network and from any other types of connections, such as Wi-Fi, Bluetooth and cellular;
  - external devices connected to compromised equipment, such as disks and flash drives, to prevent them from being affected.
- Block any malicious connections detected, for example, to C2 servers.
- Preserve the evidence and, if possible:
  - perform a memory dump of the compromised equipment;
  - take a snapshot of virtual systems and cloud storage volumes.
- Try to collect all the necessary data before making any change to the compromised systems, as any modification can destroy important information for analysis and recovery.
Although containment measures are essential to stop the attack, they can alert the attacker about the detection and trigger programmed mechanisms to Delete Files, speed up Data Encryption, and make it more difficult to recover the systems and data that have been compromised.
3. Identify the ransomware
Identifying the specific ransomware helps to understand the malware behavior, discover affected systems, fix vulnerabilities, and evaluate data recovery options.
- Analyze the ransom note information, the extent of files that were encrypted or, if available, the memory dump of the compromised equipment.
- Search reliable sources for available decryption keys:
  - decryption keys can be an alternative for data recovery, if the backups are inaccessible or corrupted.
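The first bullet above asks the responder to look at the ransom note and at the extent of the encrypted files. The script below is an added example, not part of the CERT.br guide: it walks a directory tree, tallies files per extension, flags probable encrypted files (a high-entropy sample with an extension that is not a compressed or media format), reports the extension the ransomware appended and the modification-time window of the encrypted files, and hashes any ransom-note candidates so they can be searched for in the identification projects mentioned below. The note-name hints, the entropy threshold and the sample tree it builds in a temporary directory are all constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions, not taken from the guide: name fragments that ransom notes often carry,
# extensions those notes usually use, and file types that are legitimately high-entropy
# (compressed or media formats), which must not be mistaken for encrypted data.
NOTE_NAME_HINTS = ("readme", "how_to", "howto", "decrypt", "restore", "recover", "ransom")
NOTE_EXTENSIONS = {".txt", ".html", ".htm", ".hta"}
EXPECTED_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".mp3"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is perfectly random, plain documents sit far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given sample."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTENSIONS and any(h in name for h in NOTE_NAME_HINTS)


def triage_directory(root: Path, sample_bytes: int = 4096) -> dict:
    """Walk a tree and report: files per extension, probable encrypted files (high entropy
    with an unexpected extension), the extension the ransomware appended, the modification
    time window of the encrypted files, and ransom note candidates with their hashes."""
    by_extension = Counter()
    encrypted = []
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            rel = path.relative_to(root).as_posix()
            if looks_like_ransom_note(path):
                notes.append({"path": rel, "sha256": sha256_file(path),
                              "excerpt": path.read_text(errors="replace")[:200]})
                continue
            ext = path.suffix.lower() or "<none>"
            by_extension[ext] += 1
            with path.open("rb") as f:
                head = f.read(sample_bytes)
            if (ext not in EXPECTED_HIGH_ENTROPY and len(head) >= 256
                    and shannon_entropy(head) >= ENTROPY_THRESHOLD):
                encrypted.append({"path": rel, "ext": ext, "mtime": path.stat().st_mtime})
    encrypted.sort(key=lambda e: e["mtime"])
    dominant = Counter(e["ext"] for e in encrypted).most_common(1)
    return {
        "files_by_extension": dict(by_extension),
        "encrypted_count": len(encrypted),
        "probable_ransomware_extension": dominant[0][0] if dominant else None,
        "encryption_window": (encrypted[0]["mtime"], encrypted[-1]["mtime"]) if encrypted else None,
        "ransom_notes": notes,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a share where three spreadsheets were encrypted and a note dropped."""
    (root / "finance").mkdir()
    for i in range(3):
        # encrypted payloads are modelled as random bytes with an appended extension
        (root / "finance" / f"report{i}.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "finance" / "notes.txt").write_text("Quarterly figures, to be reviewed.\n" * 50)
    (root / "photo.jpg").write_bytes(os.urandom(4096))  # legitimately high entropy
    (root / "HOW_TO_RESTORE_FILES.txt").write_text(
        "Your files are encrypted. Contact us at [placeholder] to recover them.\n")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_directory(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it against a read-only mount or a forensic copy of the affected share, never against the live system while evidence is still being collected; the entropy check reads only the first few kilobytes of each file, so it is cheap enough to run over a large share, and note candidates are reported for a person to read rather than acted on automatically.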
Examples of projects that help identify ransomware decryption keys are:
4. Analyze the collected information
Logs from security tools and evidence collected from compromised systems, when analyzed together and enriched with information about the ransomware, can reveal key elements to determine the root cause of the compromise and measure the extent of the incident.
- Research ransomware from specialized sources, such as bulletins and security alerts, to find out the indicators of compromise (IoC) and the techniques and tools used by the attackers.
- List the evidence collected from the compromised systems, the network logs, the security tools and any added information about the ransomware, if it has been identified, and try to determine:
  - the entry point into the network;
  - the details of the initial infection;
  - the date of the beginning of the incident;
  - which data was exfiltrated, if any;
  - the network connections made by the attacker;
  - the systems to which the malware spread;
  - other systems used by the attacker, for example, for Data Exfiltration, Persistence and C2.
- Identify the root cause of the organization's compromise, i.e. the Initial Access: were compromised credentials used, how were these credentials compromised, which vulnerabilities were exploited, etc. Correcting the problems identified is essential to avoid new compromises in the future.
- If you identify new compromised systems, apply the actions listed in section 2.2 (Isolate the systems already compromised).
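The questions in the list above (entry point, start date, attacker connections, systems the malware spread to, exfiltration) are answered by correlating logs from several sources with the indicators obtained for the identified ransomware. The following is an added example and not part of the CERT.br guide. It parses a handful of constructed, already-normalised log lines from four sources (VPN, host logons, EDR process telemetry, firewall egress), starts from indicator hits (a C2 address, known tool names), pivots to the hosts involved, follows network logons from those hosts to find where the attacker spread, collects the accounts used, and then walks back to the earliest related event as the estimate of initial access. The log format, the indicator values (documentation IP ranges) and the byte threshold for exfiltration candidates are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed indicators standing in for what a bulletin on the identified ransomware
# would supply (documentation IP ranges and placeholder tool names, not real IoCs).
IOC = {
    "c2_ips": {"203.0.113.45"},
    "tool_names": {"psexec.exe", "rclone.exe"},
}
EXFIL_BYTES_THRESHOLD = 500_000_000  # one outbound session above this deserves a closer look

# Constructed log lines, already normalised to "timestamp source key=value ...".
# Sources: vpn (remote access), auth (host logons), edr (process telemetry), fw (egress).
SAMPLE_LOGS = """\
2025-09-28T01:50:00Z auth host=WS-017 user=alice event=logon type=interactive
2025-09-28T02:14:05Z vpn user=jsmith src=198.51.100.7 result=success mfa=none
2025-09-28T02:20:41Z auth host=WS-042 user=jsmith event=logon type=interactive
2025-09-28T02:33:12Z edr host=WS-042 process=psexec.exe parent=cmd.exe
2025-09-28T02:35:50Z auth host=FS-01 user=jsmith event=logon type=network src_host=WS-042
2025-09-28T02:36:02Z auth host=DC-01 user=svc_backup event=logon type=network src_host=WS-042
2025-09-28T03:02:17Z fw src_host=WS-042 dst=203.0.113.45 dport=443 bytes_out=1240
2025-09-28T03:41:09Z edr host=FS-01 process=rclone.exe parent=powershell.exe
2025-09-28T03:55:30Z fw src_host=FS-01 dst=192.0.2.99 dport=443 bytes_out=734003200
2025-09-29T01:10:00Z auth host=FS-01 user=svc_backup event=logon type=network src_host=DC-01
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Event:
    ts: datetime
    source: str
    fields: Dict[str, str]


def parse_logs(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append(Event(datetime.strptime(m.group(1), TS_FMT), m.group(2), fields))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], ioc: dict) -> dict:
    """Pivot from IoC hits to hosts, from hosts to accounts and lateral logons, and then
    back to the earliest related event, which is the best estimate of the initial access."""
    hosts, c2, tools = set(), [], {}
    for e in events:  # pass 1: anything touching an indicator marks its host as compromised
        f = e.fields
        if e.source == "fw" and f.get("dst") in ioc["c2_ips"]:
            hosts.add(f["src_host"])
            c2.append((f["src_host"], f["dst"]))
        if e.source == "edr" and f.get("process") in ioc["tool_names"]:
            hosts.add(f["host"])
            tools.setdefault(f["process"], []).append(f["host"])
    lateral = []
    for e in events:  # pass 2 (time order): a network logon from a compromised host spreads it
        f = e.fields
        if e.source == "auth" and f.get("type") == "network" and f.get("src_host") in hosts:
            lateral.append((f["src_host"], f["host"]))
            hosts.add(f["host"])
    accounts = {e.fields["user"] for e in events
                if e.source == "auth" and e.fields.get("host") in hosts}
    related = [e for e in events
               if e.fields.get("host") in hosts or e.fields.get("src_host") in hosts
               or e.fields.get("user") in accounts]
    first = related[0] if related else None
    exfil = [(e.fields["src_host"], e.fields["dst"], int(e.fields["bytes_out"]))
             for e in events if e.source == "fw" and e.fields.get("src_host") in hosts
             and int(e.fields.get("bytes_out", 0)) >= EXFIL_BYTES_THRESHOLD]
    return {
        "incident_start": first.ts.strftime(TS_FMT) if first else None,
        "entry_point": (first.source + " " + " ".join(f"{k}={v}" for k, v in first.fields.items())
                        if first else None),
        "compromised_hosts": sorted(hosts),
        "compromised_accounts": sorted(accounts),
        "c2_connections": c2,
        "lateral_movement": lateral,
        "tools_observed": tools,
        "exfiltration_candidates": exfil,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(parse_logs(SAMPLE_LOGS), IOC), indent=2))
```

Two things the sample makes visible: the unrelated early logon by "alice" is correctly left out of the timeline because neither her host nor her account ever touches a compromised system, and the large transfer from FS-01 goes to an address that is not on the indicator list, so it is surfaced only because the host had already been tied to the attacker. In a real case, the same pivoting has to be repeated as new indicators arrive from the identification phase.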
If personal data that must be reported under a state or federal privacy regulation has been exfiltrated, a complete report describing the incident, including the root cause and the measures taken to correct it, should be provided to the legal counsel or to the individual responsible for handling personal data breaches.
5. Eliminate the ransomware
Just removing the malware is not enough to ensure complete recovery of the environment. For complete recovery it is necessary to eliminate all remnants left by the attacker, such as configuration changes and Persistence and C2 mechanisms.
Therefore, to ensure the complete eradication of the attacker's actions, the safest approach is the reinstallation and reconfiguration of the affected systems.
- Reinstall compromised systems using trusted media.
- Apply all updates, especially security updates and patches.
- Make sure to fix the vulnerabilities that allowed the attacker to compromise your environment:
  - if it is not possible to correct them, take appropriate mitigation measures.
More details on secure system configuration are available in "Ransomware: How to Protect".
6. Change passwords and review access
To prevent the attacker from returning to the network using compromised credentials, it is important to reset all passwords and strengthen the protection of all accounts.
- Change the passwords of all accounts:
  - assume that they have been compromised and are untrustworthy;
  - prioritize accounts suspected of having been compromised and those with privileged access.
- Eliminate privileges added by the attacker.
- Block or delete accounts created or reactivated by the attacker.
- Ensure multi-factor authentication (MFA) is enabled on accounts:
  - make sure it is active where necessary, because the attacker may have disabled it.
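The four bullets above translate into a concrete worklist once the directory is exported and the incident start time is known from the analysis phase. The script below is an added example, not part of the CERT.br guide. It takes a constructed account export and a constructed group membership audit trail and produces, for this phase: the accounts to disable (created or re-enabled after the incident started), the privileged memberships to revoke (added after the incident started), the order in which to reset every password (suspected accounts first, then privileged ones, then everyone else), and the accounts that remain active without MFA. The incident timestamp, the set of privileged groups and the export format are assumptions.

```python
from datetime import datetime

# Assumption: the timestamp of the earliest malicious event found in the analysis phase.
INCIDENT_START = datetime(2025, 9, 28, 2, 14, 5)
# Assumption: groups whose membership confers privileged access in this environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed directory export. "groups" is the current membership; "suspected" is set for
# accounts the analysis phase tied to the attacker; "last_enabled" is the most recent time
# the account was (re)activated, when the directory records it.
ACCOUNTS = [
    {"name": "jsmith", "created": "2021-03-01T09:00:00", "enabled": True, "mfa": False,
     "groups": ["Domain Users", "Domain Admins"], "suspected": True},
    {"name": "svc_backup", "created": "2022-06-15T11:30:00", "enabled": True, "mfa": False,
     "groups": ["Backup Operators"], "suspected": True},
    {"name": "admin2", "created": "2025-09-28T03:10:00", "enabled": True, "mfa": False,
     "groups": ["Domain Admins"]},
    {"name": "alice", "created": "2020-01-20T08:00:00", "enabled": True, "mfa": True,
     "groups": ["Domain Users"]},
    {"name": "old_contractor", "created": "2019-05-02T10:00:00", "enabled": True, "mfa": False,
     "groups": ["Domain Users"], "last_enabled": "2025-09-28T04:00:00"},
]
# Constructed group membership audit trail.
MEMBERSHIP_CHANGES = [
    {"account": "jsmith", "group": "Domain Admins", "action": "add", "when": "2025-09-28T02:50:00"},
    {"account": "alice", "group": "Helpdesk", "action": "add", "when": "2025-09-01T14:00:00"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def review_accounts(accounts: list, membership_changes: list, incident_start: datetime) -> dict:
    """Produce the account actions for this phase: what to disable, which privileges to
    revoke, the order in which to reset every password, and where MFA must be (re)enabled."""
    disable = []
    for a in accounts:
        created_after = parse_ts(a["created"]) >= incident_start
        reenabled_after = "last_enabled" in a and parse_ts(a["last_enabled"]) >= incident_start
        if created_after or reenabled_after:
            disable.append(a["name"])

    revoke = [(c["account"], c["group"]) for c in membership_changes
              if c["action"] == "add" and c["group"] in PRIVILEGED_GROUPS
              and parse_ts(c["when"]) >= incident_start]

    def priority(a: dict) -> int:
        # every password is reset; suspected accounts go first, then privileged ones
        score = 2 if a.get("suspected") else 0
        if set(a["groups"]) & PRIVILEGED_GROUPS:
            score += 1
        return score

    reset_order = [a["name"] for a in sorted(accounts, key=lambda a: (-priority(a), a["name"]))]

    # accounts that stay active must have MFA on; the attacker may have switched it off
    enable_mfa = [a["name"] for a in accounts
                  if a["enabled"] and not a["mfa"] and a["name"] not in disable]
    return {
        "disable": disable,
        "revoke_privileges": revoke,
        "reset_password_order": reset_order,
        "enable_mfa": enable_mfa,
    }


if __name__ == "__main__":
    for action, targets in review_accounts(ACCOUNTS, MEMBERSHIP_CHANGES, INCIDENT_START).items():
        print(f"{action}: {targets}")
```

The worklist is only as good as the incident start time and the "suspected" markings that come out of the analysis phase; if those are revised, rerun the review. Note also that the "disable" decision deliberately uses re-activation time as well as creation time, since reviving a dormant account is as common a way for an attacker to keep access as creating a new one.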
7. Restore data and connectivity
After the systems are reinstalled and reconfigured, it's time to restore the data and reconnect the equipment to the network.
To avoid unintentional reinfection, it is important to ensure that the recovered data is intact and does not contain residual copies of the malware nor other embedded tools or modifications to settings made by the attacker.
- Recover data from trusted backups, preferably from offline copies.
- If backups are not available or untrusted, check if there are any decryption keys available (see phase "3. Identify the ransomware"):
  - if you can't decrypt the data, try to rebuild it using other available resources, such as emails or external repositories.
- Remove any containment measures that have been applied.
- Reconnect to the network.
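The paragraph before this list requires that restored data be intact and free of residual malware, attacker tooling and changed settings. One way to check that before reconnecting, as an added example that is not part of the CERT.br guide: compare every restored file against a hash manifest taken from a known-good backup, quarantine anything that matches the artifacts identified in phases 3 and 4 (the appended extension, the ransom note name, known bad hashes), flag files that are absent from the manifest as unexpected, flag files whose content changed as modified, and list what is missing. The manifest format, the indicator values and the two sample trees built in a temporary directory are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumptions carried over from the identification and analysis phases (constructed values):
# the extension the ransomware appended, the ransom note file name, and file hashes that the
# analysis tied to the attacker's tooling (empty in this sample).
RANSOM_EXTENSIONS = {".locked"}
RANSOM_NOTE_NAMES = {"how_to_restore_files.txt"}
KNOWN_BAD_SHA256: set = set()


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root. In practice the manifest is
    produced from a known-good backup before the incident and kept out of reach of the
    production network, so that the attacker cannot rewrite it."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Classify every restored file before it is put back into service."""
    verified, modified, unexpected, quarantined, seen = [], [], [], [], set()
    for p in restored.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        seen.add(rel)
        digest = sha256_of(p)
        if (p.name.lower() in RANSOM_NOTE_NAMES or p.suffix.lower() in RANSOM_EXTENSIONS
                or digest in KNOWN_BAD_SHA256):
            quarantined.append(rel)       # malware residue or encrypted data: never restore
        elif rel not in manifest:
            unexpected.append(rel)        # not in the pre-incident manifest: review by hand
        elif digest == manifest[rel]:
            verified.append(rel)
        else:
            modified.append(rel)          # content differs from the manifest: treat as tampered
    result = {
        "verified": sorted(verified),
        "modified": sorted(modified),
        "unexpected": sorted(unexpected),
        "quarantined": sorted(quarantined),
        "missing": sorted(set(manifest) - seen),
    }
    result["safe_to_reconnect"] = not (modified or unexpected or quarantined)
    return result


def write(root: Path, rel: str, data: bytes) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> dict:
    """Constructed sample: a clean tree (the backup) and a restored tree carrying the kinds
    of leftovers this phase must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, restored = Path(tmp) / "clean", Path(tmp) / "restored"
        write(clean, "docs/policy.txt", b"Acceptable use policy v3\n")
        write(clean, "docs/report.xlsx", b"spreadsheet bytes (constructed)\n")
        write(clean, "config/settings.ini", b"[service]\nallow_remote=false\n")
        manifest = build_manifest(clean)

        write(restored, "docs/policy.txt", b"Acceptable use policy v3\n")         # intact
        write(restored, "docs/report.xlsx.locked", os.urandom(1024))               # encrypted copy
        write(restored, "config/settings.ini", b"[service]\nallow_remote=true\n")  # attacker change
        write(restored, "tools/update.ps1", b"# placeholder content, not in the manifest\n")
        write(restored, "HOW_TO_RESTORE_FILES.txt", b"Your files are encrypted.\n")
        return {"clean": verify_restore(clean, manifest),
                "restored": verify_restore(restored, manifest)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The "safe_to_reconnect" verdict is deliberately strict: a single modified or unexpected file blocks reconnection until someone has looked at it, because a changed configuration file or an extra script is exactly the kind of residue that reinfects an environment after an otherwise successful restore. A missing file does not block reconnection by itself, but the list tells the team what still has to be rebuilt from other sources.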
8. Improve the environment with the lessons learned
After the critical phase of the incident has been dealt with and normal operations have resumed, it is time to intensify monitoring, analyze the incident more deeply and strengthen security measures, to ensure that the problems have really been solved and to avoid the occurrence of new incidents.
- Reinforce the monitoring and detection controls listed in "Ransomware: How to Detect".
- Write an Incident Report, consolidating what was documented in the previous phases, especially the actions taken, the evidence preserved and the information collected.
- Update the Incident Response Plan, considering:
  - what worked, but needs to be adjusted;
  - what didn't work and needs to be corrected;
  - what was missing and needs to be added.
- Take advantage of the experience to improve the organization's cybersecurity posture and reinforce the preventive measures indicated in "Ransomware: How to Protect", in particular:
  - update systems or replace obsolete solutions;
  - improve the protection and monitoring of critical networks and systems;
  - invest in training and awareness.