What to do after a ransomware attack?

We have previously covered the topic of ransomware on this blog, specifically the Avaddon ransomware. But Avaddon is just one of the many ransomware groups operating on the internet today. At the time of writing this article, it is in fact no longer active. This article will give you a basic understanding of what ransomware is and what characterises it. There is also a brief section at the end on how to prevent IT infrastructure from being infected by this malware. In this article, I'll take a closer look at the methods to follow and steps to take after a successful attack. Next, I will focus on minimising the damage of a potential attack on your company. Finally, I will present recommendations for minimising the risk of infiltration of your company's IT infrastructure.

Imagine a scenario where all the computer screens at company ABC, s.r.o. suddenly turn red with a message that the company is under attack. Upon closer examination, the IT department discovers that all the company's data has been encrypted and is therefore unreadable and unusable. No systems are working and even the backups on the backup server are encrypted. A worst-case scenario for the company. The most important steps come as soon as the infection is detected: don't panic, safely disconnect all devices from the network, turn them off, and isolate all USB flash drives, external drives and other devices. Sometimes it is also recommended to disconnect all end station peripherals. It is then best to contact a professional experienced in these attacks as soon as possible. Speed of action is crucial, as there is a risk of immediate data disclosure. In addition, groups of hackers sometimes only cease their activities or respond after a certain amount of time has elapsed since an attack.

Companies should also be mindful of their legislative or regulatory obligations and report the incident to the relevant authorities.

It is then necessary to determine the extent of the attack and the damage caused. The key question is whether the backups were also attacked. If not, see if the environment can be restored from them. If they have been attacked, this is worst-case scenario territory and other steps must be pursued to attempt at least a partial recovery.

To identify the damage and determine what ransomware is involved, it is important to select one hard drive after successfully disconnecting all devices, preferably from an end-user station. Then, using forensic Linux distributions or tools, make a copy of that drive. This backup serves both to document the post-attack state for future reference, but also as a test environment. Under no circumstances should any programs be run from this disk or the computer booted from it. This will create a backup of the encrypted disk on which further operations can be performed without the risk of damaging the encrypted data. Once a copy of the encrypted disk has been made, it will be installed in an isolated and secure environment so that its data can be read. Even if the data is encrypted, in the absence of backups, it is all that is left in the company.

It is very likely that the attackers will leave a clue how to contact them. This is actually in their interest, because if the victim is unable to contact the attackers, the attackers are unlikely to be able to get the ransom they want. Which ransomware group is involved is often apparent from the endings of the encrypted data.

Now imagine that a single unencrypted text file is found on the desktop of an encrypted disk. From its contents, it is possible to determine that the XYZ hacking group was behind the attack, and the file also contains a string of characters and numbers labelled as ID. The last piece of information in the file is a web address leading to the hacker group's Dark Net site.

I recommend taking proper precautions when doing anything on the dark side of the internet. For example, use an appropriate web browser on an appropriate operating system. This is the TOR browser, which routes all web traffic through the TOR anonymisation network. I also recommend using more secure operating systems such as TAILS or Qubes OS, which I also wrote about earlier in this article. We are now at the hacker group's "support site" and the negotiation game begins. At this stage, the victim usually learns all the requirements or the price for providing the decryption program and the deadline for sending the ransom. It is important not to lose one's head during the negotiation and to act with a certain degree of humility. The victim must realise that without obtaining the decryption program it is impossible to restore their data to its original form.

However, I am not saying it's impossible to recover the data without paying the ransom. There is always a small chance. The possibility of decrypting the data by brute force (controlled key discovery by testing all possible combinations) is extremely unlikely. If the process were that simple, all internet services would be in big trouble, because they are built on the same modern cryptographic principles. If the encryption of some ransomware could be broken, it would also be possible to break the encryption of any banking institution. So this is not the way to go and the whole problem needs to be addressed a little differently. While the negotiation proceeds, we will have the opportunity to make our own attempts at remediation.

We know which hacking group it is and the type of ransomware used. From various corners of the Dark Net, we may be able to find out what cryptographic protocols this type of ransomware uses. We may discover an exploitable flaw in the encryption protocol or the encryption program itself found on the disk of the infected device. There is also an organisation called No More Ransom, which constantly monitors developments in this field and tries to analyse different types of ransomware and eventually release a general decryptor. A good step is therefore also to test existing decryption programs on the backed-up encrypted data.

In general, breaking error-free encryption is impossible. Even so, it is worth trying to identify possible decryption procedures. From time to time, there is a bug in the ransomware, or a hacking group "stops" its activities and publishes a general decryptor. If I were to compare the probability of success to a lottery, the probability of "winning" would be very similar.

Decryption attempts have failed, so what are my options?

It is likely that the data will not be recovered before the deadline to pay the ransom expires. There are now only two scenarios: either the victim decides to pay the ransom or decides not to.




  + I have hope for a full data recovery

  + I do not support illegal activity

  + hackers can provide information about which way the company was hacked

  - the chances of full data recovery are almost nil

  - I have no guarantee that they will provide me with the decryption program after payment (I trust the attackers)

  - the hackers will withhold information about how the company was hacked

  - I have no guarantee that they won't disclose sensitive stolen data (I trust the attackers)

  - they are likely to disclose sensitive stolen data

  - I have no guarantee that they won't keep sensitive stolen data (I trust the attackers)

  - they're likely to keep the stolen sensitive data

  - computers and systems are still infected

  - computers and systems are still infected

  - I need to fix the entire infrastructure, put the proper security measures in place

  - I need to fix the entire infrastructure, put the proper security measures in place.

  - I support illegal activity

  - not paying does not mean that the group will never focus on the company again

  - they got money out of me and know my systems, I'll be a tempting target in the future

  - recovery and security costs

  - the ransom will not destroy the company, but it is significant


  - recovery and security costs



In any case, the clear recommendation is not to pay. By paying the attackers, their illegal activities are supported. It is hardly an overstatement to compare it to buying a stolen car or paying ransom for other criminal activities.

Operations must be subsequently restored in steps and only newly installed systems must be started. Only after they are properly configured can the data be made available. Be sure not to connect the original systems, including the virtualisation platform, to the network. You never know if an attacker has left a back door.

The above steps should not be construed as a fail-safe guide for recovering data and traffic after attacks. If you become a victim of an attack, do not hesitate to contact experts as soon as possible.

How to prevent ransomware attacks?

From the text above, the reader can understand that being a victim of a ransomware attack is no fun. Even without factoring in any possible ransom, the damage is very high. These include lost profits from the company's idle time, the possible loss of customers from the inability to provide services, or the suspension of production. Then there are the costs of restoring infrastructure and investing in security measures. Although no system is perfect, there are many ways to minimise the risk of infiltration.



Security incidents

Have procedures in place for managing security incidents, even those finally flagged as false alarms.

System permissions

No systems or databases may run under privileged users unless absolutely necessary (in most cases it is not!).


Have appropriate backups and an offline version of those backups located off-site. It is also important to regularly test the backups for recovery. Backups are useless if you cannot restore systems from them when needed.

Safety features

Deploy security features such as UPS, firewall, IDS/IPS and anti-virus protection.

Network segmentation

It is also important to have a properly segmented network (VLAN). A separate network for visitors, internal parts of the network according to the nature of their activities and servers accessible from the internet located in an isolated network segment without access to the internal part of the network. 

Remote access

Where public internet access is not required, have an active VPN that meets current standards and is free of vulnerabilities.



System vulnerabilities

Regular vulnerability scanning and penetration testing of infrastructure against known vulnerabilities. This also involves regular training of employees in cybersecurity, as social engineering is the easiest method of infiltrating a company's network.


Instal system updates.

Obsolete systems

Disable the existence of an operating system on the network that is no longer supported by the manufacturer.


Test new software parts and separate test and production environments. Monitor data between communicating systems.



Password policy

Have an appropriate password policy and enforce it.

Distribution of authorisations

Properly allocate permissions and manage them appropriately. Procedures for managing user accounts (termination, creation, editing) should be set up. A good tool is to regularly review user permissions.

Remote user access

Use suitable tools for remote work, such as tunnelled, encrypted connection via VPN.

Multifactor authentication

Use multifactor authentication wherever possible.




Regularly train all users.


Communicate with them about cyber risks.

Simulated attacks

Implement training in the form of simulated attacks through social engineering and use these to explain step-by-step how an attack can be identified.


Lesson Learned

Learn a lesson

Hope it doesn't happen again and ask yourself "Have I done everything I can to prevent this from happening again?"