I have been infected with ransomware. Now what?


In recent years ransomware infections have become more and more frequent, leaving companies (large, medium and small) as well as individuals without access to their information.

Isolation: as soon as we know a computer has been infected by ransomware, we must isolate it by disconnecting it from the network, so that the infection cannot spread to other systems.

Report: as soon as we can, we must report the incident to the authorities:

  1. We can do this by contacting the Telematic Crimes Group of the Civil Guard or the Central Technological Investigation Brigade (BCIT) of the National Police.

Help: INCIBE (the National Institute of Cybersecurity) offers citizens and organizations a cybersecurity helpline, 017, where they can advise on the steps to follow.

Recovery: with the help of the security forces, INCIBE or a company specializing in information security, we must try to recover the hijacked information.

  1. In some cases the encryption used can be broken and our files decrypted.
  2. In other cases this is not viable, and the only option left is to restore from the backups we have available.

Pay or not pay?

  1. From a legal and ethical point of view, the criminals should never be paid, since paying finances and encourages further crime.

The best way to avoid such an incident is prevention:

  1. Have up-to-date antivirus on all systems and networks.
  2. Keep equipment and programs properly patched and updated.
  3. Use secure system configurations.
  4. Raise awareness among users:
     1. Most infections occur through phishing.
     2. It is essential that employees know how to identify dangerous messages and are suspicious of anything out of the ordinary.
     3. They must know the different attack methods and how to defend against them.

And if all of the above fails, it is essential to have backups of all the information needed to keep the organization running, so that if an attack of this type disables our systems we can recover them, within a reasonable time, to a state as close as possible to the one before the incident.
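The two recovery points above (decryption is often not viable, so the backup is what saves us) come down to one question: can we prove the backup is intact and tell which live files the incident touched? The following script is an added example, not code from the original article or from INCIBE. It builds a backup with a SHA-256 manifest, simulates an incident that overwrites and deletes live files (all file names and contents are constructed in a temporary directory), then verifies the backup copy, lists the damaged files and restores only those.

```python
"""
Added example (not from the original article): a minimal manifest-based
backup, integrity check and selective restore. Every path and file below is
constructed inside a temporary directory; nothing touches real systems.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> dict:
    """Copy every file under `source` into `backup_dir` and record
    relative path -> SHA-256 in a manifest, so the copy can be verified later."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            dest = backup_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_file(dest)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def find_mismatches(root: Path, manifest: dict) -> list:
    """Return the manifest entries that are missing or altered under `root`."""
    return sorted(rel for rel, digest in manifest.items()
                  if not (root / rel).is_file() or sha256_file(root / rel) != digest)


def verify_backup(backup_dir: Path) -> list:
    """A backup the attacker could reach is not a backup: check the copy
    against its own manifest before trusting it for a restore."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    return find_mismatches(backup_dir, manifest)


def damaged_files(source: Path, backup_dir: Path) -> list:
    """Compare the live tree against the manifest: these are the files the
    incident touched and that need restoring."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    return find_mismatches(source, manifest)


def restore(source: Path, backup_dir: Path, rels: list) -> int:
    """Copy the listed files back from the backup; returns how many were restored."""
    for rel in rels:
        dest = source / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
    return len(rels)


def demo() -> dict:
    """Back up, simulate an incident on the live files, verify and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup = root / "live", root / "backup"
        (live / "reports").mkdir(parents=True)
        (live / "reports" / "q1.txt").write_text("quarterly figures")   # constructed
        (live / "notes.txt").write_text("meeting notes")                # constructed
        create_backup(live, backup)

        # Constructed incident: one file overwritten with unreadable bytes,
        # one deleted, and a note dropped in the live tree.
        (live / "reports" / "q1.txt").write_bytes(b"\x00" * 32)
        (live / "notes.txt").unlink()
        (live / "README_RESTORE.txt").write_text("constructed note")

        result = {
            "backup_intact": verify_backup(backup) == [],
            "damaged": damaged_files(live, backup),
        }
        result["restored"] = restore(live, backup, result["damaged"])
        result["clean_after_restore"] = damaged_files(live, backup) == []
        return result


if __name__ == "__main__":
    print(demo())
```

The manifest check is the point of the exercise: a restore is only as good as the copy it comes from, so the backup should be verified before it is used, and it should live where the infected systems cannot write to it (an offline or otherwise write-protected copy), or the same incident that encrypts the live files will encrypt the backup as well.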