If you have experienced a ransomware attack, CISA strongly recommends using the following checklist provided in a Joint CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware Guide to respond. This information will take you through the response process from detection to containment and eradication.
- Determine which systems were impacted, and immediately isolate them.
- Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.
- Triage impacted systems for restoration and recovery.
- Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
- Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.
- Take a system image and memory capture of a sample of affected devices (e.g., workstations and servers).
- Consult federal law enforcement regarding possible decryptors available, as security researchers have already broken the encryption algorithms for some ransomware variants.