Ransomware Incident Response Plan

June 22, 2017

When ransomware attacks happen, the most emergency thing is to get a ransomware incident response plan first and then carry out the plan.

Ransomeware Attack Background

It has been over a month since last ransomware WannaCry attack; and those days’ hot topic seems calm down. The latter virus EternalRock is also just like a slice of wind and it did not trigger much waves. Though WannaCry has almost died away, there can be more viruses in the future which may be more evil and are powerful to destroy netizens’ computers. Also, for those victims of ransomware WannaCry, I believe that they can’t forget the virus as quickly as those who do not affected by the virus. Therefore, we should not completely put down the alert. Instead, we should always keep it in mind when we are using computer to surf the Internet.

What to Do When Ransomware Attacks happen?

No one can completely avoid being infected by ransomware virus during his life of using computer, even they are very careful while operating on computer; because the virus will try its best to get on your computer and make it infected. Then, what should we do in case of been affected by ransomware?

First of all, do not panic and organizate a ransomware incident response plan. Just like a general need to figure out a strategy before starting up a battle with the energy, we need a ransomware response plan before start the fight with the Trojan.

What Is a Ransomware Incident Response Plan?

Ransomware incident response plan is a set of actions which you plan to do after confirming the ransomware virus attack. Different people have unlike ransomware incident response, but they are similar. Here, I would like to introduce you my personal suggestions to you as an editor in IT field.

1. Cut off the path of infection

We can’t destroy the source of infection – the virus, but we can cut off the possible paths of infection to our computers. Usually, disconnect Internet will help since most virus spread through Internet. Moreover, for ransomware WannaCry, we also need to block port 445, patch vulnerability named MS17-010 and may also stop SMBV1 service.

For Windows users, keep up with the pace of Microsoft and install updates of Windows is import. It is said that Microsoft has already published updates which solve vulnerability problem several month before WannaCry attack.

2. Rescue data

To do ransomware response, must rescue your important data. Most loss caused by ransomware attacks are data loss, including work documents, family videos, art pictures, favorite music, paid apps, etc. And, operating system damage is also a great loss; reinstalling OS is troublesome and may need new registration key. Still, strike of computer bother your daily work or entertainment; this inconvenience is also a kind of influence of virus attack.

To rescue your data, the most direct way is backup crucial data out of the infected computer. If you are lucky enough, the data will become normal and accessible the moment it dissociates from the affected machine. If not, move the data to another safe place for further treatment.

To backup data, you need a data backup software. In most cases, if your computer get infected, you can’t use it anymore, even boot into system. Then, you can create a bootable USB on another healthy machine first, then download and install the data backup software to the USB. Next, insert the USB to the affected computer and boot from the USB. Finally, open the data backup software in the USB and backup important data in infected computer to the USB. The following are detailed steps of make bootable USB and backup data.

Create bootable media

Step1. Choose, download, install and launch bootable media creator. Connect the USB for making bootable device into USB port.

Step2. Select “Create Bootable Media” to go on.

Create Bootable Media

Step3. The software will value whether your system has certification to create a bootable device. If it is, the below screen will pop up and click “Next” to continue. If not, just follow the guides to make OS available for making bootable media.

Create Bootable Media Certification

Step4. Choose “USB Boot Device” and “Next”.

Create Bootable USB

Step5. The program will start to create bootable USB immediately. Just wait until it finishes.

Tip:This application can also backup data for you. And, when you create bootable media, it already pack this app into the bootable media, so you just can insert the bootable USB into infected computer and use the built in software to backup data. If you want to use the other software, you have to install it in this USB. Yet, in case of confliction of the bootable files and the other data backup software, you may need to get another USB to install the backup program.

Backup data

Step1. Connect USB(s) containing bootable files and data backup software to affected computer; boot from the USB flash drive. Open the backup software. Here, we still take the above software for example since it claims “especially for WannaCry ransomware”.

Step2. Pick “I Want to Backup Data”.

I Want to Backup Data

Step3. Select “File Backup” in its main interface.

File Backup

Step4. Choose the import files/folders you want to migrate out of this computer.

Select Files to Backup

Step5. Choose the USB flash drive as backup destination.

File Backup Destination

Tip:If the USB is not large enough to contain the files you want to backup, or the bootable files forbid storing files on the USB, the software will remind you of those. Then, you can cancel this operation, connect another external storage device and retry. Or, you can just backup to NAS. However, you are not recommended to backup to cloud using this software for it only supports to backup to several clouds and the apps of these clouds has been installed on this computer.

Backup to NAS

Step6. Click “Start Backup” and wait until it finishes.

Finally, you can seek for further solutions for the virus attack without time limitation. Also, you won’t worry about data loss at any time.

3. The third item of Ransomware incident response plan is scan for virus and try to get rid of it.

After your data moved out, you can be sure to do something to deal with the ransomware. First of all, figure out what the hell it is. You need rely on anti-virus software to scan through your computer. If it can’t help, try to google for answer with your symptom, maybe there are others who are the same with you. In most ransomware attacks, the target is not a single one but a large group of machines. Say, the target of WannaCry is Windows users who has vulnerability of MS17-010.

Then, you’ll find that you are not alone to fight for the virus. Together with the other victims or people who care about you victims and are able to help, you will find a way out. This is a long time process; just be patience!


Ransomware incident response plan: Avoid further infection, rescue data and fight the virus.