The Complete Guide to Ransomware

Everything you need to know to prevent, stop, and recover from ransomware attacks

Ransomware is the #1 security concern

Ransomware tops the list of security concerns for IT professionals in 2017, and for good reasons: in 2016 we saw massive growth in both the variety and frequency of ransomware attacks. In this guide, we’ll outline everything you need to know about the ransomware trend, how to protect your organization from an infection, and what to do if you’ve suffered from a successful ransomware attack.


  1. What is ransomware?
  2. How ransomware works
  3. Ransomware protection
  4. Response plan
  5. Focus on prevention
  6. Next steps

What is ransomware?
And how is it evolving?

Broadly speaking, ransomware is malicious software designed to either lock a victim’s screen (locker ransomware) or encrypt their files (crypto-ransomware). Successful ransomware infections allow criminals to demand payment from the victim (generally in anonymous Bitcoin) in exchange for restoring access.

Terms we’re going to avoid: crypto-ransomwares, cryptoviruses, and CryptoLockers, oh my!

Now that we’ve got a general definition of ransomware down, just a few more notes on terminology before we move on (feel free to scroll ahead if terminology isn’t your thing).


Cases of lock screen ransomware have been in significant decline for a few years now. Compare that to the explosive growth we’ve seen in crypto-ransomware and it’s generally safe to assume when someone says “ransomware” they’re referring to crypto-ransomware. That holds true for this guide, as well. Let’s agree from this point on we’ll just say “ransomware” and drop the “crypto”. Sound good? Great!


Without getting too sidetracked explaining the differences between malware and viruses (short version: a virus is a type of malware with distinct parasitic characteristics), suffice it to say most of the time when people use “cryptovirus” they’re simply referring to ransomware, too. It’s generally a bit of a misnomer, though there are some ransomware variants that do self-propagate and spread like viruses. More on that later. In the meantime, let’s bid adieu to the term “cryptoviruses,” too (at least for this guide).


CryptoLocker was one of the first ransomware families to gain widespread, public notoriety when it appeared in 2013. As such, you’ll often still hear people use “CryptoLocker” as a blanket substitute for “ransomware,” even though CryptoLocker is officially no longer active. In this guide, any subsequent use of “CryptoLocker” refers specifically to the strain, not to ransomware in general.


3 of the most prominent active ransomware variants

Note: If you're looking for a more comprehensive set of write-ups on the latest ransomware variants, Bleeping Computer's "The Week in Ransomware" is a great resource. You can also get a feel for current ransomware activity and campaigns by checking out Ransomware Tracker, a live list of ransomware distribution sites and botnet command and control servers (the computers telling a bunch of infected computers what to do).

Here are brief descriptions of some of today’s most notorious ransomware families:


Simply put, 2016 was the year of Locky. First observed in February, it quickly became the most prolific ransomware strain being delivered.

Over the course of 2016, Locky left other ransomware variants in the dust. (Source: PhishMe Q3 2016 Malware Report)

Distribution for Locky has been heavily tied to phishing email campaigns sent out by the Necurs botnet, one of the world's largest networks of infected computers (when Necurs experienced temporary outages in June 2016 and again in January 2017, Locky infections plummeted). Sadly, those outages haven't lasted for long, and each time Necurs came back online, Locky infections surged.

How Locky infects victims

Locky has typically been delivered via phishing email campaigns that trick users into either opening malicious Microsoft Office documents and enabling macros or opening JavaScript attachments. More recently, Locky executables have been delivered as Windows Script Files and DLLs.

Locky accounted for nearly all of the malicious email payloads identified in Q3. (Source: Proofpoint Q3 2016 Threat Summary)

Once executed, Locky encrypts files and renames them with a .locky extension. The popularity and success of Locky have resulted in several updates and spin-offs, including versions that rename files with .zepto, .odin, .thor, and .osiris extensions.

In addition to scanning local drives for files to encrypt, Locky also encrypts files on network shares (even unmapped ones) and deletes Shadow Volume Copies so they can't be used in restoration attempts. Updates to Locky have incorporated changes such as offline encryption and various evasive techniques (ex: recognizing and avoiding sandboxing environments).

There is currently no way to decrypt files that have been encrypted by Locky without paying the ransom. Recovery options are limited to restoring from backup. That’s why the best way to protect your organization from Locky is to prevent it from landing on machines in the first place or — as a last line of defense — stop it at runtime.

Note: Despite the frequent modifications, Barkly stops even new, never-seen-before variants of Locky and other ransomware by recognizing its behavior and shutting it down before it can do any damage. Watch it in action vs. the Zepto variant of Locky below:

[Video: Barkly blocks the Zepto variant of Locky]




Cerber ransom screen. (Source: Bleeping Computer)

Another ransomware variant making its debut in 2016, Cerber stands out from Locky and other ransomware families in two distinct ways: 1) it contains VBScript that makes infected computers actually talk to their victims; 2) it was launched as a ransomware-as-a-service operation that allows anyone to distribute it in exchange for a 40 percent cut of any ransoms paid.

Researchers at Check Point estimated profits generated from Cerber were roughly $195,000 in July of 2016 alone, making it a $2.3 million source of income for criminals per year.

Earlier versions of Cerber renamed encrypted files with a .cerber extension. Newer versions now add a random file extension and have also developed the ability to kill databases in order to encrypt database files.

While decryption tools were temporarily available for previous versions of Cerber, none are available for the current version.


CryptXXX ransom screen. (Source: TrendMicro)

CryptXXX is a ransomware trojan that rose to prominence after the people behind TeslaCrypt ransomware called it quits. TeslaCrypt had been primarily delivered via the Angler and Neutrino exploit kits. With it gone, CryptXXX quickly became one of the go-to ransomware payloads for both (until Angler went belly up in June).

When infected with CryptXXX, the victim's encrypted files are renamed with a .crypt extension. Updated versions of CryptXXX up the ante by also including credential stealing capabilities.

Researchers at Kaspersky have created several tools designed to decrypt files encrypted by CryptXXX, only to have the ransomware authors make updates that render them ineffective. The decryptor for the most current version can be found here (it works for now, but based on the track record there's no telling how long it will).

Other notable ransomware variants that take things up a notch


Why encrypt individual files when you can lock someone out of their computer altogether? Petya ransomware does just that by encrypting the master file table. The result is a non-functioning system that requires a full machine reimaging if the ransom isn't paid.

The good news is there is a decryption tool available for Petya. The bad news is there is a new modified version of Petya called Goldeneye making the rounds. Unlike Petya, there is currently no decryptor tool for Goldeneye available.


Is encrypting a victim's files and demanding they pay up always the best way to make money off them? What if you could use the information you'd be encrypting for an even bigger payday? That's the question the creators behind the ransomware Shade asked themselves, and they decided they wanted to have it both ways.

Before it encrypts a victim's files, Shade will scan the computer for signs of accounting or banking activity. If it finds them, it installs remote control tools attackers can then use to try to gain access to the victim's finances.

A decryptor tool is available to recover files encrypted by Shade. But if Shade installed credential stealers and remote control tools, it unfortunately won't be of much use.

Note: For more on multi-stage ransomware attacks that also incorporate credential theft and other compromising activities, see our Malware Chat on the topic.


Why infect one user when you can infect an entire organization? That's the goal the creators of VirLock have in mind. VirLock is ransomware that also acts like a parasitic virus, infecting files and spreading across systems by creating new, unique versions of itself every time a file is executed. That makes detecting and blocking VirLock the old-fashioned way — scanning a file to see if it matches a known malicious signature — ineffective.

The latest version of VirLock takes its encryption game to the cloud, spreading itself across networks via cloud storage and collaboration applications. All it takes is for one user to open an infected file on a shared folder and every file on their computer (and every other shared folder they have access to) can be encrypted.

How ransomware attacks are evolving: 5 trends to watch

Trend #1: Ransomware attacks are becoming more frequent

With more criminals turning to ransomware as a source of income, it's no surprise attacks are on the rise, especially attacks targeting businesses. Why? As infamous American bank robber Willie Sutton explained when asked why he robbed banks, "Because that's where the money is."

Did you know?

Attacks on businesses increased 3x in 2016. A company gets hit with ransomware every 40 seconds. (Source: Kaspersky Security Bulletin 2016)

It doesn't help that more ransomware-as-a-service (RaaS) operations are popping up, making it easier than ever for criminals — even those with little to no technical experience — to conduct ransomware attacks. All they have to do is sign up to the service by agreeing to pay the ransomware developers a portion of any ransom payments they receive. Some ransomware-as-a-service platforms such as the recently discovered Satan RaaS even offer online management consoles that make it easy for criminals to launch, manage, and track ransomware campaigns.

Trend #2: Phishing has become almost exclusively a ransomware delivery vehicle

These days phishing emails almost always carry ransomware. (Source: PhishMe Q3 2016 Malware Report)

If you're looking for more evidence of ransomware's prominence, consider that 97.25% of phishing emails analyzed in 2016 by anti-phishing company PhishMe were attempting to deliver ransomware. All other malware payloads accounted for less than 3% combined.

Criminals know the easiest way to sneak ransomware past an organization's security is by infecting its users, and email provides them direct access to do so. They've clearly determined ransomware provides them with the most lucrative way of capitalizing on that.

Trend #3: New ransomware variants are being produced at an alarming rate

Growth of ransomware variants since December 2015. (Source: Proofpoint's Q3 2016 Threat Summary)

The number of new ransomware families grew by 10x in 2016, increasing 53% from Q2 to Q3 alone.

The heavy volume of new and modified ransomware variants also means organizations haven't been able to reliably count on traditional security solutions like antivirus to identify and block attacks. By the time any particular strain of ransomware is discovered and blacklisted, criminals have often already moved on to a new variation that will slip past undetected at the outset of their next campaign.

Trend #4: Once attacked, the majority of organizations are getting infected

Number of companies who have been attacked at least once and ended up getting infected. (Source: Barkly)

For nearly 3/4 of organizations experiencing ransomware attacks, the security they have in place unfortunately doesn't stand up. 71 percent of the targeted organizations we spoke to in a recent survey suffered one or more successful infections that resulted in data being encrypted, and in some cases, lost for good.

The catch is very few organizations actually pay the ransom, even after successful attacks (or at least they're not comfortable saying they did). Results from another survey we conducted with ransomware victims indicated that only 5 percent paid up. The fact is many victims are able to recover at least some if not all of their encrypted files from backup (only 42 percent of our survey respondents reported being able to recover everything).

Trend #5: Encryption was just the beginning — ransomware criminals are raising the stakes

Perhaps as a response to low payment rates, we're seeing several new ransomware tactics designed to turn up the pressure on victims and leave them little choice but to pay. For example, we're seeing ransomware attacks now being directed at servers and databases (see the recent MongoDB attacks) with the intention of causing more widespread damage to critical services and systems that's significantly more difficult to recover from quickly.

And in another twist on ransomware extortion methods, we're also seeing attacks add the threat of doxxing — releasing victim data publicly — if they choose not to pay. That threat is especially damaging to organizations that deal with private and sensitive customer data, such as hospitals, law firms, financial services, and others. It turns what would otherwise be an inconvenient IT issue resolved by backup into a potential data breach event. That completely changes the equation of whether or not to pay.


How ransomware works

According to a June 2016 survey by Osterman Research, nearly 50 percent of organizations have been hit with ransomware. As infection rates continue to rise, more and more attention and budget is being directed toward finding ways of keeping machines clean and data safe.

To do that, organizations need to understand how ransomware works and what needs to happen in order for an infection to be successful. Let's break down what the infection process looks like, starting with the most common ways ransomware gets delivered and the steps you can take to reduce your risk.

Stages of a ransomware attack


The infection typically happens in one of two ways: by clicking on a link or attachment in an email or via an exploit kit released by a compromised website.


Execution (evasion, searching for files to encrypt, and spreading)

Ransomware authors will often leverage slight modifications, process injection, and other techniques to make their programs slip past antivirus security undetected. Once on a machine, ransomware searches the system for files to encrypt. Some ransomware targets specific file types (for example: .docx, .xlsx, etc.). Some can also spread to mapped network drives, which puts other computers and systems connected to “patient zero” at risk.


In many cases, encryption can occur in minutes or even seconds. Our malware researchers clocked the ransomware Chimera at just 18 seconds. Files are rendered inaccessible and typically renamed with a new file extension that can sometimes signal which type of ransomware you’re dealing with.


Ransom demand

Once encryption is complete, a ransom or lock screen is displayed informing the user they have X amount of time to pay a fine (typically in the form of Bitcoin) in exchange for a decryption key. After that deadline the ransom will go up or the files will be destroyed.


How ransomware infections start

How does ransomware get onto victim machines in the first place?

The short answer: either via phishing emails or exploit kits.

Ok, sure. We've heard the horror stories about employees finding USB flash drives in the parking lot and plugging them in. But by far, the two primary, most likely delivery channels for ransomware are email and websites compromised with exploit kits. Let's look at each in more detail below.

Ransomware delivery channel #1: Email

Why email?

For cyber criminals, email serves as a direct line straight to the soft, chewy, vulnerable center of your network — your users. By sending emails disguised as legitimate messages, ransomware authors hope to trick users into either opening an infected attachment or clicking a link that takes the user to an infected website.

It’s a tactic referred to as phishing (attackers try to catch users by luring them into taking the bait). Unfortunately, it can be highly effective — according to the Verizon 2016 Data Breach Investigation Report, phishing emails have an average open rate of 30% — and research shows ransomware is now the #1 type of malware that phishing delivers (by far).

So we're talking spam emails?

Not exactly. You may still get an obvious mass spam email from a “Nigerian prince” from time to time, but the truth is many of today’s phishing emails are surprisingly sophisticated.

For starters, they’re more likely to be targeted, with attackers actually taking the time to do a bit of research and craft emails that are personally relevant to their victims. Ex: Just a few minutes on LinkedIn can supply an attacker with a name of a business connection or colleague they can reference to make their email much more convincing.

This type of targeted phishing attack is referred to as spear phishing (because the attacker is singling out and going after a specific person or group).

How does a phishing email deliver ransomware?

Two primary ways:

  1. Malicious attachments
  2. Links to malicious or compromised websites

As of now, simply opening a phishing email isn't enough to get a user infected with ransomware. Attackers still need users to take one additional step in order to get the malicious ransomware code onto their machine — either opening an infectious email attachment or clicking on a link that takes them to an infectious website.

We'll get into how the second option works when we talk about exploit kits. First, let's explore how attackers hide ransomware in attachments.

What types of attachments does ransomware hide in?

The success of ransomware phishing attacks hinges on convincing the victim every aspect of the email is legitimate. An attacker can go to great lengths crafting a customized, relevant message and making it look like it's coming from a sender the victim knows and trusts, but if the attachment looks suspicious that can ruin the chance of the user taking the bait.

To avoid raising suspicion, attackers often hide ransomware in the types of attachments we expect to receive — some of the most common include MS Office docs (Word, Excel, and PowerPoint) and PDFs.

These documents can be disguised as anything from invoices, contracts, regulatory forms, and more.

MS Office docs are a popular choice among ransomware authors because they allow them to leverage macros (bits of code that allow additional functionality) to execute the ransomware without the user's knowledge. Ex: The Locky ransomware family originally gained traction and notoriety in early 2016 with its use of malicious macros in Word documents.

If macros aren't enabled, the user won't be able to properly read the document, and they will be asked to enable them. Once macros are enabled, code in the document can download and execute the actual ransomware payload.


If possible, it's a good idea to adjust your users' Microsoft Office default settings to disable macros. That way you can prevent ransomware from exploiting them.

Microsoft has a support document that walks you through that process.

More recently, attackers have begun using JavaScript file attachments to deliver ransomware (it's now even more popular than using Word docs). What makes that especially concerning is JavaScript can do anything a regular application can do, without attracting the scrutiny of a .EXE. It's also easy for ransomware authors to disguise JavaScript file extensions so they look like they're .TXT files or something else innocuous.

How can I prevent ransomware from being delivered via email?

You can't prevent attackers from sending ransomware phishing emails, but you can put security controls in place that a) reduce the risk of users taking the bait, or b) prevent ransomware from successfully executing even if they do.

Prevention tools: Email filtering

Actively filtering email attachment types that are potentially dangerous and aren't commonly used or necessary to day-to-day work is certainly a low-effort way for you to lower your risk, but as the example of Locky demonstrates, criminals are becoming increasingly good at sneaking malicious code into file types that will get past most email filtering. For that reason, email filtering is far from a comprehensive solution.
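As an added illustration of the attachment checks discussed above (example code, not part of the original guide), the following parses a message with Python's standard email package and flags script attachments, disguised double extensions, and Office files that carry a VBA macro project. The extension lists and the sample message are constructed assumptions to adapt to your own mail policy.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists; tune to what your organization actually exchanges by mail.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".exe", ".scr", ".dll"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx"} | MACRO_EXTS
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg"}


def _exts(filename):
    """Return (second-to-last, last) extensions of a filename, lower-cased."""
    parts = filename.lower().strip().rstrip(". ").split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return prev, last


def has_vba_project(data):
    """True if an OOXML (zip) document contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return the reasons to quarantine this attachment (empty list = pass)."""
    reasons = []
    prev, last = _exts(filename)
    if last in SCRIPT_EXTS:
        reasons.append(f"script or executable type {last}")
        if prev in DECOY_EXTS:
            reasons.append(f"double extension {prev}{last} disguises file type")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office type {last}")
    if last in OOXML_EXTS and has_vba_project(data):
        reasons.append("contains VBA macro project")
    return reasons


def triage_message(raw_bytes):
    """Map each suspicious attachment name in a raw message to its reasons."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = triage_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed test message: one disguised script, one macro doc, one clean file."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"// constructed placeholder, not a real script",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.txt.js")
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="octet-stream", filename="contract.docx")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

The macro check inspects the file contents rather than the name, so a macro-bearing document renamed to .docx is still flagged.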

Did you know?

74% of ransomware victims reported they were running email/content filtering at the time of infection in a recent survey we conducted. 100% were running antivirus.

Percentage of ransomware victims using security solutions at time of attack

Ransomware has been proven to bypass traditional security solutions. (Source: Barkly)

Prevention tools: User education

Teaching users how to spot and react to suspicious emails can help transform them from a major liability to a formidable first line of defense. To help, we've put together a Phishing Field Guide complete with example phishing emails you can share with users to show them exactly what to watch out for.

User awareness training is a great long-term investment, but it's also an ongoing commitment, and there's no guarantee users are going to be 100% mistake-free 100% of the time. That means you need to have back-up safety nets in place so you're ready for the inevitable when new or even trained users click on something they shouldn't have. More on what those are in the “How to stop a ransomware infection” section.

Ransomware delivery channel #2: Exploit kits

What makes exploit kit delivery different from delivery via email?

The biggest difference is, with email, the burden is on the attacker to trick a user into actively downloading and opening a file. By using tools called exploit kits, however, criminals can infect victims who visit a compromised website automatically, without any clicking required.

How do exploit kits work?

Exploit kits allow criminals to upload malicious code to any web page they have access to. That code is designed to exploit specific vulnerabilities in browsers or other software the visitor may be running (ex: an outdated version of Adobe Flash Player). If the vulnerability is present, the exploit kit can leverage it to download ransomware. For a deeper dive, see our blog post "Understanding Exploit Kits: How They Work and How to Stop Them".

So avoid sketchy websites and we're good to go?

Sorry, not really. Another way for criminals to boost their infection rates is to compromise ad networks, so even visits to legitimate, mainstream websites can result in a ransomware attack.

That's precisely what happened in March 2016, when malicious ads (malvertising) containing the Angler exploit kit appeared on The New York Times, the BBC, AOL, and the MSN homepages, exposing tens of thousands of visitors.

How can I prevent ransomware from being delivered via compromised websites?

Again, it's all about focusing on the things you can control. You can't stop attackers from creating and using exploit kits, but since they rely on taking advantage of software vulnerabilities, one thing you can do is take precautions to make sure your software is patched and up-to-date.

Prevention tools: Patch management

Depending on the size and complexity of your organization, staying on top of, evaluating, testing, and rolling out the latest patches can be a full-time job in and of itself. The good news is, when it comes to successful exploits, the vast majority take advantage of just 10 incredibly popular vulnerabilities.

According to the Verizon 2016 DBIR, the following 10 vulnerabilities account for 85% of successful exploits: CVE-2001-0876, CVE-2011-0877, CVE-2002-0953, CVE-2001-0680, CVE-2012-1054, CVE-2015-0204, CVE-2015-1637, CVE-2003-0818, CVE-2002-0126, CVE-1999-1058

Start out by patching those and you can drastically reduce your risk. From there, you'll want to implement a patch management strategy that ideally involves automation.

Prevention tools: Install an ad blocker

Ad blockers can help protect your users from malicious ads (malvertising) that can infect even mainstream, legitimate websites.

How ransomware evades detection and how infections spread

Why is my antivirus not stopping ransomware?

Antivirus works by performing routine file scans and looking up file signatures in a database of known malware signatures. This approach is very effective for blocking known malware, but it doesn’t stop brand-new malware or old malware that has been repackaged with a new signature. Unsurprisingly, hackers have caught on to this critical weakness and are now engineering ransomware and other attacks to get past antivirus. Here are a few ways they do it:

  • Polymorphic malware is malware that is engineered to mutate, changing its own file name or signature, so that it will get by antivirus.
  • Cryptors or obfuscators are tools that change the appearance of a file, making it unrecognizable to antivirus.
  • Fileless delivery of ransomware (for example, through registry keys) allows attacks to evade antivirus file scans and pass undetected.

Once a ransomware payload is delivered, what happens next?

The precise next steps can vary from ransomware variant to variant, but in general, once ransomware is executed it wastes very little time scanning local and connected drives for files to encrypt. Some variants (such as Locky and DMA Locker) even encrypt unmapped network shares, extending the reach of the infection and making potential damage even more widespread.

Different ransomware variants can also scan for different file types, though many cast their nets wide and can encrypt anything from Microsoft Office files to multimedia files. It's important to note some ransomware variants like Locky also delete shadow volume copies — live backup snapshots Windows users could otherwise use to restore their files.
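The behaviors described above (shadow copy deletion and rapid renaming of files to a new extension) can be detected independently of any file signature. The following is an added example, not code from the original guide: it runs two rules over endpoint events, and the log format, process names, thresholds, and sample lines are all constructed assumptions.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed sliding window
RENAME_THRESHOLD = 5             # assumed; kept small for the sample data

# Constructed events in an assumed format: time|host|pid|image|action|detail
SAMPLE_LOG = r"""
2017-02-01T09:14:40|WS-014|2200|explorer.exe|file_rename|C:\Users\amy\draft.txt -> C:\Users\amy\draft.md
2017-02-01T09:15:01|WS-014|4412|invoice_helper.exe|proc_create|vssadmin.exe delete shadows /all /quiet
2017-02-01T09:15:02|WS-014|4412|invoice_helper.exe|file_rename|C:\Users\amy\q1.xlsx -> C:\Users\amy\0A1F.locky
2017-02-01T09:15:02|WS-014|4412|invoice_helper.exe|file_rename|C:\Users\amy\q2.xlsx -> C:\Users\amy\0A20.locky
2017-02-01T09:15:03|WS-014|4412|invoice_helper.exe|file_rename|C:\Users\amy\plan.docx -> C:\Users\amy\0A21.locky
2017-02-01T09:15:03|WS-014|4412|invoice_helper.exe|file_rename|C:\Users\amy\logo.png -> C:\Users\amy\0A22.locky
2017-02-01T09:15:04|WS-014|4412|invoice_helper.exe|file_rename|C:\Users\amy\cv.pdf -> C:\Users\amy\0A23.locky
2017-02-01T09:15:04|WS-014|4412|invoice_helper.exe|file_rename|C:\Users\amy\tax.pdf -> C:\Users\amy\0A24.locky
2017-02-01T09:16:00|FS-002|880|backup_agent.exe|file_rename|D:\bk\a.tmp -> D:\bk\a.bak
2017-02-01T09:16:15|FS-002|880|backup_agent.exe|file_rename|D:\bk\b.tmp -> D:\bk\b.bak
2017-02-01T09:16:30|FS-002|880|backup_agent.exe|file_rename|D:\bk\c.tmp -> D:\bk\c.bak
2017-02-01T09:16:45|FS-002|880|backup_agent.exe|file_rename|D:\bk\d.tmp -> D:\bk\d.bak
2017-02-01T09:17:00|FS-002|880|backup_agent.exe|file_rename|D:\bk\e.tmp -> D:\bk\e.bak
""".strip().splitlines()


def parse_event(line):
    ts, host, pid, image, action, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "image": image, "action": action, "detail": detail}


def is_shadow_copy_deletion(command_line):
    """Match a process launch that removes Volume Shadow Copies."""
    words = command_line.lower().split()
    return (bool(words) and words[0].startswith("vssadmin")
            and "delete" in words and "shadows" in words)


def extension_changed(detail):
    """True when a rename event gives the file a different extension."""
    old, sep, new = detail.partition(" -> ")
    if not sep:
        return False
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()


def detect(lines):
    """Return (time, host, image, rule) alerts, at most one per process and rule."""
    recent = defaultdict(deque)   # (host, pid) -> rename times inside WINDOW
    fired, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        key, rule = (ev["host"], ev["pid"]), None
        if ev["action"] == "proc_create" and is_shadow_copy_deletion(ev["detail"]):
            rule = "shadow_copy_deletion"
        elif ev["action"] == "file_rename" and extension_changed(ev["detail"]):
            times = recent[key]
            times.append(ev["ts"])
            while ev["ts"] - times[0] > WINDOW:   # drop renames outside the window
                times.popleft()
            if len(times) >= RENAME_THRESHOLD:
                rule = "mass_rename"
        if rule and (key, rule) not in fired:
            fired.add((key, rule))
            alerts.append((ev["ts"].isoformat(), ev["host"], ev["image"], rule))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The backup agent in the sample renames as many files as the suspicious process but never exceeds the threshold inside the window, so it raises no alert.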

Did you know?

Ransomware typically only takes a matter of minutes or even seconds to finish encrypting files.


Once the encryption process is complete and the files are rendered inaccessible, the ransomware then creates a ransom note that notifies the user what just happened. Ransom notes are typically .TXT files, but depending on the ransomware, they may also appear on a web page and/or replace the Windows wallpaper, too. The point of the notes is to establish the ransom demand amount, walk the user through how to pay it (typically with Bitcoin), or simply direct them to a web page for further instructions.

Note: Details included in the ransom notices, specifically any URLs that are included, can sometimes provide clues as to the specific type of ransomware you're dealing with (as can any changes the ransomware has made to encrypted file extensions — more on that later).

To see what the infection process looks like and get a feel for how fast it happens, here is a video of TeslaCrypt in action:

[Video: TeslaCrypt encrypting files in a matter of seconds. Source: Barkly]


Ransomware protection


How to stop a ransomware infection

In addition to working to prevent ransomware delivery in the first place, you can also make it more difficult for ransomware to complete the infection process even if it does land on a machine.

Antivirus, anti-malware, or anti-exploit tools — what do you need?

There's no lack of solutions marketed for addressing ransomware. Honestly, it can be difficult to make sense of all the terminology and clearly determine what does what. One helpful way of simplifying things is by classifying solutions based on when they come into play during a ransomware attack.

As the chart below illustrates, the biggest difference between most protection tools is the specific attack stage you can map them to. Thinking of tools in this way allows you to identify where you're covered and where your gaps are. A solid ransomware defensive strategy incorporates protection at each possible stage of an attack.

Mapping security solutions to the stages of a ransomware attack

Security solutions mapped to ransomware stages

Goal #1 (pre-execution): Keep ransomware off your endpoints by preventing delivery

Examples of solutions that can help:
  • Gateway defenses such as firewalls, UTM, email and SPAM filtering, etc.
  • User awareness training programs and anti-phishing tests
  • Exploit prevention such as EMET, patch management, ad blockers, etc.

Knowing that some attacks may find a way around these defenses (especially due to users being human and clicking the wrong thing no matter how often they're trained), you should also have protection in place to prevent ransomware from proceeding past the next stage.

Goal #2 (pre-execution): Block ransomware payloads from executing

Examples of solutions that can help:
  • File scanning and filtering products such as antivirus and next generation antivirus tools
  • Program isolation solutions such as sandboxing tools
  • Free / DIY filtering options such as application whitelisting (AppLocker), GPO-based restrictions like blocking program executions from temp folders, disabling Microsoft Office macros, etc.

Knowing that many ransomware variants are designed to sneak past these defenses, you also need solutions designed for protecting you even if a ransomware program is executed.

Goal #3 (pre-damage): Stop executed ransomware from doing harm

Examples of solutions that can help:

Note: Blocking attacks at runtime is your last chance to prevent a ransomware infection. The next two groups of solutions are designed to help you react to successful infections by isolating and recovering from them quickly.

Goal #4: Isolate ransomware infections to prevent them from spreading

Examples of solutions that can help:

Note: Again, these won't help you stop a ransomware infection, but they can help you detect and contain it.

Goal #5: Recover quickly without paying the ransom

Examples of solutions that can help:


What to do if you’ve been infected

In this section, we’ll walk you through the steps you should take immediately should you or any of your users become the unfortunate victims of a ransomware attack.

As with any security incident, the important thing is to keep your cool and approach things systematically. That’s easier said than done, of course, but having a basic framework for a response plan and practicing it ahead of time can help. Let’s walk through what that looks like.

Step 1: Isolate

Disconnect infected machines from the network and lock down shared network drives.

With ransomware, the primary thing you're up against is its speed. Unlike other cyber attacks that prioritize stealth in order to maintain system access and control for long periods of time, ransomware simply prioritizes encrypting as much as possible as fast as it can.

For that reason, depending on how you discovered or were notified of the infection, you may find yourself dealing with just one infected device (consider yourself lucky) or multiple users and machines. Your first step should be isolating any infected machines you’re immediately aware of by disconnecting them from the network as well as Wi-Fi. Keep in mind, many ransomware variants are able to spread through shared network drives, so you may need to temporarily lock those down and check your file servers, too.

Unfortunately, since ransomware encrypts files so quickly, in many cases the damage on infected devices will already be done. Hope isn’t necessarily lost, but don’t shift your focus to recovery quite yet.

Determine the full extent of the infection

The majority of ransomware variants will make changes to encrypted filenames, often changing all the extensions to something that corresponds with the ransomware name (ex: .zepto or .locky). They also often create README.txt and README.html files with ransom instructions. Looking for these markers can give you an idea as to the extent of the infection and how far it’s spread.

It’s important to track down any devices with these signs of infection and take them all offline. Missing any single infected device increases the risk of the infection spreading all over again.

Step 2: Investigate

Determine what type of ransomware you’ve been infected with

The reason this is helpful to know is some ransomware variants have been identified as being “fake” — meaning they don’t actually encrypt your data effectively. Other variants have been cracked and decryption tools have been made available. Still other variants may not have a good track record of actually delivering a working decryption key even if you decide to try paying the ransom.


For a list of possible ransomware types you’ve been infected with, and to find out whether a decryption tool is available, use our: Ransomware Decryption Tool Finder


New or modified file extensions appended to encrypted files are often one clue as to the particular type of ransomware you’re dealing with. Likewise, information included in the ransom screen — specifically, any URLs it points you to for more info or payment steps — can also serve as identifying markers. Researcher Michael Gillespie’s website allows you to upload a ransom note and/or a sample encrypted file to learn what type it is.

Lastly, you can try some good old-fashioned googling. Search for the ransom screen messaging, for the extension that has been applied to your locked files, or for some of the symptoms you’re experiencing such as encrypted unmapped network shares or encrypted shadow copies. Another great resource to check out for more info on specific ransomware variants is

Determine the source and cause of the infection

To understand how the attack started you’ll also want to identify “patient zero” — the first person in your organization who got infected. Keep in mind this may not always be the user who reported the incident. In some cases, you may be able to determine patient zero by looking at the properties of one of the infected files and seeing who the owner is listed as. For more on how to identify patient zero, see this thread in Spiceworks.
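The marker hunt from “Determine the full extent of the infection” and the file-owner check for patient zero can be run as one read-only sweep of a share. The following is an added example, not part of the original guide; the function names and the sample tree are constructed for illustration, and the marker lists hold only the examples the guide names.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
# Markers named in the guide; extend with what your ransom note and samples show.
MARKER_EXTENSIONS = {".zepto", ".locky"}
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}

def scan(root):
    """Return one record per encrypted-looking file or ransom note under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in MARKER_EXTENSIONS:
                kind = "encrypted"
            elif name.lower() in RANSOM_NOTE_NAMES:
                kind = "note"  # weak on its own: README files are common
            else:
                continue
            try:
                owner = path.owner()
            except (NotImplementedError, KeyError, OSError):
                owner = "unknown"  # e.g. pathlib cannot resolve owners on Windows
            hits.append({"path": path, "kind": kind, "owner": owner})
    return hits

def summarize(hits):
    """Folders with encrypted files, note-only folders, extension and owner counts."""
    encrypted = [h for h in hits if h["kind"] == "encrypted"]
    enc_dirs = {str(h["path"].parent) for h in encrypted}
    return {"affected_dirs": sorted(enc_dirs),
            "note_only_dirs": sorted({str(h["path"].parent) for h in hits} - enc_dirs),
            "extensions": dict(Counter(h["path"].suffix.lower() for h in encrypted)),
            "owners": dict(Counter(h["owner"] for h in encrypted))}

def build_constructed_share(root):
    """Constructed sample tree: two hit folders and one with a harmless README.txt."""
    for rel in ("finance/q1.xlsx.zepto", "finance/README.html", "finance/q2.xlsx.zepto",
                "hr/list.docx.locky", "it/README.txt", "it/notes.docx"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_share(tmp)
        print(summarize(scan(tmp)))
```

Folders listed under note_only_dirs contain a README file but no renamed files, so check them by hand before treating them as infected. Where the owner comes back as unknown, read it from the file's properties instead.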

Again, since most ransomware doesn’t wait long to get going once it’s on a machine, in many cases you should be able to find out what triggered the attack by finding out what the user was doing shortly before the ransom screen popped up.

Ask users to retrace their steps:

  • Did they open any new documents?
  • Click on any attachments or links in an email?
  • Did they visit any websites they don’t normally visit?

Once you determine the cause of the infection it may also be a good idea to share an alert with other users letting them know what to be on the lookout for (ex: phishing emails with fake invoices, etc.).

In the meantime, is there anyone else who needs to know about the ransomware attack right away? If so, now’s the time to tell them.

Step 3: Recover

Try to restore your encrypted data

Unfortunately, in most cases, once files are encrypted there’s no way of unlocking them without the decryption key. That said, malware researchers are sometimes able to exploit flaws in ransomware encryption methods and develop decryption tools. As mentioned, our Ransomware Decryption Tool Finder is an easy way to find out whether a decryption tool is available for the strain of ransomware you’ve been infected with.

If no decryption tool is available then your only other option is to restore your files from backup. Of course, the only way you can do that is if a viable backup is available. A recent poll of IT pros found that only 42% were able to fully recover their data, even with backups in place.

The top reasons for failed or incomplete backup recoveries were:

  1. Backups that weren’t regularly monitored or tested didn’t work.
  2. Local backups or backups connected to a shared drive were also encrypted.
  3. There was a loss of data since the last incremental snapshot.

For more tips on how to make your backup strategy ransomware-ready, see our blog post, “3 Better Ways to Use Backup to Recover from Ransomware.”

Note: Even if you aren’t using a dedicated backup provider, you may still be able to recover your data if Microsoft’s free volume shadow copy service (VSS) is enabled. Just keep in mind VSS has its limitations, and some ransomware variants are able to encrypt shadow copies, as well.

Decide whether or not you need to pay the ransom
Surveyed IT pros almost always refused to pay the ransom. (Source: Barkly)

If you can’t decrypt or recover your files from backup, you’re left with a difficult decision to make. While most authorities don’t recommend paying the ransom (and stats indicate very few organizations actually do), ultimately, your decision will have to be based on your situation, not other people’s.

Things may come down to how integral access to the encrypted information is to your business. It’s a good idea to think about how valuable your data is — are you dealing with law case files, patient health records, customer sales orders, etc. — and make decisions on how you would handle various encryption scenarios ahead of time. That way, you’re not forced to make an uninformed decision in the heat of the moment.

Keep in mind, however, once attackers have identified your organization as a successful target the odds of you experiencing repeat attacks are high.

Wipe infected machines to avoid re-infection

The safest way is to nuke the computer and bring it back to factory settings. Then restore from backup.

If you don’t have backup you can use, the situation becomes trickier. There are some things you can try in order to salvage some of the files, such as malware-removal tools (Microsoft offers a free one), but you do run the risk of a malicious file getting missed and the infection starting back up all over again.

Step 4: Reinforce

Conduct a post-attack retrospective

With the attack contained and any recoverable data restored, business may thankfully be getting back to normal. Now that the immediate crisis is over, however, it’s important to take the opportunity to do a full assessment of what happened, how you responded, and any surprises or gaps that were exposed along the way.

Starting with how the ransomware was successfully delivered in the first place, go back and retrace the trajectory of the attack. Try to identify any vulnerabilities that were exploited along the way and specific controls you can put in place to either eliminate or mitigate them.

Let’s say the attack was launched with a phishing email. What vulnerabilities and gaps in your security allowed the ransomware to be successfully delivered?

For starters, the user who received the email was fooled. Can you invest in awareness training to help users make better educated decisions? Better yet, are there things you can do so damaging user mistakes are harder to make? Can you disable macros in Microsoft Office docs so ransomware authors can’t exploit their functionality, for example?

It’s also clear if you were running email filtering and antivirus they were both either bypassed or ineffective. Are there adjustments you can make to strengthen them? Are there additional layers of endpoint security you can add that work differently and stop specific types of attacks they don’t?

How far did the infection spread? Are there adjustments you can make to user access privileges to limit what infected accounts can reach?

Were you able to wipe machines and adequately recover from backup? Are there any changes to your backup strategy you need to make?

Did you know?

50% of ransomware victims experience repeat attacks.


Unfortunately, suffering one ransomware attack puts you at greater risk for suffering another one. Asking these types of questions will help you probe where your weaknesses are and determine what needs to change to avoid a repeat incident.

In addition, here is a checklist you can use to better prepare for ransomware infections and raise your odds of successfully preventing them in the first place.


Why prevention is king

If you’re like most IT pros, you hire endpoint security tools to accomplish two main jobs: protect your organization from data loss or theft and minimize downtime for end users. Having the ability to detect infections and restore data following a ransomware attack is critical, but when it comes to accomplishing those jobs, preventing infection in the first place should be the priority for a few reasons:

  1. Backups aren’t always reliable: Even with backups in place, only 42% of organizations fully recover their data from a ransomware attack.
  2. Backups don’t prevent data theft: Backups can mitigate data loss, but they won’t help in the case of data theft. This should be a concern for any organization guarding sensitive data.
  3. IT time is valuable: Someone has to clean up when there’s an infection. Your team is too busy to be putting out fires that could be prevented.
  4. A successful attack means downtime for users: It may only take a couple hours to reimage a machine, but a couple hours at the wrong time could have a huge impact for users who are working on tight deadlines or preparing to give presentations.

Next steps

Now that you are an expert on all things ransomware, it’s time to make sure your organization’s protection is up to speed. We’ve put together the following checklist to help you through the process:

Ransomware survival checklist

  • Do you have up-to-date antivirus installed on your endpoints?
  • Do you have behavior-based endpoint protection like Barkly installed that can stop attacks antivirus can’t?
  • Are you using an automated patch management system? If not, do you have an organized method of discovering, evaluating, and deploying software updates?
  • Have you conducted security awareness training for your users, with an emphasis on identifying potential phishing emails and reporting any suspicious or unusual activity as soon as possible?
  • If possible, have you disabled Microsoft Office macros?
  • Do you understand how an attack can spread through shared network drives?
  • Have you limited user access and privileges to the bare minimum they need to do their jobs?
  • Do you have backups on their own separate network?
  • Do you have an up-to-date inventory of the backup recovery point objective (RPO) and recovery time objective (RTO) for all your workstations and servers?
  • Do you have a schedule for regularly testing your backups?
  • Have you conducted a risk assessment to identify and assign value to your organization’s critical data assets?
  • Do you know your cost of downtime? Figuring this out will help you put a dollar amount on keeping your systems up and ransomware-free.

Additional tools and resources

After all that, still looking for more? Here are some links to other fantastic ransomware tools, tutorials, and stats worth checking out:

DIY ransomware protection:

Ransomware Protection Using FSRM and PowerShell by Matt Hopton, Netwrix Blog

How to Block CrypVault Ransomware via Group Policy by Tim Buntrock, 4sysops Blog

Cryptolocker Canary Tutorial by JustinCredible, Spiceworks Forum

Ransomware identification and decryption tools:

Ransomware Decryption Tool Finder (type in file extension to identify variant and get link to a decryptor if one exists) by Barkly

ID Ransomware (upload ransom note or encrypted file to have it analyzed) by Michael Gillespie

Ransomware Overview (great list of ransomware variants plus additional prevention measures) by Florian Roth and additional contributors

Ransomware simulation and testing:

Ransomware by the Numbers (list of must-know statistics), Barkly Blog

Ransomware Tracker (live list of active ransomware C&C botnet servers, distribution sites, and payments sites, along with blocklists for your firewall) by

Ransomware Chronicle (comprehensive list of ransomware developments from May 2016 - January 2017) by David Balaban

Businesses are hit every 40 seconds. Don't let yourself become one of them.
