The worst has happened. Your desktop background has changed to a ransom note. Your files have .lockbit extensions. The CEO is screaming. What you do in the first 60 minutes determines whether you recover in a day or in a month.

Phase 1: Containment (Do NOT Reboot)

1. Disconnect Network Cables: Physically pull the ethernet cable or disable WiFi. Stop the lateral spread to other servers.
2. Do NOT Shut Down: Ransomware often stores the encryption key in RAM. If you reboot, you destroy the key and any chance of free decryption. Sleep/Hibernate is safer.
3. Check Backups: Physically disconnect your backup drives/NAS immediately. Ransomware looks for backups first to delete them.

Phase 2: Identification

Who hit you?
Upload the ransom note and a sample encrypted file to ID Ransomware (id-ransomware.malwarehunterteam.com).
It will tell you the family (e.g., Ryuk, Sodinokibi, Dharma).
Check NoMoreRansom.org: The police and security companies release free decryptors for older ransomware. Check if you are lucky.

Phase 3: Scope Assessment

You need to know how they got in.
Check logs for:
- RDP Brute Force: bursts of failed logons (Event ID 4625) from one source address.
- Phishing Emails: Check the first infected user's inbox for the message they opened and what it executed.
- Vulnerable VPNs: Unpatched Fortinet/Pulse Secure appliances.
If you restore backups without fixing the hole, they will just encrypt you again tomorrow.
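As an added example (not part of the original post), here is a small Python triage script for the RDP brute-force check above: it reads Security-log 4625/4624 events exported as CSV lines (constructed sample data; the column layout is an assumption) and flags any source IP with a burst of failed logons, noting whether a successful logon from that IP followed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: time, event id, logon type, target account, source IP.
# Logon type 3 = network (RDP with NLA shows up here), 10 = RemoteInteractive.
SAMPLE_LOG = """\
2024-03-01T02:00:01,4625,3,administrator,203.0.113.7
2024-03-01T02:00:03,4625,3,admin,203.0.113.7
2024-03-01T02:00:04,4625,3,backup,203.0.113.7
2024-03-01T02:00:06,4625,3,svc_sql,203.0.113.7
2024-03-01T02:00:09,4625,3,administrator,203.0.113.7
2024-03-01T02:00:11,4625,3,jsmith,203.0.113.7
2024-03-01T02:01:00,4624,3,administrator,203.0.113.7
2024-03-01T09:15:00,4625,10,jsmith,10.0.0.25
2024-03-01T09:15:20,4624,10,jsmith,10.0.0.25
"""

def parse_events(text):
    """Parse the CSV-like export into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "logon_type": int(ltype), "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["time"])

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {...}} for every source IP with >= threshold failed logons
    (4625) inside `window`, plus whether a 4624 from that IP came afterwards."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append(e)
    hits = {}
    for ip, fails in failures.items():
        start = 0  # sliding window over this IP's time-sorted failures
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["time"]
                # A success after the burst means a password guess likely landed.
                success = any(e["id"] == 4624 and e["ip"] == ip and
                              e["time"] > burst_end for e in events)
                hits[ip] = {"failures": len(fails), "success_after": success,
                            "users": sorted({f["user"] for f in fails[start:end + 1]})}
                break
    return hits

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Any IP reported with success_after set to True is your likely initial access point; block it at the firewall and treat every account in its users list as compromised.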

Phase 4: To Pay or Not to Pay?

The FBI says: Never Pay.
The Reality says: It depends.
- If backups are gone and the data is critical -> You might have to negotiate.
- If you pay: The average success rate of decryption is ~90%.
- Double Extortion: Modern gangs steal your data before encrypting it. Even if you restore backups, they threaten to leak client data (GDPR fines) if you don't pay.

Phase 5: Recovery

1. Wipe Everything: Do not just "clean" the virus. Nuke the drives and reinstall the OS from scratch.
2. Restore Data: Restore files from clean backups.
3. Reset All Passwords: Assume the Active Directory Domain Admin hash is compromised. Reset the KRBTGT account password twice.