Your browser is out of date.

You are currently using Internet Explorer 7/8/9, which is not supported by our site. For the best experience, please use one of the latest browsers.

Request a Consultation

Ransomware / Crypto-malware what to do?

When you’ve been attacked by Ransomware or other Crypto-Enabled Malware, time is of the essence.

Get Started

Recovering from a Ransomware Attack

If you know or suspect your systems have been infected with malware, call right now for help. TRUE: 866.430.2595

If your systems have been infected with ransomware or another crypto-enabled malware, you can reach TRUE’s 24/7/365 Incident Response Team for help right away here 866.430.2595. For non-emergency help with Incident Response, you may contact us at

When an organization is attacked with Ransomware or another crypto-locker style virus, their systems are rendered unusable and the immediate tendency is to begin doing something.  Anything.  Unfortunately, unless you are experienced at recovering from these cleverly designed attacks, you may be inadvertently causing more damage to your system.

Paying the bad guys immediately is usually a bad option.  Remember, they are bad guys.  Just because you pay them doesn’t mean that they will restore your systems. Also, paying them almost assures that they will be back for more of your money in the not-too-distant future.

In addition, once your systems have been restored, you need to ensure that the bad actors no longer have access to your systems. Otherwise, you could easily become their favorite new repeat customer.

Understanding the source and breadth of your infection can be tricky, so it’s best not to attempt to use systems at all until you are certain the spread has been contained. Malware is designed by threat actors to cause damage, and cyber criminals are constantly evolving their tactics to circumvent endpoint protection, evade detection, and enable rapid spread. Extreme caution is advised until TRUE’s Incident Response (IR) team is able to confirm for you that the infection has been stopped, and triage is complete.

TRUE’s IR team is trained and experienced with a wide spectrum of cyber attacks and incidents, able to understand patterns and other evidence that may indicate your incident is potentially larger (or smaller) than you first thought. To help them investigate, our teams may request additional access or information. In some cases, Network Security Monitoring (NSM) may provide additional key insight into a security incident, allowing our analysts to read all traffic on your internal network, decrypt SSL traffic where desired, perform deep packet inspection, collect very granular usage patterns, identify internal or external issues, and so on.

The type of malware you may be dealing with will certainly inform triage and remediation tactics, but the fact is that there are so many variants of the common malware strains currently floating around that you may be dealing with some version which has been updated to be more difficult to fight. Engaging an expert can be invaluable when it counts the most. Nevertheless, you may very well be dealing with a widely known malware instance that has been sitting dormant inside your systems, just waiting to be unleashed, biding its time for the first errant click. Common types of malware include the widely known and historically prevalent CryptoLocker, as well as Bad Rabbit, Cerber, Crysis, CryptoWall, CTB-Locker, GoldenEye, Jigsaw, KeRanger, LeChiffre, LockerGoga, Locky, NotPetya, Petya, Spider, TeslaCrypt, TorrentLocker, WannaCry, ZCryptor, and more.

There is a chance that you could simply restore your backups.  As of late, however, we are seeing much more sophisticated attacks, whereby, the attacker have probably been inside your systems for several week and have disabled or otherwise corrupted your backup.  Therefore, a normal recovery process may not work.

TRUE’s first priority is usually to assess the effects of the malware and prevent any further spread of the virus or ransomware within your environment, then apply triage and remediation. This may mean asking users to quit logging in to their computers, staying off all remote access accounts, disconnecting systems, forcing password resets, etc. until an investigation can determine how widespread the incident is, and the best path forward. The TRUE IR team is available in-person when needed, wherever you are in the continental US, to bring you help immediately.

Our digital forensics and incident response (DFIR) experts will work with your team to gather all relevant data to help the TRUE IR team build a clear picture of exactly what has taken place, including cause, source, timelines, spread of the attack, resources accessed, and more. This may include a retelling of known events, all relevant available logs that have been enabled, access to affected systems or accounts, and anything else that will help them build the most complete understanding of the situation. Drawing from years of experience remediating and investigating cyber attacks through TRUE’s 24x7x365 Security Operations Center, our IR team will correlate the data from your incident with our specialized threat feeds and trends they see in the field daily to help you understand the full scope and implications.

Ransomware is defined as malware accompanied by a ransom request. In most cases, all files in infected systems will encrypted or systematically destroyed, and a message will appear on infected machines demanding immediate payment in Bitcoin deliverable to the criminals. The promise is generally that the cyber criminals will restore access, cease destroying files, or decrypt your files for you if the ransom is met. That promise will always be a roll of the dice, however, because you have no guarantee that criminals will keep their word or that their software and processes will function as intended. If you have a solid disaster recovery plan with complete backups that are effectively segregated and can be restored in short order, you will thank your lucky stars in this moment.

Get Started with True Digital Security

Incident Response Evaluate Preparedness