What to do if you’re held to ransom

A guide to identifying and removing ransomware, and to protecting yourself against it.

This guide has simple steps to follow if you are a victim of ransomware. The first section will teach you how to identify ransomware and stop it from spreading. The second part will help you avoid another ransomware attack.

Never pay a ransom

Paying does not guarantee you will regain access to your files, and it marks you as someone who pays, inviting further attacks.

Identify and remove the ransomware

Start here if you are experiencing a ransomware incident.

Not all ransomware incidents are the same, so some of the steps in this guide may not apply to your situation. Use the actions that suit it best, and consider hiring a professional if the affected systems or files are valuable to you.

Step 1: Disconnect your devices

Immediately disconnect your infected device

Disconnect from everything: the internet, other networks and USB storage media. Do not connect your backup storage media.

Disconnecting cuts the ransomware off from the attacker's servers and from the network shares and other devices it could spread to.

Make sure your computer and mobile devices are not connected to each other or to the internet.

How to disconnect

There are several ways to disconnect a device:

  1. Remove network and data cables, USB storage devices and dongles.
  2. Disable wireless connections such as Wi-Fi, cellular data and Bluetooth.
  3. Repeat the above steps for any other infected devices on your network.

You will not be able to access the internet from that device once you complete this step.

Step 2: Stop the ransomware

Identify and stop the ransomware running on your devices.

How to stop ransomware

Before you begin, take photos of key details such as the ransom note, web links, email addresses and Bitcoin addresses. Use an unaffected mobile device or camera to do this.

If you have an Apple device (macOS or iOS), or if your device is not responding, hold down the power button to turn it off. Be aware that powering off discards everything in memory, which a forensic specialist may otherwise have been able to examine; if a professional is already helping you, ask them before you do this.

Once you have shut down your device, continue to Step 4: Write down key details.

If you have a Microsoft Windows 10 device, you can use Task Manager (Ctrl+Shift+Esc) to identify the suspicious process and end it. Look for programs you do not recognise, especially ones using a lot of CPU or disk; right-click one and choose Open file location to see where it is running from.

If you have completed this step successfully on your Windows 10 device, proceed to Step 3: Run a malware scan.

Step 3: Run a malware scan (Windows 10 only)

Ransomware may still be on your device even after you force quit the suspicious program. Use a malware scanner to find and remove it.

How to run a malware scan

Use the malware scanning tool already on your device; one will have come with your computer. If you do not know the name of your anti-malware program, search your computer for it.

A malware scan could take several hours. Because the device is disconnected, the scanner cannot download new definitions; run the scan anyway, and scan again once a professional has confirmed it is safe to reconnect and update.

  • For Microsoft Windows 10: search your computer for terms such as Microsoft Defender or Antivirus. Find your scanning tool, launch a full malware scan and delete any malware it identifies. For more assistance, follow our step-by-step guide to performing a malware scan.

At this stage, it is strongly recommended to take photos or notes of any suspicious programs, files, pop-ups and other key details you encounter while running the malware scan.
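For an IT professional handling Steps 1 to 3 on a Windows 10 machine, the same three actions can be driven from an elevated PowerShell console. The script below is an added example written for this page, not part of the original guide and not an NCSC tool; it assumes Microsoft Defender is the installed scanner, looks back two hours for newly started processes, and uses a placeholder $SuspectPids list that you fill in after reading the process table.

```powershell
# Added example (not part of the original guide): a first-response
# script for a Windows 10 host covering Steps 1 to 3. Run it section by
# section from an elevated (Administrator) PowerShell console.
# $SuspectPids is a placeholder you fill in after reviewing the table.

# ---- Step 1: disconnect ------------------------------------------------
# Disable every active adapter (Ethernet, Wi-Fi, cellular, VPN, Bluetooth
# PAN). This does not switch the Bluetooth radio itself off; use the
# Settings app or the hardware switch for that. Record the time for Step 4.
$disconnectedAt = Get-Date
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false
"Disconnected at $($disconnectedAt.ToString('o'))"

# ---- Step 2: identify and stop -----------------------------------------
# Processes started in the last two hours (assumed window), with path,
# Authenticode status and whether the binary lives under the user profile.
# Ransomware is typically unsigned and runs from AppData, Temp or Downloads.
$cutoff = (Get-Date).AddHours(-2)
Get-CimInstance Win32_Process |
    Where-Object { $_.CreationDate -and $_.CreationDate -gt $cutoff } |
    ForEach-Object {
        $sig = if ($_.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status
        } else { 'unknown' }
        [pscustomobject]@{
            PID           = $_.ProcessId
            Started       = $_.CreationDate
            Name          = $_.Name
            Signature     = $sig
            InUserProfile = [bool]($_.ExecutablePath -like "$env:USERPROFILE\*")
            Path          = $_.ExecutablePath
            CommandLine   = $_.CommandLine
        }
    } | Sort-Object Started | Format-Table -AutoSize -Wrap

# Photograph or note the suspicious entries (Step 4), then stop them.
$SuspectPids = @()   # placeholder, e.g. @(4321, 4388)
foreach ($id in $SuspectPids) {
    $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
    if ($proc) {
        "Stopping PID $id $($proc.ProcessName) from $($proc.Path)"
        Stop-Process -Id $id -Force
    }
}

# ---- Step 3: scan (Microsoft Defender) ---------------------------------
# Skip Update-MpSignature: the host is offline and it would fail. The
# full scan runs synchronously and can take hours.
Start-MpScan -ScanType FullScan
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive, Resources |
    Format-List
Remove-MpThreat    # quarantines or removes every active detection
```

Treat the process table as a shortlist, not a verdict: a valid signature does not clear a process (ransomware has shipped with stolen certificates), and a missing path usually means the binary has already deleted itself. Anything you end here should still be caught by the scan, and the scan should be repeated after the professional has reconnected and updated the machine.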

Step 4: Write down key details

It is important to write down the details of your ransomware incident. Having notes will help you after the attack and may help others.

Detailed information leads to better results

Making a note of the incident details will help you:

  • ask for help from a professional
  • make any insurance, bank or legal claim that follows the attack
  • make a report to your financial institution or the NCSC
  • tell your customers, friends, or family that there has been an issue

How to write down key details

Take note of the date and time, the affected devices, the first signs of ransomware and the details of the affected files, including any new file extension. Note what you were doing immediately before the first signs appeared, the time you disconnected your device, and every action you have taken since.

Write down or take a photo of the ransom note or link. Use an unaffected device to write your notes.

Write down what you can now and add more details as you go through each step.

Step 5: Get professional help

Asking for help early could avoid further harm

Who you ask for help may depend on what systems or files the ransomware has infected.

  • To find an IT professional in your area, search online (using a non-infected device).
  • Ask a colleague, friend or family member if they have seen this type of issue before. They might know a professional who can help you.
  • If you are the victim of identity theft, visit IDCARE. It is a free not-for-profit service set up to help you.
  • If you have cyber insurance, contact your insurance provider. Be prepared to answer questions using your notes from Step 4: Write down key details.
  • If the ransomware targeted your software, applications or accounts, consider contacting the provider, for example Facebook, Gmail or MYOB.
  • Report a cybercrime or cyber security incident by emailing the NCSC.

Working with a professional

When you find a professional, follow these tips.

1. Give them all the details you have:

  • Give the professional the details you wrote down in Step 4, and tell them your files have been encrypted by ransomware.

2. Back up your data:

  • If you have an existing backup of your files, let the professional know.
  • Ask the professional to copy the encrypted files onto a separate, blank storage device. Do this even though the files are still encrypted: a decryption tool may be available now or in the future, and the copy also protects you if removing the ransomware destroys the originals. We have advice on backing up and restoring data.

3. Remove the ransomware:

  • Ask the professional to confirm that the ransomware is gone from your device. Note: this step may involve a factory reset, which is irreversible. Talk to the professional about potential data loss before this step.

4. Reconnect your device and update:

  • Once the professional has confirmed the device is clean, ask them to reconnect it to your network. Once it is back online, they can update your operating system and software.

5. Restore from an unaffected backup:

  • If you have a recent backup that was not connected during the attack, this step restores your files to their previous state. Work with the professional to restore them. You will not be able to do this if the backup was connected and encrypted too. We have advice on backing up and restoring data.

6. Decrypt your files:

  • For some ransomware variants, decryption tools become available, and you can use these to unlock your files. Ask the professional to look for a tool that works for yours.
  • We recommend No More Ransom, a free and reputable online resource run by law enforcement agencies and security companies. If no tool currently works for your files, one may appear in the future, which is why you keep the encrypted copy.
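The file details asked for in Step 4 and the family identification that item 6 depends on can be captured in one pass by whoever is handling the machine. The script below is an added example written for this page, not the guide's own or No More Ransom's tooling; it assumes a Windows 10 host that is already disconnected, a blank USB stick mounted as drive E:, a six-hour window for the attack, the user profile as the search root, and its ransom-note search is a keyword heuristic rather than a signature.

```powershell
# Added example (not part of the original guide): gather the Step 4
# details from a Windows 10 host and copy them, with the ransom note and
# two sample encrypted files, to a blank USB stick for the professional
# and for decryption-tool lookups (Step 5, item 6). Assumptions: the
# host is already disconnected (Step 1), the blank stick is drive E:,
# and the ransomware ran within the last six hours.
$Usb    = 'E:\incident'             # placeholder: the blank USB stick
$Window = (Get-Date).AddHours(-6)   # placeholder: how far back to look
$Root   = $env:USERPROFILE          # placeholder: where to search
New-Item -ItemType Directory -Path $Usb -Force | Out-Null

# 1. Who, where and when these notes were taken.
$notes = [ordered]@{
    Hostname     = $env:COMPUTERNAME
    User         = $env:USERNAME
    OSVersion    = (Get-CimInstance Win32_OperatingSystem).Caption
    NotesTakenAt = (Get-Date).ToString('o')
}

# 2. Files written in the window, grouped by extension. A new extension
#    that suddenly appears on thousands of files is the ransomware's
#    output and the first thing to check against decryption-tool sites.
$changed = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $Window
$byExt = $changed | Group-Object Extension | Sort-Object Count -Descending
$byExt | Select-Object Count, Name |
    Export-Csv "$Usb\changed-extensions.csv" -NoTypeInformation
$ordered = $changed | Sort-Object LastWriteTime
$notes.FirstChange = ($ordered | Select-Object -First 1).LastWriteTime
$notes.LastChange  = ($ordered | Select-Object -Last 1).LastWriteTime

# 3. Ransom-note candidates: small text or HTML files written in the
#    window that mention decryption or payment. Heuristic, not a
#    signature. Copies get a .txt suffix so an .hta note cannot run if
#    someone double-clicks it on the analysis machine.
$noteFiles = $changed |
    Where-Object { $_.Length -lt 200KB -and $_.Extension -in '.txt', '.html', '.hta' } |
    Where-Object { Select-String -Path $_.FullName -Pattern 'decrypt|bitcoin|ransom|\.onion' -Quiet }
foreach ($f in $noteFiles) { Copy-Item $f.FullName "$Usb\note-$($f.Name).txt" }
$notes.RansomNotes = @($noteFiles | ForEach-Object FullName) -join '; '

# 4. Two samples of the dominant new extension plus their SHA-256 hashes.
#    Encrypted files are not infectious, and identification services ask
#    for a couple of samples like these, not the whole disk.
$topExt = $byExt |
    Where-Object { $_.Name -and $_.Name -notin '.txt', '.html', '.hta', '.log', '.csv', '.json' } |
    Select-Object -First 1
$samples = @($changed | Where-Object { $_.Extension -eq $topExt.Name } | Select-Object -First 2)
foreach ($s in $samples) { Copy-Item $s.FullName "$Usb\sample-$($s.Name)" }
$samples | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv "$Usb\sample-hashes.csv" -NoTypeInformation
$notes.DominantExtension = $topExt.Name
$notes.SampleCount       = $samples.Count

$notes | ConvertTo-Json | Set-Content "$Usb\notes.json"
```

Hand notes.json, the two CSV files and the copied note and sample files to the professional; the sample files and the note's text, links and addresses are what No More Ransom's identification service asks for to match a family to a decryptor. Read the copied notes as plain text only, and never run them.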

Step 6: Notify and report

If you are a business, you may have to notify your customers of the attack.

If your business holds sensitive information, such as financial or personal information, you may also need to report the incident to regulators.

How to report a ransomware incident

Using your notes from Step 4: Write down key details, do the following:

  1. Contact your legal provider to assist you in contacting your customers, clients, and suppliers.
  2. Contact anyone affected by the compromise including staff, colleagues, family, and friends.
  3. Report the incident to us, the Australian Cyber Security Centre.
  4. If you think your bank account or credit card details are at risk, contact your financial institution. They may be able to stop a transaction or disable your account.

Step 7: Protect yourself from future ransomware attacks
