I’m a victim of a ransomware attack. What should I do?
Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them.
A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also demand a ransom to prevent data and intellectual property from being leaked or sold online.
This guide has simple steps to follow if you are a victim of ransomware. The first section will show you how to respond if one of your devices is infected with ransomware. The second section will help you to recover your files and restore your devices.
Not all ransomware attacks are the same so some of the steps in this guide may not apply to your situation. Use the actions that best suit your case.
Want to find out more?
Learn more about ransomware.
Never pay a ransom
There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack.
Call the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) 24/7 Hotline on 1300 CYBER1 (1300 292 371) if you need cyber security assistance.
Respond to a ransomware attack
Start here if you are experiencing a ransomware attack.
Work through the steps below as quickly as you can. Acting quickly could stop the ransomware from spreading.
If you get stuck, seek professional help
Ransomware attacks can cause serious damage. It is hard to tackle and overcome them on your own. Consider finding a professional to help you work through a ransomware attack and get back on your feet.
It is important to record important details about the ransomware attack to help you:
- ask for help from a professional
- make an insurance, bank or legal claim that may follow after the attack
- make a report to the ASD's ACSC through ReportCyber
- tell your family, colleagues or authorities that there has been an issue.
Complete this step as quickly as possible, as the ransomware could still be spreading through your device and network.
What to record
The details you should try to record are:
- if the files that have been affected by ransomware have a new extension
- the name of any new file extension
- the ransom note
- anything else that has changed since the attack.
A quick way to record the information you need is to take a photo of your screen. It’s okay if you can’t record everything, but you should try to capture as much as possible, as quickly as you can.
As soon as you have recorded details about the ransomware attack, turn off the infected device by holding down the power button or unplugging it from the wall. For most people, this is the best way to stop the ransomware from spreading.
Ransomware can spread across networks. If there are other devices on your network, you should turn them off too. Start with the devices that are most important to you. Important devices typically include things like Network Attached Storage (NAS) devices, servers, computers, phones, tablets and any other devices that store valuable information.
Some forms of ransomware steal your passwords. It can be difficult to know what information ransomware has accessed so, as a precaution, you should change the passwords for your accounts as soon as possible. Start with your most important accounts first.
What’s important will be different for everyone, but important accounts typically include:
- cloud storage accounts
- email accounts
- bank accounts
- business accounts
As you change your passwords, consider enabling multi-factor authentication on supported accounts. Multi-factor authentication makes it harder for cybercriminals to get access to your accounts. The ASD's ACSC has published guidance on using multi-factor authentication.
Recover from a ransomware attack
Now that you’ve responded to a ransomware attack, it’s time to recover your information, restore your infected devices and report the incident.
Note: At the end of this guide, you will be given guidance on reporting the incident. In some cases you may need to make reports urgently, for example, to meet obligations to your customers or your insurance company. Consider if you have any urgent reporting requirements before you begin the next step.
Check your backups
The ASD's ACSC recommends you keep backups of your information as a precaution against things like ransomware attacks.
If you have backups, make sure they are free from ransomware to avoid re-infecting your device. Your backups may be infected with ransomware if they are saved on your infected device or were on the same network as your infected device at any point since the infection. Your backups should be secure if they were never connected to the infected device or to the same network as the infected device.
If you think your backups may be infected with ransomware, don’t try to access them, ask an IT professional for support.
If you have backups that are free from ransomware, make sure you don’t connect them to your infected device or network. Remove the ransomware from the infected device or network first using the guidance in Step 6.
What to do if you don’t have a secure backup of your information
If you do not have a secure backup, it may still be possible to recover your information but you will likely need professional help. Consider how important the affected information is to you and how much you are willing to pay for professional help to restore it.
Remember, never pay a ransom. There is no guarantee your files will be restored, nor does it prevent the publication of any stolen data or its sale for use in other crimes. You may also be targeted by another attack.
Ransomware can be difficult to remove. For most people, the best way to remove ransomware is to wipe all infected drives and devices and reinstall their operating systems. Be aware that this step will permanently delete all of your information so make sure you’ve completed Step 5 and recovered what information you can first.
Remember that ransomware can spread across a network. We recommend following this step for all drives and devices that were on the same network as the infected device at any point since the infection.
The steps to wipe your drives and devices vary across manufacturers. The manufacturer of your drive or device will have guidance on their website. We’ve listed some resources below.
Now that you have removed the ransomware from affected drives and devices, it is safe to connect them to your backups and restore your information. Remember the guidance in Step 5; only restore information from a backup if you are confident that it is free from ransomware. The ASD's ACSC’s guidance on backups includes information on restoring your information.
Report the incident to the ASD's ACSC through ReportCyber. Submitting a report helps to disrupt cybercrime operations and make Australia the most secure place to connect online. Include the information you recorded in Step 1.
Additional reporting responsibilities for businesses
If you’re a business, depending on the severity of the ransomware compromise, you may have to notify your customers of the attack.
If your business holds sensitive information (such as financial or personally identifiable information), or is part of a government supply chain, you may also need to report the incident to regulators.
If you think you need to make a report, consult with the Office of the Australian Information Commissioner or seek legal or government support.
Prevent future attacks
Take some time to consider how your device was infected with ransomware so you can prevent the same thing from happening again. The ASD's ACSC has published advice to help you protect yourself against ransomware attacks. This advice outlines precautions you can take to reduce the impact of ransomware attacks or prevent them from happening in the first place.
Who should I contact?
ASD's ACSC ReportCyber
Report cybercrimes, security incidents and abuse through ReportCyber. Your report helps to disrupt crime operations and makes Australia more secure. If your money and/or identity is at risk, also notify the relevant services below.
National Anti-Scam Centre - Scamwatch
Report malware incidents to National Anti-Scam Centre - Scamwatch. Your report helps to warn people about current threats and disrupt them where possible. You’ll need to provide details of the malware, such as how it occurred and any losses you suffered.
Your financial institution
Contact your bank or credit union immediately if you’ve lost money in a malware attack. They may be able to close your account or stop a transaction. Make sure you call them using their official phone number.
The compromised website or product owner
If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.
Contact the Services Australia Scams and Identity Helpdesk. They provide support if you’ve sent personal details or money to someone pretending to be from a government service.
Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.
Australian Taxation Office
Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.