Ransomware Response Checklist

If you have experienced a ransomware attack, CISA strongly recommends using the following checklist provided in a Joint CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware Guide to respond. This information will take you through the response process from detection to containment and eradication.

  • Determine which systems were impacted, and immediately isolate them.
  • Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.
  • Triage impacted systems for restoration and recovery.
  • Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
  • Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.
  • Take a system image and memory capture of a sample of affected devices (e.g., workstations and servers).
  • Consult federal law enforcement about any available decryptors, as security researchers have already broken the encryption algorithms for some ransomware variants.