Ransomware Response Checklist

If you have experienced a ransomware attack, CISA strongly recommends using the following checklist provided in a Joint CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware Guide to respond. This information will take you through the response process from detection to containment and eradication.

• Determine which systems were impacted, and immediately isolate them.
• Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.
• Triage impacted systems for restoration and recovery.
• Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
• Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.
• Take a system image and memory capture of a sample of affected devices (e.g., workstations and servers).
• Consult federal law enforcement regarding possible decryptors available, as security researchers have already broken the encryption algorithms for some ransomware variants.