First published: 14 Jul 2023
Last updated: 14 Jul 2023

Content written for

Individuals & families
Small & medium business

I’m a victim of a ransomware attack. What should I do?

Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them.

A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also demand a ransom to prevent data and intellectual property from being leaked or sold online.

This guide has simple steps to follow if you are a victim of ransomware. The first section will show you how to respond if one of your devices is infected with ransomware. The second section will help you to recover your files and restore your devices.

Not all ransomware attacks are the same so some of the steps in this guide may not apply to your situation. Use the actions that best suit your case.

Want to find out more?

Learn more about ransomware.

Never pay a ransom

There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack.

Call our Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371) if you need cybersecurity assistance.

Respond to a ransomware attack

Start here if you are experiencing a ransomware attack.

Work through the steps below as quickly as you can. Acting quickly could stop the ransomware from spreading.

If you get stuck, seek professional help

Ransomware attacks can cause serious damage. It is hard to tackle and overcome them on your own. Consider finding a professional to help you work through a ransomware attack and get back on your feet.

Recover from a ransomware attack

Now that you’ve responded to a ransomware attack, it’s time to recover your information, restore your infected devices and report the incident.

Note: At the end of this guide, you will be given guidance on reporting the incident. In some cases you may need to make reports urgently, for example, to meet obligations to your customers or your insurance company. Consider if you have any urgent reporting requirements before you begin the next step.

Prevent future attacks

Who should I contact?

ASD's ACSC ReportCyber

Report cybercrimes, security incidents and abuse through ReportCyber. Your report helps to disrupt crime operations and makes Australia more secure. If your money and/or identity is at risk, also notify the relevant services below.

National Anti-Scam Centre - Scamwatch

Report malware incidents to National Anti-Scam Centre - Scamwatch. Your report helps to warn people about current threats and disrupt them where possible. You’ll need to provide details of the malware, such as how it occurred and any losses you suffered.

Your financial institution

Contact your bank or credit union immediately if you’ve lost money in a malware attack. They may be able to close your account or stop a transaction. Make sure you call them using their official phone number.

The compromised website or product owner

If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia

If you need to report a scam related to myGov or Services Australia, including Centrelink, Medicare or Child Support, email it to reportascam@servicesaustralia.gov.au.

If you think you've been scammed by someone impersonating myGov or Services Australia, including Centrelink, Medicare or Child Support, call Services Australia’s Scams and Identity Theft Helpdesk.

IDCARE

Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office

Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

Need more support?

For help with all types of threats, visit our where to get help page. If you still need help, call our hotline 24/7 on 1300 CYBER1 (1300 292 371).

ASD takes protecting your information seriously. Under the limited use obligation, information that industry organisations voluntarily provide ASD about cybersecurity incidents, potential incidents or vulnerabilities impacting your organisation cannot be used for regulatory purposes. This includes any information that is acquired or prepared by ASD with you organisation's consent.

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it