Report and recover from ransomware

It is important to record important details about the ransomware attack to help you:

• ask for help from a professional
• make an insurance, bank or legal claim that may follow after the attack
• make a report to the ASD's ACSC through ReportCyber
• tell your family, colleagues or authorities that there has been an issue.

Complete this step as quickly as possible, as the ransomware could still be spreading through your device and network.

What to record

The details you should try to record are:

• if the files that have been affected by ransomware have a new extension
• the name of any new file extension
• the ransom note
• anything else that has changed since the attack.

A quick way to record the information you need is to take a photo of your screen. It’s okay if you can’t record everything, but you should try to capture as much as possible, as quickly as you can.

As soon as you have recorded details about the ransomware attack, turn off the infected device by holding down the power button or unplugging it from the wall. For most people, this is the best way to stop the ransomware from spreading.

Ransomware can spread across networks. If there are other devices on your network, you should turn them off too. Start with the devices that are most important to you. Important devices typically include things like Network Attached Storage (NAS) devices, servers, computers, phones, tablets and any other devices that store valuable information.

Some forms of ransomware steal your passwords. It can be difficult to know what information ransomware has accessed so, as a precaution, you should change the passwords for your accounts as soon as possible. Start with your most important accounts first.

What’s important will be different for everyone, but important accounts typically include:

• cloud storage accounts
• email accounts
• bank accounts
• business accounts

The ASD's ACSC has published guidance on using password managers and guidance on creating passphrases (a strong type of password).

As you change your passwords, consider enabling multi-factor authentication on supported accounts. Multi-factor authentication makes it harder for cybercriminals to get access to your accounts. The ASD's ACSC has published guidance on using multi-factor authentication.

Check your backups

The ASD's ACSC recommends you keep backups of your information as a precaution against things like ransomware attacks.

If you have backups, make sure they are free from ransomware to avoid re-infecting your device. Your backups may be infected with ransomware if they are saved on your infected device or were on the same network as your infected device at any point since the infection. Your backups should be secure if they were never connected to the infected device or to the same network as the infected device.

If you think your backups may be infected with ransomware, don’t try to access them, ask an IT professional for support.

If you have backups that are free from ransomware, make sure you don’t connect them to your infected device or network. Remove the ransomware from the infected device or network first using the guidance in Step 6.

What to do if you don’t have a secure backup of your information

If you do not have a secure backup, it may still be possible to recover your information but you will likely need professional help. Consider how important the affected information is to you and how much you are willing to pay for professional help to restore it.

Remember, never pay a ransom. There is no guarantee your files will be restored, nor does it prevent the publication of any stolen data or its sale for use in other crimes. You may also be targeted by another attack.

Ransomware can be difficult to remove. For most people, the best way to remove ransomware is to wipe all infected drives and devices and reinstall their operating systems. Be aware that this step will permanently delete all of your information so make sure you’ve completed Step 5 and recovered what information you can first.

Remember that ransomware can spread across a network. We recommend following this step for all drives and devices that were on the same network as the infected device at any point since the infection.

The steps to wipe your drives and devices vary across manufacturers. The manufacturer of your drive or device will have guidance on their website. We’ve listed some resources below.

• Apple iPhone, iPad or iPod
• Apple Mac devices
• Microsoft Windows devices
• Samsung phones
• Google Pixel phones

Now that you have removed the ransomware from affected drives and devices, it is safe to connect them to your backups and restore your information. Remember the guidance in Step 5; only restore information from a backup if you are confident that it is free from ransomware. The ASD's ACSC’s guidance on backups includes information on restoring your information.

Report the incident to the ASD's ACSC through ReportCyber. Submitting a report helps to disrupt cybercrime operations and make Australia the most secure place to connect online. Include the information you recorded in Step 1.

Additional reporting responsibilities for businesses

If you’re a business, depending on the severity of the ransomware compromise, you may have to notify your customers of the attack.

If your business holds sensitive information (such as financial or personally identifiable information), or is part of a government supply chain, you may also need to report the incident to regulators.

If you think you need to make a report, consult with the Office of the Australian Information Commissioner or seek legal or government support.

Take some time to consider how your device was infected with ransomware so you can prevent the same thing from happening again. The ASD's ACSC has published advice to help you protect yourself against ransomware attacks. This advice outlines precautions you can take to reduce the impact of ransomware attacks or prevent them from happening in the first place.