Ransomware Attack¶
Your files have been encrypted and the attackers are demanding payment (usually in cryptocurrency) to restore access. Many groups also steal data before encrypting it and threaten to publish it, so treat the incident as a possible data breach as well. This is one of the most damaging types of cyber attack for organizations.
Immediate Actions (First Hour)¶
- Do NOT pay the ransom immediately - Payment does not guarantee recovery (attacker-supplied decryptors are often slow or buggy), it funds criminal operations, and you can still decide later with better information
- Isolate affected systems - Disconnect them from the network (unplug Ethernet, disable WiFi); if many hosts are hit, block the affected segment at the switch or firewall rather than host by host, and cut off VPN and remote-access paths the attacker may still be using
- Do NOT turn off computers - Volatile evidence (running processes, network connections, in some cases the encryption key itself) is lost on power-off; isolate instead
- Document everything - Screenshot ransom notes, record affected systems, note when the encryption was first observed
- Check backup status - Are your backups intact, unencrypted, and held offline or otherwise out of reach of the compromised network? Backups reachable with the same credentials are usually deleted or encrypted first
Before Paying: Check for Free Decryption¶
Many ransomware variants have been cracked. Check these resources first:
No More Ransom Project¶
The #1 resource for free ransomware decryption tools.
- Website: nomoreransom.org
- Crypto Sheriff: Upload ransom note or encrypted file to identify the ransomware
- Decryption Tools: 170+ free decryption tools available
- Partners: Europol, Dutch Police, Kaspersky, McAfee, and 180+ partners
ID Ransomware¶
Identify the ransomware strain affecting you:
- Website: id-ransomware.malwarehunterteam.com
- Upload a ransom note OR an encrypted file to identify the variant
- Tells you whether a decryptor is known for that variant
Emsisoft Decryption Tools¶
- Website: emsisoft.com/ransomware-decryption
- Free decryptors for many ransomware families
Kaspersky No Ransom¶
- Website: noransom.kaspersky.com
- Additional decryption tools
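Both identification services above work from the same handful of features: the ransom note's filename and wording, the extension appended to encrypted files and, for some families, fixed marker bytes in the ciphertext. The following script, added here as an example and not code from the original page or from any of the services listed, extracts those features from a note and one encrypted file so they can be uploaded, searched for and kept with the evidence. The note text, contact addresses, file names and marker bytes are constructed for the example (example.com is a reserved domain), and the regular expressions are heuristics, not a family catalogue.

```python
"""Pull the identifying features out of a ransom note and an encrypted file.

Added example, not from the original page. The sample note, addresses and
file names below are constructed; the regexes are heuristics, not a catalogue.
"""
import json
import os
import re

ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)   # v2 (16) or v3 (56) hostnames
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
VICTIM_ID_RE = re.compile(r"\b(?:personal|victim|client|your)\s*id\s*[:=]?\s*([A-Za-z0-9-]{8,})", re.I)


def ransom_note_features(note_path: str, text: str) -> dict:
    """Contact channels and IDs: stable across victims of one family or campaign."""
    return {
        "note_filename": os.path.basename(note_path),
        "onion_addresses": sorted(set(ONION_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "bitcoin_addresses": sorted(set(BTC_RE.findall(text))),
        "victim_ids": sorted(set(VICTIM_ID_RE.findall(text))),
    }


def encrypted_file_features(enc_path: str, data: bytes) -> dict:
    """Appended extension, original extension and the bytes where markers usually sit."""
    name = os.path.basename(enc_path)
    stem, appended_ext = os.path.splitext(name)      # report.xlsx.locked -> (report.xlsx, .locked)
    original_ext = os.path.splitext(stem)[1]         # -> .xlsx
    return {
        "filename": name,
        "appended_extension": appended_ext,
        "original_extension": original_ext,
        "size": len(data),
        "header_hex": data[:16].hex(),    # some families prepend a magic value
        "footer_hex": data[-16:].hex(),   # others append the encrypted file key or a tag
    }


def build_identification_report(note_path: str, text: str, enc_path: str, data: bytes) -> dict:
    note = ransom_note_features(note_path, text)
    sample = encrypted_file_features(enc_path, data)
    # terms to submit or search for, roughly in the order most likely to narrow the family
    terms = [note["note_filename"], sample["appended_extension"]] + note["emails"] + note["onion_addresses"]
    return {"note": note, "sample": sample, "search_terms": [t for t in terms if t]}


# --- constructed sample input (not from a real incident) -----------------------
NOTE_PATH = "//fileserver/finance/HOW_TO_RECOVER_FILES.txt"
NOTE_TEXT = """\
ALL YOUR FILES HAVE BEEN ENCRYPTED!
Your documents, databases and backups are encrypted with a strong algorithm.
Personal ID: 7F3A-9C21-B0E4-D5AA
To recover them, contact us within 72 hours:
  e-mail: recovery@example.com
  Tor: http://constructedexampleonionaddressforthisnote234567234567234.onion/
Price: 0.5 BTC to 1ConstructedBTCAddr23456789ABCDEFGH
Do not rename or modify encrypted files.
"""
ENC_PATH = "//fileserver/finance/budget_2025.xlsx.locked"
# fake ciphertext with a made-up header marker and a made-up trailing key blob
ENC_DATA = b"\x7fLOCKED\x00\x01" + bytes(range(256)) * 4 + b"\x00\x00KEYBLOB\xff"


def example_report() -> dict:
    return build_identification_report(NOTE_PATH, NOTE_TEXT, ENC_PATH, ENC_DATA)


if __name__ == "__main__":
    print(json.dumps(example_report(), indent=2))
```

Run it against a real note and sample and the `search_terms` list is what you paste into Crypto Sheriff, ID Ransomware or a web search; the header and footer hex are worth recording because a fixed marker in those positions is often how a vendor decryptor confirms a file belongs to the family it handles.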
Swedish Resources¶
CERT-SE¶
- Report the incident: cert.se
- 24/7 hotline: +46 10 240 40 40
- Coordination with other affected organizations
- Threat intelligence sharing
Police Report¶
- File a report: polisen.se/anmal
- Usually required for cyber-insurance claims (check your policy wording)
- IT crime unit may investigate (large cases)
International Resources¶
CISA Ransomware Guide (US)¶
- Website: cisa.gov/stopransomware
- Comprehensive response guide
- Sector-specific guidance
NCSC Ransomware Guidance (UK)¶
- Website: ncsc.gov.uk/ransomware
- Mitigating malware and ransomware attacks
- Recovery guidance
ENISA Ransomware Threat Landscape¶
- Report: enisa.europa.eu
- European threat analysis
- Best practices
Evidence to Preserve¶
Before attempting recovery, preserve:
- [ ] Screenshots of ransom notes (all screens)
- [ ] Ransom note files (.txt, .html files left by attackers)
- [ ] Sample encrypted files (for identification)
- [ ] System logs (Windows Event Logs, syslog)
- [ ] Network logs (firewall, proxy)
- [ ] Memory dumps (if possible, before shutdown)
- [ ] List of affected systems and file shares
Recovery Options¶
Option 1: Restore from Backups¶
Best case scenario if backups are intact:
- Verify backups are clean (not encrypted, and not taken after the intrusion began: attackers are often inside for days or weeks before encryption starts)
- Identify and close the initial entry point (exposed remote access, phishing, stolen credentials) or the restored systems will be hit again
- Wipe and rebuild affected systems from known-good media rather than cleaning them in place
- Restore data from backups
- Change all credentials (including service accounts and domain credentials) before reconnecting
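The evidence checklist above asks for ransom note files and sample encrypted files, and the first recovery step asks you to verify that a backup is not itself encrypted. Both are the same scan: find note files by name and wording, find encrypted files by their near-maximal byte entropy, and hash every hit so the sample you later upload is provably the one you preserved. The script below is added here as an example and is not code from the original page or from any of the listed tools. The note-name pattern, keyword list, entropy threshold and the sample file tree it builds are assumptions made for the example.

```python
"""Triage a file tree for ransomware artefacts and build a hashed evidence manifest.

Added example, not part of the original page. Two heuristics:
  * ransom notes: small text files whose name and/or wording match common patterns
    (name regex and keyword list are assumptions, not a complete catalogue);
  * encrypted files: Shannon entropy close to 8 bits/byte over the whole file,
    which is what ciphertext looks like. Compressed formats score high too, so
    files whose extension already marks them as compressed are skipped.
Running the same scan over a restored backup tree is a quick cleanliness check.
"""
import hashlib
import json
import math
import os
import re
import tempfile
from collections import Counter

NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how_to|help).*\.(txt|html|hta)$", re.I)
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", ".onion", "your files")
ENTROPY_THRESHOLD = 7.8   # uniform random bytes approach 8.0; English text is roughly 4.5
MIN_SIZE = 4096           # the entropy estimate on tiny files is biased low, so skip them
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4",
                  ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a perfectly uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: str, data: bytes) -> bool:
    if len(data) > 32 * 1024:            # notes are short; do not decode large blobs
        return False
    text = data.decode("utf-8", errors="ignore").lower()
    hits = sum(kw in text for kw in NOTE_KEYWORDS)
    name_match = NOTE_NAME_RE.search(os.path.basename(path)) is not None
    return (name_match and hits >= 1) or hits >= 2


def looks_encrypted(path: str, data: bytes) -> bool:
    ext = os.path.splitext(path)[1].lower()
    if ext in COMPRESSED_EXT or len(data) < MIN_SIZE:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> dict:
    """Walk root and return a manifest of ransom notes and likely-encrypted files."""
    manifest = {"root": root, "scanned": 0, "ransom_notes": [], "encrypted_samples": []}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                   # unreadable file: record it separately, keep going
            manifest["scanned"] += 1
            entry = {"path": os.path.relpath(path, root), "size": len(data),
                     "sha256": hashlib.sha256(data).hexdigest()}
            if is_ransom_note(path, data):
                manifest["ransom_notes"].append(entry)
            elif looks_encrypted(path, data):
                entry["entropy"] = round(shannon_entropy(data), 3)
                manifest["encrypted_samples"].append(entry)
    return manifest


def backup_is_clean(backup_root: str) -> bool:
    """True when a backup tree contains neither ransom notes nor encrypted-looking files."""
    m = scan_tree(backup_root)
    return not m["ransom_notes"] and not m["encrypted_samples"]


def build_sample_tree(infected: bool = True) -> str:
    """Constructed sample share in a temp dir; infected=False stands in for a clean backup."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    share = os.path.join(root, "finance")
    os.makedirs(share)
    text = ("Agenda: Q3 budget review, headcount planning, vendor renewals.\n" * 80).encode()
    with open(os.path.join(share, "meeting_notes.txt"), "wb") as fh:
        fh.write(text)
    # deterministic pseudo-random bytes stand in for ciphertext and for compressed data
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    with open(os.path.join(share, "archive.zip"), "wb") as fh:   # high entropy but legitimate
        fh.write(noise)
    if infected:
        with open(os.path.join(share, "quarterly_report.xlsx.locked"), "wb") as fh:
            fh.write(noise)
        note = b"ALL YOUR FILES HAVE BEEN ENCRYPTED!\nTo decrypt them pay 0.5 bitcoin via our .onion site.\n"
        with open(os.path.join(share, "README_TO_DECRYPT.txt"), "wb") as fh:
            fh.write(note)
    return root


if __name__ == "__main__":
    print(json.dumps(scan_tree(build_sample_tree()), indent=2))
    print("clean backup:", backup_is_clean(build_sample_tree(infected=False)))
```

Point `scan_tree` at a share or a mounted backup; the manifest doubles as the evidence record (path, size, SHA-256) for the samples you upload. The entropy test has two known blind spots worth keeping in mind: a family that encrypts files in place without changing the extension will be skipped when the original extension is in the compressed-format set, and a family that only encrypts the first part of each large file will score lower than the threshold, so a suspicious tree that comes back empty still deserves a manual look.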
Option 2: Free Decryption¶
If a decryptor exists:
- Identify the ransomware variant (No More Ransom, ID Ransomware)
- Download the decryptor only from the vendor's own site or No More Ransom; fake "decryptors" are a common follow-on scam
- Work on copies: keep the original encrypted files untouched until the decrypted output has been opened and checked, since a wrong or buggy decryptor can damage them beyond recovery
- Test on a few files first
- Document the process
Option 3: Pay Ransom (Last Resort)¶
We do not recommend paying, but if you must:
- Paying does not guarantee recovery; the decryptor you receive may be slow, buggy or incomplete
- You may be targeted again
- It funds criminal operations
- Paying a group that is under sanctions can itself be illegal; involve legal counsel before any payment
- If you pay, still report it (nomoreransom.org's crime-reporting page routes you to your national law enforcement) so the group can be tracked
Guides & Documentation¶
NIST Ransomware Guide¶
- PDF: NISTIR 8374, Ransomware Risk Management: A Cybersecurity Framework Profile
- Technical guidance for prevention and recovery
SANS Ransomware Resources¶
- Poster: SANS Ransomware Defense
- Quick reference guides
Need Help?¶
If you're a Swedish organization that can't afford commercial incident response:
Apply to HackAid - Our BTH-trained volunteers provide free digital forensics assistance.
Last updated: 2026-01