Skip to content

Ransomware remediation workflow

Follow these steps to remediate a ransomware attack.



When you remediate an attack, you're likely to remove evidence of how the attack happened. We recommend backing up affected systems and files left over by the attack. If you aren't sure if the files are safe, you can zip them to prevent them from running.

More resources

How to use Microsoft Autoruns to locate undetected malware

Interesting Windows Event IDs - Malware/General Investigation

Ransomware: Recovery and removal

Ransomware: Information and prevention

Define the scope of the problem

To understand the scope of your problem, do as follows:

  1. Identify all the affected endpoints and servers.

    Affected devices have encrypted files and ransom notes in their folders.

    1. If you find encrypted files and ransom notes on file shares, you need to check which user or device created it.
    2. Make sure you store multiple samples of the encrypted files and ransom notes in an accessible location so that you can identify them later.
  2. Find out which account was compromised.

    If you know which account was compromised, you can find out the maximum extent of files, local and remote, that the ransomware has affected from this device since the user account's permissions limit this. To find the compromised account, do as follows:

    1. Find an encrypted file, right-click on the file, and select Properties.
    2. Click Details and look for the owner of the file.
    3. Make a note of the owner information for the file.
  3. Alternatively, you can use a folder to find out owner information. To use a folder, do as follows:

    1. In Windows Explorer, go to a folder with encrypted files.

      We recommend that you choose a network file share that is accessible to multiple users.

    2. Choose the Details view, which gives you different columns of information about the files.

    3. Right-click on a column header and then click More.
    4. Scroll down and select Owner from the list and then click OK.
  4. Different infected devices can have different compromised accounts. You need to repeat this process on all infected devices and create a list of compromised accounts.

  5. Make sure you note any compromised accounts that have administrative rights (local and domain).
  6. When you have the list of accounts, check which file shares those accounts have WRITE access to. You need to check all these shares.

Limit the impact of the malware

Now that you have the initial data, you need to do your investigation. First, you need to prevent the ransomware from encrypting any more data. To stop the ransomware, do as follows:

  1. Turn off all infected devices.

    Turning off your devices is your best chance to save your data. The longer an infected device runs, the more time the ransomware has to encrypt files.

  2. Identify the ransomware's attack method using Ransomware: How an attack works before testing. You could lose data due to further encryption.

  3. Some ransomware runs when you start a device. Image an infected device and then start the infected device to see if files are still being encrypted.
  4. If you can't determine the infected devices, you have a difficult choice. At this stage, to save your data, turn off all your devices.

    Doing this freezes things. Now you have the time to continue your investigation.

  5. Turn your devices on one-by-one to work on them. Clean an individual device and move on to the next.

    We recommend you contact us and purchase our Managed Detection and Response service. This is a highly trained team that can do this remediation for you. They can also provide root cause analysis and ongoing security advice.

Identify the ransomware author

Knowing the author of the ransomware gives you a lot of information about the exact impact you're facing. It helps define which files were encrypted, the most likely infection vector (how they got in), and whether you're facing a possible persistence issue. It can help prevent re-infection. If you have a ransom note from an infected device or samples of the encrypted files, you can identify the responsible malware group.

To identify the author, do as follows:

  1. Upload your ransom note or samples to


    This isn't a Sophos supported site.

Improve your security

To improve your security, do as follows:

  1. If you haven't moved over to Sophos Central with Intercept X and EDR, you need to migrate.

    This is our state-of-the-art security offering and provides the best protection against threats.

    • It contains CryptoGuard, which protects against ransomware.
    • Contact us if you have questions on why this is critical or how to migrate. We have a Rapid Response team that you can hire to assist with the migration.
  2. Confirm that you're following our best practices for threat protection policy settings. This is important because your environment has been recently compromised. You need to increase your security to help prevent re-infection. Check the following links for more information:

  3. Make sure all your devices have all the latest patches.

    This protects against many exploits since Microsoft fixes many vulnerabilities in their updates.

  4. Upgrade any devices using old operating systems versions, such as Windows Server 2003, Windows 2008 non-R2, Windows 7, or Windows XP.

    Windows operating systems that aren't officially supported by Microsoft have security vulnerabilities that don't have patches.

  5. Check you don't have any vulnerable devices publicly facing the internet.


    It's common to have SMB 445, RDP 3389, or other ports open. Malicious actors can exploit these ports.

    You must check your devices. You need to find out which ports you have open and reduce your risk. To check your devices, do as follows:

    1. You can use or with your public IPs to confirm what ports are viewable outside your environment.
    2. If you have any unnecessary publicly facing devices or open ports, alter your firewall policy to reduce your exposure.

Restore your data and normal operations

Now that you've cleaned all your devices and protected them with Sophos Central Intercept X Advanced with EDR, you're ready to get back up and running.

To do this, do as follows:

  1. Restore your data from your backups.


    If you want to do a root cause analysis, you need backups and images of the infected devices. Restoring your devices destroys this evidence and makes a root cause analysis impossible.

    1. Make sure you use data backups that you made before the infection.
    2. Make sure that you can access the data in the files in the backup.
  2. Bring your devices back online.

    1. If the operating system is damaged or you don't have sufficient backups of the infected devices, you need to repair or rebuild them.
    2. Follow the repair and rebuild processes given by your operating system manufacturer.
  3. Test to make sure that your devices are operating normally. To do this, do as follows:

    1. Check they can access the resources needed.
    2. Check the applications are running correctly.
    3. Do any other tests you need to confirm your devices are operating correctly.
  4. Allow your users to access the devices.

Root Cause Analysis

To protect your environment in the future, you need to know how the infection happened. This lets you identify the flaws in your network or environment design and configuration and allows you to improve it for the future. Do a root cause analysis to help with this.

To do a root cause analysis, you must have backups and images of your devices in their infected states.

Ransomware remediation video

This video covers this workflow.