What to Do If Ransomware Hits Your Business

Signs that a device is infected with ransomware:

• Files have strange extensions added (e.g. documents.docx.LOCKED, spreadsheet.xlsx.WNCRY)
• A ransom note file appears on the desktop or in folders (usually named README.txt, RECOVER-FILES.html or similar)
• Files cannot be opened and show errors
• The PC desktop wallpaper has changed to a ransom demand message
• Antivirus or security software has been disabled

Check shared network drives and file servers immediately – if files there are encrypted, multiple devices may already be affected.

For every device showing ransomware symptoms:

• Disconnect the Ethernet cable from the back of the PC
• Disable WiFi – click the WiFi icon and turn off
• Do NOT turn off or restart the PC – memory forensics may be possible later and some ransomware destroys evidence on shutdown
• If practical, also disable WiFi on your router to prevent further spread

Isolate the device from the network before attempting any investigation or cleanup. Ransomware actively scans for connected network shares to encrypt.

From an uninfected device, check:

• Are shared drives and file servers accessible and showing normal file extensions?
• Are other PCs on the network also showing symptoms?
• Is the backup server or NAS affected?
• What was the approximate time the attack started (check file modification timestamps)?

Create a list of affected devices and document the state of shared drives. This information is needed for recovery and reporting.

Immediately notify:

• Senior management or business owner
• Your IT team or managed IT provider (Cybergate support: +6013-256 2218)
• Finance team if the attack affects financial systems or if there is risk of BEC follow-up

Do not attempt recovery alone. Document everything – take photos of ransom notes with a phone, record what you observe.

Paying is rarely the right answer. Before considering payment:

• Check nomoreransom.org for a free decryptor for your specific ransomware strain
• Assess whether backups are available for recovery
• Consult your IT provider and legal counsel

If payment is being considered as a last resort, seek specialist ransomware negotiation advice first. Never pay directly from your main business bank account – it creates financial records that may complicate insurance claims.

Report the incident to:

• CyberSecurity Malaysia: cyber999.com.my or call 1-300-88-2999 (24/7)
• Royal Malaysia Police (Cybercrime): Report at the nearest police station or via rmp.gov.my
• PDPC/PDPD (if personal data was breached): Contact the Personal Data Protection Department
• Your cyber insurance provider (if you have a policy): notify them within the timeframe specified in your policy

Before restoring:

• Verify your backup is not also encrypted (check the most recent backup file dates)
• Restore to a clean machine or after wiping and reinstalling the OS on infected machines
• Scan restored data with updated antivirus before reconnecting to the network
• Do not reconnect to the network until the entry point is identified and patched

If using Synology NAS with snapshots: ransomware that encrypts files in shared folders will also encrypt the files in Synology shared folders. However, Btrfs snapshots are read-only and protected from ransomware. Open Synology DSM > Snapshot Replication and restore shared folders to a point before the attack.

Common ransomware entry points in Malaysian SMEs:

• Phishing email with malicious attachment or link (most common)
• RDP exposed to the internet with weak password
• Outdated software with known vulnerability (unpatched VPN, firewall or server)
• Compromised staff account credentials from data breach

Check email logs for the days before the attack for suspicious emails. Check RDP and VPN logs for unusual login activity. Check Windows Event Viewer Security logs on affected servers. Patch the identified entry point before reconnecting any device to the network.