If you have detected a ransomware attack in progress, Fennel Aurora of F-Secure says to take these 5 steps:
1. If it is your work device which has been hit, don’t switch it off. Rather, disconnect it from all networks (this includes Ethernet, Wi-Fi, Bluetooth and mobile data networks). By turning it off, you will destroy evidence which the incident response team could use for finding out who the attackers are and what they have done.
2. Next, using pen and paper, write down everything that just happened.
3. Finally, contact your IT team and let them handle things from there.
4. We advise against paying ransoms.
5. If you don’t have backups, it is worth going online to see if there is a decryption tool available. This site is a good start.