If you have fallen victim to a ransomware attack, the first thing you should do is isolate affected systems from the network and the internet to prevent the malware from spreading. This includes infected computers, laptops and tablets, whether they are connected by cable, Wi-Fi or a mobile data link.
In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary to limit contagion.
Find the source. Any system running out-of-date or misconfigured software is easily compromised, and it is vital to remember that even SaaS productivity apps like Microsoft 365 can be the entry point.
Reset credentials, including passwords (especially for administrator and other system accounts), but verify that you are not locking yourself out of systems that are needed for recovery. Also be aware that the adversary likely holds multiple credentials, or worse, has access to your entire Active Directory and may try to create new accounts or credentials.
Safely wipe the infected devices and reinstall the OS. Then begin to recover data from backups.
Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean. You should ideally use a quarantined environment that is entirely sandboxed and isolated from other systems in order to load and verify your data and return to a ‘last known good’ state before ransomware struck.
Retain all log data for at least one year. If critical log types are not collected, or are not retained for long enough, key facts about the incident may be impossible to establish.
Install, update, and run antivirus software.
Reconnect to your network.
Monitor network traffic and maintain strict antivirus protocols to identify if any infection remains.
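The backup verification step above (restore only from a backup you are confident is clean, and return to a 'last known good' state) can be partly automated. The following is an added example, not code from the original guidance: it assumes a manifest of SHA-256 hashes recorded when the data was known good, and flags files that were modified, files that were never in the snapshot, and files whose byte entropy looks like ciphertext rather than a document. The hypothetical run_demo() builds a constructed sample backup in a temporary directory.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed content approaches 8.0, plain documents sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    """Compare a backup tree with {relative_path: sha256} recorded when the data was known good."""
    backup_dir = Path(backup_dir)
    findings = {"modified": [], "unexpected": [], "high_entropy": []}
    present = {p.relative_to(backup_dir).as_posix(): p for p in backup_dir.rglob("*") if p.is_file()}
    for rel, p in present.items():
        data = p.read_bytes()  # whole file in memory is fine for a demo; stream large backups instead
        if rel not in manifest:
            findings["unexpected"].append(rel)  # the known-good snapshot never contained this file
        elif hashlib.sha256(data).hexdigest() != manifest[rel]:
            findings["modified"].append(rel)  # content differs from the known-good hash
        sample = data[:65536]
        if len(sample) >= 1024 and shannon_entropy(sample) > entropy_threshold:
            findings["high_entropy"].append(rel)  # looks encrypted, not like ordinary document content
    findings["missing"] = [rel for rel in manifest if rel not in present]
    findings["clean"] = not any(findings.values())  # restore only when every category is empty
    return findings

def run_demo():
    """Constructed sample: two documents recorded in a manifest, then one is overwritten and a new file appears."""
    root = Path(tempfile.mkdtemp())
    good = {"docs/report.txt": b"Quarterly report, plain text. " * 100, "docs/notes.txt": b"meeting notes " * 100}
    manifest = {}
    for rel, content in good.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
        manifest[rel] = hashlib.sha256(content).hexdigest()
    (root / "docs/report.txt").write_bytes(os.urandom(4096))  # simulated encryption: random-looking bytes
    (root / "unexpected_note.txt").write_bytes(b"this file was not in the known-good snapshot")
    return verify_backup(root, manifest)
```

A real deployment would generate the manifest as part of every backup job and store it separately from the backup media, so that an attacker who reaches the backups cannot also rewrite the hashes.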