Ransomware: How to prevent and recover (ITSAP.00.099)

Ransomware is a type of malware that denies a victim access to a system or data until they pay a sum of money. When ransomware infects a device, it renders the system unusable or encrypts its storage, preventing access to the information and systems. Threat actors have evolved their tactics and often leverage data theft as the primary method of extortion.

Threat actors can exploit vulnerabilities and leverage many attack vectors to infect your network, systems and devices with ransomware. Threat actors of any skill level can do this using malicious code and services purchased on the dark web, a model known as ransomware-as-a-service. Additionally, threat actors can use artificial intelligence tools to write effective ransomware and to automate the discovery of weak points in a network, bypass defences, deploy malware and erase evidence of the intrusion.

This publication provides tips to help your organization prepare for and recover from ransomware attacks.

How ransomware infects devices

Threat actors can use a compromised device to spread the ransomware to other connected systems and devices on the same network. Ransomware can infect devices when users:

  • open legitimate-looking but malicious attachments in messages
  • click on malicious links or attachments embedded in websites
  • open personalized and targeted content in phishing emails, texts and social media

Threat actors tailor their malicious content by researching a target's social and professional contacts and any other information they can gather about the target. They may also monitor communication habits before deploying the ransomware, so that the lure arrives from a plausible sender at a plausible time.

If a device is infected with ransomware, a ransom note appears on the screen stating that your files have been encrypted and will remain inaccessible until the ransom is paid. Cybercriminals usually demand payment in cryptocurrency because of the pseudonymity it provides and because it lets them move proceeds across borders quickly, expanding their reach and complicating law enforcement efforts. Other payment methods demanded include prepaid credit or gift cards. Threat actors typically set a deadline for payment, after which they may increase the ransom amount, destroy your files or leak your data.

How to prepare your organization

There are several approaches you can take to better protect your networks, systems and devices. The following is a list of actions you can take to strengthen your cyber security.

Plan ahead

Developing an incident response plan for your organization is the cornerstone of your cyber defence strategy. An incident response plan helps you detect and respond to cyber security incidents. Your organization should consider the major events that could cause an unplanned outage and require you to activate the plan.

It should include a risk assessment, backup, recovery and communications plans. It should also designate roles for your employees and provide them with detailed instructions in the event of an incident. Your plan should be available offline in the event your systems are unavailable. Additionally, your organization should develop and frequently test a business continuity and disaster recovery plan.

Prepare for recovery

Once an incident has been contained or resolved, your organization should have a recovery plan in place, which should be tested by conducting simulations or walk-through exercises. The scenarios should test the effectiveness of your response and highlight areas for improvement.

Back up your data

Having reliable backups can significantly enhance your ability to recover from a ransomware attack. A backup is a copy of your data and systems that can be restored and provides access to your critical systems in the event of an incident. Back up your data frequently so that the most recent copy is as close to real time as your recovery objectives require. Put multiple security barriers between your production systems and your backups: separate credentials, no standing write access from production accounts, and at least one copy that is offline or otherwise immutable. Ensure your backups are encrypted and that the offline copy has no connection to the Internet or to your local network. If your backups are reachable from your network with the same credentials as production, threat actors can encrypt or delete them, which will hinder your recovery efforts. Regularly test restoring from your backups; an untested backup is not a recovery plan.

Provide security awareness training for employees

Provide employees with tailored, continuous training on cyber security and device management. This reduces the likelihood that they fall victim to malicious activities such as phishing emails and infected downloads. To learn more about cyber security event management training, consult the Cyber Centre Learning Hub. The Learning Hub offers a comprehensive event management course that can be tailored to your organization's business and information technology (IT) needs.

Consider cyber insurance

Research insurance providers and policy details to determine whether cyber insurance would benefit your organization. An insurance policy may add an additional layer of protection and provide your organization with incident response expertise in the event of a ransomware attack. However, make sure the policy documents themselves are properly protected on your systems; if a sophisticated ransomware actor finds them, they can learn your coverage amounts and use that information in ransom negotiations. Be aware that insurers may deny coverage if they deem that your organization did not have adequate cyber security measures in place.

How to protect your organization

Ransomware is among the most common types of malware and can be one of the most damaging cyber attacks against your organization. Use the following guidance to protect your organization from ransomware attacks.

Enforce strong authentication methods

Activate phishing-resistant multi-factor authentication (MFA) and use strong and unique passphrases or passwords on all devices and for every account.

In addition to using MFA, you should encourage employees to use a password manager. Password managers can help users generate, remember and secure passwords or passphrases. Your organization should also consider implementing password vaults for administrative accounts. Password vaults provide greater protection because the stored passwords or passphrases are rotated automatically and synchronized with your systems, so a captured administrative credential has a short useful life.

Implement the principle of least privilege

Applying the principle of least privilege can help you manage and monitor user accounts and access. Provide employees with access to only the functions and privileges necessary to complete their tasks. One way to accomplish this is to implement role-based access control which maps users' access rights to their role within the organization.

Restrict administrative privileges

You should limit the number of administrative or privileged users for operating systems and applications. Users should not have local administrator privileges on their desktop or laptop systems. Users who need administrative privileges should use a separate administrative account with separate credentials for that work, regardless of whether your organization has a cloud, on-premises or hybrid environment.

You should also create different tiers of administrative accounts to limit the exposure if one administrative account is compromised. In addition, you should require explicit confirmation (for example, a prompt or an approval step) for any action that needs elevated permissions.

Managing and controlling administrative privileges (ITSAP.10.094)

Update and patch systems and devices

Check for updates and patches that improve usability and performance and fix known bugs and vulnerabilities in your software, firmware and operating systems. Threat actors can easily exploit unpatched or unsupported systems and devices, so prioritize patches for Internet-facing systems and for vulnerabilities that are known to be exploited.

How updates secure your device (ITSAP.10.096)

Deactivate macros

Deactivate macros by default to reduce the risk of ransomware being delivered through Microsoft Office attachments. Newer versions of Microsoft Office block macros by default in files that are marked as having come from the Internet.

How to protect your organization from malicious macros (ITSAP.00.200)
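To show what "deactivate macros" means at a mail gateway or file-drop point, here is an added Python example (not the Cyber Centre's code) that inspects an Office attachment for an embedded VBA project instead of trusting its file extension. Modern Office documents are ZIP packages: a macro-enabled file carries a vbaProject.bin part and declares the vbaProject content type in [Content_Types].xml, so a .docm renamed to .docx is still caught. Legacy binary formats (.doc, .xls, .ppt) start with the OLE compound-file signature and need a dedicated parser, so they are routed for review. The sample packages and the block/review/allow policy are constructed for this example.

```python
import io
import zipfile

# Header of legacy binary Office files (OLE compound document); macros inside these
# are stored differently and need a dedicated parser such as oletools' olevba.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that an OOXML package declares for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_file_has_macros(data: bytes) -> bool:
    """Return True if an OOXML (ZIP-based) Office document embeds a VBA project.

    The extension is deliberately ignored: only the container contents are trusted.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
            return False
    except zipfile.BadZipFile:
        return False  # not a ZIP container, so not an OOXML document


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway decision for one attachment. The block/review/allow policy is assumed for this example."""
    if office_file_has_macros(data):
        return "block"      # VBA project present, whatever the name says
    if data.startswith(OLE_MAGIC):
        return "review"     # legacy binary format: hold for a macro-aware scanner or a person
    return "allow"


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal fake OOXML package for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" fake vba project")
    return buf.getvalue()


if __name__ == "__main__":
    # A macro-enabled file renamed to look harmless is still blocked.
    print(classify_attachment("invoice.docx", build_sample_package(with_macro=True)))   # block
    print(classify_attachment("report.docx", build_sample_package(with_macro=False)))   # allow
    print(classify_attachment("old.doc", OLE_MAGIC + b"\x00" * 24))                    # review
```

The check complements, rather than replaces, the Office default: the gateway stops macro-bearing files before a user can click "Enable content", and the client-side block covers files that arrive by other routes.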

Segment networks

Divide your network into several smaller components. This makes it more difficult for ransomware to spread across the entire network. Your organization should have an inventory of its essential business information that is classified and categorized based on its level of sensitivity or privacy impact. Segment and group infrastructure services that have the same information protection requirements or that must adhere to the same communications security policies.

Action no. 5 segment and separate information (ITSM.10.092)

Set up security tools

Install antimalware and antivirus software on your devices to detect malicious activity, and secure your network with a firewall to protect connected devices. Consider using domain name system (DNS) filtering on your devices, including mobile devices, to block malicious websites and filter harmful content. The Canadian Internet Registration Authority offers a free protective DNS service, Canadian Shield, that prevents you from connecting to malicious websites that may infect your devices or steal personal information.

Implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication and reporting protocol that helps protect your organization's domains from spoofing, phishing and other malicious activities. DMARC builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM); a monitoring-only policy reports spoofing but does not stop it, so move to an enforcing policy (quarantine or reject) once your legitimate mail sources pass those checks.
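As an added example (not from the Cyber Centre), the following Python checks a DMARC record for settings that would leave your domain spoofable: a monitoring-only policy, a weaker subdomain policy, partial enforcement through the pct tag, or no aggregate-reporting address. The record string is what you find in the TXT record at _dmarc.<your-domain>; the sample records here are constructed and the set of checks is this example's own.

```python
# Relative strength of DMARC policies (RFC 7489 p= and sp= values).
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into tag=value pairs; tags are ';'-separated and case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings that leave spoofed mail deliverable or unreported; [] means the record enforces."""
    findings: list[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]

    # The version tag must come first, or receivers ignore the record entirely.
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must start with v=DMARC1")

    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy not in POLICY_STRENGTH:
        findings.append(f"unknown policy p={policy}")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")

    # Subdomains inherit p= unless sp= overrides it; a weaker sp= leaves them spoofable.
    sub = tags.get("sp")
    if sub is not None:
        if sub not in POLICY_STRENGTH:
            findings.append(f"unknown subdomain policy sp={sub}")
        elif policy in POLICY_STRENGTH and POLICY_STRENGTH[sub] < POLICY_STRENGTH[policy]:
            findings.append(f"sp={sub} is weaker than p={policy}: subdomains can be spoofed")

    # pct= below 100 applies the policy to only that share of failing messages.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of failing mail")

    # Without rua= you never see who is sending as your domain.
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


if __name__ == "__main__":
    # Constructed sample records: one enforcing, one monitoring-only.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com"):
        print(rec, "->", assess_dmarc(rec) or ["enforcing"])
```

Run the assessment against your own domain and each subdomain that sends mail; a clean result still depends on SPF and DKIM being correct for every legitimate sending service, which the record alone cannot tell you.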

Ensure users access your network using your virtual private network (VPN). A VPN creates a secure connection between 2 points and can be used to protect sensitive data while it is in transit. Keep the VPN gateway itself patched and protected with MFA: exposed remote-access services are a frequent entry point for ransomware actors.

Seek professional cyber security assistance

Engaging with a cyber security professional early on may allow you to recover your systems and data more quickly than relying on your internal IT staff when facing a cyber incident.

How to recover from a ransomware attack

Consider the following steps to help remove and reduce the spread of ransomware.

Isolate the devices immediately

Disconnect the affected devices from the network (unplug network cables and disable Wi-Fi and Bluetooth) to stop the ransomware from spreading to other connected devices. We recommend you do not power down a device once it is isolated, because volatile memory can hold forensic evidence such as running processes and, for some strains, the encryption keys, all of which is lost on shutdown.

Some ransomware strains are designed to stay dormant on a device and quietly spread to other network‑connected devices before encrypting files. In these cases, you may not be able to stop the ransomware from spreading.

Report the incident

Consider reporting cyber incidents to law enforcement, such as local police or the Canadian Anti-Fraud Centre, as well as to the Cyber Centre online through My Cyber Portal.

If you are comfortable doing so, share your findings, including the tools, techniques and procedures used by the threat actor, with the Cyber Centre.

Communicate the incident to the employees listed in your incident response plan and give them clear direction as to their roles and responsibilities to help manage the incident. This should already be defined within your recovery plan.

Change passphrases

Reset credentials, including passphrases, on all systems, devices and accounts, and do so from a device you know to be clean. Threat actors often keep harvested credentials for future attacks.

Identify the type of ransomware

Use the information in the ransom note (such as listed URLs or contact addresses) and the new file extensions appended to your encrypted files to identify the ransomware family and research how it behaves and whether it has recurred elsewhere. This information will also be useful for law enforcement and/or your contracted managed security service, if you have one.

If a decryption tool is available from a reputable source, such as law enforcement or a recognized security vendor, proceed to remediation. Do not run decryptors from unverified sources; they may themselves be malware.

If no decryption tool is available for your strain of ransomware, and law enforcement or a managed security service is not involved and has not asked you to preserve the device, sanitize the device and reinstall the operating system. If they are involved, follow their direction on preserving evidence before you wipe anything.
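As an added example (not the Cyber Centre's tooling), the following Python script collects the two indicators this section describes: the extensions the ransomware appended to files, and the URLs and contact addresses in the ransom note. The baseline extension set, the note-name heuristic and the sample file tree are constructed for the demonstration; in practice the baseline comes from your own file inventory.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions normally present on this (constructed) file share; build yours from your inventory.
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}

# Indicators to pull out of a ransom note: web URLs, Tor hidden-service names, email addresses.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+|\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Words that commonly appear in ransom note file names; an assumed heuristic, not an exhaustive list.
NOTE_NAME_RE = re.compile(r"readme|restore|recover|decrypt|how[_ -]?to|help", re.IGNORECASE)
NOTE_EXTENSIONS = {".txt", ".html", ".hta", ""}


def triage(root: Path) -> dict:
    """Walk a file tree and summarize what the ransomware left behind."""
    unknown_ext: Counter = Counter()   # extension outside the baseline -> file count
    appended: Counter = Counter()      # same, but only where it was stacked on a known one (report.docx.locked)
    notes: list[dict] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if suffixes and suffixes[-1] not in BASELINE_EXTENSIONS:
            unknown_ext[suffixes[-1]] += 1
            if len(suffixes) > 1 and suffixes[-2] in BASELINE_EXTENSIONS:
                appended[suffixes[-1]] += 1
        if path.suffix.lower() in NOTE_EXTENSIONS and NOTE_NAME_RE.search(path.stem):
            text = path.read_text(errors="replace")
            notes.append({
                "file": path.relative_to(root).as_posix(),
                "urls": sorted({m.rstrip(".,;)") for m in URL_RE.findall(text)}),
                "emails": sorted(set(EMAIL_RE.findall(text))),
            })
    return {
        "unknown_extensions": unknown_ext.most_common(),
        "appended_to_known": appended.most_common(),
        "notes": notes,
    }


def demo() -> dict:
    """Constructed sample tree standing in for an affected share; not data from a real incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx.locked").write_bytes(b"\x93\x1a\xf0\x07" * 64)
        (root / "docs" / "budget.xlsx.locked").write_bytes(b"\x2e\xc4\x5b\x99" * 64)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 still intact")
        (root / "RESTORE_FILES.txt").write_text(
            "Your files are encrypted.\n"
            "Contact support@example.com or open http://payment.example/portal\n"
            "Tor mirror: exampleonionaddr.onion\n"
        )
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The appended-extension count and the note indicators are exactly what a law enforcement or managed security contact will ask for first; record them before any cleanup, since wiping the device destroys them.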

Remediate the point of entry

Before reconnecting your systems and devices to your network or the Internet, identify how the threat actor entered your environment. Once the vectors have been identified, you should apply appropriate security measures to prevent a repeat attack.

Restore from your backup

Store your backups offline to mitigate the chance of ransomware infecting your backup files.

Analyze/scan your backup files and ensure they are free of ransomware or any other malware.

Once you are confident, restore your systems and devices from your secure backup.
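Both "Back up your data" and this section come down to one check: can you prove the restored files are the ones you backed up, and can you tell encrypted files from clean ones? The following Python example, added here and not the Cyber Centre's code, writes a SHA-256 manifest when the backup is taken and compares a restored tree against it, flagging modified files whose byte entropy is close to 8 bits per byte, which is how encrypted data looks. The directory contents, the 7.2 bits/byte threshold and the tampering steps are constructed for the demonstration.

```python
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed cut-off: ciphertext and compressed data sit near 8.0 bits/byte, documents well below.
ENTROPY_THRESHOLD = 7.2


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256; store this with the backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest and classify every path."""
    report: dict[str, list[str]] = {
        "ok": [], "modified": [], "missing": [], "unexpected": [], "suspect_encrypted": []}
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        path = present.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
        elif sha256_file(path) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
            # A changed file with near-uniform bytes is the signature of encryption, not editing.
            if shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD:
                report["suspect_encrypted"].append(rel)
    report["unexpected"].extend(sorted(present))   # files the backup never contained
    return report


def demo() -> tuple[dict, dict]:
    """Constructed walkthrough: take a manifest, verify a faithful copy, then verify a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.docx").write_bytes(b"Quarterly report. " * 200)
        (src / "notes.txt").write_text("meeting notes\n" * 50)
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        clean = verify_restore(restored, manifest)

        # Simulate a ransomware-touched copy: one file overwritten with high-entropy bytes
        # (a deterministic stand-in for ciphertext), one deleted, one added.
        (restored / "docs" / "report.docx").write_bytes(bytes(range(256)) * 16)
        (restored / "notes.txt").unlink()
        (restored / "extra.bin").write_bytes(b"\x00" * 10)
        tampered = verify_restore(restored, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

Store the manifest with the offline copy, and keep a second copy somewhere the backup system cannot write to, so an attacker who can alter backups cannot also rewrite the record you verify them against.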

Update and patch

Apply any available updates to your devices, hardware and software. Patch your operating system and ensure all antivirus, antimalware and firewall software is up to date.

Review the incident and provide ongoing training

Review the incident with your employees.

You should also provide ongoing training that addresses preventative actions against ransomware attacks, such as learning how to identify suspicious emails and attachments.

Use common threat examples and past occurrences, including your own incident, to keep employees up to date and prepared for the future.

Risks of paying the ransom

The decision to pay a cyber threat actor to release your files or devices should not be taken lightly. Before you consider paying a ransom, we recommend you contact your local police department to report the cybercrime. Paying the ransom does not guarantee access to your encrypted data or systems. Even if you pay, threat actors may still:

  • demand more money
  • continue to infect your devices and systems or those of other organizations
  • retarget your organization with a new attack
  • copy, leak or sell your data
