Ransomware Triage

If you think you are the victim of Ransomware,
STOP what you are doing and call the IT Helpdesk at
(337) 475-5995.

General Triage when Dealing with Ransomware

Immediate Action (Containment)

Mid-incident Action (Assessment & Recovery)

  • Identify the type and sensitivity of the data that has been compromised
  • Initiate data restoration procedures from backups if a decision is made to restore
  • Assume all passwords on the affected devices have been compromised and change them using a non-affected device
  • Consider shutting down remote access or adding stronger controls such as two-factor authentication (remote access is a common entry point for attackers)
  • If other restore attempts do not work, attempt to recover using tools such as:
  • If in doubt, wipe the disk clean and reload the OS — Don’t take chances
  • If Personally Identifiable Information (PII) is affected:
    • If PII is involved, treat student/personnel data as breached: all affected tokens, passwords, etc., MUST be reset or re-issued immediately
    • If student/personnel data is breached, watch for fraud or impersonation; some level of fraud detection/control should be offered to those affected
    • Inform appropriate regulators (if necessary)

Post-Incident Action (Long term remediation)

  • Set up a proper backup strategy and test it
  • Continue security awareness training for end users - (UCS)
  • Evaluate network segmentation - (Network Services)
  • Conduct penetration tests - (UCS)
  • Evaluate incident response planning and assessment - (IT)
  • Continue on-going threat detection - (UCS)
  • Evaluate identification and classification of data within the university
  • Evaluate identification of technical controls and their respective effectiveness - (IT)
  • Consider generating playbooks for response and hardening (e.g., Playbook for Handling Ransomware Infections) - (UCS)
  • Collect workable threat intelligence, or at least data from sources such as Alienvault OTX - (UCS)
Note: If the data must be recovered (i.e., data is mission critical), ensure that the systems are hardened and defenses are working prior to paying any ransom; you don’t want to get blindsided by another attack the moment you pay.
Source: adapted from Security without Borders (contributors: Rorybyrne, Swap; accessed January 26, 2017).
Osterman Research Inc. (2016). Understanding the Depth of the Ransomware Problem in the United States. [online] Available at: [Accessed 26 January 2017].