STEP 1- Disconnect
- Immediately disconnect the infected device from any network it is on.
- Turn off any wireless capabilities such as Wi-Fi or Bluetooth.
- Unplug any storage devices such as USB sticks or external hard drives.
- Do not erase anything, clean up files, or run anti-virus on the machine yet: preserve it as evidence and as a source of samples of the encrypted files and the ransom note.
- To find out which computer is patient zero, check the properties (owner and last-modified time) of encrypted files on any shared drive; the account that wrote the earliest ones points to the first infected machine.
STEP 2- Determine the Scope
It is important to know whether the first infected machine has access to any of the following:
- Shared or unshared drives or folders
- Network storage of any kind.
- External hard drives
- USB memory sticks with valuable files.
- Cloud-based storage such as Dropbox, Box, Google Drive and Microsoft OneDrive (formerly SkyDrive); a sync client uploads the encrypted copies, so check the provider's version history as well.
STEP 3- Determine the Strain
- Some strains encrypt only files; others lock the whole machine, for example by encrypting the disk or the boot record so it will not start.
- Some accept payment in currencies other than Bitcoin (BTC).
- Free decryption tools exist for certain strains, so identify the strain from the ransom note, the appended file extension and a sample encrypted file before deciding anything.
- Different strains demand different ransom amounts and differ in their ability to spread.
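The checks in Steps 1 to 3 can be run from a clean analysis host against the affected locations (mounted read-only), which is what the following script does. It is an added example and not part of the original checklist: it walks each location, flags files that carry a known ransomware extension or have the high byte entropy of ciphertext, collects ransom notes and the extensions seen (for identifying the strain), and returns the oldest encrypted file with the account that wrote it as the patient-zero lead. The extension lists, the ransom-note filename pattern, the entropy threshold and the sample incident it builds in a temporary directory are all assumptions for illustration; the owner lookup is POSIX-only, so on a Windows share use Get-Acl for that step.

```python
"""Read-only ransomware triage over the locations from Steps 1 and 2.
Added example, not part of the original checklist; the lists and patterns are illustrative."""
import math, os, random, re, tempfile
from collections import Counter
from dataclasses import dataclass, field

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc", ".locky", ".wncry"}  # assumed list
ALREADY_COMPRESSED = {".zip", ".7z", ".gz", ".jpg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}
RANSOM_NOTE_RE = re.compile(r"(readme|how.?to|decrypt|restore|recover).*\.(txt|html?|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5  # bits/byte: ciphertext approaches 8.0, prose sits around 4 to 5
MIN_SIZE, SAMPLE_BYTES = 1024, 65536  # tiny files cannot show high entropy; read 64 KiB at most

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample (maximum 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def owner_of(st: os.stat_result) -> str:
    """POSIX owner name; on Windows st_uid is always 0, so use Get-Acl on the share there."""
    try:
        import pwd
        return pwd.getpwuid(st.st_uid).pw_name
    except (ImportError, KeyError):
        return str(st.st_uid)

def looks_encrypted(path: str) -> bool:
    """Known ransomware extension, or high entropy in a format that is not already compressed."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SUSPECT_EXTENSIONS:
        return True
    if ext in ALREADY_COMPRESSED:
        return False
    try:
        if os.path.getsize(path) < MIN_SIZE:
            return False
        with open(path, "rb") as fh:
            return shannon_entropy(fh.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD
    except OSError:  # unreadable (locked, permissions): record nothing rather than guess
        return False

@dataclass
class LocationReport:
    root: str
    encrypted: list = field(default_factory=list)  # (mtime, path, owner) tuples
    ransom_notes: list = field(default_factory=list)
    extensions: Counter = field(default_factory=Counter)

    @property
    def affected(self) -> bool:
        return bool(self.encrypted or self.ransom_notes)

def triage(locations: dict) -> dict:
    """locations maps a label (share, cloud sync folder, USB stick) to its mounted path."""
    reports = {}
    for label, root in locations.items():
        rep = reports[label] = LocationReport(root)
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if RANSOM_NOTE_RE.search(name):
                    rep.ransom_notes.append(path)
                elif looks_encrypted(path):
                    st = os.stat(path)
                    rep.encrypted.append((st.st_mtime, path, owner_of(st)))
                    rep.extensions[os.path.splitext(name)[1].lower()] += 1
    return reports

def patient_zero_lead(reports: dict):
    """Oldest encrypted file across all locations and the account that wrote it."""
    return min((e for r in reports.values() for e in r.encrypted), default=None)

def build_sample_incident() -> dict:
    """Constructed fixture, not real data: a share hit first, OneDrive later, a clean USB stick."""
    root = tempfile.mkdtemp(prefix="triage-")
    rng, t0 = random.Random(1), 1_700_000_000.0
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    layout = {  # label -> [(filename, content, mtime offset in seconds)]
        "share": [("q3-report.xlsx.locked", noise(), 0), ("budget.docx.locked", noise(), 60),
                  ("archive.bak", noise(), 120), ("minutes.txt", b"meeting notes\n" * 100, 30),
                  ("README_DECRYPT.txt", b"your files are encrypted", 5)],
        "OneDrive": [("notes.txt.locked", noise(), 600), ("photo.jpg", noise(), 700)],
        "usb": [("plan.txt", b"project plan\n" * 100, 800)],
    }
    locations = {}
    for label, files in layout.items():
        locations[label] = d = os.path.join(root, label)
        os.makedirs(d)
        for name, content, offset in files:
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (t0 + offset, t0 + offset))
    return locations

if __name__ == "__main__":
    reports = triage(build_sample_incident())
    for label, rep in reports.items():
        print(f"{label}: affected={rep.affected} encrypted={len(rep.encrypted)} "
              f"notes={len(rep.ransom_notes)} extensions={dict(rep.extensions)}")
    print("patient-zero lead:", patient_zero_lead(reports))
```

In the sample incident the share is flagged through both the appended `.locked` extension and the entropy check (`archive.bak` has no telltale extension but reads as ciphertext), the OneDrive folder is affected but `photo.jpg` is not counted because images are high-entropy by nature, and the USB stick is clean. The earliest encrypted file and its owner only give you the account to follow; pair that with logon records to reach the machine it was used from.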
STEP 4- Evaluate your Responses
To put it bluntly, you have four options, listed here from best to worst:
- Restore from a recent backup (first confirm the backup itself is clean and was not reachable from the infected machine).
- Decrypt your files using a third-party decryptor (success is unlikely and depends entirely on the strain).
- Do nothing (and lose your data).
- Negotiate or pay the ransom (there is no guarantee that a working key is delivered).