Data on the computer is no longer available or is encrypted.
Ransomware (also known as encryption trojans) is malware that encrypts files on a victim's computer and on connected network drives, making them inaccessible. The attackers then demand a ransom in exchange for decrypting the data. Ransomware typically enters systems through weak security or emails with malicious attachments. Ransomware can cause serious damage, especially if backups are also affected. If you are affected by such an incident, remember to stay calm and act carefully.
Technical measures
- Check any backups and protect them immediately. Backups should be taken offline as quickly as possible.
- Disconnect all internet connections (web, email, remote access and site-to-site VPNs).
- Please report the incident to the police. You can find your nearest police station on the Suisse ePolice website (available in German, French and Italian). The NCSC is not a law enforcement agency and cannot conduct investigations.
- If you do not have the necessary expertise, contact an external security service provider to help you with the incident and carry out the required analysis.
- The NCSC recommends discussing and coordinating next steps with the police, rather than contacting the perpetrators. Paying the ransom does not guarantee that your data will be restored.
Organisational measures
- Consider whether public communication is appropriate. The NCSC recommends a proactive and transparent approach to communication in order to avoid rumours and manage media coverage.
- There is a risk that the perpetrators have stolen information about the company and are threatening to release it, or have already done so. You should be prepared for this scenario.
- Get an overview of the data that may have been leaked and assess the risk for each type of data.
- If customer data has been stolen, the NCSC strongly advises proactively informing the affected customers.
- Under Article 24 of the Federal Act on Data Protection (FADP) (available in German, French and Italian), data security breaches must be reported to the FDPIC if they are likely to result in a high risk to the personality or fundamental rights of those concerned. This requirement applies to private individuals, companies, and federal bodies. Reports to the FDPIC must be submitted as soon as possible. You can find the reporting form here:
- If personal data is affected, and depending on where the company is located, there may also be a need to comply with the European Union's General Data Protection Regulation (GDPR).
- Back up your data regularly. Keep backups offline, for example on an external hard drive, and disconnect the backup device from your computer once the process is complete. Otherwise, ransomware could encrypt your backup data and render it unusable.
- Train your employees on how to handle emails:
- You can further improve your IT security by using an application whitelisting product.
- Block the receipt of malicious email attachments on your email gateway. You can find a full and up-to-date list on the GitHub website.
- Ensure that such malicious email attachments are also blocked if they are sent to recipients within your company in archive files such as ZIP, RAR or in encrypted archive files (e.g. in a password-protected ZIP).
- Also block all email attachments that contain macros (e.g. Word, Excel or PowerPoint files).
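The three attachment rules above (blocked file types, the same files hidden in archives including encrypted ones, and macro-carrying Office documents) can be checked as in the following added example, which is not NCSC code. The extension sets are a short illustrative assumption rather than the list the page refers to, and the function names and the sample message are constructed for this example.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: short illustrative blocklist, not the full list the page refers to.
BLOCKED_EXT = {".exe", ".js", ".vbs", ".scr", ".bat", ".jar"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
MAX_DEPTH, MAX_MEMBER_SIZE = 2, 20 * 1024 * 1024  # limits against archive bombs

def inspect_attachment(name, data, depth=0):
    """Return the reasons to block one attachment, descending into ZIP containers."""
    ext = os.path.splitext(name.lower())[1]
    reasons = []
    if ext in BLOCKED_EXT:
        reasons.append(f"{name}: blocked file type")
    if ext in MACRO_EXT:
        reasons.append(f"{name}: macro-enabled Office file")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    if depth >= MAX_DEPTH:
        return reasons + [f"{name}: archive nested too deeply to scan"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                reasons.append(f"{name}: encrypted entry {info.filename}, cannot be scanned")
            elif info.file_size > MAX_MEMBER_SIZE:
                reasons.append(f"{name}: entry {info.filename} too large to scan")
            elif info.filename.lower().endswith("vbaproject.bin"):  # OOXML macro storage
                reasons.append(f"{name}: contains a VBA macro project")
            elif not info.is_dir():
                reasons += inspect_attachment(info.filename, zf.read(info), depth + 1)
    return reasons

def scan_message(raw_bytes):
    """Parse a raw e-mail message and collect block reasons for all attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return [r for part in msg.iter_attachments() for r in inspect_attachment(
        part.get_filename() or "unnamed", part.get_payload(decode=True) or b"")]

def constructed_sample():  # constructed test mail: a ZIP attachment hiding a script
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", b"// constructed placeholder content")
    msg = EmailMessage()
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

This sketch only opens ZIP-based containers; RAR archives and legacy binary Office formats need their own parsers, and a gateway should also block archives that fail to parse.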
Your report via the online form helps the NCSC identify trends. This makes it possible for the NCSC to raise public awareness in a targeted way.
Last modification 09.10.2025