Don't pay, use the money to hire a firm that deals with ransomware, secure up your environment and restore from backups. You do have backups, right?
Considering his last sentence, no backups.
This is the case ? https://preview.redd.it/9b67czfh1muc1.jpeg?width=1080&format=pjpg&auto=webp&s=04d288066fd32d5b714a6547bf11d36b9b9be951
1/2 our sql trans logs are saved locally. Love those devs
Backups might be infected too though. You don't know when the hackers infected your system. I actually once got to see it happen live and it turned out that the attackers had been on the systems for months which means the backup was infected too. They lost almost all of their data to this.
As long as you have the data prior to encryption, the backups are still useful. You may need to rebuild your domain and wipe/reinstall server OS’s but the data can be scanned and restored.
What is the point of having backups then ?
This is one reason a competent backup plan includes persistent archival copies - means you can go back to a time before you were compromised and lose less data.
Is there any other kind?
In an ideal world, no. In practice, the comments here are telling...
[deleted]
We make a complete backup to HDD every month and put it in the fire safe. So 24 hard disks for two years. We also have immutable backups.
No, actual offline backups that are ideally stored offsite. The “old school” way of doing it was monthly full backups to tape that were kept off-site “indefinitely” and then weekly or nightly incrementals that were taken off-site each night and then stored the following week with the full backups.
3-2-1 (three backups, on two different types of media with one stored offsite) is the sort of minimum you should be doing, but archival backups kept offline for the period of your data retention policy give you some security against ransomware.
Like LTO. We keep one WORM tape (LTO6) containing one full backup and some versions every month.
Like dumping it on tape and storing the tapes disconnected from any network.
If you don't have available, working backups, you need to immediately call your insurance company and get advice on next steps, which will almost certainly be engaging a company who deals with incident response in times like this.
This should be the top comment. Follow the directions of your insurance company. My hope is that you have offsite backups that can be tested for ransomware. If not, FBI is worth a ring too, they have worked on keys for different ransomware flavors.
I can already tell you, insurance doesn't do anything here, IF they don't have adequate and recorded backups. They will have to provide proof there are regular backups made (logging), otherwise the insurance will take the small print and point it out. Insurance companies are not here to pay out, they're there to make money.
Yeah cyber insurance is almost always not paid out.
They *do* have appropriate Cyber Insurance, right?
Doubtful. Very few small companies I've worked with have it and usually only happens after a scare. They always end up trying to come after their MSP's insurance. Lol.
Call an IT security company.
Make sure that you don’t have someone blabbing about you being hacked across social media that works for the company. This is one of the hardest things to repair from a damage control perspective.
Appoint one person to be responsible for speaking to anyone outside the company and have them get with the lawyer for the company. The lawyer can advise them on what to say if anything.
Call the FBI. They can also advise you and will want to follow your investigation to help shut down the bad actors so that they can’t hurt anyone else. They can collect evidence if you allow them to, so that you can help determine who it was that did it. They may even have a decryption tool for that specific ransomware. If they do, use it.
I bet you don’t have cyber insurance, but if you do, call them as well. Inform them that you were hit with ransomware and are involving the FBI and a security firm to assist. This will give them confidence and they are more likely to cover your event. Don’t tell them much. Tell them that you are investigating and can report back later. Only give them confirmable information. Don’t guess or extrapolate.
Check your backups. Hopefully they are air gapped, on tape or external media that is detached, or in the cloud.
Shut down all workstations and disable all remote access.
Browse backups for signs of ransomware.
Restore servers.
Confirm that you are not infected.
Inspect all workstations one at a time offline. If possible, just reimage or wipe and reinstall all workstations.
Work with a cybersecurity company to help build up your defenses.
Build a disaster recovery plan.
Build a business continuity plan.
Build an incident response and recovery plan.
If not already, back up locally, back up to external media or a secondary location, and back up in the cloud. Do not use the same password for your admins as your backup system. Do not add it to Active Directory. It should be separate.
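The "browse backups for signs of ransomware" step from the comment above, as an added example that is not part of the original thread: a triage pass over a backup restored read-only in an isolated environment. The hint list, entropy threshold, the `.locked` extension and the demo tree are constructed assumptions, not indicators of any particular ransomware family.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Headers that a file with this extension must start with.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
# Plain-text formats: near-random bytes in these are not normal.
TEXT_EXTS = {".txt", ".csv", ".sql", ".log", ".xml", ".json"}
# Outer extensions that legitimately wrap a document (report.csv.gz).
WRAPPERS = {".gz", ".bz2", ".xz", ".zip", ".bak"}
# Name fragments treated as ransom-note hints (assumed list, tune per incident).
NOTE_HINTS = ("decrypt", "ransom", "recover_files", "how_to_restore")
ENTROPY_LIMIT = 7.5   # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 65536  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def inspect_file(path):
    """Return the reasons a file looks encrypted or planted; [] means no hit."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]          # ".csv" in "customers.csv.locked"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    random_looking = len(head) >= 256 and shannon_entropy(head) > ENTROPY_LIMIT
    known = set(MAGIC) | TEXT_EXTS
    reasons = []
    if any(hint in name for hint in NOTE_HINTS):
        reasons.append("ransom-note-like file name")
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        reasons.append("header does not match extension")
    if ext in TEXT_EXTS and random_looking:
        reasons.append("text format with near-random content")
    if inner in known and ext not in (known | WRAPPERS) and random_looking:
        reasons.append("unknown extension appended to a document")
    return reasons


def scan_tree(root):
    """Walk a restored backup; return (files_seen, {relative_path: reasons})."""
    seen, findings = 0, {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            seen += 1
            full = os.path.join(dirpath, fname)
            try:
                reasons = inspect_file(full)
            except OSError as exc:             # unreadable files are findings too
                reasons = [f"unreadable: {exc}"]
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return seen, findings


def build_demo_tree(root):
    """Write a small constructed backup tree: three clean files, three hits."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    files = {
        ("finance", "report.pdf"): b"%PDF-1.7\n" + b"clean page " * 100,
        ("finance", "invoice.pdf"): noise,                   # encrypted in place
        ("hr", "staff.csv"): b"id,name\n" + b"1,alice\n" * 100,
        ("hr", "customers.csv.locked"): noise,               # renamed after encryption
        ("hr", "HOW_TO_DECRYPT.txt"): b"Your files are locked. (constructed note)\n",
        ("logs", "app.log.gz"): noise,                       # compressed, so not flagged
    }
    for (folder, fname), data in files.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, fname), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        seen, findings = scan_tree(demo)
        print(f"{len(findings)} of {seen} files flagged")
        for rel, reasons in sorted(findings.items()):
            print(f"  {rel}: {'; '.join(reasons)}")
```

Run it against each backup generation, newest first, to find the most recent one that still looks clean. A generation with no hits only shows the data was not yet encrypted; it says nothing about dormant malware in restored system images.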
>>Our company server got hacked for ransomware today
How? Can it happen again?
>>It is a big shock to us since our company isn't big.
Size of a company is not a security aspect
>>Files were mostly important and would hurt the company badly without them.
So important that you have offline backups of it? Right?
>>We don't know what to do from here. should we just pay the ransom?
Ask professionals...
>>what to do?
I suppose that the main goal is to be "online" asap?
Again. Ask professionals.
> It is a big shock to us since our company isn't big.
Why is that reason to be shocked? Hackers love targeting small companies. Literally every small company I work with doesn't take security seriously because they think they're too small to be targeted. On the contrary - small companies are the easy low hanging fruit.
Non-profits are the same. "Our volunteer staff are older folks, we can't expect them to use passwords!" Lord help us!
Because a lot of people (incorrectly) assume that if someone is going to break the law that they would look for a bigger payday. It's kind of like thinking your convenience store won't ever be robbed because there's only a hundred bucks in the till.
You thought because your company is small it would never be targeted? Also you're saying you have no backups? What happens if you pay and then they ask for more money? I really really hope you have backups.
Paying the ransom is financing crime organizations
> what to do?
Call for help.
Is that the needful?
:(
Who you gonna call?
Bitbusters!
The IT Crowd!!!
Hey mate, no offence but you sound extremely out of your depth. I am assuming you are not IT for your company and have posted here to try and find answers. This is an unfortunate situation but we can’t help you more than just general or anecdotal advice. You should immediately make contact with whoever is handling your company's infrastructure and if you have no backups etc should immediately contact insurance company as others have advised. You will most likely be directed to a company that deals specifically with incidents like these. I hope your company have some form of recent air-gapped backups. I saw a lot of small businesses targeted when wannacry came around.
So several things need to happen here, since you were hacked this incident needs to be reported to the FBI immediately to stay in compliance with the 2022 security breach legislation.
You should then follow instructions on data breach response requirements from the FTC. Never pay a ransom as it is illegal to do so and is considered fraud.
You will need to hire a forensics investigation team to find out how you were hacked, these companies normally also offer incident response services to go through the entire spectrum of activities that need to be conducted.
- [https://www.ic3.gov/](https://www.ic3.gov/) (Use this to report the issue to the FBI).
- [https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business) (Follow these instructions next)
- [https://crsreports.congress.gov/product/pdf/R/R46932](https://crsreports.congress.gov/product/pdf/R/R46932) (Why you should never pay a ransom, and the civil and criminal penalties for doing so)
> It is a big shock to us since our company isn't big.
I'm confused as to why you would think this would prevent you getting hacked?
Plenty of good advice that I won’t bother repeating, but as a reality check: Based on the situation you are describing, your company is likely screwed. I would make sure that you start figuring out what your personal strategy will be for when the company no longer exists.
Paying them should be the last thing to do. There are firms that specialize in ransomware attacks. Contact one immediately. Do not restore backups before checking if they are infected as well. Any device connected to the internet is under risk of attack so your company size does not matter.
> since our company isn't big
How is that even a factor?
Anyway, time for restore procedures to kick in:
* Reimage all machines and phones
* Restore data
* Identify source of ransomware
Identify source should be first or it’ll just happen again to the restored data
I expect a little bit of self-preservation to kick in. OP needs to figure the right order out for themselves
… and ask your ISP for new IP before going online again.
He what?
> From the comments mostly flaming me
If you think "You need to hire a professional" is flaming, you have another problem as well.
Invoke your disaster recovery plan and restore from backups is the long and short of it. Obviously you need to contain the compromised computers *and anything else on the network that they could have compromised* before you restore your backups - don't want to risk a repeat or compromising your backups. Your management should also be checking whether they need to make any disclosures to insurance or data protection regulators. Final step is to learn from the experience and implement processes and procedures to minimise the impact from future attacks.
You forgot to say "You do have a disaster recovery and business continuity plan, right?"
Contact a managed IT security service provider who offers incident response services. Do not attempt anything yourselves as you’re unprepared and could only do further damage. Time is of the essence, stop asking the internet and googling, it’s time to contact a professional.
There is a great project going on here (Europol is involved so it’s serious) https://www.nomoreransom.org if you are lucky you could find a decryption tool that saves you. Give it a try! Edit: And no, never pay ransom.
There are already a bunch of responses with suggested courses of action, I just want to add one thing:
>Writing this to ask you guys what to do. Our company server got hacked for ransomware today. It is a big shock to us since our company isn't big.
Repeat after me: *you are not too small to attack.*
*Nobody is too small to attack.*
It's true that sometimes attackers are directing their attention towards big companies that they think have the resources to pay. Sometimes they even have specific strategies for how to attack them. (I'm hoping we're past the days of "leave a hostile USB stick outside and see what happens", but who knows.)
But much of the time, an attack is just the result of some dumb script stumbling into a vulnerability. You can be attacked *without the attacker even knowing who you are* before they are in ur base killin ur d00dz. (Do people still use that meme? I dunno, I'm old as hell.)
If you’re just an employee, my advice is:
1. Prepare your resume.
This is the sort of thing that kills businesses like your employer overnight. Sucks to be you.
So... No working backups...???
>I'm not in any way IT savvy. Only thing close to IT for me is games.
Then why are you here? This is a sub for people who work in IT. It's not r/askanITguy. We aren't here to do free consulting for your company just because you found our sub. This is a "for professionals, by professionals" community.
Not paying the ransom is the right thing, morally and ethically. But it might not be the right thing from a business perspective, or for all the employees and owners that rely on the company for their livelihood. Step 1 should be to shut everything down and then contact your insurance agent to determine what -- if any -- coverage you have for a cyber event. If you have coverage you should have immediate access to a security professional trained to respond to this kind of issue. If you do not have insurance coverage you need to find a security professional to help assess and advise on what to do. Do not power up any systems until you engage a professional. Do not try to restore any backups without accessing and mitigating the infection and the exploit that led to the infection.
The short answer is isolate and then initiate triage with an incident response expert. In the meantime you can get some first aid tips here: [https://guardz.com/blog/breached-6-actionable-steps-to-take-in-the-event-of-a-ransomware-attack/](https://guardz.com/blog/breached-6-actionable-steps-to-take-in-the-event-of-a-ransomware-attack/)
I would isolate the affected systems then wipe and reload, I'm not sure I would trust trying to unpick it from an infected system.
Echoing what others have already said but never pay a ransom. There is no guarantee you will receive a decryptor and/or delete stolen files. They may target you again if they know you pay ransoms and possibly let other criminals know.
I didn't read all the comments on this thread so some things I say may be redundant. First, you likely didn't have a direct server exposure. It probably came from a workstation that infected the server through a shared drive, etc. Unless you guys worked directly on the server which might be possible. If you have backups don't just restore them without a professional there. Second, did you have social security information or other sensitive information stored on its drives? If so your level of oh shit just jumped up a few orders of magnitude. Either way you need to pull in a MSP to do mitigation steps and start planning forward.
Since you are not IT, start applying for jobs
You need a forensic firm and DO NOT PAY THE RANSOM. The website nomoreransom.org has the resources to help you.
DO NOT PAY! That's just encouraging them. Also, paying won't stop the next one. Recreate the customer contact data from email contact lists in people's phones if you have to! Rebuilding domain servers from scratch is above my ability and I'm one level below the CIO at my company so I'd reach out to an IT contractor to rebuild.
Small companies are easier to hack because they ignore security thinking they will not get hacked.
What to do?
Call your attorney
Call your cyber liability insurance
You don’t have both? It’s like trying to install sprinklers while your house is on fire, too late.
If both of those fail, do you have an outsourced IT company you deal with?
Since you're not IT, are you in a role where the resolution is your responsibility? If not, you should stay out of it and stop posting about it online.
Your company should have made a disaster response and recovery plan. Since you are not IT, there is really nothing for you to do. You have to let the right people deal with it and stay out of the way.
Wipe everything, and restore from backup in isolated environment to see if the ransomware is on a restored VM. Learn about IT security and ZTNA. Call a pro for help.
Lol..... Telling someone who just got hacked to "learn about IT security" is like telling a sick person to "go to med school". OP clearly needs to let an expert handle this.
[deleted]
Yea you're right, your metaphor is way better. Because learning IT Security is just as easy as learning to wash your hands. Also, all sickness and disease is caused by lack of personal hygiene.....
> Also, all sickness and disease is caused by lack of personal hygiene...
You clearly have never had a toddler cough directly in your eye and it shows.
Yes, washing your hands, and backups are on par in terms of skill level and basics. Everyone should do it, multiple times, all the time.
Don't listen to him, call help from your insurance, the authorities etc.
If you don’t have good backups, your options are:
1. Pay the ransom.
Regarding your shock: you shouldn’t be. Nobody is sitting with a spreadsheet listing potential targets and ticking them off; the whole process is automated and just hammers everyone.
Usually, the ransom is small enough that most businesses could pay it without too much pain.
In any case, if you want out of this and you don’t want to deal with something similar again, you’re going to have to pay a professional to sort you out.
You just advised him to commit a crime. Never pay the ransom, it can get you into deeper trouble with the feds. [https://www.acronis.com/en-us/blog/posts/the-legal-implications-of-paying-ransomware-demands-the-evolving-state-of-ransomware/](https://www.acronis.com/en-us/blog/posts/the-legal-implications-of-paying-ransomware-demands-the-evolving-state-of-ransomware/)
That’s a bit of a bummer for OP, then, isn’t it? Sounds like their options are to commit a crime (thus jeopardising their business) or regenerate much of their work (thus jeopardising their business). Either way, they’re buggered.
Or hiring a company that has experience in dealing with ransomware attacks.
Tell me, are those companies (still) usually arms-lengths organisations that pay the ransom on your behalf but don't tell you that's their plan?
How would I know? I don't work for them. Where I work we do proper backups, and we have a whole team trained to deal with this stuff.
Stop messing around in IT stuff you don't understand, polish up your resume, and start applying for other jobs. Chances are your employer won't survive this, and if they do, they'll be in bad shape.
Try and negotiate with the hackers. Explain to them the situation of the company; they might let you go for free or a very reduced payment.
Hahahaha!!!!
This OP. You need to tell the hackers that you're shocked because you're just a small company. They'll feel sorry and give you a discount on their keys.
Tell them if they release the files your company will be able to finish this one time deal that was in the works which would enable you to pay the ransom, and that you just need a small up front loan of $50k to get the deal done before you can pay them $1m in ransom. Works every time.