3. Identify
To identify which devices have been infected with ransomware, look for recently encrypted files with unusual file extensions and for reports of difficulty opening files. It is also a good idea to isolate and disable devices that have not been fully encrypted to prevent further spread of the ransomware. Make a comprehensive list of all affected systems, including NAS devices, cloud storage, external hard drives, smartphones, and laptops, and consider locking shares to stop ongoing encryption processes and prevent other shares from becoming infected.

Before isolating and disabling devices, review the encrypted shares to gather additional information about the attack. For example, if one device has a higher-than-normal number of open files, it may be the first infected device in the chain. You can also check for alerts from your anti-malware system or monitoring platform and verify what people are doing with emails and attachments. Examining the properties of the files may also provide clues, such as the person listed as the owner of the file.

Remember that most ransomware enters networks through malicious email links and attachments, so it is important to be cautious when interacting with these types of content.
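One way to run the file-based checks described above, as an added example that is not part of the original page: a read-only Python script that walks a share, flags recently modified files whose extension is not on an allowlist, and tallies them by extension and owner. The function names, the `KNOWN_EXTENSIONS` allowlist, the 24-hour window, the `.locked` sample extension and the use of the numeric POSIX owner ID (`st_uid`) are assumptions for illustration.

```python
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Assumption: extensions considered normal on this share; tune per environment.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv"}

def triage_share(root, window_hours=24, known=KNOWN_EXTENSIONS, now=None):
    """Read-only scan: recently modified files with unfamiliar extensions."""
    now = time.time() if now is None else now
    cutoff = now - window_hours * 3600
    suspects, by_ext, by_owner = [], Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # do not follow symlinks off the share
            except OSError:
                continue  # file vanished or is unreadable; skip it
            ext = path.suffix.lower()
            if st.st_mtime >= cutoff and ext not in known:
                suspects.append((str(path), ext, st.st_uid, st.st_mtime))
                by_ext[ext] += 1
                by_owner[st.st_uid] += 1  # owner ID hints at the writing account
    suspects.sort(key=lambda s: s[3])  # earliest modification first
    return suspects, by_ext, by_owner

def demo():
    """Build a constructed sample share in a temp dir and triage it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample data: file name -> age in hours
            "report.docx": 2, "budget.xlsx.locked": 1,
            "photo.jpg.locked": 3, "old_archive.bak": 500,
        }
        for name, age_h in samples.items():
            p = Path(root) / name
            p.write_bytes(b"x")
            os.utime(p, (now - age_h * 3600,) * 2)  # set atime and mtime
        suspects, by_ext, _by_owner = triage_share(root, now=now)
        return [Path(s[0]).name for s in suspects], dict(by_ext)

if __name__ == "__main__":
    print(demo())
```

The earliest entries in the sorted list and the dominant owner ID are starting points for locating the first infected device, not proof of it; file timestamps can be altered.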