How do I know I have been attacked by ransomware?

The first sign may be a “ransom letter” appearing in a new text file, your browser or desktop created by the ransomware alerting you to on-going damage with instructions and threats. Your work files may appear corrupted or unusable.

How did I get attacked?

Ransomware is usually first received as a disguised email attachment or by mistakenly downloading from a deceptive website or link. It could be an .exe disguised as another type of file or an Office file may contain a malicious macro. This video demonstrates an attack via a Word file macro:

Should I pay the ransom?

The recommendation is to not attempt to pay the ransom. The Australian Cyber Security Centre states the reasoning here:

“If affected by ransomware, the ACSC advises against paying the ransom. There is no guarantee cybercriminal s will decrypt files once the ransom is paid, and there is a chance that files may not be recoverable – wiper malware, where files are permanently modified or deleted, sometimes masquerades as ransomware. Further, the link provided to the victim directing them to information about payment and contacts may inadvertently install further malware onto the victim’s system or network.

Payment of a ransom demonstrates a willingness to give in to criminal demands. The willingness of Australian organisations to pay ransoms can perpetuate further criminal activity and may result in unnecessary diversion of investment s away from the Australian economy.”

First steps in response to ransomware

  • IMPORTANT! Quarantine the infected computer. Disconnect it from networks, this could mean unplugging it’s network cable, turning off it’s Wi-Fi or both. Remove USB drives. Stop using the quarantined device for tasks and switch to an alternate device or computer to work from.
  • Take note of the “ransom letter”, what kind of ransomware it claims to be, what the Bitcoin address is if listed. You may need to have this information on hand to assist a technician to identify ransomware.
  • Don’t turn off the device until instructed to by your technician.
  • Contact your technical support promptly. If they are not familiar with your back up routine, you may need to be prepared with information on where back-ups are stored eg cloud storage, off site drives etc.
  • Check if your organisation has a response plan in place, discuss this with your technical support.
  • Once the attack is confirmed, alert colleagues to the issue, they may be targeted or at risk of the same malicious email etc.
  • Check if other devices on your network are effected.


Learn more about ransomware in the latest publication from the Australian Cyber Security Centre –