Why scope assessment matters before recovery
Businesses under pressure to get back online often skip or rush the assessment phase and go straight to restoration. This is a serious mistake. If you restore systems before understanding how the attackers got in, you will almost certainly be reinfected — sometimes within hours. If you don't know which systems were affected, you may restore data that was already encrypted or exfiltrated.
The assessment phase is uncomfortable because it takes time when every instinct says to act immediately. But a thorough assessment is what makes recovery permanent rather than temporary.
Identify which systems and files are encrypted
Walk through your environment systematically — servers first, then workstations, then shared storage. For each system, determine:
- Is the machine encrypted? Can you open files normally?
- Are there ransom note files present? Note their exact filenames and locations.
- What file extensions have been changed? The appended extension, together with the ransom note, usually identifies the ransomware family.
- When did the encryption appear to start? Check file modification timestamps.
Document every affected system — make, model, hostname, IP address, operating system, and what was encrypted. This information will be needed for insurance claims, law enforcement reporting, and recovery planning.
Determine if the attack is still active
Some ransomware variants continue encrypting files even after initial detection. Signs that an attack may still be active:
- File modification timestamps continuing to update on previously clean machines
- New ransom notes appearing on systems that hadn't shown them before
- Unusual outbound network traffic (if you have network monitoring in place)
- New user accounts appearing in Active Directory or Microsoft 365
- Scheduled tasks or services you don't recognize appearing on servers
If the attack appears to still be active, additional isolation steps are needed. Contact your incident response team immediately.
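The two sections above describe a manual walk-through: find ransom notes, spot renamed files, read timestamps, then watch whether encryption is still progressing. The following script is an added example (not code from the original article) that does both on one host: it inventories a directory tree and then compares two snapshots taken some minutes apart, so that new encrypted files or new notes between them mean the attack is still active. Everything in it is an assumption or a constructed sample: the `.locked` extension, the note-name keywords, the list of extensions the share normally holds, the hostname `FS01` and the temporary directory it builds. Replace those with what you actually observe in your environment.

```python
"""Scope-assessment helper: inventory encrypted files and ransom notes under a
path, then compare two snapshots to see whether encryption is still progressing.

Added example, not part of the original article. Assumptions (constructed,
replace with what you observe on the victim host): the ransomware appends
".locked" to every file it encrypts, and its notes are text/HTML files whose
names contain one of NOTE_KEYWORDS.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

NOTE_KEYWORDS = ("readme", "recover", "decrypt", "restore_files")        # constructed
NORMAL_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}  # what the share normally holds


def is_ransom_note(name):
    """A ransom note is a text-like file whose name carries one of the keywords."""
    lower = name.lower()
    return lower.endswith((".txt", ".html", ".hta")) and any(k in lower for k in NOTE_KEYWORDS)


def to_iso(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, timezone.utc).isoformat()


def assess_tree(root, hostname):
    """Inventory one system: ransom notes, unexpected extensions, first/last encryption time.

    The modification time of a renamed file is used as the moment it was encrypted,
    which is what the article's "check file modification timestamps" step relies on.
    """
    notes, encrypted, ext_counts = [], {}, Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_ransom_note(name):
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if not ext or ext in NORMAL_EXTENSIONS:
                continue  # extension is one the share normally holds: treat as untouched
            ext_counts[ext] += 1
            encrypted[path] = os.stat(path).st_mtime
    times = list(encrypted.values())
    return {
        "hostname": hostname,
        "ransom_notes": sorted(notes),
        "suspect_extensions": dict(ext_counts),
        "encrypted_files": encrypted,          # path -> mtime (epoch seconds)
        "first_encrypted": to_iso(min(times)) if times else None,
        "last_encrypted": to_iso(max(times)) if times else None,
    }


def still_active(earlier, later):
    """True if a later snapshot of the same system shows new encrypted files or new notes."""
    new_files = set(later["encrypted_files"]) - set(earlier["encrypted_files"])
    new_notes = set(later["ransom_notes"]) - set(earlier["ransom_notes"])
    return bool(new_files or new_notes)


def build_sample(root, encrypted_count, base_time=1_700_000_000):
    """Construct a share: two untouched files, `encrypted_count` files renamed with the
    constructed .locked extension and stamped one minute apart, and one ransom note."""
    os.makedirs(os.path.join(root, "finance"), exist_ok=True)
    for name in ("budget.xlsx", "photo.jpg"):
        open(os.path.join(root, name), "w").close()
    for i in range(encrypted_count):
        path = os.path.join(root, "finance", f"report{i}.docx.locked")
        open(path, "w").close()
        os.utime(path, (base_time + 60 * i, base_time + 60 * i))
    open(os.path.join(root, "finance", "HOW_TO_RECOVER_FILES.txt"), "w").close()


def demo():
    """Two walks of the same (constructed) share; two more files are encrypted in between."""
    root = tempfile.mkdtemp()
    build_sample(root, 3)
    first = assess_tree(root, "FS01")
    build_sample(root, 5)
    second = assess_tree(root, "FS01")
    return first, second, still_active(first, second)


if __name__ == "__main__":
    first, second, active = demo()
    print(first["hostname"], len(first["encrypted_files"]), first["first_encrypted"], first["last_encrypted"])
    print("notes:", first["ransom_notes"])
    print("still active:", active)
```

Run it against a mapped share or a mounted disk image of each affected system in turn, with a few minutes between the two walks; the per-host dictionaries are the raw material for the inventory the article asks you to keep for insurance and law-enforcement reporting, and a `True` from `still_active` is the cue to escalate isolation rather than begin restoration.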
Check for data exfiltration
Modern ransomware attacks are frequently double-extortion attacks — attackers exfiltrate data before encrypting it, then threaten to publish it publicly if the ransom isn't paid. Determining whether data was exfiltrated is critical for legal notification obligations and cyber insurance claims.
Signs of potential data exfiltration:
- Unusual outbound network traffic in your firewall or network logs in the days or weeks before the attack
- Large file transfers to unknown external IP addresses or cloud storage services
- Use of tools like WinRAR, 7-Zip, or rclone that weren't installed by your IT team
- Access to sensitive file shares outside of normal business hours
- VPN or remote access connections from unusual geographic locations
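The exfiltration signs listed above are things you look for in firewall or flow logs: large volumes leaving for unfamiliar external addresses, and external connections at odd hours. The script below is an added example, not code from the original article, that runs that review over a constructed log sample. The five-field line layout (`timestamp src dst dport bytes_out`), the 500 MB threshold, the 07:00 to 18:59 business-hours window and the internal address ranges are all assumptions; map your own firewall export onto those fields and adjust the threshold to your normal traffic.

```python
"""Exfiltration triage over outbound firewall/flow logs.

Added example, not from the original article. The log format is a constructed
generic layout: "timestamp src dst dport bytes_out". Thresholds, business hours
and the internal ranges are assumptions to tune per environment.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample covering the days before a hypothetical encryption event
# (2024-03-05 is a Tuesday, 2024-03-06 a Wednesday).
SAMPLE_LOG = """\
2024-03-05T02:14:05 10.20.1.15 203.0.113.40 443 412000000
2024-03-05T02:31:44 10.20.1.15 203.0.113.40 443 388000000
2024-03-05T09:05:10 10.20.1.22 10.20.1.5 445 95000000
2024-03-06T11:20:00 10.20.1.31 198.51.100.7 443 1200000
2024-03-06T23:48:12 10.20.1.15 203.0.113.40 22 250000000
"""

LARGE_TRANSFER_BYTES = 500_000_000   # assumption: ~500 MB per (internal host, destination) pair
BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 local time, Monday to Friday
# Your own address space; an explicit list is used rather than ipaddress.is_private
# so that the organisation's public ranges can be added and documentation ranges are
# not silently treated as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    ts, src, dst, dport, nbytes = line.split()
    return {"time": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "bytes": int(nbytes)}


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def is_off_hours(when):
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def find_exfil_signals(log_text):
    """Aggregate bytes sent to external destinations per (src, dst) pair and list
    off-hours external connections; both are review leads, not proof of exfiltration."""
    totals = defaultdict(int)
    off_hours = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_external(rec["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        key = (str(rec["src"]), str(rec["dst"]))
        totals[key] += rec["bytes"]
        if is_off_hours(rec["time"]):
            off_hours.append((rec["time"].isoformat(), key[0], key[1], rec["dport"], rec["bytes"]))
    large = {k: v for k, v in totals.items() if v >= LARGE_TRANSFER_BYTES}
    return {"large_transfers": large, "off_hours_external": off_hours}


if __name__ == "__main__":
    result = find_exfil_signals(SAMPLE_LOG)
    for (src, dst), total in result["large_transfers"].items():
        print(f"large outbound volume {src} -> {dst}: {total / 1e6:.0f} MB")
    for row in result["off_hours_external"]:
        print("off-hours external connection:", row)
```

A hit in `large_transfers` is the "large file transfers to unknown external IP addresses" sign from the list; each destination should then be checked against the services your IT team actually uses (backup, cloud storage, update servers) before it is treated as suspect. The `off_hours_external` rows give you the timestamps to correlate with VPN logs and file-share access records, and together they form the evidence behind the notification decision the article describes.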
Document everything
From the moment you become aware of the attack, document everything. Take screenshots of ransom notes, error messages, and affected systems. Write down the date and time you discovered the attack and every action taken since. This documentation is required for:
- Cyber insurance claims — most policies require prompt notification and documentation of the incident timeline
- Law enforcement reporting — the FBI IC3 and local law enforcement will need this information
- Regulatory notifications — if client or patient data was exposed, you may have legal notification obligations
- Post-incident review — understanding exactly what happened is essential for preventing recurrence
Quick Reference Checklist
- Inventory every affected system — document hostnames, IPs, what was encrypted
- Note the ransomware variant (from file extensions or ransom note)
- Determine if the attack is still active or contained
- Review network logs for signs of data exfiltration
- Screenshot all ransom notes and error messages
- Document a timeline of when the attack was discovered and what actions were taken
- Identify which data may have been exposed — needed for notification decisions