Ransomware
Rev. 9-2025
What is Ransomware?
Ransomware is malicious software that encrypts or disables access to files, systems, or networks, and then demands a ransom—often in cryptocurrency—in exchange for restoring access. Ransomware can disrupt business operations, expose customer data, and cause regulatory and reputational harm.
Data created on devices used outside the office may be stored locally or in the cloud, and backups may not happen until the device is returned to the office or the end user backs it up manually. This environment is ripe for cyber-attacks.
How Ransomware is Delivered
- Phishing emails (malicious links or attachments)
- Infected websites or malvertising (drive-by downloads)
- Compromised remote access tools (RDP, VPN) or weak credentials
- Malicious USB devices or infected media
- Third-party/vendor breaches (supply-chain attacks)
- AI-enhanced social engineering that convincingly impersonates trusted parties
Red Flags / Warning Signs
- Unexpected email with attachment or link urging immediate action
- Unusual system behavior (slow performance, files that won’t open)
- Multiple users reporting the same error or inability to access files
- Files with unfamiliar extensions or ransom notes appearing on screens
- Unexplained account logins or admin changes
Prevention Best Practices
- Keep systems and applications updated—apply patches promptly.
- Use unique, strong passwords and enable multi-factor authentication (MFA) for all remote access and admin accounts.
- Train employees to spot phishing and social engineering—verify before clicking.
- Limit administrative privileges and use least-privilege principles.
- Segment networks so a single compromise cannot easily spread.
- Backup regularly and keep backups offline or air-gapped; test restores frequently.
- Use endpoint protection and up-to-date anti-malware solutions.
- Disable unused services (RDP, SMBv1) and block them at the firewall if not required.
If You Suspect a Ransomware Infection (Immediate Steps)
- Do not power down unless instructed by IT—preserve volatile evidence if directed.
- Isolate affected systems—do not attempt to open files or run tools unless directed by IT/security.
- Notify IT / Security immediately and follow escalation procedures.
  - Email: ITsupport@amerifirstbank.com
  - If urgent, contact Brooke at 334-799-1904.
- Document what you observed (times, messages, files affected) and who was using the system.
- Do not pay the ransom without direction from senior leadership, legal, and security specialists—payment does not guarantee recovery and may have legal/regulatory implications.
- Preserve logs and evidence for forensic analysis and regulatory reporting.
Post-Incident Recovery & Reporting
- Follow IT/Security instructions for clean-up and restoration from verified backups.
- Report incidents internally and to required regulatory or law enforcement bodies as instructed by your compliance team.
- Cooperate with forensic investigators to determine root cause and prevent recurrence.
Resources & Support
- For suspected ransomware or other cybersecurity incidents: itsupport@amerifirstbank.com
- Urgent assistance: 334-799-1904 (Brooke)
- Helpful federal resources: FTC (www.ftc.gov) and CISA guidance (for leadership/IT teams).
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture. This is especially critical if employees access their work network from their home computers. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.