Ransomware Attack: A Detailed Intervention by Our CERT

27 Apr, 2023
Ransomware attack

Step Inside Our CERT: A Full Breakdown of a Ransomware Incident Response

David Quesada, Director of the Advens CERT, walks us through the detailed steps of our Computer Emergency Response Team’s intervention. Exclusive interview!

What is a ransomware attack?

A ransomware attack involves sending malicious software to a target which, once activated, encrypts files and all data on the affected information system. A ransom is then demanded in exchange for a decryption key.

What are the early warning signs of a ransomware attack?

There are weak signals, but they are difficult to detect.
The attacker’s goal is to remain unnoticed for as long as possible. Once inside a system, they may wait months before launching the attack. Warning signs may include unusual behavior, such as activity during the night or abnormal network transfers.
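As an added example (not part of the interview and not Advens CERT tooling), the following Python script shows how the two weak signals just named, activity during the night and abnormal network transfers, can be flagged over a handful of constructed log lines, and how a host showing both at once is surfaced for priority review. The log format, the working-hours window, the spike threshold and the host names are all assumptions chosen for illustration.

```python
"""Weak-signal triage over constructed logon and network-flow records.

Two signals from the interview are checked:
  1. interactive logons outside the working-hours window (night-time activity)
  2. outbound transfers far above the host's own baseline (abnormal transfers)
Hosts that show both are reported first.
"""
import statistics
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines, not real logs.
# Format (assumed): timestamp|event type|host|user|bytes sent out
SAMPLE_LOG = """\
2023-04-20T09:12:05|logon|WS-14|alice|0
2023-04-20T10:30:00|flow|WS-14|alice|120000
2023-04-20T14:03:41|flow|WS-14|alice|95000
2023-04-21T02:47:13|logon|SRV-DB1|svc_backup|0
2023-04-21T02:49:00|flow|SRV-DB1|svc_backup|4200000000
2023-04-21T11:00:00|flow|SRV-DB1|svc_backup|80000
2023-04-22T03:15:00|logon|WS-07|bob|0
"""

WORK_START = time(7, 0)   # assumed working-hours window; a real deployment
WORK_END = time(20, 0)    # would also take weekends and holidays from a calendar
SPIKE_FACTOR = 10         # a flow is abnormal if it exceeds 10x the host's median of its other flows


def parse_log(text):
    """Parse the pipe-separated records into dictionaries with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, host, user, sent = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "kind": kind,
            "host": host,
            "user": user,
            "bytes": int(sent),
        })
    return events


def off_hours_logons(events):
    """Logon events whose time of day falls outside [WORK_START, WORK_END)."""
    return [e for e in events
            if e["kind"] == "logon"
            and not (WORK_START <= e["ts"].time() < WORK_END)]


def abnormal_transfers(events):
    """Flow events whose volume dwarfs the median of the same host's other flows."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "flow":
            by_host[e["host"]].append(e)
    flagged = []
    for flows in by_host.values():
        for f in flows:
            others = [o["bytes"] for o in flows if o is not f]
            if not others:
                continue  # a single flow gives no baseline to compare against
            baseline = statistics.median(others)
            if baseline > 0 and f["bytes"] > SPIKE_FACTOR * baseline:
                flagged.append(f)
    return flagged


def weak_signals(text):
    """Return both signal lists in a compact, easily inspected form."""
    events = parse_log(text)
    return {
        "off_hours": [(e["ts"].isoformat(), e["host"], e["user"])
                      for e in off_hours_logons(events)],
        "transfers": [(e["ts"].isoformat(), e["host"], e["bytes"])
                      for e in abnormal_transfers(events)],
    }


def correlated_hosts(text):
    """Hosts that show both signals: the ones an analyst should look at first."""
    signals = weak_signals(text)
    night = {host for _, host, _ in signals["off_hours"]}
    spikes = {host for _, host, _ in signals["transfers"]}
    return sorted(night & spikes)


if __name__ == "__main__":
    for label, items in weak_signals(SAMPLE_LOG).items():
        print(label, items)
    print("review first:", correlated_hosts(SAMPLE_LOG))
```

On the constructed data, the night-time logons on SRV-DB1 and WS-07 and the 4.2 GB outbound flow from SRV-DB1 are flagged, and SRV-DB1 is reported first because it shows both signals. The per-host median baseline is deliberately simple; the point is that each signal alone is noisy, and it is the combination on one host that turns a weak signal into something worth escalating.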

What happens once the attack becomes visible?

IT tools stop responding or behave abnormally. Users may notice unexpected behavior on their workstations—software no longer working, desktop backgrounds changing, etc. Then a text file often appears, typically titled “Read me,” containing the dreaded message: “We have encrypted your data. Call this number to recover it in exchange for XX €.”

Should you contact the attacker?

We strongly advise against contacting the attacker or negotiating the ransom. There’s no guarantee you’ll recover your data, and you may not save time.

Instead, every minute counts. If a user discovers the attack, they must immediately alert the cybersecurity team—or the IT support team if no dedicated team exists—and absolutely not try to handle the incident alone.

What are the first steps taken by Advens CERT in a ransomware attack?

The identification phase unfolds in several steps—essentially “first aid” actions.

Our CERT begins with a phone-based assessment to understand the extent of the damage and what actions have already been taken, then sends a list of priority actions via an emergency email address while the team prepares to deploy on-site.

The team aims to arrive within 24 hours in France. Meanwhile, the client must:

  • Isolate the information system from the internet.
  • Disconnect Active Directory to prevent attacker movement.
  • Back up any data not yet encrypted.

Simultaneously, management activates the crisis management plan (if one exists), which may include a business continuity plan: What’s affected? How? Why? What are the impacts? Which services must remain operational?

Once on-site, we map the damage and identify the first actions to take over the next 2–3 days.

What happens during the containment and remediation phase?

After a week of investigation, we establish a “trust core”—a secure environment where only verified systems are allowed. This is critical because the attack may still be evolving or new vulnerabilities may emerge.

We continue to support the client’s crisis unit, sharing updates and helping prioritize which business functions to restore first.

Two scenarios are possible:

  • A Business Impact Analysis (BIA) exists, helping prioritize service restoration.
  • No prior planning exists, requiring us to help define priorities—often a time-consuming process.

How do you restore the system and return control to the client?

We then begin rebuilding the information system—a process that can take 4 to 6 weeks or even longer.

Once operational, the CERT gradually steps back, and other Advens teams take over to implement a supervised SOC, maintain security conditions, define new procedures, and provide training.

At the end of the intervention, we deliver a full report: digital investigations, a timeline of the incident, an attack diagram, and technical conclusions with an action plan.

The client then resumes control of remediation and business restoration, with or without continued support from Advens.