# What is Ransomware Response and Recovery?

Ransomware response and recovery involves identifying [malware](https://www.paloaltonetworks.com/cyberpedia/what-is-malware?ts=markdown) and minimizing the harm inflicted on affected systems as a result of [ransomware attacks](https://www.paloaltonetworks.com/cyberpedia/ransomware-common-attack-methods?ts=markdown). Although data recovery from ransomware is often possible, the more difficult task is preventing the subsequent loss of productivity and revenue, damage to brand reputation, and potential exposure of sensitive information.

## How to Respond to a Ransomware Attack

So much of the ransomware discussion centers on prevention that the hard realities of actual attacks, and the actions taken to effect ransomware removal and recovery, can get obscured. Knowing what to do when your organization falls victim to a ransomware attack and your best efforts fail is critical.

Time is of the essence in ransomware attack situations. Knowing how to act quickly to halt the attack's progression, prevent it from spreading, and communicate with attack groups in the event you need to negotiate are all important skill sets.

Organizations need to evolve defenses to address the various methods threat actors use to apply pressure. Today's [incident response plans](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan?ts=markdown) need to involve not only technical considerations but also safeguards for an organization's reputation and how to protect employees or customers who may become targets for some of the extortionists' more aggressive tactics.

Quick access to an [incident response team](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown) and legal advisors is vital during extortion attempts. An effective response plan and crisis communication strategy will lessen uncertainty and clarify stakeholder roles and decision-making, such as payment approvals. Training employees on ransomware harassment and conducting a thorough post-incident review are essential to prevent future attacks.

## How Do Ransomware Attacks Begin?

Ransomware attacks typically begin through the following vectors:

### [Phishing](https://www.paloaltonetworks.com/cyberpedia/what-is-phishing?ts=markdown) Emails

Attackers send emails that appear to be from legitimate sources but contain malicious attachments or links. When the attachment is opened or the link is clicked, the initial payload is downloaded and installed on the user's device.

### [Exploit Kits](https://www.paloaltonetworks.com/cyberpedia/what-is-an-exploit-kit?ts=markdown)

These are tools that cybercriminals use to exploit known vulnerabilities in software and operating systems. If a user's system is not updated with the latest security patches, exploit kits can provide an easy way for ransomware to infiltrate.

### Remote Desktop Protocol (RDP) Exploits

RDP is a popular way to access computers remotely. Attackers can use brute-force attacks or stolen credentials to gain access to a network via RDP and then deploy ransomware.

### Drive-by Downloading

Merely visiting a compromised website without interaction can lead to a ransomware infection if the site has a drive-by download set up to exploit browser vulnerabilities.

### Malvertising

Malicious advertising can redirect users to ransomware distribution sites or trick users into downloading malicious software disguised as legitimate software.

### [Social Engineering](https://www.paloaltonetworks.com/cyberpedia/what-is-social-engineering?ts=markdown)

Attackers use psychological manipulation to trick users into breaking security procedures, such as giving away sensitive information or granting access to critical systems.

### Software Vulnerabilities

Attackers can also exploit unpatched vulnerabilities in widely used software, deploying ransomware without any user interaction.

### Supply Chain Attacks

By compromising a software provider or a vendor, attackers can use the trust relationship between businesses to deploy ransomware. For instance, a malicious update from a vendor could contain ransomware.

### Network Propagation

Once inside a network, some ransomware variants can move laterally across connected systems, using various techniques to identify and compromise additional machines.

Understanding these vectors is crucial in developing effective defenses against ransomware.
Regular security training, system patching, and vigilant monitoring of networks and emails are vital in preventing such attacks. Also, consider mitigating ransomware risk by performing targeted assessments and attack simulations designed to identify hidden vulnerabilities, weak security controls, or signs of compromise in your environment.

## Reducing Dwell Time

Dwell time is the period of time a threat actor spends in your environment before being detected. If you can stop threat actors in the earlier stages of their attack, you can avoid downstream ransomware in your environment.

To reduce dwell time and identify threat actor activity, monitor your systems for unusual indicators. Look out for:

* The installation and usage of unauthorized remote access tools
* Unauthorized discovery activity (e.g., scanning, enumeration)
* Atypical file access or downloads
* Unusual network traffic

## Common Threat Actor Techniques

As ransomware groups have evolved and maximized the effectiveness of [ransomware as a service](https://www.paloaltonetworks.ca/cyberpedia/what-is-ransomware-as-a-service) in recent years, multi-extortion techniques have allowed ransomware groups to increase leverage and maximize profit.

Threat actors will look for any opportunity to gain the upper hand. With multi-extortion techniques, attackers do more than encrypt files and disrupt business operations. For example, they often post information about breached organizations on [dark web leak sites](https://www.paloaltonetworks.ca/cyberpedia/what-is-a-dark-web-leak-site) and threaten to release or sell stolen data if a ransom is not paid. The goal is to get you to pay more money faster.

To minimize ransomware attacks, follow a defense-in-depth approach, implementing safeguards throughout all layers of your infrastructure (e.g., email, web applications, and network). You can also employ services that monitor your brand and associated communications (e.g., communications on the dark web).

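
The four indicators listed under Reducing Dwell Time can be checked against endpoint and network telemetry and used to estimate how long an intruder was present. The following is an added example, not Palo Alto Networks code: the event schema, tool allowlist, thresholds, host names and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values: every tool name, host and threshold below is a
# constructed placeholder to be replaced with your own inventory and baselines.
KNOWN_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "corp-rmm.exe"}
APPROVED_REMOTE_TOOLS = {"corp-rmm.exe"}
SCAN_DISTINCT_PEERS = 20      # distinct internal peers per host per window
FILE_READ_MULTIPLIER = 10     # reads per window relative to the host baseline
EGRESS_MULTIPLIER = 10        # outbound bytes per window relative to baseline
WINDOW = timedelta(minutes=10)
EPOCH = datetime(1970, 1, 1)


def bucket(ts):
    """Align a timestamp to the start of its fixed detection window."""
    return EPOCH + ((ts - EPOCH) // WINDOW) * WINDOW


def triage(events, baseline):
    """Return sorted (first_seen, host, indicator) findings for the four indicators."""
    first_seen = {}
    peers, reads, egress = defaultdict(set), defaultdict(int), defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        key = (host, bucket(ts))
        indicator = None
        if ev["type"] == "process":
            image = ev["image"].lower()
            if image in KNOWN_REMOTE_TOOLS and image not in APPROVED_REMOTE_TOOLS:
                indicator = "unauthorized remote access tool"
        elif ev["type"] == "conn" and ev["internal"]:
            peers[key].add(ev["dst"])
            if len(peers[key]) >= SCAN_DISTINCT_PEERS:
                indicator = "discovery activity"
        elif ev["type"] == "conn":
            egress[key] += ev["bytes_out"]
            base = baseline["egress_bytes"].get(host)
            # Hosts without a baseline are skipped rather than guessed at.
            if base and egress[key] > EGRESS_MULTIPLIER * base:
                indicator = "unusual network traffic"
        elif ev["type"] == "file_read":
            reads[key] += 1
            base = baseline["file_reads"].get(host)
            if base and reads[key] > FILE_READ_MULTIPLIER * base:
                indicator = "atypical file access"
        if indicator:
            # Events are processed in time order, so the first hit is the earliest.
            first_seen.setdefault((host, indicator), ts)
    return sorted((ts, host, ind) for (host, ind), ts in first_seen.items())


def dwell_time(findings, detected_at):
    """Time between the earliest indicator and the moment the attack was noticed."""
    if not findings:
        return None
    return detected_at - findings[0][0]


# Typical per-window values for each host (constructed).
BASELINE = {"file_reads": {"fs-01": 12}, "egress_bytes": {"fs-01": 20_000_000}}


def sample_events():
    """Constructed telemetry: one workstation, then a file server, over two days."""
    t0 = datetime(2024, 3, 4, 9, 0)
    events = [
        {"ts": t0, "type": "process", "host": "ws-17", "image": "AnyDesk.exe"},
        {"ts": t0 + timedelta(minutes=1), "type": "process", "host": "ws-22",
         "image": "corp-rmm.exe"},  # approved tool, must not be flagged
    ]
    events += [{"ts": t0 + timedelta(hours=2, seconds=10 * i), "type": "conn",
                "host": "ws-17", "internal": True, "dst": f"10.0.5.{i}"}
               for i in range(25)]
    events += [{"ts": t0 + timedelta(days=1, seconds=i), "type": "file_read",
                "host": "fs-01", "path": f"/finance/doc{i}.xlsx"}
               for i in range(300)]
    events += [{"ts": t0 + timedelta(days=1, hours=1, seconds=30 * i), "type": "conn",
                "host": "fs-01", "internal": False, "dst": "203.0.113.50",
                "bytes_out": 50_000_000} for i in range(10)]
    return events


if __name__ == "__main__":
    found = triage(sample_events(), BASELINE)
    for ts, host, indicator in found:
        print(ts.isoformat(), host, indicator)
    print("dwell time:", dwell_time(found, datetime(2024, 3, 6, 2, 0)))
```
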
![Common Threat Actor Techniques](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/ransomware-response-and-recovery/common-threat-actor-techniques.png "Common Threat Actor Techniques")

![BlackCat Ransom Note](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/ransomware-response-and-recovery/blackcat-ransom-note.png "BlackCat Ransom Note")

*This is an example of a BlackCat ransom note that was dropped on a compromised system.*

The ransomware landscape has continued to evolve, with specific extortion tactics becoming more prevalent. While the frequency of tactics can vary depending on the targets and attackers, the following were among the most commonly reported:

### [Encryption of Data](https://www.paloaltonetworks.com/cyberpedia/data-encryption?ts=markdown)

The fundamental tactic of encrypting a victim's data and demanding a ransom for the decryption key remains very common, as it directly impacts the victim's operations and creates a clear incentive to pay.

### Data Theft

Attackers often steal sensitive data before or during encryption and then threaten to release it publicly if the ransom is unpaid.

### Multi-Extortion Ransomware

In addition to encrypting the victim's files, [multi-extortion ransomware](https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware?ts=markdown) adds further layers to the cyberattack: the ransomware operator exfiltrates files and threatens to publicly release the victim's data unless the ransom is paid. The added threat increases the pressure on the victim to pay the ransom quickly and makes it more difficult for them to refuse to pay. These attacks can be particularly damaging because they disrupt the victim's ability to access their own data while also potentially exposing sensitive or confidential information to the public.

### Harassment of Employees and Customers

Attackers increasingly contact employees and customers of the affected organization, pressuring the company from multiple angles to pay the ransom to avoid damage to its reputation and relationships.

### Time-Sensitive Ultimatums

Many ransomware groups use countdown timers that threaten irreversible consequences if the ransom isn't paid within the given timeframe, exploiting the urgency to force quick decision-making.

The commonality of these tactics underscores the importance of comprehensive preventative measures, strong backup strategies, and incident response plans to mitigate the risks before an attack occurs and respond effectively if one does happen. It's also worth noting that the landscape can shift rapidly, and new tactics can emerge at any time, so continuous monitoring of cybersecurity trends is crucial.

## Data Theft and Multi-extortion Ransomware

![Industries most heavily impacted by extortion attacks](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/ransomware-response-and-recovery/industries-most-heavily-impacted-by-extortion-attacks.png "Industries most heavily impacted by extortion attacks")

*Manufacturing, Professional and Legal Services and Wholesale and Retail are the most heavily impacted industries targeted by ransomware extortion.*

Ransomware groups often threaten to leak data stolen from victims. Due to the efficacy of this tactic, many threat actors target regulated data sets or highly commercially sensitive information for maximum leverage.

### What is Data Theft?
Data theft is the unauthorized taking or intercepting of files and personal information from a computer system. This can be accomplished through various means, such as hacking, malware, phishing, or [insider threats](https://www.paloaltonetworks.com/cyberpedia/insider-threat?ts=markdown).

The stolen data may include sensitive personal information, intellectual property, business documents, customer databases, and other valuable digital assets. Cybercriminals can use this data for various malicious purposes, including identity theft, financial fraud, corporate espionage, or selling information on the dark web.

### What is Multi-Extortion Ransomware?

Multi-extortion ransomware is an advanced attack that combines encrypting a victim's data with threats of leaking it, harassing stakeholders, launching additional attacks, and demanding further ransoms. This strategy amplifies the pressure on victims to pay to avoid greater damage, such as operational disruption, public exposure, and legal consequences.

This multi-pronged approach significantly increases the pressure on victims to pay the ransom, as they face multiple potential consequences beyond losing access to their data. It also complicates the recovery process and increases possible damages, including reputational harm and regulatory issues, particularly if sensitive customer data is involved and privacy laws such as [GDPR](https://www.paloaltonetworks.com/cyberpedia/gdpr-compliance?ts=markdown) are violated.

## How to Uninstall Ransomware and Retrieve Data

Uninstalling ransomware from a compromised system can be a challenging and complex task, but it is not impossible. To remove ransomware from your systems, follow these steps:

1. **Isolate the infected system:** Disconnect the compromised computer from the network to prevent the ransomware from spreading to other devices.
2. **Identify the ransomware:** Identify the ransomware type affecting your system.
   This is crucial for two reasons: to explore decryption tools and to understand the malware for effective removal. If available, trustworthy decryption tools can help recover encrypted files.
3. **Remove the ransomware:** Use reputable antivirus or anti-malware software to scan and remove the ransomware from your system. Make sure your antivirus definitions are up to date. Some ransomware variants may be resistant to removal. In such cases, you may need to consult with a professional computer security team, such as [Unit 42](https://start.paloaltonetworks.com/incident-response-checklist-unit42?utm_source=google-jg-amer-unit42-unrc-unpt&utm_medium=paid_search&utm_campaign=google-unit42-unit42_port-amer-multi-lead_gen-en-brand&utm_content=7014u000001VQ5nAAG&utm_term=unit%2042&cq_plac=&cq_net=g&gad_source=1&gclid=EAIaIQobChMIhtD004-jjAMVIM7CBB2gmwWrEAAYASAAEgJpAvD_BwE), or use specialized removal tools.
4. **Restore your files:** Restore files from a clean backup source if you have backups. Do not use backups made while the system is infected, as they may contain encrypted files or malware that will restart the infection. If you don't have backups, you can recover your files using decryption tools if they are available for your specific ransomware variant. Law enforcement agencies, cybersecurity companies, and community-driven initiatives sometimes release such tools.
5. **Strengthen your security:** After removing the ransomware, improving your system's security is essential to prevent future infections. Update your operating system and software, and install a reliable security suite. Be cautious about email attachments, downloads, and links from untrusted sources.

## Steps to Recovery After a Ransomware Attack

Even after a ransomware incident is resolved, it takes time for an organization to fully restore operations, remediate security issues, improve security controls, and recover the financial and reputational ground lost.
After ransomware has been removed, the following steps should be taken to recover.

### Investigation

Conduct a thorough investigation to understand how the ransomware entered your systems, the scope of the impact, and any data that might have been compromised or exfiltrated.

### Restoration and Recovery

Restore data from backups, ensuring you do not reintroduce ransomware into the network. Validate that backups are clean before restoration. This should be done systematically and with caution to avoid reinfection.

### Communication

Communicate with internal and external stakeholders about the incident, what is being done in response, and what steps will be taken to prevent future incidents.

### Enhancement of Security Posture

Based on the findings from the investigation, enhance your security protections to prevent similar attacks. This may include patching vulnerabilities, improving email filtering, and enhancing [endpoint protection](https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-protection?ts=markdown).

### Training and Awareness

Provide training for employees to recognize and respond to phishing attempts and other malicious activities that could lead to a ransomware infection.

### Continuous Monitoring

Implement continuous monitoring strategies to detect and respond to future incidents quickly.

### Compliance and Reporting

Follow any necessary compliance regulations regarding [data breaches](https://www.paloaltonetworks.com/cyberpedia/data-breach?ts=markdown), including reporting the incident to government bodies or notifying affected individuals.

Specific recovery steps can vary depending on the nature of the attack, the type of data involved, and the affected organization's pre-existing incident response protocols. Consulting with cybersecurity professionals and legal experts during the recovery process is often crucial to ensure proper incident handling.

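
The restoration guidance above (do not use backups made while the system was infected, and validate that backups are clean before restoring) can be expressed as a restore-point check. This is an added example, not Palo Alto Networks code: the catalog layout, file names, extensions, sample hash and entropy threshold are constructed assumptions, and the cut-off is assumed to be the earliest compromise time established by the investigation, which is usually earlier than the moment files were encrypted.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime

RANSOM_EXTENSIONS = (".locked", ".encrypted")  # constructed, not tied to a real family
ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold for "looks encrypted"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte; encrypted content approaches 8.0."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def inspect_backup(backup, earliest_compromise, bad_hashes):
    """Return the reasons a backup must not be restored (empty list means usable)."""
    reasons = []
    if backup["taken_at"] >= earliest_compromise:
        reasons.append("taken at or after earliest known compromise")
    for path, data in sorted(backup["files"].items()):
        digest = sha256(data)
        if backup["manifest"].get(path) != digest:
            reasons.append(f"{path}: does not match backup manifest")
        if digest in bad_hashes:
            reasons.append(f"{path}: matches hash from the investigation")
        if path.lower().endswith(RANSOM_EXTENSIONS):
            reasons.append(f"{path}: ransomware extension")
        elif len(data) >= 1024 and entropy(data) > ENTROPY_LIMIT:
            # Compressed archives and media are also high-entropy; in practice
            # exempt those types or compare against the previous backup.
            reasons.append(f"{path}: high-entropy content")
    return reasons


def select_restore_point(backups, earliest_compromise, bad_hashes):
    """Pick the newest backup that passes every check; report why others failed."""
    rejected, usable = {}, []
    for backup in backups:
        reasons = inspect_backup(backup, earliest_compromise, bad_hashes)
        if reasons:
            rejected[backup["name"]] = reasons
        else:
            usable.append(backup)
    chosen = max(usable, key=lambda b: b["taken_at"], default=None)
    return (chosen["name"] if chosen else None), rejected


def pseudo_random(blocks):
    """Deterministic high-entropy bytes standing in for encrypted content."""
    return b"".join(hashlib.sha256(bytes([i % 256, i // 256])).digest()
                    for i in range(blocks))


def make_backup(name, taken_at, files):
    manifest = {path: sha256(data) for path, data in files.items()}
    return {"name": name, "taken_at": taken_at, "files": files, "manifest": manifest}


def sample_catalog():
    """Constructed catalog: two clean backups, one during dwell time, one after encryption."""
    ledger = b"date,account,amount\n" + b"2024-02-01,4010,129.50\n" * 200
    dropper = b"constructed-dropper-bytes"  # placeholder for a tool found by responders
    backups = [
        make_backup("2024-02-23", datetime(2024, 2, 23, 1), {"ledger.csv": ledger}),
        make_backup("2024-03-01", datetime(2024, 3, 1, 1), {"ledger.csv": ledger}),
        make_backup("2024-03-05", datetime(2024, 3, 5, 1),
                    {"ledger.csv": ledger, "svc-update.exe": dropper}),
        make_backup("2024-03-06", datetime(2024, 3, 6, 1),
                    {"ledger.csv": pseudo_random(128),
                     "notes.txt.locked": pseudo_random(4)}),
    ]
    return backups, datetime(2024, 3, 4, 9, 0), {sha256(dropper)}


if __name__ == "__main__":
    catalog, compromise_time, iocs = sample_catalog()
    name, why_not = select_restore_point(catalog, compromise_time, iocs)
    print("restore from:", name)
    for backup_name, reasons in why_not.items():
        print(backup_name, "rejected:", "; ".join(reasons))
```
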
## Unit 42® Incident Response Methodology

![Threat Intelligence-Unit 42 Incident Response Methodology](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/ransomware-response-and-recovery/threat-intelligence-unit-42-incident-response-methodology.png "Threat Intelligence-Unit 42 Incident Response Methodology")

*Palo Alto Networks follows a proven methodology as outlined in this image.*

Unit 42, the threat intelligence and incident response team at Palo Alto Networks, helps customers respond to and recover from ransomware attacks through a combination of expert-led services, threat intelligence, and proactive defense strategies.

**Scope**

For an accurate understanding of the incident, getting the scoping phase right is critical. This allows us to align the right resources and skill sets to get your organization back up and running as quickly as possible and accurately estimate the effort needed to assist you.

**Investigate**

We work to fully understand the incident as we investigate what happened, leveraging the available data and working alongside your team.

**Secure**

As the incident is contained and the threat actor and their tools are eradicated from your environment, we concurrently assist your organization with rapidly restoring operations.

**Support and Report**

Unit 42 will also assist you in understanding the incident's root cause and potential impact, including any unauthorized access or acquisition of sensitive information that may trigger legal obligations.

**Transform**

A key step in incident response is helping ensure an improved security posture going forward. We work with you to apply specific improvements and build out incident response plans that will help protect against future and similar attacks.

Read [Mitigating Cyber Risks with MITRE ATT&CK](https://start.paloaltonetworks.com/2023-unit42-mitre-attack-recommendations) for an in-depth set of recommendations by Unit 42 incident responders.

## Ransomware Removal and Recovery FAQs

### What immediate steps should be taken when ransomware is detected in a network?

Isolate the infected system from the network to prevent the spread of ransomware. Turn off Wi-Fi and Bluetooth, and unplug any storage devices. Use antivirus software to scan and remove the ransomware from the system if possible. Contact a cybersecurity professional for assistance.

### Can ransomware files be decrypted without paying the ransom?

It depends on the type of ransomware. Some decryption tools are available for certain ransomware strains, which can be found on websites like No More Ransom. However, decryption is guaranteed only with the specific key, so efforts should focus on restoring files from backups.

### Is paying the ransom recommended when affected by ransomware?

Law enforcement agencies and cybersecurity experts generally advise against paying the ransom. Paying does not guarantee file recovery and may encourage future attacks. Instead, focus on removing the malware and restoring systems from backups.

### How can one ensure all traces of ransomware have been removed from the system?

After removing the ransomware using antivirus or anti-malware tools, it's crucial to conduct a thorough scan of the entire network and validate the system's integrity. Engaging a cybersecurity firm for a post-mortem analysis is recommended to ensure all backdoors and malware traces are eradicated. Regularly update security patches and change all system passwords as a precaution.