Discovered ransomware on your business network? Follow this step-by-step incident response guide to contain the attack, minimize damage, and recover your systems safely. Time is critical.
You've just discovered ransomware on your business network. Your files are encrypted, systems are locked, and a ransom note demands payment in cryptocurrency. Your heart is racing, and you're wondering: What do I do right now?
The next 24 hours are critical. The actions you take immediately after discovering a ransomware attack will determine whether you recover quickly with minimal damage—or face weeks of downtime, data loss, and regulatory penalties.
This guide walks you through the exact steps to take, in order, when you're under attack.
Step 1: Isolate Infected Systems Immediately (Within 5 Minutes)
Time is your enemy. Ransomware can reach other hosts and shared drives within minutes, and the operators behind it usually still have live access to your network while you read this. Your first priority is containment.
What to do:
- Disconnect infected machines from the network – Pull the network cable or disable Wi-Fi. If your EDR tool has a host-isolation feature, use it: it cuts all traffic except the agent's own channel, so you keep visibility into the machine. For virtual machines, disconnect the virtual NIC at the hypervisor rather than inside the guest.
- Leave systems powered on – Shutting down wipes volatile memory, which may hold the encryption keys, running processes and live network connections that investigators (and sometimes decryptor authors) need. Power a machine off only if you cannot disconnect it any other way and it is actively encrypting.
- Identify the scope – Check other workstations, servers, hypervisors and network-attached storage for encrypted files and ransom notes. Once you know the extension the ransomware appends, a search for that extension across your file shares tells you how far it got.
- Disconnect backup systems – If your backups are reachable from the network, isolate them immediately, before the ransomware encrypts them too, and treat the backup server's own credentials as compromised.
Critical: Many ransomware variants specifically target backups. If your backups are already encrypted, you've lost your primary recovery option.
Step 2: Activate Your Incident Response Team (Within 15 Minutes)
A ransomware attack is not a one-person job. You need a coordinated response across IT, management, legal, and potentially law enforcement.
Who to contact immediately:
- Your IT/Security team – Bring in all available technical staff
- Senior management/C-suite – They need to authorize spending for recovery and make payment decisions
- Cyber insurance provider – If you have cyber insurance, notify them immediately. Policies set notification deadlines, and many require the insurer's approval before you engage outside responders, negotiate, or pay, so read the policy before you act.
- External incident response firm – Consider bringing in specialists who handle ransomware daily
- Legal counsel – You may have regulatory reporting obligations depending on your industry and where your customers live, and counsel can direct the investigation so that its findings stay privileged.
If you don't have an incident response plan in place, contact Cloud Vanguard IT immediately. We provide emergency incident response services and can be on-site or remote within hours.
Step 3: Document Everything (Start Immediately)
From the moment you discover the attack, start documenting:
- Time of discovery and who discovered it
- The ransom note and a handful of encrypted files, preserved as copies (with their hashes) rather than only screenshots, since identification and any later decryptor need the actual files
- List of affected systems, shares and files
- Every action taken during response
- Timeline of events
- Communication logs with attackers (if any)
This documentation is critical for insurance claims, law enforcement investigations, and regulatory compliance reporting.
Step 4: Identify the Ransomware Variant (Within 1 Hour)
Knowing which ransomware strain hit you is crucial for understanding your options.
How to identify it:
- Look at the ransom note – Many variants identify themselves
- Check file extensions – Encrypted files usually carry an extension the malware appends (for example .lockbit; Ryuk used .RYK), although many variants now generate a random extension per victim, so treat the extension as a hint rather than an identification
- Use ID Ransomware – Upload the ransom note and an encrypted file to id-ransomware.malwarehunterteam.com
Why this matters:
- Some ransomware variants have free decryption tools available
- Known flaws in some encryption implementations can enable recovery
- Understanding the threat actor helps assess their reliability if you consider payment
Check No More Ransom to see if a free decryption tool exists for your variant.
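As an added example (not part of the original guide), the following Python script does the scoping from Step 1 and the extension check from Step 4 in one pass over a copy of a suspect file share or a mounted disk image: it samples each file's bytes, flags high-entropy files as likely encrypted, tallies the extensions those files carry so the attacker's appended extension stands out, and collects files whose names look like ransom notes. The entropy threshold, the filename patterns and the constructed sample tree are assumptions chosen for illustration, not data from the article. Run it against a read-only mount or a forensic copy, not the live host you are preserving.

```python
"""Triage a file tree for likely-encrypted files and ransom notes.

Added example, not part of the original guide. Thresholds, name patterns and
the constructed sample tree are assumptions chosen for illustration.
"""
import math
import os
import re
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024
# Assumed cut-off: random-looking data scores near 8.0 bits/byte, text near 4-5.
# Compressed archives and media also score high, so a hit is a lead, not proof.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256  # tiny files give unreliable entropy estimates
# Assumed (not exhaustive) fragments seen in ransom-note filenames.
NOTE_NAME = re.compile(r"readme|how[_\- ]?to|decrypt|restore|recover|ransom", re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".htm", ".hta"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str) -> bool:
    """Ransom notes are usually small text/HTML files with telltale names."""
    stem, ext = os.path.splitext(name)
    return ext.lower() in NOTE_EXTS and NOTE_NAME.search(stem) is not None


def triage(root: str) -> dict:
    """Walk `root` and summarise what looks encrypted and where the notes are.

    Returns {"encrypted": [paths], "notes": [paths], "extensions": Counter}
    where "extensions" counts the extensions of the high-entropy files; the
    attacker's appended extension normally dominates that tally.
    """
    encrypted, notes, exts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_like_ransom_note(name):
                notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the sweep
            if len(sample) >= MIN_SIZE and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                encrypted.append(path)
                exts[os.path.splitext(name)[1].lower() or "(none)"] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "extensions": exts}


def build_sample_tree(root: str) -> None:
    """Create a constructed sample share: one intact document, two encrypted, one note."""
    share = os.path.join(root, "finance")
    os.makedirs(share, exist_ok=True)
    with open(os.path.join(share, "budget.csv"), "wb") as fh:
        fh.write(b"quarter,revenue,cost\nQ1,120000,98000\n" * 60)  # low entropy
    for name in ("invoice.pdf.lockbit", "payroll.docx.lockbit"):
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for ciphertext
    with open(os.path.join(share, "RESTORE-MY-FILES.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us to decrypt.\n")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = run_demo()
    print("likely encrypted:", len(result["encrypted"]))
    print("extensions seen :", result["extensions"].most_common())
    print("ransom notes    :", [os.path.basename(p) for p in result["notes"]])
```

Compressed archives, images and documents that were already encrypted by design also score above 7.5 bits per byte, so treat a high-entropy hit as a lead to verify; the ransom note plus one odd extension shared by thousands of files is the confirmation. The extension tally and the note are exactly what the next step feeds into ID Ransomware.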
Step 5: Determine the Extent of Data Breach (Within 4 Hours)
Modern ransomware isn't just about encryption – it's also about data theft. Most ransomware operations now exfiltrate data before they encrypt and then threaten to publish it unless you pay (double extortion), so an attack can be a reportable breach even if you restore every file from backup.
Investigate:
- Review firewall, proxy, VPN and flow logs for large or unusual outbound transfers, especially to unfamiliar hosts or cloud storage services, or at odd hours
- Check if the ransom note mentions stolen data or points to a leak site
- Look for evidence of data staging (large archives such as .zip, .rar or .7z created in unusual locations shortly before encryption; file transfer tools such as Rclone, WinSCP or MEGAsync installed where they don't belong)
- Determine what types of data were accessible from the compromised accounts and systems (customer records, financial data, health information, etc.)
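To make the first bullet concrete, here is an added example (not from the original article, and not tied to any particular firewall product) that aggregates flow-style firewall logs into internal-to-external byte totals per source/destination pair and flags pairs that either exceed a volume threshold or are heavily upload-weighted, which ordinary browsing never is. The line format, the thresholds, the RFC 1918 definition of "internal" and the sample log lines (which use documentation-range addresses in place of real external hosts) are all constructed assumptions; adapt LINE_RE to your own export format.

```python
"""Flag bulk outbound transfers in flow-style firewall logs.

Added example, not from the original article. The record format, thresholds
and sample data below are assumptions; adapt LINE_RE to your firewall's export.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed one-connection-per-line key=value format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes_out=(?P<out>\d+) bytes_in=(?P<in>\d+)$"
)
# "Internal" means RFC 1918 or loopback; spelled out rather than relying on
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed thresholds: 500 MiB to one external host, or an upload-heavy ratio
# once at least 50 MiB has left (small flows have noisy ratios).
VOLUME_THRESHOLD = 500 * 1024 * 1024
MIN_RATIO_BYTES = 50 * 1024 * 1024
RATIO_THRESHOLD = 20.0

# Constructed sample (TEST-NET addresses stand in for real external hosts).
SAMPLE_LOG = """\
2024-05-02T01:13:08Z src=10.0.4.21 dst=198.51.100.7 dport=443 bytes_out=734003200 bytes_in=1048576
2024-05-02T01:41:55Z src=10.0.4.21 dst=198.51.100.7 dport=443 bytes_out=157286400 bytes_in=524288
2024-05-02T09:02:10Z src=10.0.4.33 dst=203.0.113.10 dport=443 bytes_out=204800 bytes_in=52428800
2024-05-02T09:05:44Z src=10.0.4.33 dst=203.0.113.10 dport=80 bytes_out=10240 bytes_in=3145728
2024-05-02T10:15:01Z src=10.0.4.21 dst=10.0.9.5 dport=445 bytes_out=2147483648 bytes_in=4096
2024-05-02T11:30:00Z src=10.0.4.50 dst=203.0.113.25 dport=22 bytes_out=104857600 bytes_in=1048576
malformed line that the parser must skip
"""


def is_internal(ip: str) -> bool:
    """True if `ip` falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Yield parsed flow records; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                   "dport": int(m["dport"]), "out": int(m["out"]), "in": int(m["in"])}


def find_exfil_candidates(lines):
    """Aggregate internal->external flows per (src, dst) and return flagged pairs.

    Each finding carries byte totals, destination ports, first/last timestamps
    and the reasons it tripped, sorted by bytes_out descending.
    """
    totals = defaultdict(lambda: {"out": 0, "in": 0, "ports": set(), "first": None, "last": None})
    for f in parse_flows(lines):
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only traffic leaving the network can be exfiltration
        agg = totals[(f["src"], f["dst"])]
        agg["out"] += f["out"]
        agg["in"] += f["in"]
        agg["ports"].add(f["dport"])
        agg["first"] = agg["first"] or f["ts"]
        agg["last"] = f["ts"]

    findings = []
    for (src, dst), agg in totals.items():
        reasons = []
        if agg["out"] >= VOLUME_THRESHOLD:
            reasons.append(f"{agg['out'] / 2**20:.0f} MiB sent to one external host")
        ratio = agg["out"] / max(agg["in"], 1)
        if agg["out"] >= MIN_RATIO_BYTES and ratio >= RATIO_THRESHOLD:
            reasons.append(f"upload-heavy ({ratio:.0f}:1 out/in); browsing is the reverse")
        if reasons:
            findings.append({"src": src, "dst": dst, "bytes_out": agg["out"],
                             "bytes_in": agg["in"], "ports": sorted(agg["ports"]),
                             "first": agg["first"], "last": agg["last"], "reasons": reasons})
    return sorted(findings, key=lambda x: x["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['dst']} ports={hit['ports']} "
              f"{hit['first']}..{hit['last']}: {'; '.join(hit['reasons'])}")
```

The 2 GiB SMB flow from 10.0.4.21 to 10.0.9.5 in the sample is ignored on purpose: internal-to-internal bulk copies are staging, the third bullet above, and are found on the hosts and file servers (new large archives, transfer tools that should not be there) rather than at the perimeter. Correlate hits with timing as well: a workstation pushing hundreds of megabytes to one unknown host at 01:00, shortly before encryption started, is about as clear a signal as perimeter logs give.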
Critical: If regulated data (PII, PHI, financial records) was potentially exfiltrated, you have strict reporting deadlines, and the clocks generally start when you become aware of the breach (one more reason to timestamp your documentation):
- GDPR: 72 hours from awareness to notify the supervisory authority (Article 33); affected individuals must also be told without undue delay when the risk to them is high
- HIPAA: notify affected individuals without unreasonable delay and no later than 60 days after discovery
- State breach notification laws: Vary by state, often 30-90 days, and many also require notifying the state attorney general
Step 6: Assess Your Recovery Options (Within 6 Hours)
Now that you understand what you're dealing with, evaluate your recovery paths:
Option 1: Restore from Backups
This is always the preferred option if available.
- Verify your backups weren't encrypted or deleted, and that they predate the intrusion; attackers often dwell for days or weeks before encrypting, so a backup taken the night before may already contain their tools and accounts
- Test restore on a clean, isolated system first
- Determine data loss window (time between last backup and attack)
- Ensure the threat is eradicated before restoring to production
Option 2: Free Decryption Tools
For certain ransomware variants, security researchers have developed free decryption tools.
- Check No More Ransom and Emsisoft's decryption tools
- Test on a few files before full decryption
- Keep encrypted files backed up in case decryption fails
Option 3: Pay the Ransom (Last Resort)
Payment should only be considered when:
- No viable backups exist
- No free decryption tool is available
- The data is critical to business survival
- The threat actor is known to provide working decryption keys
Important: Paying doesn't guarantee decryption: a meaningful share of victims who pay receive no working decryptor or recover only part of their data, and attacker-supplied decryptors are often slow and buggy. Payment also funds criminal operations, marks you as a target for repeat attacks, and may be unlawful if the group is under sanctions (in the US, OFAC has warned that paying sanctioned actors can violate sanctions law), so involve counsel before any payment.
Step 7: Eradicate the Threat (Before Restoration)
Do not restore systems until the threat is completely removed. Ransomware actors often maintain persistent access even after initial deployment.
Eradication steps:
- Identify the initial access vector – Phishing email? RDP brute force? Vulnerability exploit?
- Find and remove all malware – Don't just remove the ransomware executable; look for backdoors, trojans, and other tools
- Reset all credentials – Every password, API key, and service account, starting with privileged accounts, and only after the attacker's access has been cut off (otherwise they simply harvest the new ones). In Active Directory, reset the krbtgt account password twice, with enough time between resets for replication, so that forged Kerberos tickets stop working.
- Patch vulnerabilities – Update all systems and close security gaps
- Rebuild compromised systems from clean images – In many cases, reimaging is safer than trying to clean infected systems
- Review and harden security controls – Implement lessons learned
Step 8: Restore Operations Carefully
Once the threat is eradicated, begin restoration in phases:
- Restore critical systems first – Prioritize based on business impact
- Test each system before bringing it online – Verify functionality and absence of malware
- Monitor intensively – Watch for signs of reinfection or persistent access
- Keep backups of encrypted data – Store the encrypted files, the ransom note and any malware samples offline for at least 6-12 months; decryption keys are sometimes leaked or seized by law enforcement long after an attack, and insurers or investigators may need the originals
Expect the restoration process to take days or weeks, not hours.
Step 9: Report to Authorities and Learn from the Incident
File a report with law enforcement:
- FBI Internet Crime Complaint Center (IC3)
- Local FBI field office
- CISA (Cybersecurity and Infrastructure Security Agency)
Reporting to law enforcement:
- Helps track threat actors and can sometimes recover funds
- Is often required for cyber insurance claims
- Contributes to broader threat intelligence
Conduct a post-incident review:
- How did the attackers get in?
- What security controls failed?
- How can we prevent this in the future?
- What worked well in our response?
- What should we improve?
What NOT to Do During a Ransomware Attack
- Don't panic and immediately pay the ransom – Assess your options first
- Don't delete ransomware files before analysis – They contain valuable forensic information
- Don't restore systems before eradicating the threat – You'll just get reinfected
- Don't negotiate directly with attackers without expert guidance – Specialized negotiators can often reduce demands
- Don't hide the incident from stakeholders – Transparency is critical for legal and regulatory compliance
Prevention: Essential Protections for Your Business
The best ransomware response is prevention. Here are the seven essential protections every business needs:
- Immutable, offline backups – Follow the 3-2-1 rule (3 copies, 2 different media, 1 offsite), and make sure at least one copy cannot be altered or deleted with any credential that exists on the production network (truly offline media, or storage with object-lock-style immutability)
- Multi-factor authentication (MFA) – On all accounts, especially administrative access
- Email security and anti-phishing training – Phishing remains one of the most common entry points, alongside exposed remote access (RDP, VPN) and unpatched internet-facing services
- Endpoint Detection and Response (EDR) – Advanced threat detection beyond traditional antivirus
- Network segmentation – Limit lateral movement if attackers get in
- Regular patching and updates – Many attacks exploit known vulnerabilities
- Incident response plan – Tested and updated annually
Need Help Right Now? We're Here.
If you're currently dealing with a ransomware attack, contact Cloud Vanguard IT's emergency response team immediately. We provide:
- 24/7 emergency incident response
- Rapid threat containment and eradication
- Forensic analysis and recovery support
- Ongoing security hardening to prevent reinfection
Not currently under attack but want to ensure you're protected? Schedule a free ransomware risk assessment to identify your vulnerabilities before attackers do.