Ransomware Defenders

What to Do When Hit by Ransomware: Step-by-Step Response

The first 60 minutes after discovering a ransomware attack are critical. Every action you take or fail to take can mean the difference between a contained incident and a catastrophe.

February 25, 2026 · 12 min read · Incident Response

Under Attack Right Now?

Call our 24/7 emergency hotline immediately for guided incident response.

866-903-2097

You arrive at work on Monday morning. Screens across the office display the same menacing message: your files have been encrypted, and the attackers demand payment in cryptocurrency. The clock is ticking. What do you do?

Panic is natural, but it is the enemy of effective response. This guide walks you through exactly what to do, step by step, from the moment you discover ransomware until your systems are fully restored. Print this out, share it with your team, and keep it accessible because you may need it when your digital systems are down.

Step 1: Do Not Panic and Do Not Pay

The ransom note is designed to create urgency and panic. Countdown timers, threatening language, and escalating demands are all psychological tactics. Take a breath and focus on containment.

The FBI, CISA, and most major cybersecurity organizations advise against paying the ransom. Here is why:

Industry surveys report that only about 8% of organizations that pay recover 100% of their data
Paying marks you as a willing payer, increasing the chance of repeat attacks
Payment funds criminal operations and encourages more attacks globally
There is no guarantee the decryption key will work or that attackers will not leak your data anyway
Paying a sanctioned actor, or an intermediary acting for one, can violate OFAC sanctions; OFAC applies strict liability, so not knowing who you paid is no defense, and no payment decision should be made without legal counsel

Step 2: Isolate Affected Systems Immediately

The single most important immediate action is to prevent the ransomware from spreading further. Ransomware actively seeks out network shares, connected drives, and other systems to encrypt.

Isolation Checklist

Disconnect affected machines from the network (unplug Ethernet cables, disable Wi-Fi)
Do NOT power off affected systems unless you cannot isolate them any other way; the forensic data in memory is lost on shutdown
Disconnect shared drives and network-attached storage
Disable remote access services (VPN, RDP, remote desktop tools) at the gateway or firewall, not only on individual hosts, since that is often how the attackers got in and how they will try to return
Block lateral movement by segmenting network zones if possible, for example by blocking SMB and RDP between VLANs at the firewall
Disconnect backup systems from the network and pause scheduled backup jobs, so that encrypted files are not copied over good backups and the backup store itself is not encrypted
Document which systems are affected and which are confirmed clean

Critical Warning

Do NOT shut down or reboot infected systems if you can isolate them by other means. Forensic investigators need the data in volatile memory (RAM) to identify the attack vector, determine the ransomware variant, and in some cases recover encryption keys that the malware still holds in memory; a shutdown destroys this evidence permanently. The one exception, which CISA's guidance also makes, is a machine you cannot disconnect from the network: powering it down is better than letting it keep encrypting and spreading. Where you have the tooling, capture a memory image before you do anything else to the host.
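The isolation checklist above as a host-side script. This is an added example, not code from the original guide; it assumes a Windows host with the NetAdapter module (Windows 8 / Server 2012 or later), an evidence drive at D:\IR and a memory imaging tool at an assumed path, all of which you should replace with your own. It records volatile state first, images memory if a tool is present, then disables every adapter and RDP while leaving the host powered on. Run it from the local console as an elevated PowerShell, never over RDP, because the last step severs the session you would be sitting in.

```powershell
#Requires -RunAsAdministrator
# Isolate-Host.ps1 (added example, not from the original article)
# Snapshot volatile state, then take the host off the network WITHOUT powering it off.
# $EvidenceRoot and $MemoryTool are assumptions; point them at your own kit.
param(
    [string]$EvidenceRoot = 'D:\IR',                    # assumption: a clean USB evidence drive
    [string]$MemoryTool   = 'D:\IR\tools\winpmem.exe'   # assumption: whatever imager your forensics partner accepts
)

$hostName = $env:COMPUTERNAME
$out = Join-Path $EvidenceRoot ('{0}-{1}' -f $hostName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out -Force | Out-Null

function Log([string]$Message) {
    # Every action gets a UTC timestamp; this file becomes part of the incident timeline.
    $line = '{0} {1} {2}' -f (Get-Date).ToUniversalTime().ToString('o'), $hostName, $Message
    Add-Content -Path (Join-Path $out 'timeline.log') -Value $line
    Write-Host $line
}

Log 'Isolation started'

# 1. Volatile state first. Pulling the network does not change this; a reboot destroys it.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, UserName, StartTime, Path |
    Export-Csv (Join-Path $out 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
    Export-Csv (Join-Path $out 'tcp-connections.csv') -NoTypeInformation
Get-SmbSession -ErrorAction SilentlyContinue |
    Export-Csv (Join-Path $out 'smb-sessions.csv') -NoTypeInformation
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, Author, State |
    Export-Csv (Join-Path $out 'scheduled-tasks.csv') -NoTypeInformation
quser 2>$null | Out-File (Join-Path $out 'logged-on-users.txt')
Log 'Volatile snapshot written'

# 2. Memory image, if an imaging tool is on the evidence drive (argument syntax varies by tool).
if (Test-Path $MemoryTool) {
    & $MemoryTool (Join-Path $out 'memory.raw')
    Log "Memory image captured with $MemoryTool"
} else {
    Log 'No memory imaging tool found; host left powered on for the forensics team'
}

# 3. Sever the network: every adapter that is up, wired and wireless alike.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Log "Disabling adapter '$($_.Name)' ($($_.InterfaceDescription))"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# 4. Deny RDP as well, so the host stays closed if someone re-enables an adapter later.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Log 'RDP disabled; isolation complete, host still powered on'

# 5. Hash the collection so it can later be shown to be unaltered (the manifest excludes itself).
Get-ChildItem $out -File | Where-Object Name -ne 'manifest.csv' |
    Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path |
    Export-Csv (Join-Path $out 'manifest.csv') -NoTypeInformation
```

If your EDR platform offers network containment, prefer it over a script like this: it cuts the host off while keeping the agent's management channel open, so responders can still collect telemetry. The script is for hosts with no agent, or when the console is all you have.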

Step 3: Activate Your Incident Response Team

If you have an incident response retainer with a cybersecurity firm, call them immediately. If not, assemble your internal response team and consider engaging external help. Ransomware incidents require specialized expertise. Coordinate over out-of-band channels (personal phones, a separate messaging tenant) rather than corporate email or chat, because the attackers may still be reading them.

IT/Security Lead

Coordinate technical containment and investigation

Executive Leadership

Authorize resources and make critical decisions

Legal Counsel

Advise on regulatory obligations and liability

Communications

Prepare internal and external messaging

HR/Operations

Coordinate business continuity procedures

Cyber Insurance Broker

Notify carrier and initiate claims process

Step 4: Preserve Evidence

Evidence preservation is critical for forensic investigation, law enforcement cooperation, insurance claims, and regulatory compliance. Every piece of evidence tells part of the story of how the attackers got in and what they did.

Screenshot the ransom note — capture the exact text, payment address, and any contact information
Document the file extensions of encrypted files (e.g., .locked, .encrypted, .crypt) and the name of the ransom note file; both are what identification services use to name the variant
Preserve system and security logs from firewalls, VPN gateways, SIEM, endpoint protection, and the affected hosts themselves, before retention windows roll over and the record of the attackers' entry is lost
Record timestamps of when the attack was discovered and when it likely began
Save copies of any communication from the attackers
Take memory dumps of affected systems if your team has the capability, before any reboot and before any cleanup tool is run
Maintain a detailed timeline of all actions taken during the response
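The log-preservation and timeline items above, for a single Windows host. This is an added example, not code from the original guide; it assumes an evidence drive at D:\IR (replace with your own) and a host where the listed event channels may or may not exist (missing ones are skipped). It exports the raw .evtx files, which keep the metadata a CSV of parsed events loses, builds a first-pass timeline of network and RDP logons, failed logons, cleared audit logs and newly installed services, and hashes the package. Run it on every affected host and on the domain controllers.

```powershell
#Requires -RunAsAdministrator
# Export-HostEvidence.ps1 (added example, not from the original article)
# $EvidenceRoot is an assumption; point it at your own evidence drive.
param(
    [string]$EvidenceRoot = 'D:\IR',   # assumption: a clean evidence drive
    [int]$LookbackDays = 30
)

$out = Join-Path $EvidenceRoot ('{0}-logs-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Full .evtx exports. Channels the host does not have are skipped.
$channels = @(
    'Security', 'System', 'Application',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-Windows Defender/Operational'
)
foreach ($ch in $channels) {
    if (Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue) {
        $file = Join-Path $out (($ch -replace '[\\/ ]', '_') + '.evtx')
        wevtutil epl $ch $file
    }
}

# 2. First-pass timeline: network/RDP logons (4624, logon type 3 or 10), failed logons (4625),
#    cleared audit log (1102) and newly installed services (7045) within the lookback window.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 1102; StartTime = $since } -ErrorAction SilentlyContinue) +
          @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 7045;             StartTime = $since } -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    if ($e.Id -eq 4624 -and ($d.LogonType -notin '3', '10')) { continue }   # skip local/service logon noise
    [pscustomobject]@{
        TimeUtc = $e.TimeCreated.ToUniversalTime().ToString('u')
        Id      = $e.Id
        User    = $(if ($d.TargetUserName) { "$($d.TargetDomainName)\$($d.TargetUserName)" } else { $d.AccountName })
        Source  = $(if ($d.IpAddress) { $d.IpAddress } else { $d.ImagePath })
        Detail  = $(switch ($e.Id) {
            4624 { "logon type $($d.LogonType) via $($d.LogonProcessName)" }
            4625 { "failed logon, status $($d.Status)" }
            1102 { 'audit log cleared' }
            7045 { "service installed: $($d.ServiceName)" }
        })
    }
}
$rows | Sort-Object TimeUtc | Export-Csv (Join-Path $out 'logon-timeline.csv') -NoTypeInformation

# 3. Hash the package so it can be shown to be unaltered for the insurer, regulators or law enforcement.
Get-ChildItem $out -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path |
    Export-Csv (Join-Path $out 'manifest.csv') -NoTypeInformation
"Evidence package written to $out ($(@($rows).Count) notable events)"
```

Read logon-timeline.csv from the top: the earliest type 10 (RDP) or type 3 (network) logon from an address you do not recognise, or a 1102 followed by a 7045, is usually the best first estimate of when the attack began, which is the timestamp the checklist asks you to record.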

Step 5: Assess Damage and Begin Recovery

Once the threat is contained, shift focus to understanding the full scope of the damage and planning your recovery. This phase requires methodical assessment before taking any restoration actions.

Recovery Priority Order

1. Identify the ransomware variant

ID Ransomware identifies the family from the ransom note and an encrypted sample file; the No More Ransom project maintains a list of free decryptors for variants whose keys have been recovered or whose encryption is flawed.

2. Verify backup integrity

Confirm that your backups are clean and were not compromised before restoration. Check that the backup predates the intrusion, not just the encryption: attackers typically dwell in the network for days or weeks before detonating, and a recent backup may already contain their tooling and persistence.

3. Patch the entry point

Before restoring, fix the vulnerability that allowed the attack to prevent immediate re-infection, and reset any credentials the attackers could have captured, including privileged and service accounts.

4. Restore from clean backups

Begin with the most critical business systems. Use a clean, isolated environment for initial restoration.

5. Validate restored systems

Scan restored systems for dormant threats before reconnecting to the production network.

6. Monitor for re-infection

Implement enhanced monitoring for at least 90 days following the incident.
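Steps 1 and 2 above, variant identification and backup verification, as a triage function. This is an added example, not code from the original guide. It scans a path (a hit share, or a mounted backup volume) and reports the unfamiliar extension that recently modified files now carry, candidate ransom notes, the window during which the rewriting happened, and one sample file per extension for submission to an identification service. The list of "known" business extensions and the sample paths in the usage comment are assumptions; extend the list with whatever your data normally uses.

```powershell
# Get-RansomwareTriage.ps1 (added example, not from the original article)
function Get-RansomwareTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$LookbackDays = 7
    )
    # Assumption: extensions considered normal for this estate; extend for your environment.
    $knownExt = @('.docx', '.xlsx', '.pptx', '.pdf', '.txt', '.csv', '.jpg', '.png', '.zip',
                  '.exe', '.dll', '.log', '.db', '.bak', '.msg', '.eml', '.json', '.xml', '.html')
    $notePattern = 'readme|recover|restore|decrypt|how_to|howto|help|instruction|ransom'
    $since = (Get-Date).AddDays(-$LookbackDays)

    $files  = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue
    $recent = @($files | Where-Object LastWriteTime -gt $since)

    # Ransomware rewrites everything at once, so its extension dominates recent modifications.
    $suspect = $recent |
        Group-Object { $_.Extension.ToLower() } |
        Where-Object { $_.Name -ne '' -and $knownExt -notcontains $_.Name } |
        Sort-Object Count -Descending | Select-Object -First 3

    # Notes are small text/html/hta files with tell-tale names, dropped into most folders.
    $notes = @($files | Where-Object {
        $_.Name -match $notePattern -and ($_.Extension -in '.txt', '.html', '.hta') -and $_.Length -lt 100KB
    })

    # Earliest and latest write among suspect files: the encryption window for the timeline.
    $window = $null
    if ($suspect) {
        $stats = $suspect | ForEach-Object { $_.Group } |
            Measure-Object -Property LastWriteTime -Minimum -Maximum
        $window = [pscustomobject]@{ Start = $stats.Minimum; End = $stats.Maximum }
    }

    [pscustomobject]@{
        Path              = $Path
        FilesScanned      = @($files).Count
        RecentlyModified  = $recent.Count
        SuspectExtensions = @($suspect | ForEach-Object {
            [pscustomobject]@{ Extension = $_.Name; Count = $_.Count; Sample = $_.Group[0].FullName }
        })
        EncryptionWindow  = $window
        RansomNotes       = @($notes | Sort-Object LastWriteTime | Select-Object -First 5 -ExpandProperty FullName)
        NoteNames         = @($notes | ForEach-Object Name | Sort-Object -Unique)
        LooksEncrypted    = [bool]($suspect -or $notes)
    }
}

# Usage (assumed paths): run against the hit share, then against the mounted backup.
# Get-RansomwareTriage -Path '\\fileserver\finance' | Format-List
# Get-RansomwareTriage -Path 'E:\backup-2026-02-20\finance' | Format-List
```

Submit one Sample path and one ransom note from the first run to ID Ransomware or No More Ransom. A clean backup should come back with LooksEncrypted set to False and no suspect extensions; if it does not, that backup was taken after the encryption started and is not a restore candidate. Because the function keys on write times and extensions, also compare the backup's date against the earliest attacker activity in your logs, since a backup can be free of encrypted files and still contain the attackers' persistence.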

Step 6: Notification and Reporting

Depending on your industry and the data involved, you may have legal obligations to notify regulators, customers, and law enforcement. Getting this right is critical.

Report the incident to the FBI's Internet Crime Complaint Center (IC3) and CISA
Notify your cyber insurance carrier within the policy's required timeframe
Assess regulatory notification requirements (HIPAA, PCI DSS, GDPR, state breach laws); the clocks can be short, for example 72 hours to the supervisory authority under GDPR and no later than 60 days to HHS under HIPAA
Prepare customer notification if personal data was compromised
Brief employees on what happened and what information they can share externally
Document all notifications with dates, recipients, and content for compliance records

After the Storm: Post-Incident Hardening

Recovery is not the end. The weeks following an attack are your opportunity to build stronger defenses and ensure it never happens again. Organizations that skip this step are frequently re-victimized.

Conduct a thorough root cause analysis identifying the exact attack vector and timeline
Implement multi-factor authentication on all remote access and privileged accounts
Deploy or upgrade endpoint detection and response (EDR) across all systems
Implement network segmentation to limit future lateral movement
Upgrade backup strategy to include immutable, air-gapped backups
Conduct security awareness training focused on the specific attack type
Schedule a tabletop exercise to practice the response plan
Review and update your incident response plan based on lessons learned

Key Takeaways

  • Do not panic, do not pay — focus on containment and evidence preservation
  • Isolate affected systems immediately but do not shut them down
  • Activate your incident response team and external partners
  • Preserve all evidence for forensics, insurance, and law enforcement
  • Recover from clean backups only after patching the entry point
  • Use the incident as a catalyst to strengthen your security posture permanently


Be Prepared Before an Attack Happens

The best time to prepare for ransomware was yesterday. The second best time is now. Get your defenses assessed by our experts.