When ransomware strikes, every minute matters. The first hour often determines whether an incident remains a temporary disruption or becomes a business-wide crisis. Panic leads to poor decisions, while preparation allows your team to contain the attack before it spreads further.

The goal isn’t to restore everything immediately. The goal is to stop the attack, preserve evidence, and keep the situation from getting worse while your incident response plan begins.

1. Isolate affected devices immediately

If a workstation or server shows signs of ransomware—encrypted files, ransom notes, or unusual activity—disconnect it from the network immediately. Remove wired connections, disable Wi-Fi, and disconnect VPN sessions. Isolation prevents malware from spreading to shared drives and additional systems.

2. Don’t immediately power the device off

Unless instructed by your security team, avoid shutting the computer down. Memory and running processes may contain valuable forensic information that helps determine how attackers entered your environment and what systems were affected.

3. Activate your incident response plan

Every organization should know exactly who gets called first, who communicates with leadership, and who is responsible for technical response. If your response depends on figuring things out during the incident, valuable time is already being lost.

“The fastest recoveries aren’t always the companies with the biggest IT budgets—they’re the ones that already knew exactly what to do.”

4. Identify the scope of the attack

Determine whether the incident affects a single device, multiple users, shared storage, or critical servers. Understanding the scope helps prioritize containment and prevents unnecessary disruption to unaffected systems.

5. Protect your backups

Verify that backup repositories remain isolated and untouched. Modern ransomware often attempts to encrypt or delete backups before demanding payment. Disconnect backup systems if necessary until they’re confirmed safe.

6. Communicate internally

Notify employees that an incident is being investigated. Instruct users not to reconnect disconnected devices, open suspicious emails, or attempt their own fixes. Clear communication reduces confusion and prevents additional mistakes.

7. Document everything

Record the timeline of events, affected systems, user reports, screenshots, and actions taken. This information supports forensic investigations, cyber insurance claims, legal reporting, and future security improvements.
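As an added example that is not part of the original article, the following read-only Python script supports step 4 (identifying scope) by flagging the two signs named in step 1 across a file share: ransom notes and files whose contents look encrypted. The note-name pattern, the entropy threshold and the sample file names are assumptions, and the sample share it scans is constructed inline.

```python
import math, os, re, tempfile
from collections import Counter

# Assumed indicators (not from the article): a note whose name promises
# recovery, and file content whose bytes are near-uniformly distributed.
NOTE_PATTERN = re.compile(r"(readme|recover|decrypt|restore).*\.(txt|html|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 4096      # read only the head of each file so shares scan fast
MIN_SIZE = 256           # entropy of tiny files is not meaningful

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str) -> str:
    """'ransom_note', 'likely_encrypted' or 'clean' for one file (read-only)."""
    if NOTE_PATTERN.search(os.path.basename(path)):
        return "ransom_note"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # Caveat: compressed and media files are also high entropy, so treat hits
    # as leads for the scope assessment, not as proof of encryption.
    if len(head) >= MIN_SIZE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "clean"

def triage_tree(root: str) -> dict:
    """Walk root and group flagged paths by verdict; nothing is modified."""
    findings = {"ransom_note": [], "likely_encrypted": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify_file(path)
            if verdict != "clean":
                findings[verdict].append(path)
    return findings

def build_sample_tree() -> str:
    """Constructed sample share: a clean document, a ciphertext-like file, a note."""
    share = os.path.join(tempfile.mkdtemp(prefix="ir-triage-"), "share")
    os.makedirs(share)
    with open(os.path.join(share, "budget.docx"), "wb") as fh:
        fh.write(b"Quarterly budget figures, plain-text placeholder. " * 100)
    with open(os.path.join(share, "budget.docx.locked"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))  # stands in for encrypted content
    with open(os.path.join(share, "README_TO_RECOVER.txt"), "w") as fh:
        fh.write("constructed placeholder text, not a real note\n")
    return os.path.dirname(share)
```

Reading files still updates access times on many filesystems, so where those timestamps matter for the investigation, point the script at a snapshot or a mounted image rather than the live disk.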

What happens next?

Once the attack has been contained, recovery begins. That typically includes forensic analysis, restoring clean backups, rotating compromised credentials, patching vulnerabilities, and reviewing how attackers gained access in the first place. Businesses with tested backup and disaster recovery plans often recover dramatically faster than those creating procedures during the crisis.

Ransomware recovery starts long before an attack occurs. Organizations that invest in layered security, employee awareness training, endpoint protection, and verified backups consistently experience lower recovery costs and significantly less downtime when incidents occur.