Ransomware is one of the most destructive forms of malware because of how fast it moves. Modern strains can encrypt an entire file server in minutes. The decisions you make in the first hour after detection determine whether you lose everything or contain the damage. This is a step-by-step guide for exactly what to do, minute by minute, during a ransomware incident.
If you are actively experiencing a ransomware attack right now, go directly to Step 1: disconnect every affected device from the network immediately. Do not wait. Come back and read the details after.
What Is Ransomware?
Ransomware is malicious software that encrypts your files and demands payment — usually in cryptocurrency — in exchange for the decryption key. Modern ransomware attacks are often conducted by organized criminal groups (sometimes nation-state affiliated) that infiltrate a network, spread to as many systems as possible, exfiltrate sensitive data, and then detonate the ransomware simultaneously across the entire environment.
The ransom demand is secondary. Even if you pay, recovery from ransomware typically takes days to weeks — and about 20% of organizations that pay never receive a working decryption key.
Minutes 0–5: Disconnect Everything
Pull the network cable on every affected machine
Don't log off, don't shut down — physically unplug the Ethernet cable. On Wi-Fi devices, disable Wi-Fi immediately. Speed matters: every second the machine is connected, the ransomware may be spreading to other network shares and systems.
Disconnect any network-attached storage (NAS) devices
NAS drives and file servers are primary targets. Disconnect them from the network even if they don't appear affected — they may be mid-encryption.
Isolate any devices that show symptoms
Strange file extensions, desktop wallpaper replaced by a ransom note, files you can't open — these are symptoms. Isolate those devices. Keep unaffected devices off the network as well until you understand the scope.
Minutes 5–15: Document Everything
Before you do anything else, take photographs of every ransom note screen with your phone. Note the exact time you discovered the attack, which systems appear affected, and what you were doing on those systems in the hours before detection. This documentation is essential for your IT team, insurance claim, and potentially law enforcement.
Do not wipe or reimage machines yet — forensic investigators may need to examine them to determine the attack vector, and some ransomware decryptors require the original encrypted files.
Minutes 15–30: Identify the Scope
Walk through your environment and identify which systems are affected, which appear clean, and which you can't reach. Check your file servers for encrypted files (typically with an unusual file extension like .locked, .encrypted, or a variant of the ransomware family name). Check if your domain controller appears compromised — if it is, your entire environment may be compromised.
If you have a network switch with management capability, check which ports are active and consider disabling any port connected to a machine you're uncertain about.
Minutes 30–45: Make Your Calls
Call your IT provider or incident response team first. They can guide you through containment and have tools for identifying the ransomware variant, which affects your recovery options. If you don't have an IT provider, call Ray's Custom Computers at (931) 557-6104 — we have experience with ransomware incident response.
Contact your cyber insurance carrier if you have a policy. They have specific requirements for claims — you need to notify them early, and they often have preferred vendors for incident response that may be covered under your policy.
Report to the FBI IC3 at ic3.gov. Reporting doesn't obligate you to anything but helps law enforcement track ransomware groups and occasionally leads to decryptors being released publicly. For critical infrastructure or healthcare, CISA notification may be legally required.
Minutes 45–60: Check Your Backup Status
The most important question in a ransomware incident is: do you have clean backups, and when do they date from? Check your backup system immediately. Ransomware actors are sophisticated — they often compromise backup systems before detonating ransomware specifically to eliminate your recovery option.
Look for: offline or cloud backups that weren't network-accessible (and therefore couldn't be encrypted), the most recent clean backup date, and whether your backup media is physically disconnected from the affected network. If you have clean cloud backups from the last 24–48 hours, your recovery path is clear.
After the First Hour
Do not pay the ransom without professional advice. Payment doesn't guarantee decryption, doesn't remove the malware, and makes you a known paying target for future attacks. Your first path is always to restore from backups. If you don't have usable backups, check nomoreransom.org — this project provides free decryptors for some ransomware variants.
Recovery involves: building clean replacement systems, restoring data from clean backups, identifying and closing the initial attack vector (typically a phishing email, exposed RDP, or unpatched vulnerability), and implementing monitoring to confirm the attacker is fully evicted before bringing systems back online.
Prevention Is Far Cheaper
The most effective ransomware defenses are layered: offline or immutable cloud backups (the single most important control), MFA on all remote access and email, endpoint detection and response (EDR) software rather than basic antivirus, network segmentation to limit blast radius, and employee phishing awareness training. Most ransomware incidents start with a single phishing email clicked by one employee.
Don't wait for an incident to get your backups sorted.
Ray's Custom Computers configures ransomware-resilient backup systems for businesses across Tennessee and Alabama — offline backups, cloud redundancy, and tested recovery procedures.
Published by Ray's Custom Computers — serving Fayetteville, TN, Huntsville, AL, and McKinleyville, CA since 1996. Questions? Contact us or call (931) 557-6104.