Ransomware response: what to do first, what not to do, and how to recover

Ransomware is designed to force rushed decisions. The attacker wants you to panic, reconnect infected systems, pay quickly, and destroy evidence that could help recovery. Your advantage is running the response in the right order: contain, stabilize identity, restore from trusted backups, then harden.

Safety note: do not install "decryptors" offered in emails, pop-ups, or direct messages. Many are scams or additional malware. Use only tools from trusted security sources and official guidance.

First actions (what to do immediately)

  • Isolate affected devices: disconnect from Wi-Fi and Ethernet. If you use a VPN, disconnect it.
  • Stop the spread: disable remote access you do not need and pause shared drives if possible.
  • Preserve evidence: take photos/screenshots of ransom notes, filenames, and error messages. Keep log files if you can.
  • Do not wipe immediately: reimaging too early can destroy forensic signals and make it harder to understand entry and scope.
  • Secure the control plane: protect email and admin accounts so the attacker cannot re-enter during recovery.

If you are unsure whether you are dealing with ransomware or another compromise, start with how to check if you've been hacked.

Contain, stabilize, restore: the order that prevents re-infection

Ransomware recovery fails when restoration happens before identity is secured. If the attacker still has credentials or remote access, they can re-encrypt or steal data again.

Each phase, its goal, and the concrete actions that belong to it:

  • Contain. Goal: stop spread and new encryption. Actions: isolate devices, segment networks, disable compromised accounts, pause sync and shares.
  • Stabilize. Goal: regain control of identity and access. Actions: secure email, rotate credentials, revoke sessions, audit admin access and remote tools.
  • Restore. Goal: return to a known-good state. Actions: rebuild from clean images, restore from backups, validate integrity before reconnecting.
  • Harden. Goal: prevent repeat access. Actions: patch, reduce privileges, harden remote access, monitor for persistence, test backups.

Common mistake: restoring systems while the attacker still has access through email, remote tools, or stolen admin credentials. That turns one incident into a loop.

Secure the control plane: email, admin accounts, and remote access

Ransomware often arrives through phishing, exposed remote access, stolen credentials, or compromised devices. The attacker may also compromise email to hide alerts and to use password resets against other accounts and systems.

1) Secure email first

  • Change email passwords from a known-clean device.
  • Enable 2FA on email and admin accounts.
  • Check for malicious forwarding rules and filters.
  • Review recent sign-ins and revoke unknown sessions.

2) Lock down remote access

Disable remote access paths you do not need during response. Common examples include remote desktop exposure, remote management tools, and overly broad VPN access. The goal is to reduce the attacker's ability to move laterally while you recover.

3) Rotate credentials in priority order

  • Email and identity provider accounts
  • Admin accounts and privileged service accounts
  • VPN and remote access accounts
  • Backups and backup-management consoles

Use unique passwords and store them in a password manager. If you are dealing with ongoing compromise signals, do not skip device checks.
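The "check for malicious forwarding rules and filters" step above is easy to get wrong by eye, because attacker rules are built to look boring. The following is an added example, not code from hacked.com: it triages a list of mailbox rules in a simplified, assumed export format (the field names are this example's own, not any provider's schema) for the patterns that matter during response: forwarding outside your own domain, deleting mail, hiding security or finance mail in rarely read folders, and near-empty rule names.

```python
import re

# Constructed sample data and assumed field names; map your provider's export onto them.
OWN_DOMAINS = {"example.com"}
SUSPECT_TERMS = re.compile(r"password|verification|security alert|invoice|payment|wire", re.I)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk", "archive"}

SAMPLE_RULES = [
    {"name": "Team forward", "forward_to": ["ops@example.com"], "delete": False,
     "conditions": [], "move_to": None},
    {"name": ".", "forward_to": ["billing.ext@mail-example.net"], "delete": True,
     "conditions": [], "move_to": None},
    {"name": "cleanup", "forward_to": [], "delete": False,
     "conditions": ["subject: password reset"], "move_to": "RSS Feeds"},
    {"name": "Newsletters", "forward_to": [], "delete": False,
     "conditions": ["from: news@vendor.example"], "move_to": "Reading"},
]

def triage_rule(rule, own_domains=OWN_DOMAINS):
    """Return the reasons a mailbox rule looks like attacker persistence (empty list = clean)."""
    reasons = []
    external = [a for a in rule["forward_to"] if a.split("@")[-1].lower() not in own_domains]
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    if rule["delete"]:
        reasons.append("deletes messages")
    if rule["move_to"] and rule["move_to"].lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely read folder: " + rule["move_to"])
    hides = rule["delete"] or bool(rule["move_to"])
    if hides and any(SUSPECT_TERMS.search(c) for c in rule["conditions"]):
        reasons.append("hides security or finance related mail")
    if len(rule["name"].strip()) <= 2:
        reasons.append("near-empty rule name")
    return reasons

def suspicious_rules(rules):
    """Map rule name -> reasons, for every rule that trips at least one heuristic."""
    return {r["name"]: triage_rule(r) for r in rules if triage_rule(r)}

if __name__ == "__main__":
    for name, why in suspicious_rules(SAMPLE_RULES).items():
        print(f"REVIEW rule {name!r}: " + "; ".join(why))
```

Every flagged rule should be reviewed with the mailbox owner and then removed from a known-clean device, and the review should be repeated after credential rotation, because a rule re-created after the reset is itself a sign that the attacker still has access.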

Device integrity: why password changes may not stick

If an infostealer or remote access trojan is present, it can steal new passwords or sessions immediately after you change them. If compromise repeats after resets, treat it as a device problem.

Start with: how to detect spyware.

Backups: what to verify before you restore

Backups only help if they are safe to restore from. Verify these before you rely on them:

  • Restore point: you have a backup from before the incident.
  • Integrity: the backup is not corrupted and was not encrypted by the ransomware.
  • Isolation: the attacker cannot modify or delete backups from compromised credentials.
  • Test restore: you can restore a representative system or dataset successfully.

Key idea: sync is not the same as backup. If the ransomware encrypted local files, sync can replicate that encryption to the cloud.
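The four checks above can be turned into a repeatable pre-restore gate. The following is an added example, not code from hacked.com: it assumes the backup set carries a manifest of SHA-256 hashes recorded when the backup was taken (an assumed format, not any vendor's), checks the restore point against the incident's first-seen time, verifies every file against the manifest, applies an entropy heuristic to catch files rewritten as ciphertext, and performs a test restore into a scratch directory. The isolation check (whether stolen credentials can delete the backup) is a platform permission question and is deliberately not part of the scan.

```python
import hashlib, math, os, shutil, tempfile
from collections import Counter
from datetime import datetime
from pathlib import Path

def entropy(data):
    """Shannon entropy in bits per byte: ciphertext sits near 8, plain text near 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_backup(backup_dir, manifest, incident_first_seen, entropy_limit=7.0):
    """Run the article's pre-restore checks; returns {check: passed}. The isolation check
    (can stolen credentials delete the backup?) is a platform permission, not a file scan."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    checks = {"restore_point": taken < datetime.fromisoformat(incident_first_seen),
              "integrity": True, "not_encrypted": True, "test_restore": False}
    for name, expected in manifest["files"].items():
        path = Path(backup_dir, name)
        if not path.is_file():
            checks["integrity"] = False      # file missing from the backup set
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != expected:
            checks["integrity"] = False      # corrupted or rewritten after the backup was taken
        if entropy(data) > entropy_limit:    # skip this heuristic for backups encrypted by design
            checks["not_encrypted"] = False
    scratch = Path(tempfile.mkdtemp())       # test restore: copy out, then re-hash the copies
    try:
        for name in manifest["files"]:
            if Path(backup_dir, name).is_file():
                shutil.copy2(Path(backup_dir, name), scratch / name)
        checks["test_restore"] = all((scratch / n).is_file() and
            hashlib.sha256((scratch / n).read_bytes()).hexdigest() == h
            for n, h in manifest["files"].items())
    finally:
        shutil.rmtree(scratch)
    return checks

def build_sample(tamper=False):
    """Constructed sample backup set on disk: two small files plus a hash manifest."""
    d = Path(tempfile.mkdtemp())
    files = {"notes.txt": b"quarterly plan\n" * 40, "ledger.csv": b"id,amount\n1,40\n" * 30}
    manifest = {"taken_at": "2024-03-08T23:00:00+00:00", "files": {}}
    for name, data in files.items():
        (d / name).write_bytes(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    if tamper:  # simulate ransomware reaching the backup after it was taken
        (d / "notes.txt").write_bytes(os.urandom(4096))
    return str(d), manifest
```

A backup set that fails any of these checks is not a restore candidate; in particular a hash mismatch on a file that also shows ciphertext-level entropy is the sync-replicated-encryption case the key idea above warns about.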

Paying: decision factors without false certainty

Whether to pay is a high-stakes decision with legal, operational, and safety tradeoffs. Paying can fund crime, may fail to produce a usable decryptor, and can mark you as a future target. Not paying can be impossible for some organizations without viable backups or with safety-critical operations.

When you evaluate the decision, focus on what actually changes outcomes:

  • Whether you have tested backups from before the incident.
  • Whether you believe data was exfiltrated, not only encrypted.
  • Whether the attacker still has access to your environment.
  • Whether legal and insurance constraints apply to payment or negotiation.

Regardless of the decision, containment and identity control still matter. Paying does not remove persistence.

Reporting and external support

Ransomware is often a crime, not only an IT issue. Reporting can also help when you need assistance and documentation.

If you are a business, involve leadership early. Ransomware response has operational, legal, and reputational implications. If you are an individual, consider professional help if the incident involves sensitive data, repeated extortion, or signs of spyware.

Hardening after recovery (the controls that prevent repeat access)

Post-incident hardening should be tied to the entry path and persistence, not generic advice. The high-yield controls are consistent:

  • Patch operating systems and exposed services quickly, especially anything internet-facing.
  • Reduce admin privileges and separate admin accounts from daily accounts.
  • Enable MFA on email, VPN, admin consoles, and backup consoles.
  • Segment backups and test restores regularly.
  • Improve logging and alerting for privileged sign-ins and remote access changes.

Ransomware is survivable when containment is fast and restoration is real. Tested backups, strong authentication, and reduced admin access change the incident from an existential event into a hard day.

The recovery endpoint is not "files are back." It is a stable environment where the attacker cannot return using the same credentials, remote tools, or unmanaged devices.

If you can build only one durable advantage, build this: predictable recovery. That is what makes ransomware pressure fail.