East Bay Cyber

What Should I Do After a Ransomware Attack?

Responding to ransomware starts with a few urgent priorities: isolate affected systems, preserve evidence, activate your incident response process, and determine the scope before rebuilding anything. Do not rush to wipe devices or restore backups until you understand how the attacker got in and whether they still have access. A ransomware attack is usually both a security incident and a business continuity event, so disciplined response matters more than speed alone.

Short Answer

Immediately isolate affected systems, preserve evidence, activate your incident response plan, and determine the scope. Notify leadership, legal counsel, cyber insurance, and external responders as needed. Do not wipe or rebuild systems yet. Recover from verified clean backups only after containment, credential resets, and validation that the attacker no longer has access.

Why a Ransomware Attack Requires More Than File Recovery

A ransomware attack is not just an encryption problem. It may also involve stolen data, compromised credentials, disabled security tools, and attacker persistence in your environment. Your goal is to contain the incident, preserve evidence, and recover safely without triggering a second compromise.

Many organizations focus first on getting files back. That is understandable, but it can lead to mistakes. If you restore too early, fail to reset exposed accounts, or ignore signs of data theft, you may end up with reinfection, longer downtime, or reporting failures.

1. Isolate Affected Systems Immediately

Disconnect infected endpoints and servers from the network. If necessary:

  • disable Wi-Fi
  • unplug network cables
  • remove VPN access
  • block known malicious traffic at the firewall
  • disconnect shared storage if encryption is spreading

Containment matters more than convenience in the first hour. If you are unsure whether a system is affected, treat it as suspect until verified.

If your remote access is part of the attack path, you may need to disable it temporarily while you assess the scope. For organizations that depend heavily on remote work, a secure VPN setup becomes important during recovery planning. If you are reviewing remote access options after the incident, NordVPN or Surfshark may be worth comparing for smaller teams and individual use cases, but they are not a substitute for proper enterprise incident response controls.

2. Do Not Reboot, Wipe, or Reimage Too Early

A common mistake is to start rebuilding devices before anyone has collected evidence. Memory contents, logs, scheduled tasks, ransomware notes, command history, and lateral movement artifacts may help determine:

  • how the attacker got in
  • what credentials were used
  • whether data was stolen
  • which systems are still at risk

Preserve disk images, memory captures if possible, authentication logs, firewall logs, EDR alerts, and ransom notes. Even small organizations should retain copies of what they can before cleanup begins.

If endpoint protection was missing or failed to catch early activity, this is also a good time to review your layered defenses for the future. For example, tools such as Malwarebytes can be useful as part of an endpoint security stack, though they will not replace forensic investigation during an active event.

3. Activate Your Incident Response Process

If you have an internal incident response plan, use it. If not, establish an emergency command structure immediately. Assign owners for:

  • technical containment and forensics
  • executive decision-making
  • legal and compliance review
  • employee and customer communications
  • business continuity and recovery

If you have cyber insurance, review policy reporting requirements before taking major actions that could affect coverage. Many policies require prompt notification and use of approved breach coaches or forensic firms.

If you do not already have a written process, see /content/how-to-build-a-ransomware-incident-response-plan.

4. Assess Scope and Impact

Do not assume only visibly encrypted systems are affected. Determine:

  • which endpoints and servers are impacted
  • whether backups were touched
  • whether domain admin or privileged accounts were compromised
  • whether cloud services, email, or identity systems were accessed
  • whether data exfiltration occurred before encryption

This step drives every downstream decision, including reporting obligations, customer communications, and recovery sequencing.

Modern ransomware operations often include exfiltration and extortion. That means your incident may involve privacy, contract, and regulatory consequences even if restoration is technically successful.

5. Reset Credentials Strategically

Ransomware operators often steal passwords before detonating payloads. Prioritize resetting:

  • privileged and admin accounts
  • service accounts
  • remote access and VPN accounts
  • backup platform credentials
  • identity provider and email admin accounts

If your identity infrastructure is compromised, plan resets carefully so you do not lock out responders or break recovery processes.

Long term, stronger password hygiene and credential management can reduce future risk. For teams and individuals looking to tighten credential practices after recovery, a password manager such as 1Password can help support unique passwords and controlled sharing.

6. Notify the Right Parties

Depending on your location, industry, and the data involved, you may need to notify:

  • legal counsel
  • cyber insurance carrier
  • managed security provider or incident response firm
  • law enforcement
  • regulators
  • affected customers, employees, or partners

Reporting obligations vary. If personal data, health data, payment data, or regulated business information may have been exposed, involve counsel early.

You should also preserve a clear timeline of decisions, notifications, and technical findings. That record will help with insurance, legal review, and post-incident analysis.

For more on reporting considerations, see /content/when-to-report-a-cyberattack-to-regulators-or-customers.

7. Decide Carefully on Ransom Demands

Paying a ransom is a business, legal, ethical, and operational decision. It is not a guaranteed fix. Even if a decryptor is provided, recovery may be slow, incomplete, or unsafe. Payment also does not guarantee stolen data will be deleted.

Before any decision, evaluate:

  • whether restoration from clean backups is feasible
  • whether decryption is technically viable
  • whether sanctions, legal, or regulatory issues apply
  • whether attackers still have access to the environment

This decision should not be made by IT alone.

8. Restore From Clean, Verified Backups

Only begin restoration after you have confidence that attacker access has been removed or materially reduced. Otherwise, you risk reinfection. Before restoring:

  • validate backup integrity
  • confirm backup systems were not tampered with
  • rebuild from known-good images
  • apply patches and hardening
  • re-enroll systems into monitoring and EDR

Restore in phases. Start with identity, core infrastructure, critical business applications, and then lower-priority systems.

A staged recovery is usually safer than trying to bring everything back at once. Validate each restored segment before moving to the next.
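Steps 2 and 8 both rest on the same mechanism: record what you have (evidence at collection time, backups at creation time) so that you can later prove the set is unchanged. The following is an added example, not code from the original article. It assumes the evidence or backup files sit under one directory and that the JSON manifest is stored somewhere the attacker cannot reach (offline media or an account outside the compromised domain); a manifest kept beside the backups can be rewritten along with them. The directory layout, file names, dates and the "intrusion start" value are all constructed for the demonstration.

```python
"""Hash-manifest workflow shared by evidence preservation (step 2) and
backup validation (step 8). Added example; file names, dates and the
estimated intrusion start are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so disk images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(root: Path, collector: str) -> dict:
    """Record hash, size and mtime of every file under root, plus who
    collected the set and when, so it can be re-checked later."""
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        files[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    return {
        "collector": collector,
        "created": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(root: Path, manifest: dict,
                    intrusion_start: Optional[datetime] = None) -> dict:
    """Classify every file: tampered (hash changed), missing, unexpected
    (present but never recorded), suspect (intact, but written at or after
    the estimated intrusion start, so it may already carry attacker changes),
    or ok."""
    verdicts = {"tampered": [], "missing": [], "unexpected": [], "suspect": [], "ok": []}
    recorded = manifest["files"]
    for rel, meta in recorded.items():
        path = root / rel
        if not path.is_file():
            verdicts["missing"].append(rel)
        elif sha256_file(path) != meta["sha256"]:
            verdicts["tampered"].append(rel)
        elif intrusion_start is not None and datetime.fromisoformat(meta["mtime"]) >= intrusion_start:
            verdicts["suspect"].append(rel)
        else:
            verdicts["ok"].append(rel)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in recorded:
            verdicts["unexpected"].append(rel)
    return verdicts


def demo() -> dict:
    """Constructed scenario: a manifest is written for a small backup set,
    then the tree changes in three ways and is verified against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed backup set; mtimes are set explicitly so the result is stable.
        seed = {
            "snapshot-2026-04-20.tar": (b"full backup A", "2026-04-20T02:00:00+00:00"),
            "snapshot-2026-04-27.tar": (b"full backup B", "2026-04-27T02:00:00+00:00"),
            "snapshot-2026-05-03.tar": (b"full backup C", "2026-05-03T02:00:00+00:00"),
            "catalog.db": (b"backup catalog", "2026-04-27T02:05:00+00:00"),
        }
        for name, (content, stamp) in seed.items():
            path = root / name
            path.write_bytes(content)
            ts = datetime.fromisoformat(stamp).timestamp()
            os.utime(path, (ts, ts))
        manifest = write_manifest(root, collector="IR team (constructed)")

        # Changes made after the manifest was taken, one per verdict.
        (root / "catalog.db").write_bytes(b"backup catalog, altered")  # tampered
        (root / "snapshot-2026-04-20.tar").unlink()                     # missing
        (root / "notes.txt").write_bytes(b"never recorded")             # unexpected
        # Estimated intrusion start from the scope assessment (constructed date);
        # the 2026-05-03 snapshot postdates it and is reported as suspect.
        intrusion_start = datetime.fromisoformat("2026-05-01T00:00:00+00:00")
        return verify_manifest(root, manifest, intrusion_start)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "suspect" verdict is the part teams most often skip: a backup can be byte-for-byte intact and still be useless if it was taken after the attacker was already inside, which is why the scope assessment in step 4 has to produce an estimated intrusion start before restoration begins.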

9. Monitor Aggressively After Recovery

Recovery is not the end of the incident. Watch for:

  • suspicious logins
  • re-created admin accounts
  • disabled security tools
  • unusual outbound traffic
  • persistence mechanisms on restored systems

Treat the environment as high risk until you complete post-incident validation.

You should also review security tooling coverage, logging retention, and alerting thresholds. Many organizations discover after the fact that they lacked enough telemetry to confirm when the intrusion began.
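The five signals listed above can be expressed as simple rules against a normalized event feed. The following is an added example, not code from the original article. The event shape (one JSON object per line with ts, event, user, host and per-event fields), the service and host names, and every baseline set are assumptions constructed for the demonstration; in practice the events come from the SIEM or EDR and the baselines from the known-good state recorded after the rebuild.

```python
"""Post-recovery watch rules for the signals in step 9, run over a constructed
event feed. Added example; event format, names and baselines are assumptions."""
import json
from datetime import datetime

# Known-good state recorded after the rebuild (constructed).
ADMIN_BASELINE = {"da-jsmith", "da-breakglass"}        # only accounts allowed in Domain Admins
EDR_SERVICES = {"edr-agent", "windefend"}              # services that must stay running
APPROVED_TASKS = {"backup-nightly", "patch-window"}    # scheduled tasks created by the rebuild
USUAL_HOSTS = {"da-jsmith": {"adm-ws01"}, "da-breakglass": set()}  # where each admin normally logs on
EGRESS_ALLOW = {"backup.example.internal", "update.example.internal"}
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024             # a single flow above this deserves a look


def rule_admin_recreated(e):
    if (e.get("event") == "group_member_added" and e.get("group") == "Domain Admins"
            and e.get("member") not in ADMIN_BASELINE):
        return "high", f"{e['member']} added to Domain Admins by {e['user']} on {e['host']}"
    return None


def rule_security_tool_disabled(e):
    if e.get("event") == "service_stopped" and e.get("service") in EDR_SERVICES:
        return "high", f"security service {e['service']} stopped on {e['host']}"
    return None


def rule_suspicious_login(e):
    if e.get("event") != "logon_success":
        return None
    user, host = e["user"], e["host"]
    if user in ADMIN_BASELINE and host not in USUAL_HOSTS.get(user, set()):
        return "medium", f"privileged logon for {user} from unfamiliar host {host}"
    hour = datetime.fromisoformat(e["ts"]).hour  # timestamps in this feed are UTC
    if hour < 6 or hour >= 22:
        return "low", f"off-hours logon for {user} on {host} at {hour:02d}:00 UTC"
    return None


def rule_persistence(e):
    if e.get("event") == "scheduled_task_created" and e.get("task") not in APPROVED_TASKS:
        return "medium", f"unapproved scheduled task {e['task']} created on {e['host']} by {e['user']}"
    return None


def rule_unusual_outbound(e):
    if (e.get("event") == "net_flow" and e.get("dst") not in EGRESS_ALLOW
            and e.get("bytes_out", 0) > EGRESS_BYTES_THRESHOLD):
        return "high", f"{e['bytes_out']} bytes from {e['host']} to non-allowlisted {e['dst']}"
    return None


RULES = [rule_admin_recreated, rule_security_tool_disabled, rule_suspicious_login,
         rule_persistence, rule_unusual_outbound]


def scan(lines):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in RULES:
            hit = rule(event)
            if hit:
                severity, detail = hit
                findings.append({"ts": event["ts"], "rule": rule.__name__,
                                 "severity": severity, "detail": detail})
    return findings


# Constructed feed: routine activity mixed with one instance of each signal.
SAMPLE_FEED = """
{"ts": "2026-05-14T09:00:00+00:00", "event": "logon_success", "user": "da-jsmith", "host": "adm-ws01"}
{"ts": "2026-05-14T10:12:00+00:00", "event": "group_member_added", "user": "da-jsmith", "host": "dc01", "group": "Domain Admins", "member": "svc-helpdesk2"}
{"ts": "2026-05-14T10:15:00+00:00", "event": "service_stopped", "user": "SYSTEM", "host": "fs02", "service": "edr-agent"}
{"ts": "2026-05-15T03:14:00+00:00", "event": "logon_success", "user": "da-breakglass", "host": "fs02"}
{"ts": "2026-05-15T03:16:00+00:00", "event": "scheduled_task_created", "user": "da-breakglass", "host": "fs02", "task": "sys-maint"}
{"ts": "2026-05-15T03:30:00+00:00", "event": "net_flow", "user": "", "host": "fs02", "dst": "203.0.113.10", "bytes_out": 2147483648}
{"ts": "2026-05-15T04:00:00+00:00", "event": "net_flow", "user": "", "host": "bk01", "dst": "backup.example.internal", "bytes_out": 3221225472}
{"ts": "2026-05-15T23:40:00+00:00", "event": "logon_success", "user": "jdoe", "host": "ws14"}
{"ts": "2026-05-16T01:00:00+00:00", "event": "scheduled_task_created", "user": "SYSTEM", "host": "bk01", "task": "backup-nightly"}
"""


def demo():
    return scan(SAMPLE_FEED.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']:6}] {f['ts']} {f['rule']}: {f['detail']}")
```

The baselines are the important design choice: rules like these only work if the post-rebuild state (who holds admin rights, which tasks and services exist, where admins log on from) was recorded deliberately, which is also why the preceding paragraph's point about telemetry gaps tends to surface at exactly this stage.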

10. Conduct a Post-Incident Review

Once operations stabilize, document:

  • initial access vector
  • timeline of attacker activity
  • systems and data affected
  • control failures
  • lessons learned
  • remediation roadmap

This review should lead to concrete fixes such as:

  • MFA expansion
  • network segmentation
  • better backup isolation
  • improved logging
  • tighter admin controls
  • tested response playbooks
  • stronger email and identity protections

The most valuable post-incident reviews produce specific action items with owners and deadlines.

Common Mistakes to Avoid

Reconnecting systems too soon

Reconnecting an infected or unverified device can reintroduce malware, trigger encryption on other assets, or alert the attacker that you are responding.

Assuming encryption is the full incident

Encryption is frequently not the whole incident. Modern ransomware often includes data theft and credential compromise, so encryption may be the final stage rather than the first.

Wiping everything immediately

Do not wipe systems before evidence is preserved. Fast cleanup without investigation often causes longer downtime and leaves the root cause unresolved.

Believing payment guarantees recovery

Payment may not deliver recovery. Decryptors can fail, restoration can still take days, and attackers may have copied data or retained access.

Trusting backups without validation

Backups help, but only if they are clean, accessible, tested, and isolated from the attacker. Many ransomware groups target backup infrastructure first.

Final Takeaway

If you are dealing with an active ransomware event, focus first on containment, evidence preservation, scope validation, and expert help. Do not rush into restoration until you have reduced the chance of reinfection. The first decisions you make after a ransomware attack often determine whether recovery takes days, weeks, or much longer.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13