Ransomware Attack — What to Do Before, During, and After

Ransomware is the most financially devastating cyberattack facing small businesses today. In a ransomware attack, criminals encrypt all your business files and demand payment — often tens of thousands of dollars — for the decryption key. Without preparation, a ransomware attack can shut your business down permanently. With preparation, it’s a serious but survivable incident. This guide covers everything you need to know about ransomware — before, during, and after an attack.

What Is Ransomware and How Does It Work?

Ransomware is malicious software that encrypts your files — documents, spreadsheets, databases, photos, everything — and demands a ransom payment in cryptocurrency to provide the decryption key. Modern ransomware attacks are sophisticated, multi-stage operations:

  1. Initial access: Attackers gain entry through a phishing email, compromised credentials, an unpatched software vulnerability, or Remote Desktop Protocol (RDP) exposed to the internet
  2. Reconnaissance: Attackers quietly explore your network, identifying valuable data, backup locations, and security tools — often for days or weeks before encrypting anything
  3. Lateral movement: Attackers move from the initial entry point to other systems, often gaining administrative access
  4. Data exfiltration: Many modern attackers steal data before encrypting — creating additional leverage (“pay or we publish your customer data”)
  5. Encryption: The ransomware executes, encrypting files across your network
  6. Ransom demand: A ransom note appears with payment instructions — typically a cryptocurrency wallet address and a deadline

The Scale of the Problem

  • Average ransom demand for small businesses: $50,000–$200,000
  • Average total cost of a ransomware incident (including downtime, recovery, legal): $500,000–$2,000,000
  • Average downtime: 21 days
  • Percentage of ransomware victims who pay and still don’t get all their data back: approximately 20%
  • Percentage of businesses that experience ransomware more than once after paying: approximately 80%

BEFORE an Attack — Prevention and Preparation

Prevention Controls

Email security: Most ransomware enters through phishing emails. Advanced email filtering, employee training, and DMARC implementation reduce this vector significantly.

Patch management: Keep operating systems, applications, and firmware updated. Many high-profile ransomware campaigns exploited vulnerabilities that had patches available for months — patching eliminated the exposure.

Disable or secure RDP: Remote Desktop Protocol exposed to the internet is a primary ransomware entry point. Disable it if it isn’t needed. If it is, put it behind a VPN, change the default port, enable Network Level Authentication, and use strong credentials with MFA.

Endpoint protection: Modern EDR (endpoint detection and response) tools with behavioral detection catch ransomware based on suspicious file encryption behavior — even previously unseen strains. This is significantly better than signature-based antivirus alone.
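To make "behavioral detection of file encryption" concrete, here is an added example (not code from the original article or from any EDR vendor) of the kind of rule an endpoint agent applies: it measures the Shannon entropy of what a process writes and flags a process that, within a short window, overwrites many normally-low-entropy files with ciphertext-like content or renames them to an unknown extension. The thresholds, file-type sets, process names and the event stream are all constructed for the example; a real product tunes them per environment. The same check also shows why entropy alone is not enough: a backup agent writing a compressed archive produces high-entropy output too, and must not trip the rule.

```python
import math
import os
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tunables (assumed values for this example; a real EDR learns these per environment).
ENTROPY_THRESHOLD = 7.5   # bits per byte; English text sits around 4-5, ciphertext near 8
WINDOW_SECONDS = 10.0     # sliding window over which suspicious writes are counted per process
BURST_THRESHOLD = 20      # suspicious writes inside one window before a process is flagged
# File types whose contents are normally low-entropy; a high-entropy overwrite is a signal.
LOW_ENTROPY_TYPES = {".txt", ".csv", ".sql", ".log", ".xml", ".json", ".html"}
# Extensions a rename may legitimately produce. Ransomware typically renames to something else.
KNOWN_EXTENSIONS = LOW_ENTROPY_TYPES | {".docx", ".xlsx", ".pdf", ".zip", ".gz",
                                        ".jpg", ".png", ".tmp", ".bak"}


@dataclass
class FileEvent:
    ts: float                 # seconds since an arbitrary epoch
    pid: int
    process: str
    path: str                 # file being written
    new_path: Optional[str]   # set when the write was paired with a rename
    data: bytes               # content written (a real agent would sample the first bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte distribution: 0 for a constant, up to 8 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(ev: FileEvent) -> bool:
    """High entropy alone is not enough (archives, images and Office files are compressed).
    Require high-entropy content AND either a normally-low-entropy type being overwritten
    or a rename to an extension nobody uses."""
    src_ext = os.path.splitext(ev.path)[1].lower()
    dst_ext = os.path.splitext(ev.new_path)[1].lower() if ev.new_path else src_ext
    renamed_to_unknown = ev.new_path is not None and dst_ext not in KNOWN_EXTENSIONS
    high_entropy = shannon_entropy(ev.data) > ENTROPY_THRESHOLD
    return high_entropy and (src_ext in LOW_ENTROPY_TYPES or renamed_to_unknown)


def detect_bursts(events: List[FileEvent]) -> Dict[int, str]:
    """Return {pid: process name} for processes showing a burst of suspicious writes."""
    windows: Dict[int, deque] = defaultdict(deque)
    flagged: Dict[int, str] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious_write(ev):
            continue
        q = windows[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > WINDOW_SECONDS:   # drop writes that fell out of the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            flagged[ev.pid] = ev.process
    return flagged


def build_sample_events() -> List[FileEvent]:
    """Constructed event stream: two benign writers and one ransomware-like process."""
    rng = random.Random(7)

    def cipher_like() -> bytes:          # stands in for encrypted output
        return bytes(rng.getrandbits(8) for _ in range(2048))

    events = [
        FileEvent(0.0, 1001, "notepad.exe", r"C:\Users\amy\notes.txt", None,
                  b"Meeting notes: review Q3 numbers and backup test results.\n" * 40),
        # Backup agent writing a compressed archive: high entropy, but a known type, no rename.
        FileEvent(1.0, 1002, "backupagent.exe", r"D:\backups\daily.zip", None, cipher_like()),
    ]
    # 25 CSV files overwritten with ciphertext and renamed to .locked within five seconds.
    for i in range(25):
        path = rf"C:\Shares\finance\invoice_{i:03d}.csv"
        events.append(FileEvent(2.0 + i * 0.2, 4242, "unknown_updater.exe",
                                path, path + ".locked", cipher_like()))
    return events


if __name__ == "__main__":
    for pid, name in detect_bursts(build_sample_events()).items():
        print(f"ALERT: pid {pid} ({name}) shows ransomware-like file encryption behaviour")
```

Running the block prints one alert, for the constructed process 4242, while the backup agent and the text editor stay quiet. The design point is the conjunction: rate, entropy and file-type change together are what distinguish encryption-in-progress from ordinary busy processes.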

Least privilege access: Limit user account privileges. Standard user accounts shouldn’t have administrator rights — ransomware running as a standard user causes far less damage than ransomware with admin privileges.

Multi-factor authentication: MFA prevents attackers who’ve stolen credentials from using them to access your systems — blocking one of the most common initial access methods.

Backup Strategy — Your Most Important Defense

Good backups are the difference between a ransomware attack being a catastrophe and being an inconvenience. The key elements:

Follow the 3-2-1 rule: 3 copies of data, 2 different media types, 1 offsite or cloud copy.

Immutable backups: Ransomware increasingly targets and encrypts backup files. Immutable backups (where data cannot be modified or deleted for a defined period) protect against this. Most cloud backup providers offer immutability options.

Air-gapped backups: At least one backup copy completely disconnected from your network — a drive taken offsite, or a cloud backup with access credentials stored separately from your main systems.

Tested backups: An untested backup is worthless. Conduct quarterly restore tests. For critical systems, test full server restoration annually. Document the recovery time — knowing it will take 4 hours vs 4 days changes your incident response planning.

Backup frequency: How much data can you afford to lose? If backups run nightly and an attack happens at 4 PM, you lose a full day’s work. Continuous or near-continuous backup dramatically reduces the recovery point.
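The two checks above that most often get skipped, verifying that a restore actually reproduces the data and knowing how much work sits between the last backup and an incident, can both be automated. The following is an added example, not code from the original article or from any backup product: a SHA-256 manifest is recorded at backup time, a restored tree is compared against it file by file, and the recovery point age is checked against an RPO. The files, timestamps, RPO and the "broken restore" scenario are all constructed; the manifest should live with the offsite or immutable copy, not on the server being backed up, so that an attacker who reaches the server cannot rewrite both.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """relative path -> SHA-256, computed when the backup is taken.
    Store this with the offsite/immutable copy, not on the backed-up server."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> Dict[str, object]:
    """Check a restored tree file by file against the manifest."""
    missing: List[str] = []
    mismatched: List[str] = []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            mismatched.append(rel)
    return {"missing": missing, "mismatched": mismatched, "ok": not missing and not mismatched}


def exceeds_rpo(last_backup: datetime, incident: datetime, rpo: timedelta) -> bool:
    """True when more data would be lost than the recovery point objective allows."""
    return incident - last_backup > rpo


def run_demo() -> Dict[str, object]:
    """Constructed scenario: three files backed up; the restore loses one and truncates one."""
    files = {
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Acme');\n" * 100,
        "reports/q3.csv": b"month,revenue\n7,12000\n8,13500\n9,15000\n",
        "docs/policy.txt": b"Backup policy: 3-2-1, restore test every quarter.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for rel, data in files.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        manifest = build_manifest(source)          # taken at backup time
        for rel, data in files.items():
            if rel == "reports/q3.csv":            # simulate a file the restore job skipped
                continue
            if rel == "db/customers.sql":          # simulate a truncated restore
                data = data[:-10]
            (restored / rel).parent.mkdir(parents=True, exist_ok=True)
            (restored / rel).write_bytes(data)
        verify = verify_restore(manifest, restored)
    # Recovery point: nightly backup at 02:00, ransomware detonates at 16:00 the same day.
    last_backup = datetime(2024, 6, 3, 2, 0, tzinfo=timezone.utc)
    incident = datetime(2024, 6, 3, 16, 0, tzinfo=timezone.utc)
    hours_at_risk = (incident - last_backup).total_seconds() / 3600
    return {
        "verify": verify,
        "hours_of_data_at_risk": hours_at_risk,
        "rpo_exceeded": exceeds_rpo(last_backup, incident, timedelta(hours=1)),
    }


if __name__ == "__main__":
    result = run_demo()
    print("restore ok:", result["verify"]["ok"])
    print("missing:", result["verify"]["missing"], "mismatched:", result["verify"]["mismatched"])
    print(f"{result['hours_of_data_at_risk']:.0f} hours of work at risk; "
          f"RPO exceeded: {result['rpo_exceeded']}")
```

In the constructed scenario the restore reports one missing and one corrupted file and 14 hours of work at risk against a one-hour RPO, which is exactly the information a quarterly restore test is meant to surface before an incident rather than during one.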

Incident Response Planning

Create a written ransomware response plan before you need it. Under the stress of an active attack, nobody makes good decisions from scratch. Your plan should define:

  • Who is on the incident response team and how to reach them
  • Your cyber insurance policy number and the 24/7 incident response hotline
  • Your IT provider’s emergency contact
  • How to isolate systems from the network
  • Where backups are stored and credentials to access them
  • Legal counsel contact for breach notification guidance
  • Communication plan — what to tell employees, customers, and if required, regulators

DURING an Attack — Immediate Response Steps

Discovering ransomware on your network is terrifying. Follow these steps in order:

Step 1 — Isolate Immediately

The moment you suspect ransomware, disconnect affected systems from the network. Unplug ethernet cables. Disconnect from Wi-Fi. The longer ransomware runs, the more files it encrypts and the more systems it spreads to. Isolation stops the spread.

This means disconnecting even systems that appear unaffected — if ransomware is on your network, it may already be on other systems but hasn’t triggered yet.

Step 2 — Don’t Turn Systems Off (Yet)

Counter-intuitive as it sounds, don’t immediately power off affected systems. Forensic investigators may be able to recover the encryption key from memory on a running system — turning it off destroys that possibility. Consult your incident response team before shutting down.

Step 3 — Call Your Cyber Insurance Carrier

If you have cyber insurance, call the incident response hotline immediately — not after you’ve tried to handle it yourself. Insurers have 24/7 response teams with ransomware specialists. They coordinate forensic investigators, legal counsel, ransom negotiators, and recovery experts. Attempting to handle it independently before involving your insurer can jeopardize coverage.

Step 4 — Call Your IT Provider

Your IT provider or managed security service provider needs to know immediately. They can assist with isolation, assessment, and recovery planning.

Step 5 — Preserve Evidence

Before any recovery action, preserve evidence:

  • Photograph the ransom note on screen
  • Note the time and date of discovery
  • Document which systems appear affected
  • Don’t delete or modify anything yet — forensic investigators need the evidence

Step 6 — Assess the Scope

Working with your incident response team, determine:

  • Which systems are affected
  • Whether backups are intact and unaffected
  • Whether data was exfiltrated (check for unusual network traffic in logs)
  • The ransomware variant (this affects recovery options)
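The "check for unusual network traffic in logs" item is worth a worked example, because the question in scope assessment is specific: did any internal host push far more data to the internet than it normally does, and to where? The block below is an added example, not code from the original article or from any firewall vendor: it parses a constructed CSV firewall export, sums internet-bound bytes per internal host, ignores internal-to-internal transfers (a large copy to the file server is not exfiltration), and flags hosts whose volume exceeds a multiple of their per-host baseline, reporting the top destination and how much of it moved outside business hours. The internal address ranges, log lines, baselines and threshold factor are all assumed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Address ranges that count as "inside" for this organisation (assumed; use your own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_BASELINE = 100_000_000   # bytes/day assumed for hosts with no history

# Constructed firewall export, CSV columns: utc_time,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_LOG_LINES = """\
2024-06-02T09:12:01Z,10.0.1.25,10.0.2.10,445,52000000
2024-06-02T09:30:44Z,10.0.1.25,198.51.100.7,443,1200000
2024-06-02T10:05:19Z,10.0.1.31,198.51.100.7,443,3400000
2024-06-02T23:14:05Z,10.0.1.25,203.0.113.40,443,1850000000
2024-06-03T00:02:48Z,10.0.1.25,203.0.113.40,443,2100000000
2024-06-03T01:40:12Z,10.0.1.31,198.51.100.7,443,900000
""".splitlines()

# Constructed per-host baselines: typical bytes/day to the internet over a normal week.
BASELINE_BYTES_PER_DAY = {"10.0.1.25": 150_000_000, "10.0.1.31": 120_000_000}


@dataclass
class Flow:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int
    bytes_out: int


def parse_line(line: str) -> Flow:
    ts, src, dst, port, nbytes = line.strip().split(",")
    return Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes))


def is_internal(ip) -> bool:
    # Deliberately not ipaddress's is_private: that also covers documentation ranges
    # such as 203.0.113.0/24, which here stand in for real internet hosts.
    return any(ip in net for net in INTERNAL_NETS)


def is_off_hours(ts: datetime) -> bool:
    return ts.hour >= 22 or ts.hour < 6


def flag_exfiltration(lines: List[str], baseline: Dict[str, int],
                      factor: int = 10) -> List[Dict[str, object]]:
    """Flag internal hosts whose internet-bound volume exceeds `factor` x their baseline.
    Internal-to-internal transfers are ignored; they are not exfiltration."""
    total = defaultdict(int)
    off_hours = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        host = str(f.src)
        total[host] += f.bytes_out
        per_dest[host][str(f.dst)] += f.bytes_out
        if is_off_hours(f.ts):
            off_hours[host] += f.bytes_out
    flagged = []
    for host in sorted(total):
        if total[host] > factor * baseline.get(host, DEFAULT_BASELINE):
            top = max(per_dest[host], key=per_dest[host].get)
            flagged.append({"host": host, "bytes": total[host],
                            "top_destination": top, "off_hours_bytes": off_hours[host]})
    return flagged


if __name__ == "__main__":
    for hit in flag_exfiltration(SAMPLE_LOG_LINES, BASELINE_BYTES_PER_DAY):
        print(f"{hit['host']}: {hit['bytes'] / 1e9:.2f} GB to the internet, "
              f"mostly to {hit['top_destination']}, {hit['off_hours_bytes'] / 1e9:.2f} GB off-hours")
```

On the constructed log the only hit is 10.0.1.25, which sent roughly 3.95 GB to a single external address overnight against a 150 MB/day baseline; the 52 MB it copied to the internal file server does not count. That output is what you hand to the incident response team and legal counsel when deciding whether the "pay or we publish" threat is credible and whether breach notification clocks have started.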

Step 7 — To Pay or Not to Pay

The FBI recommends against paying ransoms — it funds criminal operations and doesn’t guarantee recovery. However, the decision is more complex in practice:

Don’t pay if:

  • You have clean, tested backups that can restore all affected systems
  • The encrypted data isn’t critical to operations
  • The ransom demand exceeds the value of the data

Organizations sometimes pay when:

  • No backups exist or backups are also encrypted
  • The downtime cost exceeds the ransom demand
  • Patient safety or critical operations are at risk

If paying is considered, professional ransom negotiators (often engaged through cyber insurance) typically reduce demands by 30–80%. Never pay directly — use a professional negotiator.

AFTER an Attack — Recovery

Clean Recovery

Never restore from backup onto a system that may still be compromised. The correct sequence:

  1. Wipe affected systems completely
  2. Rebuild operating systems from clean media
  3. Restore data from clean backups
  4. Verify systems are clean before reconnecting to the network
  5. Reset all credentials — assume all passwords are compromised
  6. Enable MFA on all accounts immediately

Post-Incident Review

Conduct a thorough review within 30 days of recovery:

  • How did the attackers get in? Fix that entry point.
  • How long were they in the network before encrypting? Improve detection.
  • What did the incident response plan get right and wrong? Update it.
  • What would have been different with better backups? Fix backup gaps.

Regulatory and Legal Obligations

Depending on the data involved, you may have legal notification obligations:

  • State breach notification laws — most states require notification within 30–90 days
  • HIPAA breach notification — 60 days for individuals, annual report to HHS for small breaches
  • PCI-DSS — notification to payment card brands if cardholder data was involved

Free Resources

  • No More Ransom: nomoreransom.org — free decryption tools for many ransomware variants; check before paying
  • FBI IC3: ic3.gov — report ransomware attacks (reports help law enforcement build cases)
  • CISA Ransomware Guide: cisa.gov/ransomware — comprehensive free guidance

The Bottom Line

Ransomware preparation comes down to three pillars: prevent (email security, patching, EDR, MFA), protect (tested backups including immutable offsite copies), and plan (written incident response plan before you need it). Businesses with all three pillars in place survive ransomware attacks. Businesses without them often don’t. The investment is modest compared to the risk — start today.
