Step-by-Step Guide: 6 Essential Ransomware Incident Response Steps


If you are under attack, immediately disconnect the internet and do NOT restart your computer. Follow these steps to recover your data without paying the ransom.
Ransomware attacks are becoming more common, with threat actors even adopting AI technology to target smaller and smaller businesses. So, Proven Data’s internal team of incident response experts and ransomware response specialists collaborated to create this easy-to-follow process to empower you to properly identify the threat and recover your encrypted files.
Important: Every ransomware attack is unique. Factors like industry regulations, network architecture, and the specific malware strain dictate the long-term response and recovery strategy. However, the immediate triage follows universal principles, explained in this guide.
Under Ransomware Attack Right Now? Do This Immediately:
- Disconnect from the internet: Unplug the Ethernet cable and disable WiFi to stop the spread.
- Do NOT restart or shut down: This erases decryption keys from memory.
- Call professional DFIR services: Proven Data’s 24/7 emergency cyber response team offers immediate expert guidance.
- Do NOT pay the ransom: There is no guarantee of file recovery.
Is it possible to DIY ransomware removal?
No, do not attempt DIY ransomware removal. Hassan Faraz, a ransomware removal and decryption specialist, warns: “With ransomware, you often don’t get a second chance. Treating the attack like a standard IT issue by running scripts, deleting files, or even restarting the machine can be a catastrophic error. These actions can wipe out the very data fragments or memory keys our DFIR team would use for a successful recovery.”
The question of whether ransomware removal DIY is possible can be compared to the same question about removing a tooth. Yes, you probably could, but an experienced, qualified professional with the right tools and setting will definitely get the job done much less painfully and with a significantly higher success rate.
Even the smallest action (or even inaction) can make data recovery impossible. So before you consider pressing Ctrl-Z or closing a window, follow the protocol in your company’s ransomware readiness plan and call your in-house IT cybersecurity expert. If you don’t have that, call Proven Data’s 24/7 emergency response team. Meanwhile, following the steps below will increase the chances of a successful data recovery.
Step 1: Isolate infected devices to stop lateral movement
Unplug the Ethernet cable and immediately disconnect from Wi-Fi. This is the single most important step to stop the ransomware from spreading laterally across your network and encrypting other computers, servers, or cloud backups.
If you are on a company network, disconnect shared drives and immediately disable automated sync services (such as OneDrive or Dropbox) on the infected machine.
Warning: DO NOT PAY THE RANSOM. According to Sophos’s State of Ransomware 2025 report, 49% of organizations paid the ransom to get their data back, and 18% of those paid more than the original demand. Of those who paid more, 50% did so because the attackers believed they could afford to pay more, and 48% because the attackers realized they were a high-value target. In other words, paying marks you as an easy target for repeat attacks.
Step 2: Keep systems powered on to preserve volatile memory
This may feel counterintuitive, but it is expert advice. Some ransomware variants keep the decryption key in the computer’s volatile memory (RAM).
Restarting the machine will erase this memory, potentially destroying the only copy of the key and making recovery impossible. Keep the system running, but completely disconnected from the internet and local network.
Step 3: Document evidence and identify the ransomware strain
Use a separate, clean device (such as your phone) to photograph the ransom note and the screen. Do not rely on screenshots saved to the infected machine, as you may lose access to them. Pay close attention to:
- The Name: The ransomware family (e.g., “LockBit,” “Rancoz,” “Phobos”).
- The Extension: The file extension added to your data (e.g., .locked, .crypted, .enc).
- The Contact: The attacker’s email, TOR link, or payment ID.
This information is vital for identifying the strain and finding a specific ransomware decrypter later.
Note on Compliance: If you handle sensitive data (PII, PHI), now is the time to notify your legal counsel or Data Protection Officer (DPO) to determine whether you need to alert regulatory bodies (such as the FBI or CISA).
Ransomware Response Timeline Checklist
| Done | Timeframe | Action Required | Why This Window Matters | Risk If Delayed |
|---|---|---|---|---|
| | 0-5 minutes | Isolate infected device(s) | Ransomware can spread laterally across networks within minutes | Critical: Entire network encryption, cloud backup infection |
| | 5-15 minutes | Document the attack | Ransom notes may disappear; forensic evidence is volatile | High: Loss of critical recovery information, weakened legal position |
| | 15-30 minutes | Assess backup viability | Determines if self-recovery is possible | Medium: Wasted time pursuing wrong recovery path |
| | 30-60 minutes | Contact professionals if needed | Early professional intervention increases recovery success rates significantly | High: Permanent data loss, corrupted recovery attempts |
| | 1-24 hours | Begin controlled recovery | System forensics must be preserved for investigation and compliance | Medium: Evidence contamination, compliance violations |
| | 24-72 hours | Complete system restoration | Business continuity is critical; prolonged downtime multiplies costs | High: Extended downtime costs, customer/revenue loss, reputation damage |
Source: Cybersecurity & Infrastructure Security Agency
Step 4: Restore data using a secure backup strategy
Once the threat is contained, your best path to recover encrypted files is a clean, offline backup. This is why a strong 3-2-1 backup strategy is crucial.
Warning: Do not simply connect your backup drive to the infected computer. You risk encrypting your backups, too. Follow this safe restoration checklist:
- Verify: Confirm you have an offline backup dated before the infection timestamp.
- Scan: Connect the backup drive to a separate, clean computer and scan it with updated antivirus software to ensure the backup itself isn’t compromised.
- Wipe: Completely format the infected hard drive and reinstall the OS (Windows/macOS) from a trusted source.
- Restore: Only transfer the verified backup files once the machine is fresh and patched.
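The evidence gathering in Step 3 (extension, ransom note) and the backup check in Step 4 (a backup dated before the infection timestamp) can be done from a clean analysis machine against a read-only mounted copy or forensic image of the affected volume, never on the infected host itself. The script below is an added example, not Proven Data's tooling; the extension list and ransom-note name hints are assumed heuristics, and the sample tree it builds is constructed data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffixes the guide lists as typical ransomware-appended extensions (constructed, extend as needed).
SUSPECT_EXTENSIONS = {".locked", ".crypted", ".enc", ".encrypted"}
# Words that often appear in ransom-note file names (assumed heuristics, not exhaustive).
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}


def triage_volume(root):
    """Walk a read-only mounted copy of the affected volume and summarise the evidence:
    files per suspect extension, candidate ransom-note paths, and the earliest
    modification time among encrypted files (the infection timestamp used in Step 4)."""
    root = Path(root)
    ext_counter, notes, first_encrypted_at = Counter(), [], None
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in SUSPECT_EXTENSIONS:
            ext_counter[suffix] += 1
            mtime = path.stat().st_mtime
            first_encrypted_at = mtime if first_encrypted_at is None else min(first_encrypted_at, mtime)
        elif suffix in NOTE_EXTENSIONS and any(h in path.stem.lower() for h in NOTE_NAME_HINTS):
            notes.append(path.relative_to(root).as_posix())
    return {"extensions": dict(ext_counter), "ransom_notes": sorted(notes),
            "first_encrypted_at": first_encrypted_at}


def backup_is_usable(backup_timestamp, first_encrypted_at):
    """Step 4 check: only a backup taken before the earliest encrypted file is a restore candidate."""
    if first_encrypted_at is None:
        return False  # no encrypted files found, so the infection window cannot be established
    return backup_timestamp < first_encrypted_at


def build_sample():
    """Create a constructed sample tree (not real victim data) and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="triage_sample_"))
    t0 = 1_700_000_000  # constructed epoch base
    sample = {"docs/invoice.pdf.locked": t0 + 120, "docs/budget.xlsx.locked": t0 + 60,
              "db/customers.sqlite.enc": t0 + 180, "docs/HOW_TO_RECOVER_FILES.txt": t0 + 200,
              "docs/notes.txt": t0 - 1000}  # last one is a clean file and must be ignored
    for rel, mtime in sample.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        os.utime(p, (mtime, mtime))  # set modification time to the constructed value
    return root
```

Compare the returned `first_encrypted_at` against each backup's creation time before touching any backup media, and treat the extension counts and note paths as the data to record alongside the photographs from Step 3.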
Step 5: Search for verified ransomware decrypter tools
If you have no backups, your next option is a free decrypter tool. These are tools built by cybersecurity researchers who have successfully cracked the encryption of specific ransomware strains.
- Upload the photos you took and an encrypted file sample to a free identifier tool, such as ID Ransomware.
- Check the No More Ransom Project to see if a public key exists for your specific variant.
Pro Tip: Never download a decrypter from a random forum or an untrusted source, as it may also be malware.
Before you run any tool, copy your encrypted files to a separate drive. A faulty decrypter can permanently corrupt them, making professional recovery impossible.
Step 6: When to call professional ransomware incident response experts
Ransomware recovery experts begin by creating a bit-for-bit forensic image of your drive, ensuring that only a clone is used for the decryption, to preserve original evidence and prevent further data loss.
Proven Data’s experts reverse-engineer the specific malware variant to identify encryption flaws. Finally, we use proprietary in-house tools for key extraction and decryption, which often enable us to recover your files.
Because every attack environment is unique, professional responders do not use a ‘one-size-fits-all’ script; we build a custom containment and recovery strategy based on your specific forensic evidence.
You should call a professional if you are in any of these situations:
- You have no backups, or your backups were also encrypted.
- No free decrypter tool exists for your strain.
- You have no technical training or knowledge of cybersecurity.
- The encrypted data is critical to a server or a database.
- The data is simply too valuable to risk losing (e.g., business records, irreplaceable family memories).
Aftermath: Post-incident response, security hardening, and prevention
Getting your files back is only half the battle. The attacker is gone, but their tools (the malware) and entry point (the security vulnerability) may still be in place. Therefore, you must follow a plan to ensure the safety of your data before using devices and systems again.
- Use a bootable, offline antimalware and antivirus scanner to scan and remove the malware.
- Assume the attackers stole every password saved on the machine and go and change them all. This includes your local admin, email, online banking, and social media passwords.
- Patch your system, browsers, antivirus software, and any other programs you use.
- Use your digital forensics report to understand how the attack happened, then work to prevent new attacks by fixing the vulnerability.
The most obvious signs of a ransomware attack are a sudden inability to open your files, the appearance of unusual file extensions (like .locked or .encrypted), and a pop-up screen or text file (the ransom note) demanding payment to restore access. This is usually when the panic starts, but you must stay calm, as what you do over the next 60 minutes is critical. The way you conduct your incident response plan and the time it takes will define your business’s reputation and future. If you suspect your business is vulnerable to attacks, contact Proven Data’s experts for immediate help.