
What to Do When You’ve Been Hit With Ransomware: A Step-by-Step Response Guide
A ransomware attack doesn’t announce itself politely. One moment your systems are running normally — the next, files are encrypted, operations are frozen, and a ransom note is demanding payment in cryptocurrency. What you do in the next few hours determines whether you recover cleanly or make the situation significantly worse.
This guide walks through exactly what to do, in order, from the moment you detect a ransomware attack through to full recovery.
Step 1: Don’t Panic and Don’t Touch Anything Yet
The instinct is to start unplugging things, deleting files, or rebooting machines. Resist it. Hasty action after a ransomware attack can destroy forensic evidence, corrupt recoverable data, and eliminate your best path to recovery.
Before you do anything else: stop, breathe, and call a ransomware recovery specialist. Early expert guidance is the single most valuable thing you can do in the first 15 minutes.
Step 2: Isolate Infected Systems Immediately
Once you’ve made contact with a recovery team, your next priority is containment. Ransomware spreads laterally across networks with alarming speed — every connected device is a potential target.
Disconnect infected machines from the network by unplugging Ethernet cables and disabling Wi-Fi. If your environment includes shared drives, cloud sync services, or remote access tools, disable those connections too. The goal is to stop the spread, not to fix the problem yet.
Do not shut down or restart infected machines. Doing so can overwrite memory artifacts that experts use to identify the ransomware strain and trace how the attack entered your environment.
Step 3: Preserve Evidence — This Matters More Than You Think
Ransomware attacks are not just IT incidents — they are legal events. Depending on the data affected, you may be required to notify regulators, customers, or law enforcement. If litigation follows, you’ll need defensible documentation of everything that happened.
Preserve the ransom note exactly as it appeared. Document the timeline of events: when you first noticed the issue, which systems were affected, and any unusual activity in the days prior. Avoid communicating about the incident over email systems that may be compromised.
Total Data Migration’s forensic team provides chain-of-custody imaging and incident documentation designed to hold up in legal proceedings — a critical resource if your organization faces regulatory scrutiny or litigation tied to the breach.
Step 4: Assess Your Backups — Carefully
Backups are your best-case recovery path, but ransomware groups increasingly target backup infrastructure first. Before assuming your backups are clean, verify them from a device that was not on the compromised network.
Look for signs your backups have been encrypted, deleted, or corrupted. If your cloud sync was running during the attack, synced backups may reflect encrypted versions of your files rather than clean ones.
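As an added illustration of the backup check described above (example code written for this guide, not TDM tooling), the Python triage below is meant to be run from a clean, isolated machine against a read-only copy of the backup set. It flags files whose extension claims a known format but whose header is gone, files with a known extension followed by an appended suffix, and files whose bytes look near-random where the format is not a compressed one. The header table, the entropy threshold, the sample backup set and the ".locked" suffix are all constructed for the example.

```python
import hashlib
import math
import os
from collections import Counter

# Expected headers for a few common formats; a claimed format without its header
# usually means the file was overwritten in place (table constructed for the example).
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".gz": b"\x1f\x8b"}
COMPRESSED = {".png", ".zip", ".docx", ".gz"}  # legitimately near-random bytes
ENTROPY_THRESHOLD = 7.5  # bits/byte; text and office documents sit well below

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 7.9 for ciphertext, typically 4 to 6 for documents."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_file(name: str, data: bytes) -> list:
    """Indicators found for one backup file; an empty list means it looks intact."""
    base, ext = os.path.splitext(name.lower())
    findings = []
    if os.path.splitext(base)[1] in MAGIC:  # known type with a suffix appended
        findings.append("renamed")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("header_mismatch")
    if ext not in COMPRESSED and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high_entropy")
    return findings

def assess_backup(files: dict) -> dict:
    """Map each suspect file name to its findings; intact files are omitted."""
    return {n: f for n, d in files.items() if (f := assess_file(n, d))}

def pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data only)."""
    out = b""
    while len(out) < size:
        out += hashlib.sha256(seed + out[-32:]).digest()
    return out[:size]

# Constructed sample backup set: one intact document, one intact archive, one
# file encrypted in place and one encrypted then renamed (".locked" is made up).
SAMPLE_BACKUP = {
    "quarterly.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 40,
    "archive.zip": b"PK\x03\x04" + pseudo_random(b"zip", 2048),
    "invoice.pdf": pseudo_random(b"invoice", 2048),
    "quarterly.pdf.locked": pseudo_random(b"locked", 2048),
}
```

A clean result from this script is not proof the backups are safe; it only rules out the obvious signs, so restore into an isolated environment and validate before trusting the data.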
If your backups are intact, a qualified recovery team can help you restore from them safely. If they’ve been compromised — or if you didn’t have robust backups to begin with — professional ransomware data recovery is still possible. TDM’s proprietary technology is specifically built to recover encrypted data without relying on decryptors or engaging threat actors, even in cases where backups are unavailable or corrupted.
Step 5: Don’t Pay the Ransom
It bears saying clearly: paying the ransom is rarely the right move, and never the first move.
Payment does not guarantee you’ll receive a working decryption key. Roughly half of organizations that pay the ransom report they were unable to fully recover their data afterward. Beyond that, paying signals to attackers that you’re a willing target — and marks you for follow-up attacks. It also, in some jurisdictions, creates legal exposure if the group you’ve paid turns out to be on a sanctions list.
Before considering payment as a last resort, exhaust professional recovery options. Modern ransomware recovery has advanced dramatically. TDM’s decryptor-free recovery approach has helped organizations reclaim data from even severe attacks without ever engaging the threat actor.
Step 6: Notify the Right People
Depending on your organization type and the data involved, you may have legal notification obligations, each with its own deadline. Consider notifying:
- Your cyber insurance provider — most policies require prompt notification to preserve your claim
- Legal counsel — especially if sensitive client or patient data was affected
- Law enforcement — the FBI’s Internet Crime Complaint Center (IC3) and CISA both accept ransomware reports and may have intelligence relevant to your attack
- Affected parties — if personal data was exposed, state and federal breach notification laws may apply
TDM works directly alongside legal teams, litigation directors, and insurance providers throughout the recovery process, providing the documentation and expert testimony needed to support claims and proceedings.
Step 7: Begin Formal Recovery
Once the environment is contained and evidence is preserved, formal recovery can begin. A qualified ransomware recovery team will assess the scope of damage, identify the ransomware variant involved, and develop a recovery plan tailored to your environment.
TDM’s recovery process covers the full scope: reconstructing damaged file systems, restoring virtual and on-premises data systems, recovering corrupted databases, and validating data integrity before anything is returned to production. The goal is not just getting files back; it is getting your operations back to a fully functional, trusted state.
Step 8: Close the Vulnerability and Rebuild Stronger
Recovery without remediation only buys time until the next incident. After restoring operations, conduct a thorough post-incident review to identify how the attackers gained entry, whether through a phishing email, exposed RDP, a compromised credential, or an unpatched vulnerability, and close that vector.
TDM’s forensic and incident response add-ons include data breach triage, timeline reconstruction, and attack vector analysis, giving your team the information needed to harden your environment against future threats.
When You Need Help Fast
Ransomware attacks move quickly. The longer encrypted systems sit idle, the greater the operational and financial damage. TDM provides 24/7 emergency response for ransomware incidents, with a team experienced in working alongside legal counsel, IT departments, insurers, and executive leadership to move from crisis to resolution as efficiently as possible.
If you’ve been hit — or you’re seeing early warning signs of an attack — contact Total Data Migration now. Early engagement protects evidence, improves recovery outcomes, and can make the difference between a contained incident and a catastrophic one.