The other half of ransomware

Almost everything written about ransomware is about keeping it out, and rightly so — the ransomware prevention playbook is where the leverage is. But prevention is never perfect, and the teams that survive an actual incident are the ones that thought about the other half in advance: what happens in the hours and days after someone discovers encrypted files and a ransom demand. That moment is chaotic, high-pressure, and legally fraught, and it is the worst possible time to invent a plan. This article is about the response — a topic that deserves the same planning attention as prevention.

To be clear about our role: this is a plan you build and rehearse, and our platform helps you organize your controls, evidence, and readiness so you are prepared. It does not detect or stop ransomware, and no honest tool should claim to be the thing standing between you and an attack. The real defenses are your backups, your plan, and the people you have lined up before you need them. (General education, not legal advice — a real incident should involve qualified counsel.)

The first hour: contain, do not panic-delete

The instinct on discovering ransomware is to start deleting things or wiping machines to "stop the spread." Resist it. The priorities in the first hour are containment and preservation, in that order:

  • Isolate, do not destroy. Disconnect affected systems from the network — pull the network cable, disable Wi-Fi, isolate the segment (this is where network segmentation pays off) — but do not power them off or wipe them if you can avoid it. Memory and disk state are evidence, and evidence matters for both recovery and any investigation.
  • Preserve the scene. Photograph the ransom note, note timestamps, and preserve logs before anything is overwritten. You will need this for your insurer, for law enforcement, and to understand how far it spread.
  • Assume it is still active. Ransomware often follows a period of quiet access. Rotating credentials and assuming the attacker may still be present is safer than assuming the encryption was the end of it.

Make the calls you decided on in advance

This is the part a plan makes possible. A ransomware response is the exact scenario your incident response plan exists for, and the plan should already name the people you call before you touch anything else:

  • Your cyber insurer, early. If you carry a policy — and cyber insurance readiness is worth having sorted beforehand — the insurer often must be notified promptly and frequently drives the response, providing the incident-response firm and breach counsel. Acting before you call them can jeopardize coverage.
  • Legal counsel. A ransomware event raises legal questions immediately: notification duties, potential data exfiltration, and the legality of any payment. Counsel also shapes how the investigation is handled so it stays protected.
  • An incident response firm. Unless you have deep in-house expertise, specialists do the forensic scoping and containment. Know who you would call — or that your insurer supplies one — before the day it happens.
  • Law enforcement. Reporting to the appropriate authorities is standard practice and sometimes expected by insurers and regulators.

The payment question — and why it is not yours alone

At some point the pressure to just pay and make it stop becomes intense. This decision should never be made alone or in the heat of the moment. It belongs with your counsel, your insurer, and your IR firm, for reasons that are practical and legal at once: paying does not guarantee working decryption or that stolen data is deleted; it may fund and invite repeat attacks; and depending on who is behind the attack, a payment can carry serious legal and sanctions exposure. The people you called in the previous section are precisely the ones who help weigh this. Your job in advance is to make sure that when the question arises, it goes to that group — not to a frightened administrator with the wallet.

Recovery is where the plan earns its keep

The fastest, cleanest exit from ransomware is almost always restore from backups you have already tested. This is the entire payoff of a real backup and disaster recovery strategy: offline or immutable backups that the ransomware could not reach, and — critically — restores you have actually practiced. Untested backups have a way of failing at the worst moment. Rebuild onto clean systems, restore from a known-good point, verify the attacker is truly out before reconnecting, and only then bring services back. Along the way you will also be assessing whether data was stolen, not just encrypted, which triggers a separate set of breach notification obligations your counsel will steer.

Close the loop before the next one

When systems are back, the incident is not over. Run a blameless review, fix the entry point and the gaps the attacker exploited, and rehearse the whole response so the next discovery is met with muscle memory instead of panic — which is exactly what tabletop exercises are for. The uncomfortable truth of ransomware is that prevention buys you the odds and response buys you survival. Build both, keep your backups tested and your call list current, and an event that ends some businesses becomes, for you, a hard but recoverable week.