Cybersecurity

What to Do If Your Business Gets Hit by Ransomware

Infinity Network Support Team | April 8, 2026 | 8 min read

Ransomware attacks are up 300% since 2023. If you're hit, the first 24 hours are critical. This step-by-step guide walks you through containment, recovery, and prevention.

Discovering that your files have been encrypted and a ransom note is on your screen is one of the most stressful moments a business owner can face. Your response in the first 24 hours will determine how quickly you recover — and whether you recover at all.

Immediate Response (First Hour)

  • Disconnect affected machines from the network immediately — unplug ethernet cables and disable Wi-Fi
  • Do NOT turn off the infected machines — forensic evidence may be lost
  • Alert your IT team or managed service provider immediately
  • Preserve the ransom note — photograph it and save any files left by the attackers
  • Notify your cyber insurance carrier if you have a policy

Containment (Hours 2–6)

Your IT team's first priority is to stop the spread. Ransomware often propagates laterally across networks, encrypting shared drives and backup systems. Identify the patient zero machine, map which systems were affected, and isolate any systems that may have been exposed but not yet encrypted.

Assessment: To Pay or Not to Pay?

The FBI recommends against paying ransoms — it encourages further attacks and doesn't guarantee recovery. However, if you have no viable backups and the encrypted data is critical to your survival, the calculus changes. Before paying anything, consult with a cybersecurity professional and your legal counsel. Some ransomware groups are on OFAC sanctions lists, making payment illegal.

Critical: Check your backups BEFORE making any decisions. If you have clean, tested backups from before the infection, recovery without paying is almost always possible.

Recovery Process

  • Identify the ransomware variant — tools like ID Ransomware can help, and some variants have free decryptors
  • Wipe and rebuild affected systems from scratch — do not trust a "cleaned" infected machine
  • Restore from the most recent clean backup
  • Verify data integrity before reconnecting to the network
  • Change all passwords and credentials — assume they were compromised
  • Patch the vulnerability that allowed initial access

Prevention: How to Never Be Here Again

  • Maintain offline, air-gapped backups that ransomware cannot reach
  • Test your backups regularly — a backup you've never restored is not a backup
  • Deploy endpoint detection and response (EDR) on every device
  • Implement network segmentation to limit lateral movement
  • Train employees to recognize phishing emails — the #1 ransomware entry point
  • Apply patches within 48 hours of release for critical vulnerabilities

Don't Wait for an Attack to Have a Plan

Infinity Network Support offers ransomware readiness assessments, backup and disaster recovery solutions, and 24/7 incident response for South Florida businesses. Contact us before you need us — not after.
