Ransomware is malicious software that locks or encrypts your files, then demands payment to get them back. It's one of the most common and costly types of cyberattack, hitting individuals, small businesses, hospitals, and city governments alike.
This guide covers two things: what to do if it's happening to you right now, and the habits that stop it from happening again.
What is Ransomware?
Ransomware is software that denies you access to your own files or systems, usually by encrypting them, until you pay the attacker. There is no guarantee that paying actually restores access.
It usually arrives through a phishing email attachment, a malicious link, an exposed remote-access service (like RDP), or a compromised software update. Once it runs, it spreads across connected drives and network shares, encrypting everything it can reach, then displays a ransom note with payment instructions, typically demanding cryptocurrency.
Modern ransomware groups often add a second threat on top of encryption: they steal a copy of your data first and threaten to leak it publicly if you don't pay, even if you can restore your files from backup. This is called double extortion.
The First Hour: What to Do Right Now
If you suspect ransomware is actively running on a machine right now, speed matters more than anything else. Do this, in this order:
Step 1: Disconnect from the network immediately
Unplug the ethernet cable or turn off Wi-Fi on the affected device. This is the single most important action: it stops the ransomware from spreading to other computers, servers, and backups on the same network.
Step 2: Don't turn the machine off
It's tempting to shut it down, but powering off discards everything in memory (running processes, network connections, and in some cases key material that has helped responders recover files), destroys evidence an investigator needs, and in some ransomware families can trigger additional damage. Disconnect from the network instead of shutting down. The one common exception: if you cannot isolate the machine from the network at all, powering it off is the lesser evil, because stopping the spread matters more than preserving evidence.
Step 3: Identify what's been hit
Check other devices on the same network for files renamed with an unfamiliar extension, ransom notes appearing in folders, or sudden heavy disk and CPU activity. Isolate any device showing signs of infection.
Step 4: Don't pay anything yet, and don't delete the ransom note
The ransom note often identifies which ransomware family you're dealing with, which matters for recovery options. Take a photo or screenshot of it before doing anything else.
Step 5: Call in help
If this is a business, loop in IT/security staff or an incident-response firm immediately. If it's personal, your antivirus vendor or a reputable local IT service can help. Many countries also have a national cybercrime reporting body worth contacting.
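As an added example (not code from the original guide), here is a read-only triage scan in Python you can point at a suspect folder or mounted share during Step 3. It lists ransom notes, files whose content is near-random and that carry an extension you don't expect on that share, and the extension most often appended, which are exactly the artifacts you'd later submit to an identification service in the recovery steps. The note names, keywords, expected-extension list and thresholds are illustrative assumptions, and the sample share it builds in a temporary directory is constructed for the demo.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Indicator lists are illustrative assumptions for this example, not a complete
# catalogue: note names and appended extensions differ from family to family,
# so treat hits as leads to confirm, not as proof. A plain "readme.txt" is
# deliberately NOT in the name list; legitimate readmes would trip it.
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "restore-my-files.txt",
                     "decrypt_instructions.html", "!!!read_me!!!.txt"}
NOTE_KEYWORDS = ("decrypt", "bitcoin", "your files", "ransom", ".onion")
# Extensions you expect on this share; anything else is "unknown".
EXPECTED_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".html"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits near 8.0
SAMPLE_BYTES = 65536      # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def read_head(path: Path, limit: int = SAMPLE_BYTES) -> bytes:
    """Read at most `limit` bytes; unreadable files yield b'' rather than aborting the scan."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""


def looks_like_ransom_note(path: Path, head: bytes) -> bool:
    """Match by well-known note name, or by two or more extortion keywords in the text."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return True
    text = head[:4096].decode("utf-8", errors="ignore").lower()
    return sum(k in text for k in NOTE_KEYWORDS) >= 2


def scan_tree(root: Path) -> dict:
    """Walk `root` read-only and collect ransomware indicators.

    A file counts as an encryption candidate only when its final extension is
    NOT one you expect on the share AND its content is near-random. Requiring
    both avoids flagging legitimately compressed files (jpg, docx, pdf) on
    entropy alone.
    """
    report = {"files": 0, "ransom_notes": [], "encrypted_candidates": [],
              "appended_ext": Counter()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            head = read_head(path)
            report["files"] += 1
            if looks_like_ransom_note(path, head):
                report["ransom_notes"].append(str(path))
                continue
            ext = path.suffix.lower()
            if ext and ext not in EXPECTED_EXTS and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                report["encrypted_candidates"].append(str(path))
                report["appended_ext"][ext] += 1
    return report


def verdict(report: dict) -> str:
    """One-line triage call from the collected indicators."""
    if report["ransom_notes"] or len(report["encrypted_candidates"]) >= 3:
        ext, count = (report["appended_ext"].most_common(1) or [("?", 0)])[0]
        return f"LIKELY INFECTED: {len(report['ransom_notes'])} note(s), {count} files with '{ext}'"
    return "no ransomware indicators found"


def build_demo_tree(root: Path, infected: bool = True) -> None:
    """Constructed sample share: three normal files, plus (if infected) three
    'encrypted' files and one ransom note."""
    rng = random.Random(7)
    (root / "clients").mkdir()
    (root / "clients" / "smith_2023.txt").write_text("Quarterly figures for Smith LLC\n" * 20)
    (root / "clients" / "jones.csv").write_text("name,amount\njones,1200\n" * 30)
    # High-entropy but expected extension: must NOT be flagged.
    (root / "notes.docx").write_bytes(b"PK\x03\x04" + bytes(range(256)) * 4)
    if not infected:
        return
    for fname in ("ledger.xlsx.locked", "returns_2022.pdf.locked", "payroll.csv.locked"):
        (root / "clients" / fname).write_bytes(rng.randbytes(SAMPLE_BYTES))
    (root / "clients" / "HOW_TO_DECRYPT.txt").write_text(
        "ALL YOUR FILES HAVE BEEN ENCRYPTED.\nTo decrypt them pay 0.5 bitcoin "
        "and contact us via the .onion address below.\n")


def run_demo(infected: bool = True) -> dict:
    """Build the constructed share in a temp dir, scan it, and return the report plus verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp), infected)
        report = scan_tree(Path(tmp))
    report["verdict"] = verdict(report)
    return report


if __name__ == "__main__":
    rep = run_demo()
    print(rep["verdict"])
    for note in rep["ransom_notes"]:
        print("ransom note:", note)
```

Run it from a clean machine with the share mounted read-only; it opens files for reading only and never writes to the scanned tree. The `notes.docx` file in the demo shows why entropy alone is a poor signal: compressed office documents look random too, so the scan only counts near-random content under an extension you don't expect.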
Removal and Recovery, Step by Step
1. Confirm the infection is contained
Before you do anything else, make sure the infected device(s) are fully isolated from the network and from any backup systems.
2. Identify the ransomware family
Tools like the "ID Ransomware" project and security vendors' free identification tools can match a ransom note or encrypted-file pattern to a known ransomware family. This matters because some older, less sophisticated ransomware families have free, publicly available decryption tools.
3. Wipe and reinstall, don't just "clean"
Removing the visible malware isn't the same as removing every backdoor it may have planted. The safest approach for an infected machine is a full wipe and clean operating system reinstall, not just deleting the malicious files.
4. Restore from backup
This is why backups matter more than any other single defense. Restore your files from a backup taken before the infection, ideally one that was offline or otherwise unreachable by the ransomware when it ran.
5. Change every credential the infected device had access to
Assume any password, API key, or session token stored on or accessible from the infected machine may have been captured. Rotate them all once the environment is clean.
6. Investigate how it got in
Find and close the entry point (a phishing email, an exposed remote desktop port, an unpatched VPN appliance) before reconnecting anything to the network. Skipping this step is how organizations get hit by the same attacker again within weeks.
Should You Pay the Ransom?
Law enforcement agencies, including the FBI and most national cybersecurity authorities, generally advise against paying. The reasons are practical, not just ethical:
- Paying doesn't guarantee you'll actually get a working decryption key.
- It marks you as a "payer," which can attract repeat attacks from the same or other groups.
- It directly funds the criminal operations that will attack the next victim.
- In some jurisdictions, paying certain sanctioned ransomware groups can carry legal risk for the paying organization.
That said, organizations facing total data loss with no viable backup sometimes do pay as a last resort. If you're in that position, involve law enforcement and a professional incident-response firm before making that decision; they can sometimes negotiate, or verify a group's track record for actually delivering working keys.
Why This Matters to You
Ransomware doesn't just cost the ransom amount. Most of the real cost is downtime, lost business, recovery labor, and reputational damage, which routinely run far higher than what attackers initially demand. For individuals, it can mean losing irreplaceable photos and documents permanently. For a business, it can mean days or weeks of being unable to operate at all.
A Real-World Example
Imagine a small accounting firm where an employee opens an invoice attachment that looks legitimate. Within minutes, ransomware spreads across the office's shared drive, encrypting client tax files. Because the firm had been taking automated daily backups to a separate, offline storage account, IT disconnects the infected machines, wipes them, and restores the shared drive from yesterday's backup. The firm loses one afternoon of work and a few hours of IT time: not their client data, not their reputation, and not a ransom payment.
Prevention: Stopping the Next Attack
Keep backups that ransomware can't reach
Follow the 3-2-1 rule: at least 3 copies of your data, on 2 different types of storage, with at least 1 copy offline or otherwise isolated from your main network. A backup that's permanently connected to the network can be encrypted right along with everything else.
Patch promptly, especially internet-facing systems
VPNs, remote desktop gateways, and firewalls are common ransomware entry points specifically because they're exposed to the internet and often run unpatched for too long.
Lock down remote access
Don't expose Remote Desktop Protocol (RDP) directly to the internet. Require multi-factor authentication (MFA) for any remote access, and use a VPN as the gateway rather than opening RDP ports directly.
Train people to spot phishing
Most ransomware still starts with a phishing email. See the companion guide below for specifics on recognizing these.
Use endpoint protection that can detect ransomware behavior
Modern endpoint security tools look for ransomware-like behavior (mass file encryption patterns) in addition to known malware signatures, which helps catch new or modified ransomware variants.
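To make "ransomware-like behavior" concrete, here is an added example (not code from this guide or from any vendor's product) of the kind of sliding-window heuristic an endpoint tool applies. It watches file write and rename events per process and raises an alert when a single process renames many files to a new extension across many directories within a short window. The event format, process names and thresholds are assumptions for illustration, and the event stream is constructed: it includes a high-volume backup job and an editor's temp-file save, neither of which the rule should flag.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """One file-system event, in the shape an EDR sensor or audit log might report (assumed format)."""
    ts: float           # seconds since sensor start
    pid: int
    process: str
    op: str             # "write" or "rename"
    path: str
    new_path: str = ""  # only for renames


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class EncryptionBehaviorDetector:
    """Sliding-window heuristic for mass-encryption behaviour.

    A process is flagged the first time that, within `window` seconds, it has
    renamed at least `min_files` files to a different extension spread across at
    least `min_dirs` directories. The thresholds are illustrative assumptions;
    tune them against your own baseline (backup agents and archivers are the
    usual false positives).
    """

    def __init__(self, window: float = 10.0, min_files: int = 30, min_dirs: int = 5):
        self.window = window
        self.min_files = min_files
        self.min_dirs = min_dirs
        self._events: dict[int, deque] = defaultdict(deque)   # pid -> recent events
        self.alerted: set[int] = set()

    def feed(self, ev: FileEvent) -> Optional[str]:
        """Ingest one event; return an alert string the first time a pid trips the rule."""
        q = self._events[ev.pid]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:   # drop events outside the window
            q.popleft()
        if ev.pid in self.alerted:
            return None
        changed = [e for e in q
                   if e.op == "rename" and extension(e.new_path) != extension(e.path)]
        if len(changed) < self.min_files:
            return None
        dirs = {e.path.rsplit("/", 1)[0] for e in changed}
        if len(dirs) < self.min_dirs:
            return None
        self.alerted.add(ev.pid)
        new_exts = sorted({extension(e.new_path) for e in changed})
        return (f"ALERT t={ev.ts:.1f}s pid={ev.pid} {ev.process}: {len(changed)} files "
                f"renamed to {new_exts} across {len(dirs)} directories within {self.window:.0f}s")


def build_demo_events() -> list[FileEvent]:
    """Constructed event stream: a backup job, an editor save, and an encryptor."""
    events = []
    # 1) backup.exe writes 80 files into one tree with no renames: high volume, benign.
    for i in range(80):
        events.append(FileEvent(0.1 * i, 410, "backup.exe", "write", f"/backup/daily/file{i}.bak"))
    # 2) winword.exe saves via a temp file: an extension-changing rename, but only one.
    events.append(FileEvent(3.0, 522, "winword.exe", "write", "/users/amy/docs/~wrd0001.tmp"))
    events.append(FileEvent(3.1, 522, "winword.exe", "rename",
                            "/users/amy/docs/~wrd0001.tmp", "/users/amy/docs/report.docx"))
    # 3) an encryptor walks eight client folders, overwriting and renaming each file.
    t = 5.0
    for d in range(8):
        for f in range(6):
            p = f"/shares/clients/client{d:02d}/tax_{f}.xlsx"
            events.append(FileEvent(t, 9031, "updater.exe", "write", p))
            events.append(FileEvent(t + 0.05, 9031, "updater.exe", "rename", p, p + ".locked"))
            t += 0.1
    return sorted(events, key=lambda e: e.ts)


def run_detector(events: list[FileEvent]) -> list[str]:
    """Replay an event list through a fresh detector and return the alerts raised."""
    det = EncryptionBehaviorDetector()
    return [a for a in (det.feed(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run_detector(build_demo_events()):
        print(alert)
```

The rule fires on the 30th extension-changing rename (about three seconds into the encryptor's run), well before it finishes the share, which is the point of behavioral detection: the signature of the binary never enters into it. Real products pair a rule like this with an automatic response such as suspending the process and isolating the host.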
Segment your network
If every device on your network can reach every other device and every file share, ransomware on one machine can reach all of them. Network segmentation limits how far an infection can spread.
Common Mistakes to Avoid
Keeping backups permanently connected
An always-connected backup drive or always-mounted backup share gets encrypted along with everything else. At least one backup copy needs to be offline or access-isolated.
Assuming antivirus alone is enough
Antivirus catches known threats well, but ransomware groups constantly modify their tools to evade signature-based detection. Layer it with backups, patching, and access controls.
Rushing to restore before finding the entry point
Restoring data without closing the original hole that let the attacker in is how the same organization gets hit again, sometimes within days.
Trusting free "decryptor" tools from unknown sources
Search for decryptors only from reputable security vendors or recognized projects. Fake decryptor tools distributed by attackers themselves are a known secondary scam.
Frequently Asked Questions
Can I remove ransomware without losing my files?
You can remove the malware itself, but removing it doesn't decrypt files that are already encrypted. Getting files back requires either a backup, a known decryptor for that specific ransomware family, or, in rare cases, paying the ransom.
Will antivirus remove ransomware after the fact?
Antivirus can usually detect and delete the ransomware program itself, but it generally cannot decrypt files that have already been encrypted. Removal and decryption are two separate problems.
How do I know if my backups are safe from ransomware?
If your backup storage is reachable from the same network and credentials as your main systems, it should be treated as at risk. Offline backups, or backups with separate, isolated credentials and immutability settings, are far safer.
Is ransomware only a risk for big companies?
No. Individuals and small businesses are common targets precisely because they often have weaker defenses and are more likely to pay smaller ransoms quickly.
Conclusion
Ransomware recovery is a race against the clock once it starts: disconnect fast, don't panic-delete evidence, restore from a clean and isolated backup, and find the entry point before reconnecting anything. But the real win is never being in that position. Offline backups, prompt patching, locked-down remote access, and phishing awareness prevent the vast majority of ransomware attacks before they start.
Keep Learning on ITVedas
One of many free guides across 8 IT chapters, all in plain English.