Step-by-Step Guide: 7 Essential Ransomware Incident Response Steps

If you are under attack, immediately disconnect the infected machine from the network (pull the Ethernet cable, turn off Wi-Fi) and do NOT restart it. Follow these 7 steps to recover your data without paying the ransom.
The most obvious signs of a ransomware attack are a sudden inability to open your files, the appearance of unusual file extensions (like .locked or .encrypted), and a pop-up screen or text file (the ransom note) demanding payment to restore access. This is usually when the panic starts, but you must keep calm: what you do in the next 60 minutes is critical. How well you execute your incident response plan, and how quickly, will shape your business's reputation and future.
Ransomware attacks are becoming more common, with threat actors even adopting AI technology to target smaller and smaller businesses. So, Proven Data’s internal team of incident response experts and ransomware response specialists collaborated to create this easy-to-follow process to empower you to properly identify the threat and recover your encrypted files.
Important: Every ransomware attack is unique. Factors like industry regulations, network architecture, and the specific malware strain dictate the long-term response and recovery strategy. However, the immediate triage follows universal principles, explained in this guide.
- Disconnect from the network – Unplug the Ethernet cable and disable Wi-Fi so the ransomware cannot reach other machines, shares, or synced cloud storage
- Do NOT restart or shut down – Powering off wipes RAM, which may hold the only copy of a decryption key as well as volatile evidence (running processes, network connections) that responders need
- Call Proven Data 24/7 for immediate expert guidance
- Do NOT pay the ransom – Payment does not guarantee a working decryptor, and it marks you as a target that pays
The question of whether ransomware removal DIY is possible can be compared to the same question about removing a tooth. Yes, you probably could, but an experienced, qualified professional with the right tools and setting will definitely get the job done much less painfully and with a significantly higher success rate.
So, no, do not attempt DIY ransomware removal. As ransomware removal and decryption specialist Hassan Faraz warns: “With ransomware, you often don’t get a second chance. Treating the attack like a standard IT issue by running scripts, deleting files, or even restarting the machine, can be a catastrophic error. These actions can wipe out the very data fragments or memory keys our DFIR team would use for a successful recovery.”
Even the smallest action (or even inaction) can make data recovery impossible. So before you consider pressing Ctrl-Z or closing a window, follow the protocol in your company’s incident response plan and call your in-house IT cybersecurity expert. If you don’t have that, call Proven Data’s 24/7 emergency response team. Meanwhile, following the steps below will increase the chances of a successful data recovery.
Unplug the Ethernet cable and immediately disconnect from Wi-Fi. This is the single most important step to stop the ransomware from spreading laterally across your network and encrypting other computers, servers, mapped shares, or the cloud storage this machine syncs to.
If you are on a company network, disconnect mapped network drives and immediately pause automated sync clients (such as OneDrive, Dropbox, or Google Drive) on the infected machine; if your EDR platform or network switch can isolate the host without powering it off, use that rather than pulling the cable, because it preserves the running state.
Warning: DO NOT PAY THE RANSOM. According to Sophos’s State of Ransomware 2025 report, 49% of organizations paid the ransom to get their data back, and 18% of those who paid handed over more than the original demand. Of those who paid more, 50% said it was because the attackers believed they could afford to pay more, and 48% because the attackers realized they were a high-value target. Paying tells attackers that you can and will pay, which makes you a target for repeat extortion.
This may feel counterintuitive, but it is expert advice. Some ransomware variants keep the decryption key in the computer’s volatile memory (RAM), and RAM also holds the running processes, network connections, and injected code a forensic team needs to reconstruct the attack.
Restarting the machine erases this memory, potentially destroying the only copy of the key and making recovery impossible. Keep the system running, but completely disconnected from the internet and the local network.
Use a separate, clean device (such as your phone) to photograph the ransom note and the screen. Do not rely on screenshots saved to the infected machine, as you may lose access to them. Pay close attention to:
- The Name: The ransomware family, if the note states it (e.g., “LockBit,” “Rancoz,” “Phobos”).
- The Extension: The file extension added to your data (e.g., .locked, .crypted, .enc), including any attacker ID or e-mail embedded in the new file name.
- The Contact: The attacker’s e-mail address, Tor (.onion) link, or payment/victim ID, copied character for character.
This information is vital for identifying the strain and finding a specific ransomware decrypter later.
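Identification is easier when you record it systematically. The following added example (not from the original article and not Proven Data's tooling) does this offline: run it on a clean analysis machine against files copied from the victim or against a read-only mount of its image, never on the infected host. It tallies extensions to find the marker the ransomware appends, flags probable ransom notes by name, pulls e-mail addresses and .onion links out of them, and bounds the encryption window from file modification times. The name patterns, the list of "ordinary" extensions, and the sample tree it builds are assumptions.

```python
"""Offline triage of files copied from an infected machine (or a read-only
mount of its forensic image): tally extensions, flag probable ransom notes,
pull contact details out of them and bound the encryption window from file
modification times. Run it on a clean analysis host, never on the victim.

Example code added to this article, not Proven Data tooling. The name
patterns, the 'ordinary extensions' list and the sample tree are assumptions.
"""
import os
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Fragments commonly seen in ransom note file names (assumed, not exhaustive).
NOTE_NAME = re.compile(r"readme|how[_\- ]?to|recover|restore|decrypt|ransom", re.I)
NOTE_SUFFIXES = {".txt", ".hta", ".html", ".htm", ""}
# Extensions treated as ordinary; the most common extension outside this set
# is reported as the probable ransomware marker.
ORDINARY = {"", ".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png",
            ".exe", ".dll", ".csv", ".log", ".html", ".hta", ".zip"}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION = re.compile(r"[a-z2-7]{16,56}\.onion(?:/\S*)?", re.I)


def extract_contacts(note_text: str) -> dict:
    """Attacker e-mail addresses and Tor links found in a ransom note."""
    return {"emails": sorted(set(EMAIL.findall(note_text))),
            "onion": sorted(set(ONION.findall(note_text)))}


def triage(root: str) -> dict:
    root_path = Path(root)
    ext_counts = Counter()
    mtimes = defaultdict(list)
    notes = {}
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()          # "report.docx.locked" -> ".locked"
        ext_counts[ext] += 1
        mtimes[ext].append(int(path.stat().st_mtime))
        if ext in NOTE_SUFFIXES and NOTE_NAME.search(path.stem):
            rel = path.relative_to(root_path).as_posix()
            notes[rel] = extract_contacts(path.read_text(errors="replace"))
    suspects = [e for e, _ in ext_counts.most_common() if e not in ORDINARY]
    marker = suspects[0] if suspects else None
    # Earliest and latest mtime of marked files: when the encryptor ran.
    # Treat it as a bound on the encryption only; initial access usually
    # predates it, and attackers can tamper with timestamps.
    window = (min(mtimes[marker]), max(mtimes[marker])) if marker else None
    return {"marker": marker, "counts": dict(ext_counts),
            "notes": notes, "window": window}


def build_sample_tree() -> str:
    """Constructed sample data, not real victim files."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    docs = root / "Documents"
    docs.mkdir()
    t0 = 1_700_000_000  # the simulated encryption run spans one hour
    for name, mtime in (("report.docx.locked", t0),
                        ("budget.xlsx.locked", t0 + 1800),
                        ("photo.jpg.locked", t0 + 3600)):
        (docs / name).write_bytes(b"\x00" * 64)
        os.utime(docs / name, (mtime, mtime))
    (docs / "notes.txt").write_text("left untouched\n")
    (root / "HOW_TO_RECOVER_FILES.txt").write_text(
        "Your files are encrypted. Write to helpdesk@example.com or open "
        "http://abcdefghijklmnopqrstuvwxyz234567.onion/pay with Tor.\n")
    return str(root)


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(result["marker"], result["window"])
    for name, contacts in result["notes"].items():
        print(name, contacts)
```

The marker extension, the note file name and its contact details are exactly what the identifier services in the later steps match on, and the encryption window gives you the cut-off date for choosing a backup. Keep the output alongside your photographs; neither replaces the forensic image a professional will take.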
Note on Compliance: If you handle sensitive data (PII, PHI), now is the time to notify your legal counsel or Data Protection Officer (DPO) to determine whether and by when you must notify regulators, and to report the incident to law enforcement (in the US, the FBI via IC3, and CISA).
Once the threat is contained, your best path to recover encrypted files is a clean, offline backup. This is why a strong 3-2-1 backup strategy is crucial.
Warning: Do not simply connect your backup drive to the infected computer. You risk encrypting your backups, too. Follow this safe restoration checklist:
- Verify: Confirm you have an offline backup dated before the encryption timestamp. Keep in mind that attackers are usually inside the network for days or weeks before they encrypt, so a backup taken shortly before the encryption may still contain their tooling or accounts.
- Scan: Connect the backup drive to a separate, clean computer and scan it with updated antivirus software to ensure the backup itself isn’t compromised.
- Wipe: Completely wipe the infected drive and reinstall the OS (Windows/macOS) from trusted installation media, not from anything stored on the infected disk.
- Restore: Only transfer the verified backup files once the machine is rebuilt, fully patched, and running endpoint protection.
If you have no backups, your next option is a free decrypter tool. These are tools built by security researchers for specific ransomware strains, usually after finding a flaw in the strain’s encryption or key handling, or after law enforcement seized the operators’ keys.
- Upload the ransom note and a sample encrypted file (pick one that contains no sensitive data) to a free identifier service, such as ID Ransomware.
- Check the No More Ransom Project to see if a free decrypter exists for your specific variant.
Pro Tip: Never download a decrypter from a random forum or an untrusted source, as it may also be malware.
Before you run any tool, copy your encrypted files to a separate drive. A faulty decrypter can permanently corrupt them, making professional recovery impossible.
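Here is an added example (not from the original article, not a Proven Data tool) of how to make that safety copy in a checkable way: it copies every file carrying the ransomware's extension to a separate location with timestamps preserved, records a SHA-256 manifest, and uses the manifest afterwards to prove which files a tool altered and to put originals back from the copy. The ".locked" marker, the sample tree, and the simulated faulty decrypter are assumptions.

```python
"""Preserve encrypted files before running any decrypter: copy every file
carrying the ransomware's extension to a separate location, record SHA-256
hashes in a manifest, and use the manifest afterwards to prove what changed
and to put originals back if a tool corrupted them.

Example code added to this article, not a Proven Data tool. The sample tree,
the simulated faulty decrypter and the ".locked" marker are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: str, dst: str, marker: str) -> dict:
    """Copy marked files from src into dst (timestamps preserved, because the
    mtime is evidence), verify each copy, and write manifest.json in dst."""
    src_p, dst_p = Path(src), Path(dst)
    manifest = {}
    for path in src_p.rglob(f"*{marker}"):
        if not path.is_file():
            continue
        rel = path.relative_to(src_p).as_posix()
        target = dst_p / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        digest = sha256_file(path)
        if sha256_file(target) != digest:
            raise IOError(f"copy of {rel} does not match its source")
        manifest[rel] = digest
    (dst_p / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(root: str, manifest: dict) -> list:
    """Relative paths under root whose content no longer matches the manifest;
    a missing file counts as changed."""
    return sorted(rel for rel, digest in manifest.items()
                  if not (Path(root) / rel).is_file()
                  or sha256_file(Path(root) / rel) != digest)


def restore(snapshot_dir: str, dest: str, manifest: dict) -> list:
    """Copy back every file in dest that verify() reports as changed."""
    restored = []
    for rel in verify(dest, manifest):
        shutil.copy2(Path(snapshot_dir) / rel, Path(dest) / rel)
        restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed end-to-end run: snapshot, a faulty decrypter damages one
    original, the manifest catches it, the snapshot restores it."""
    base = Path(tempfile.mkdtemp(prefix="preserve-"))
    victim, safe = base / "victim", base / "snapshot"
    (victim / "docs").mkdir(parents=True)
    safe.mkdir()
    (victim / "a.pdf.locked").write_bytes(b"ciphertext-a")
    (victim / "docs" / "b.xlsx.locked").write_bytes(b"ciphertext-b")
    (victim / "note.txt").write_bytes(b"not encrypted, not copied")
    manifest = snapshot(str(victim), str(safe), ".locked")
    out = {"snapshot_files": sorted(manifest),
           "clean_src": verify(str(victim), manifest)}
    # Simulated faulty decrypter: overwrites one file with garbage.
    (victim / "a.pdf.locked").write_bytes(b"\xff" * 8)
    out["after_bad_tool_src"] = verify(str(victim), manifest)
    out["after_bad_tool_snapshot"] = verify(str(safe), manifest)
    out["restored"] = restore(str(safe), str(victim), manifest)
    out["after_restore_src"] = verify(str(victim), manifest)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Put the snapshot on a physically separate, ideally write-protected drive, and run any decrypter against a working copy rather than the snapshot; the manifest then tells you whether the tool did what it claimed, and the untouched copy is what a professional recovery will start from.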
Ransomware recovery experts begin by creating a bit-for-bit forensic image of your drive, ensuring that only a clone is used for the decryption, to preserve original evidence and prevent further data loss.
Proven Data’s engineers reverse-engineer the specific malware variant to look for flaws in its encryption or key handling. We then use proprietary in-house tools for key extraction and decryption, which can often recover your files.
Because every attack environment is unique, professional responders do not use a ‘one-size-fits-all’ script; we build a custom containment and recovery strategy based on your specific forensic evidence.
You should call a professional if you are in any of these situations:
- You have no backups, or your backups were also encrypted.
- No free decrypter tool exists for your strain.
- You have no technical training or knowledge of cybersecurity.
- The encrypted data is critical to a server or a database.
- The data is simply too valuable to risk losing (e.g., business records, irreplaceable family memories).
Getting your files back is only half the battle. The attacker is gone, but their tools (the malware) and entry point (the security vulnerability) may still be in place. Therefore, you must follow a plan to ensure your data safety before using devices and systems again.
- Use a bootable, offline antimalware and antivirus scanner to scan and remove the malware.
- Assume the attackers stole every password saved on the machine and change them all from a clean device. This includes your local admin, email, online banking, and social media passwords; also revoke active sessions and API tokens and enable multi-factor authentication where it is available.
- Patch your operating system, browsers, antivirus software, and any other programs you use.
- Use your digital forensics report to understand how the attack happened, then close the entry point (for example an exposed remote-access service, an unpatched edge device, or phished credentials) so the same route cannot be used again.
The single most important action is to immediately isolate the infected device by disconnecting from all networks (ethernet and WiFi).
Yes, a reputable antimalware program can remove the malware itself, and if a free decryption tool is available for your strain you can also get your files back; check the No More Ransom project for a trustworthy decrypter.
But ransomware operators often leave “backdoors” for future attacks, such as extra accounts, scheduled tasks, or remote-access tools that an antivirus scan will not flag. That’s why a ransomware removal service is your best chance to make sure your system is completely ransomware-free.
Recovery timelines vary significantly with the recovery method used (restoring from backup, running a free decrypter, or professional decryption), and each method carries a different typical timeline and success rate.
The immediate response (isolation, documentation, assessment) takes 30-60 minutes. The actual file recovery can range from hours to days. According to IBM’s Cost of a Data Breach Report 2024, the average ransomware recovery time is 49 days when including full system restoration and security hardening.
No, ransomware cannot actively spread while a computer is completely powered off. However, we strongly advise against turning off an infected computer, because doing so erases RAM, where some variants keep a decryption key and where the evidence of what the malware was doing lives. Disconnect the computer from the network instead to prevent it from spreading to other systems.
No. Reporting requirements depend on your industry and location:
- All organizations: The FBI and CISA strongly recommend reporting all ransomware incidents to help track threat actors and potentially aid recovery.
- Healthcare (HIPAA): Breaches of unsecured PHI affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery.
- Financial (GLBA): Regulated banks must notify their primary federal regulator as soon as possible and no later than 36 hours after determining a notification incident occurred; non-bank financial institutions under the FTC Safeguards Rule must notify the FTC within 30 days for incidents affecting 500 or more consumers.
- EU/UK (GDPR): Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals.
- Critical infrastructure: CIRCIA requires covered entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours, once its implementing rule is in force.
If you suspect data loss or a network breach, or are looking for ways to compile digital evidence through forensics and eDiscovery services, our team can help:
- Our expert advisor will contact you to schedule your free consultation.
- You’ll receive a customized proposal or quote for approval.
- Our specialized team immediately jumps into action, as time is critical.
Related Articles

What Are LOLBins (Living Off The Land Binaries)? A Legal and Compliance Guide
Living Off The Land Binaries (LOLBins) use trusted system tools to stay invisible. Understand the legal, compliance, and forensic risks for your organization.

Anubis Ransomware: Operational Profile, Attack Chain, and Response Priorities
Anubis ransomware analysis explaining wipe capability, extortion tactics, encryption methods, and practical detection and response strategies.

NightSpire Ransomware: How It Works and How to Defend Against It
A deep analysis of the NightSpire ransomware covering tactics, encryption behavior, indicators of compromise, and practical response guidance.