What should you do if you experience a ransomware attack?

If a ransomware attack occurs, immediately isolate affected systems to stop the spread. Disconnect infected devices, preserve evidence, and use secure, unaffected communication channels to coordinate your response. Understanding which systems are impacted is critical before taking recovery steps.

Recovery should focus on restoring systems from clean backups and removing all malware before reconnecting networks. Involve senior management and report incidents where required. Paying a ransom is not recommended, so preparation through backups and response planning is essential.

A ransomware attack is one of the most serious cyber incidents an organisation can face. Systems may become unavailable, data may be inaccessible, and attackers will try to create urgency and fear to force rushed decisions.

The first few hours matter most. Calm, disciplined actions can prevent wider damage, preserve recovery options, and protect the organisation legally and financially.

This guide sets out the correct response.

Why ransomware incidents escalate so quickly

Ransomware rarely begins with encryption.

By the time ransom messages appear, attackers have often:

  • Moved laterally through the network
  • Stolen credentials
  • Accessed or deleted backups
  • Exfiltrated sensitive data

Attackers rely on confusion, poor communication, and pressure. A structured response dramatically reduces harm.

Fast checklist for immediate response

  • Contain the spread
  • Preserve evidence
  • Maintain secure communication
  • Understand what is affected
  • Recover safely

Immediate actions to take

Step 1: Isolate affected systems

Immediately disconnect infected or suspected systems from the network.

  • Remove network cables
  • Disable Wi-Fi
  • Block access at the switch or firewall if needed

If ransomware is actively spreading and isolation is not possible, powering down systems may be necessary as a last resort to stop further damage.

However, powering off systems can destroy volatile forensic evidence (such as memory, running processes and active network connections). Where possible, isolate first and involve incident-response or forensic specialists before shutting systems down. For virtual machines, suspending the VM or taking a snapshot that includes memory preserves this state without a hard power-off.

For cloud systems:

  • Restrict access
  • Preserve logs
  • Take controlled snapshots through cloud or security administrators

Do not allow compromised systems to remain connected.

Step 2: Preserve evidence

Preserving evidence is essential for investigation, insurance and potential legal action.

Document every action taken and the time it occurred. Take photos or screenshots of ransom messages and affected screens. Do not delete files or wipe systems until advised by security or forensic specialists.

Do not log into compromised systems using administrative accounts “just to check” their status: the attacker may still be present to capture those credentials, and the logon itself contaminates evidence.

Good records help teams understand how the attack happened and reduce the risk of repeat incidents.
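The action log and artefact hashes described in Step 2 can be kept in a simple, tamper-evident register. The following is an added example for this guide, not Toro's tooling or code from the original page: every action and captured artefact is written as a JSON line with a UTC timestamp, artefacts are identified by SHA-256, and each entry carries the hash of the line before it, so an altered, removed or reordered entry (other than the last one) is detected when the register is verified. The paths, operator name and the sample ransom note are constructed for illustration.

```python
"""Append-only, hash-chained evidence register for a ransomware incident.

Added example; not part of the original guide. Paths, operator name and the
sample artefact are constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # "previous hash" used for the first entry


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a memory or disk image need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceRegister:
    def __init__(self, log_path: Path):
        self.log_path = log_path
        self.prev_hash = GENESIS
        if log_path.exists():  # resume the chain from an existing register
            for line in log_path.read_text(encoding="utf-8").splitlines():
                self.prev_hash = hashlib.sha256(line.encode("utf-8")).hexdigest()

    def _append(self, entry: dict) -> dict:
        entry = dict(entry, prev=self.prev_hash,
                     time=datetime.now(timezone.utc).isoformat())
        line = json.dumps(entry, sort_keys=True)
        with self.log_path.open("a", encoding="utf-8") as f:
            f.write(line + "\n")
        self.prev_hash = hashlib.sha256(line.encode("utf-8")).hexdigest()
        return entry

    def record_action(self, operator: str, action: str) -> dict:
        """Who did what, e.g. 'disabled switch port for FS-01'."""
        return self._append({"type": "action", "operator": operator, "action": action})

    def record_artifact(self, operator: str, path: Path, note: str) -> dict:
        """Register a captured file (screenshot, ransom note, memory image) by hash."""
        return self._append({"type": "artifact", "operator": operator, "path": str(path),
                             "sha256": sha256_file(path), "size": path.stat().st_size,
                             "note": note})


def verify_register(log_path: Path) -> bool:
    """Re-walk the hash chain. Returns False if any entry except the last was
    altered, removed or reordered. Write the final hash down out of band
    (e.g. on paper, with the time) to cover the last entry as well."""
    prev = GENESIS
    for line in log_path.read_text(encoding="utf-8").splitlines():
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode("utf-8")).hexdigest()
    return True


def run_demo() -> tuple[bool, bool]:
    """Build a register around a constructed ransom note, then tamper with it.
    Returns (verified before tampering, verified after tampering)."""
    work = Path(tempfile.mkdtemp())
    note = work / "README_TO_RESTORE.txt"  # constructed sample artefact
    note.write_text("Your files are encrypted. Contact us to restore them.\n")
    reg = EvidenceRegister(work / "evidence.jsonl")
    reg.record_action("ir-lead", "isolated FS-01 by disabling its switch port")
    reg.record_artifact("ir-lead", note, "ransom note found on FS-01 finance share")
    reg.record_action("ir-lead", "insurer and legal counsel notified by phone")
    before = verify_register(reg.log_path)
    lines = reg.log_path.read_text(encoding="utf-8").splitlines()
    del lines[1]  # simulate someone quietly removing the artefact entry
    reg.log_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return before, verify_register(reg.log_path)
```

Keep the register on a clean machine (not on an affected system) and, at the end of each shift, note the last line's hash somewhere the attacker cannot reach; the chain then protects the whole record, not just the entries before the last.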

Step 3: Use out-of-band communication

Assume that compromised systems may be monitored.

Avoid using affected email accounts, messaging platforms or internal tools to coordinate the response. Use phone calls or other secure, unaffected channels to communicate with response teams and leadership.

This reduces the risk of tipping off attackers or exposing sensitive response discussions.

Investigation and containment

Step 4: Identify the ransomware involved

Where safe and appropriate, identify the ransomware strain using:

  • Incident-response providers
  • Security consultancies
  • Law-enforcement or national cyber agencies

Do not upload live malware or sensitive data to public websites, including public sandboxes and identification services, which may share submitted samples and any data embedded in them.

Identification helps determine:

  • Whether decryption tools exist
  • Whether the group is sanctioned
  • How the attackers typically operate

Step 5: Scope the attack

Understand what has been affected.

Identify where ransom messages appear, which systems and drives are impacted, and how the attackers gained access. Look for signs of lateral movement and data exfiltration.

Do not begin large-scale system restoration until initial access, attacker persistence and lateral movement have been identified and contained.

Accurate scoping prevents reinfection during recovery.
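Scoping is easier with a consolidated view of file, logon and network events. What follows is an added example for this guide (not code from the original page or any product) that runs over a small constructed set of normalised events and reports: the hosts where ransom notes appeared, accounts that logged on to several hosts over the network (a lateral-movement signal), hosts that sent large volumes to external addresses (a possible exfiltration signal), the resulting set of affected hosts, and the earliest suspicious activity, which is the time any backup must predate before it can be trusted. The ransom-note file names, the thresholds and every sample record are assumptions.

```python
"""Scoping triage over consolidated event records during a ransomware incident.

Added example; not part of the original guide. Event records, note names and
thresholds are constructed assumptions.
"""
import ipaddress

# Constructed sample events (not real telemetry). Times are UTC ISO-8601, which
# sort correctly as plain text.
EVENTS = [
    {"time": "2026-01-10T01:12:00", "type": "logon", "user": "svc_backup", "src": "WS-017", "dst": "FS-01", "logon_type": 3},
    {"time": "2026-01-10T01:14:30", "type": "logon", "user": "svc_backup", "src": "WS-017", "dst": "FS-02", "logon_type": 3},
    {"time": "2026-01-10T01:15:10", "type": "logon", "user": "svc_backup", "src": "WS-017", "dst": "DC-01", "logon_type": 10},
    {"time": "2026-01-10T01:16:00", "type": "logon", "user": "jsmith", "src": "WS-042", "dst": "FS-01", "logon_type": 3},
    {"time": "2026-01-10T02:05:00", "type": "flow", "host": "FS-01", "dst_ip": "185.220.101.4", "bytes_out": 9_400_000_000},
    {"time": "2026-01-10T02:07:00", "type": "flow", "host": "FS-01", "dst_ip": "10.0.0.5", "bytes_out": 12_000_000_000},
    {"time": "2026-01-10T02:20:00", "type": "flow", "host": "WS-042", "dst_ip": "142.250.187.78", "bytes_out": 3_000_000},
    {"time": "2026-01-10T04:30:00", "type": "file_create", "host": "FS-01", "path": "D:\\Shares\\Finance\\README_TO_RESTORE.txt"},
    {"time": "2026-01-10T04:31:00", "type": "file_create", "host": "FS-02", "path": "D:\\Shares\\HR\\README_TO_RESTORE.txt"},
    {"time": "2026-01-10T04:31:30", "type": "file_create", "host": "WS-042", "path": "C:\\Users\\jsmith\\Documents\\report.docx"},
]

RANSOM_NOTE_NAMES = {"readme_to_restore.txt", "how_to_decrypt.txt"}  # assumed names
LATERAL_HOST_THRESHOLD = 3             # distinct hosts one account reaches over the network
EXFIL_BYTES_THRESHOLD = 1_000_000_000  # 1 GB to a single external address


def is_external(ip: str) -> bool:
    """Private, loopback and link-local ranges count as internal."""
    return ipaddress.ip_address(ip).is_global


def scope(events: list[dict]) -> dict:
    note_hosts: dict[str, str] = {}          # host -> time of first ransom note
    logons: dict[tuple[str, str], dict] = {}  # (user, src) -> first time + hosts reached
    flows: dict[tuple[str, str], dict] = {}   # (host, dst_ip) -> first time + bytes out

    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] == "file_create":
            name = e["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in RANSOM_NOTE_NAMES:
                note_hosts.setdefault(e["host"], e["time"])
        elif e["type"] == "logon" and e["logon_type"] in (3, 10):  # network / RDP logons
            rec = logons.setdefault((e["user"], e["src"]), {"first": e["time"], "hosts": set()})
            rec["hosts"].add(e["dst"])
        elif e["type"] == "flow" and is_external(e["dst_ip"]):
            rec = flows.setdefault((e["host"], e["dst_ip"]), {"first": e["time"], "bytes": 0})
            rec["bytes"] += e["bytes_out"]

    lateral = {f"{u}@{s}": sorted(r["hosts"]) for (u, s), r in logons.items()
               if len(r["hosts"]) >= LATERAL_HOST_THRESHOLD}
    exfil = {f"{h}->{d}": r["bytes"] for (h, d), r in flows.items()
             if r["bytes"] >= EXFIL_BYTES_THRESHOLD}

    # Affected hosts and the earliest time any flagged activity was seen.
    affected = set(note_hosts)
    times = list(note_hosts.values())
    for (u, s), r in logons.items():
        if f"{u}@{s}" in lateral:
            affected.add(s)
            affected.update(r["hosts"])
            times.append(r["first"])
    for (h, d), r in flows.items():
        if f"{h}->{d}" in exfil:
            affected.add(h)
            times.append(r["first"])

    return {
        "ransom_note_hosts": note_hosts,
        "lateral_movement": lateral,
        "possible_exfiltration": exfil,
        "affected_hosts": sorted(affected),
        "earliest_suspicious": min(times) if times else None,
    }
```

On the sample data the account svc_backup is flagged for reaching three hosts from WS-017 before any note appeared, and FS-01 for sending 9.4 GB to an external address, so the scope is wider than the two hosts that show ransom notes and the intrusion window starts at 01:12, hours before encryption. The thresholds are deliberately simple; real triage tunes them to the environment and adds the initial-access evidence (phishing mail, exposed service, VPN logon) that this snippet does not model.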

Step 6: Quarantine impacted systems

Apply strict access controls and remove infected systems from production networks.

Do not reconnect devices until they have been properly cleaned, rebuilt or replaced. Partial restoration without full containment can allow attackers to regain access.

Eradication and recovery

Step 7: Restore from clean backups

Only restore systems from known clean backups.

Follow the 3-2-1 rule where possible: keep at least three copies of your data, on two different types of media, with at least one copy held offline or off-site. Test restores regularly so that recovery does not introduce further problems.

Where possible, ensure backups and cloud snapshots are protected with immutability, separation of duties and restricted administrator access to prevent attackers deleting or altering them.

Never restore backups without confirming they are free from compromise.
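Confirming that a backup set is safe to restore comes down to three checks: it predates the earliest known attacker activity (with a margin, since scoping tends to under-estimate dwell time), it is held on an immutable or offline copy the attacker could not reach, and its contents still match the hash manifest recorded when it was taken. The following is an added example for this guide, not code from the original page or from any backup product, that applies those checks to a constructed catalogue of backup sets. The catalogue, the manifests and the intrusion start time are all assumptions; in practice the manifest must be stored apart from the backup so that an intruder with backup access cannot rewrite both.

```python
"""Pre-restore checks on candidate backup sets during ransomware recovery.

Added example; not part of the original guide. Catalogue, manifests and the
intrusion start time are constructed assumptions.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

INTRUSION_START = "2026-01-10T01:12:00"  # earliest suspicious activity from scoping (assumed)
SAFETY_MARGIN = timedelta(hours=24)      # scoping usually under-estimates dwell time


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root
    (stream large files in chunks in production; read_bytes is fine here)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_problems(root: Path, manifest: dict[str, str]) -> list[str]:
    """Modified, missing or unexpected files compared with the recorded manifest."""
    current = build_manifest(root)
    problems = [f"missing {n}" for n in manifest if n not in current]
    problems += [f"modified {n}" for n, d in manifest.items() if n in current and current[n] != d]
    problems += [f"unexpected {n}" for n in current if n not in manifest]
    return problems


def select_restore_candidate(backups: list[dict], intrusion_start: str
                             ) -> tuple[Optional[dict], list[str]]:
    """Newest acceptable backup set, plus the reason each newer set was rejected."""
    cutoff = datetime.fromisoformat(intrusion_start) - SAFETY_MARGIN
    rejected: list[str] = []
    for b in sorted(backups, key=lambda b: b["taken"], reverse=True):
        if datetime.fromisoformat(b["taken"]) >= cutoff:
            rejected.append(f'{b["id"]}: taken after cut-off {cutoff.isoformat()}')
            continue
        if not b["immutable"]:
            rejected.append(f'{b["id"]}: not an immutable/offline copy')
            continue
        problems = manifest_problems(Path(b["path"]), b["manifest"])
        if problems:
            rejected.append(f'{b["id"]}: {"; ".join(problems)}')
            continue
        return b, rejected
    return None, rejected


def run_demo() -> dict:
    """Create four constructed backup sets on disk and run the selection."""
    work = Path(tempfile.mkdtemp())
    catalogue = []
    for bid, taken, immutable in [
        ("daily-2026-01-09", "2026-01-09T23:00:00", True),   # inside the safety margin
        ("daily-2026-01-08", "2026-01-08T23:00:00", False),  # online share the attacker could reach
        ("weekly-2026-01-04", "2026-01-04T23:00:00", True),  # tampered with below
        ("weekly-2025-12-28", "2025-12-28T23:00:00", True),  # intact, older
    ]:
        root = work / bid
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "ledger.csv").write_text("account,balance\n1001,250.00\n")
        (root / "config.ini").write_text("[backup]\nset=%s\n" % bid)
        catalogue.append({"id": bid, "taken": taken, "immutable": immutable,
                          "path": str(root), "manifest": build_manifest(root)})
    # Simulate an attacker who reached the weekly set and altered a file in it.
    (work / "weekly-2026-01-04" / "config.ini").write_text(
        "[backup]\nset=weekly-2026-01-04\nrun=evil.exe\n")
    chosen, rejected = select_restore_candidate(catalogue, INTRUSION_START)
    return {"chosen": chosen["id"] if chosen else None, "rejected": rejected}
```

A matching manifest shows the set is intact, not that it is free of malware: a backup taken after the attacker gained access faithfully preserves whatever they planted, which is why the time cut-off comes first and why restored systems are still scanned and validated before they return to service.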

Step 8: Prioritise critical systems

Use a predefined list of critical assets to guide recovery.

Focus first on systems that support safety, core operations and essential services. A phased restoration approach helps reduce pressure and supports controlled recovery.

Step 9: Remove malware and validate the environment

Use specialist tools and expertise to remove ransomware completely.

Confirm that no persistence mechanisms remain and that attackers have not maintained access through alternative accounts or tools. Validate that systems are clean before returning them to service.
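One practical way to confirm that no persistence remains is to compare a known-good inventory of a host (taken before the intrusion, for example from a gold image) against its current inventory across the places attackers commonly use to survive a reboot on Windows: the local Administrators group, scheduled tasks, services and Run keys. The following is an added example for this guide, not code from the original page or from any EDR product: anything new or changed is reported, and executables launched from user-writable directories are highlighted as the most suspicious. Both inventories are constructed; the names and paths are assumptions, and a real inventory would be built from an export such as an Autoruns listing.

```python
"""Baseline comparison across common Windows persistence locations.

Added example; not part of the original guide. Both inventories are
constructed, and the names and paths in them are assumptions.
"""

# Directory markers that ordinary users can write to; a persistence entry
# launching from one of these deserves immediate attention (heuristic).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Constructed inventories. The value is the command or binary that would run
# (empty for group members, where only membership matters).
BASELINE = {
    "local_admins": {"Administrator": "", "it-ops": ""},
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": "C:\\Windows\\System32\\defrag.exe",
    },
    "services": {"Spooler": "C:\\Windows\\System32\\spoolsv.exe"},
    "run_keys": {"SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
}
CURRENT = {
    "local_admins": {"Administrator": "", "it-ops": "", "support$": ""},
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": "C:\\Windows\\System32\\defrag.exe",
        "\\UpdateCheck": "C:\\Users\\Public\\svchost.exe",
    },
    "services": {
        "Spooler": "C:\\Windows\\System32\\spoolsv.exe",
        "RemoteSvc": "C:\\ProgramData\\rs\\rs.exe",
    },
    "run_keys": {
        "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
        "OneDriveUpd": "C:\\Users\\jsmith\\AppData\\Roaming\\ud.exe",
    },
}


def from_user_writable(command: str) -> bool:
    return any(marker in command.lower() for marker in USER_WRITABLE)


def persistence_findings(baseline: dict, current: dict) -> list[dict]:
    """Entries present now that were absent, or different, in the baseline."""
    findings = []
    for category in baseline:
        for name, command in current.get(category, {}).items():
            if name not in baseline[category]:
                issue = "not in baseline"
            elif baseline[category][name] != command:
                issue = "command changed"
            else:
                continue
            findings.append({"category": category, "name": name, "command": command,
                             "issue": issue, "user_writable": from_user_writable(command)})
    return findings


def host_is_clean(baseline: dict, current: dict) -> bool:
    """A host goes back into service only when nothing unexplained remains."""
    return not persistence_findings(baseline, current)


if __name__ == "__main__":
    for f in persistence_findings(BASELINE, CURRENT):
        flag = "  <-- user-writable path" if f["user_writable"] else ""
        print(f'{f["category"]:16} {f["name"]:45} {f["issue"]}{flag}')
```

Every finding needs an explanation, not just deletion: a new local administrator or a task launching from C:\Users\Public is how an attacker keeps access after the ransomware itself is removed, and a host with unexplained entries should be rebuilt rather than reconnected.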

Communication and reporting

Step 10: Notify key stakeholders

Inform senior leadership, legal teams and relevant risk owners as soon as possible.

If cyber insurance is in place, notify the insurer immediately, as many policies require early notification and the use of approved incident-response providers.

If there is any indication of data exposure, legal and regulatory obligations may apply. Early involvement supports better decision-making and compliance.

Step 11: Report the incident

Report the incident to the appropriate authorities.

In the UK, this normally includes reporting to the National Cyber Security Centre (NCSC) and to Report Fraud.

If personal data may have been compromised, organisations must assess whether notification to the Information Commissioner’s Office (ICO) is required and, where it is, report within 72 hours of becoming aware of the breach, and keep an internal breach log.

Some sectors (such as financial services, energy, healthcare or critical infrastructure) have additional regulators and reporting duties that must also be followed.

Reporting supports wider disruption of criminal activity and may be required by insurers.

Should you pay the ransom?

In most cases, paying the ransom is not recommended.

Payment does not guarantee data recovery and may encourage further attacks. It can also fund criminal activity. The UK government does not condone ransom payments, and payment may be unlawful if it involves sanctioned individuals or groups.

Any decision regarding payment should involve legal, executive and specialist security advice.

Preparing for future ransomware incidents

Ransomware resilience is built before an attack occurs.

Organisations should:

  • Develop and regularly test ransomware response playbooks
  • Implement strong identity controls such as multi-factor authentication
  • Secure backups and restrict administrative access
  • Train staff to recognise phishing and social engineering
  • Encourage early reporting of suspicious activity

Preparation reduces panic and improves outcomes when incidents occur.

Frequently asked questions

Should we shut everything down immediately?

Only affected systems should be isolated or powered down. However, if the spread cannot be controlled, wider shutdowns may be necessary to protect the environment.

How long does recovery take?

Recovery time varies widely depending on the scale of the attack, backup quality and system complexity. Well-prepared organisations recover significantly faster.

Who should lead the response?

A designated incident lead should coordinate technical, legal and business actions. Clear leadership prevents confusion and conflicting decisions.

Final thought

Ransomware incidents are stressful, but panic is the enemy of recovery. Calm, disciplined actions taken early can dramatically reduce damage and downtime.

Clear plans, rehearsed responses and good security habits give organisations the best chance of recovering safely and confidently.

Need support with ransomware preparedness or incident response training?

Talk to Toro about strengthening your organisation’s ability to prevent, detect and respond to ransomware. Toro delivers practical ransomware readiness, incident-response planning and tabletop exercises, alongside converged cyber and physical security training that helps teams make the right decisions when it matters most.

Reviewed by: Katie Barnett, Director of Cyber Security, 12/01/2026

Last updated: 12/01/2026