
Cyber Incident Response

What to do when a Ransomware Attack Happens

What is a ransomware attack?

A ransomware attack is when criminals gain access to your systems, encrypt files (or lock you out), and demand payment for a decryption key or to prevent data being leaked. Many modern ransomware groups also steal data first (“double extortion”), meaning the risk isn’t just downtime — it can include data exposure, fraud, and reputational damage.


First 15 minutes: immediate actions

The goal here is to stop the spread and protect evidence.


  1. Isolate affected devices immediately
     • Disconnect from the network (unplug ethernet, turn off Wi-Fi).
     • If it’s a server, isolate the host/network segment rather than powering off everything blindly.

  2. Do not reboot, wipe, or “factory reset” yet
     • Preserve evidence for investigation and insurance requirements.
     • A rushed wipe can destroy logs that show how the attacker got in.

  3. Document what you’re seeing
     • Screenshot ransom notes, file extensions, error messages.
     • Record the time you noticed it and which users/devices are affected.

  4. Stop automated spread
     • Disable affected user accounts temporarily (especially admin).
     • If you suspect active encryption across the estate, consider temporarily disabling shared drives.


First hour: assess the blast radius

Now you’re working out what’s impacted and what’s at risk next.


Check:

  • Endpoints: which laptops/desktops are encrypted?

  • Servers & file shares: are shared drives affected?

  • Backups: are backups online/connected and potentially encrypted too?

  • Identity: any signs of compromised admin accounts, MFA changes, unusual logins?

  • Email / Microsoft 365: forwarding rules, unusual sign-ins, malicious OAuth apps.

  • Data exfiltration: evidence of large outbound transfers, new remote tools, unusual VPN activity.


This is where most organisations realise ransomware is rarely “one PC” — it’s often tied to credential theft, remote access, and lateral movement.


What NOT to do (common mistakes)

  • Don’t pay immediately. Paying doesn’t guarantee recovery and can encourage repeat attacks.

  • Don’t announce details publicly too early. Keep comms controlled until facts are confirmed.

  • Don’t restore before containment. If you restore while the attacker still has access, you can be reinfected.

  • Don’t assume backups are clean. Backups can be encrypted or poisoned if attackers had time.


Who to contact (and in what order)

Every business will be different, but a sensible order is:

  1. Your IT/security provider (or incident response partner)

  2. Cyber insurance provider (if applicable). Insurers often require using approved incident-response partners.

  3. Law enforcement / reporting routes. In the UK, many organisations report cybercrime via Action Fraud and follow NCSC guidance.

  4. Legal/compliance support, especially if personal data or regulated data might be involved.


Regulatory considerations (UK)

If there’s a chance personal data is compromised, you may need to assess whether this is a reportable breach (e.g., to the ICO) and whether individuals need notifying. This depends on the type of data, likelihood of harm, and confirmed exposure — not just the presence of ransomware.


(Note: this is general guidance, not legal advice.)


Recovery: Contain → Eradicate → Restore (the safe order)

Containment

  • Block known malicious IPs/domains (where identified).

  • Remove remote tools the attacker used (or isolate systems until forensics is complete).


Eradication

  • Patch exploited vulnerabilities.

  • Remove persistence mechanisms (scheduled tasks, new admin accounts, malicious GPOs).

  • Reset credentials (prioritise admins, service accounts, shared passwords).

  • Review MFA, conditional access, and admin permissions.


Restoration

  • Restore from known-good offline/immutable backups.

  • Validate restored systems before reconnecting to the network.

  • Monitor aggressively for re-entry attempts.


Post-incident hardening (so it doesn't happen again)

Most successful ransomware attacks exploit gaps in a few common areas; the controls that close those gaps are:

  • MFA everywhere (especially admin + remote access)

  • Remove unnecessary admin rights and segment admin accounts

  • Patch management for endpoints, servers, VPNs, firewalls

  • Email security and user training for phishing

  • Network segmentation (limit lateral movement)

  • Backups: 3-2-1 strategy, offline/immutable copies, regular restore tests

  • Logging/monitoring: central logs + alerting


Signs you may still be compromised

Even after recovery, watch for:

  • New admin accounts

  • MFA method changes you didn’t approve

  • Unusual login locations

  • New email forwarding rules

  • Unknown scheduled tasks/services

  • Endpoint tools disabled unexpectedly


If any of these appear, treat it as an active incident until proven otherwise.
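The first-hour checks and the post-recovery watch list above come down to the same question: which exported log records match the warning signs? This added example (not the author's or IT Desk's code) triages a constructed set of Windows event-log and Microsoft 365 audit-log records loaded as dicts; the record layout, hostnames, accounts and the assumption that staff only sign in from the UK are all made up for illustration, while the Windows event IDs and inbox-rule parameter names are the real ones.

```python
from collections import defaultdict

# Well-known Windows event IDs that correspond to the warning signs listed above.
WINDOWS_SIGNS = {4720: "new account created", 4732: "member added to Administrators",
                 4698: "scheduled task created", 7045: "new service installed"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")  # Exchange inbox-rule parameters
EXPECTED_COUNTRIES = {"GB"}  # assumption: staff normally sign in from the UK only

# Constructed sample records shaped like a log export loaded into dicts; these are not real logs.
SAMPLE_EVENTS = [
    {"source": "windows", "host": "FS01", "event_id": 4720, "subject": "svc_backup2"},
    {"source": "windows", "host": "FS01", "event_id": 4732, "group": "Administrators"},
    {"source": "windows", "host": "WS-014", "event_id": 4698, "task": "\\Updater\\sync"},
    {"source": "windows", "host": "WS-014", "event_id": 4624, "subject": "alice"},  # ordinary logon
    {"source": "m365", "user": "alice@example.com", "operation": "New-InboxRule",
     "parameters": {"ForwardTo": "ext@example.net", "DeleteMessage": True}},
    {"source": "m365", "user": "bob@example.com", "operation": "New-InboxRule",
     "parameters": {"MoveToFolder": "Receipts"}},  # benign rule, should not be flagged
    {"source": "m365", "user": "alice@example.com", "operation": "UserLoggedIn", "country": "RU"},
    {"source": "m365", "user": "bob@example.com", "operation": "UserLoggedIn", "country": "GB"},
    {"source": "m365", "user": "alice@example.com", "operation": "Update user",
     "modified": ["StrongAuthenticationMethod"]},
]


def triage(events):
    """Group matching events under the page's headings: endpoint, email, identity."""
    findings = defaultdict(list)
    for e in events:
        if e["source"] == "windows":
            label = WINDOWS_SIGNS.get(e["event_id"])
            # 4732 fires for any local group; only the privileged group matters here
            if label and not (e["event_id"] == 4732 and e.get("group") != "Administrators"):
                findings["endpoint"].append(f'{e["host"]}: {label}')
        else:
            op, p, user = e["operation"], e.get("parameters", {}), e["user"]
            dest = next((p[k] for k in FORWARD_KEYS if k in p), None)
            if op == "New-InboxRule" and dest:
                findings["email"].append(f"{user}: inbox rule forwards mail to {dest}")
            elif op == "UserLoggedIn" and e.get("country") not in EXPECTED_COUNTRIES:
                findings["identity"].append(f'{user}: sign-in from {e["country"]}')
            elif op == "Update user" and "StrongAuthenticationMethod" in e.get("modified", []):
                findings["identity"].append(f"{user}: MFA method changed")
    return dict(findings)


def is_active_incident(findings):
    """Any finding at all means: treat it as an active incident until proven otherwise."""
    return any(findings.values())
```

Run `triage(SAMPLE_EVENTS)` to see the three groups; anything a real export produces under these rules is a lead for the investigation, not proof of compromise on its own.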


People Also Ask

What should I do first in a ransomware attack?

Isolate affected devices from the network, document what you see, and begin assessing what systems/accounts are impacted. Avoid wiping or restoring until you’ve contained the threat.


Should you pay a ransomware ransom?

Paying is risky: it doesn’t guarantee recovery and can lead to repeat targeting. Decisions should be made with specialist advice, legal/compliance input, and your insurer (if applicable).


Can ransomware spread to Microsoft 365?

Ransomware typically encrypts local and network files, but attackers may also target cloud data by compromising accounts, deleting files, or encrypting synced folders. Identity security is critical.


How do you know if data was stolen?

Look for signs of large outbound transfers, unusual remote tools, and attacker activity before encryption. A proper investigation (logs + forensics) is often required to confirm exfiltration.


How long does recovery take?

It depends on the size of the environment, backup quality, and whether attackers maintained access. Many businesses underestimate the time needed for secure restoration and verification.

TL;DR

  • Act fast: isolate infected devices immediately (Wi-Fi off / unplug network).

  • Don’t pay or negotiate until you’ve assessed what’s affected and spoken to specialists/insurer.

  • Preserve evidence: don’t wipe machines yet—capture notes/screenshots and keep logs.

  • Check what’s hit: endpoints, servers, Microsoft 365, backups, and admin accounts.

  • Contain → eradicate → recover: restore from clean backups, rotate credentials, patch gaps.

  • Report if required: consider legal/regulatory duties (e.g., ICO if personal data is impacted).

  • If you need help, contact an incident response provider.


Written by:

Steve Harper

Commercial Director

Sources

NCSC (UK), ICO (UK), Action Fraud (UK), Microsoft Security documentation, CISA (US), NIST incident handling guidance, ENISA guidance, industry incident-response best practices.
