Step-by-Step Guide: 7 Essential Ransomware Incident Response Steps

Check the immediate actions and steps to follow after a ransomware attack with this comprehensive guide.

If you are under attack, immediately disconnect the affected machine from the network (Ethernet and Wi-Fi) and do NOT restart it. Follow these 7 steps to recover your data without paying the ransom.

The most obvious signs of a ransomware attack are a sudden inability to open your files, the appearance of unusual file extensions (like .locked or .encrypted), and a pop-up screen or text file (the ransom note) demanding payment to restore access. This is usually when the panic starts, but you must stay calm: what you do in the next 60 minutes is critical. The way you conduct your incident response plan, and the time it takes, will define your business’s reputation and future.

Ransomware attacks are becoming more common, with threat actors even adopting AI technology to target smaller and smaller businesses. So, Byte Forensic’s internal team of incident response experts and ransomware response specialists collaborated to create this easy-to-follow process to empower you to properly identify the threat and recover your encrypted files.

Important: Every ransomware attack is unique. Factors like industry regulations, network architecture, and the specific malware strain dictate the long-term response and recovery strategy. However, the immediate triage follows universal principles, explained in this guide.

Under Ransomware Attack Right Now? Do This Immediately:

  1. Disconnect from the network – Unplug the Ethernet cable and disable Wi-Fi to stop the spread
  2. Do NOT restart or shut down – A reboot clears RAM, which may hold the only copy of the key material needed for recovery
  3. Call Byte Forensic 24/7 for immediate expert guidance
  4. Do NOT pay the ransom – There is no guarantee of file recovery, and paying marks you as a target that pays

Is it possible to DIY ransomware removal?

The question of whether ransomware removal DIY is possible can be compared to the same question about removing a tooth. Yes, you probably could, but an experienced, qualified professional with the right tools and setting will definitely get the job done much less painfully and with a significantly higher success rate. 

So, no, do not attempt DIY ransomware removal. As ransomware removal and decryption specialist Hassan Faraz warns, “With ransomware, you often don’t get a second chance. Treating the attack like a standard IT issue by running scripts, deleting files, or even restarting the machine can be a catastrophic error. These actions can wipe out the very data fragments or memory keys our DFIR team would use for a successful recovery.”

Even the smallest action (or even inaction) can make data recovery impossible. So before you consider pressing Ctrl-Z or closing a window, follow the protocol in your company’s incident response plan and call your in-house IT cybersecurity expert. If you don’t have that, call Byte Forensic’s 24/7 emergency response team. Meanwhile, following the steps below will increase the chances of a successful data recovery.

Step 1: Isolate infected devices to stop lateral movement

Unplug the Ethernet cable and immediately disconnect from Wi-Fi. This is the single most important step to stop the ransomware from spreading laterally across your network and encrypting other computers, servers, or cloud backups.

If you are on a company network, disconnect shared drives and immediately disable automated sync services (such as OneDrive or Dropbox) on the infected machine.

Warning: DO NOT PAY THE RANSOM. According to Sophos’s State of Ransomware 2025 report, 49% of affected organizations paid the ransom to get their data back, and 18% of those that paid ended up paying more than the original demand. Of those who paid more, 50% said it was because the attackers believed they could afford to pay more, and 48% because the attackers realized they were a high-value target. Paying also marks you as a victim that pays, which invites repeat attacks, and it gives you no guarantee that the decryptor you receive actually works.

Step 2: Keep systems powered on to preserve volatile memory

This may feel counterintuitive, but it is expert advice. Some ransomware variants hold the encryption key, or the material needed to derive it, in the computer’s volatile memory (RAM) while they run, and an incident responder can acquire a memory image from a system that is still running.

Restarting or shutting down the machine clears that memory, potentially destroying the only copy of the key and making recovery impossible. Keep the system running, but completely disconnected from the internet and the local network.

Step 3: Document evidence and identify the ransomware strain

Use a separate, clean device (such as your phone) to photograph the ransom note and the screen. Do not rely on screenshots saved to the infected machine, as you may lose access to them. Pay close attention to:

  • The Name: The ransomware family (e.g., “LockBit,” “Rancoz,” “Phobos”).
  • The Extension: The file extension added to your data (e.g., .locked, .crypted, .enc).
  • The Contact: The attacker’s email, TOR link, or payment ID.

This information is vital for identifying the strain and finding a specific ransomware decrypter later.
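The inventory described above can be automated once a copy of the affected files is available. The following script is an added example for this guide, not Byte Forensic’s tooling: it walks a mounted forensic image or file copy on a clean analysis machine (never the live infected host, see Step 2), finds the appended extension by counting files that gained an extra suffix, locates ransom notes by name, pulls e-mail addresses, .onion hosts and victim IDs out of them with regular expressions, and reports the earliest and latest modification times of the encrypted files, which bound the infection window you will need when checking backups. The note-name hints, the regexes and the sample file tree are assumptions made for the example.

```python
"""Offline ransomware triage over a mounted copy of the victim's files.

Added example, not Byte Forensic's tooling. Run on a clean analysis machine
against a read-only mounted image or file copy, never on the live infected
host. Note-name hints, regexes and the sample tree are assumptions.
"""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Words that typically appear in ransom-note file names (assumption).
NOTE_NAME_HINTS = ("readme", "how_to", "decrypt", "restore", "recover", "ransom")
NOTE_EXTS = {".txt", ".hta", ".html"}

ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ID_RE = re.compile(r"\b(?:personal|your)?\s*id\s*[:=]\s*([A-Za-z0-9-]{6,})", re.IGNORECASE)


def looks_like_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTS and any(h in name for h in NOTE_NAME_HINTS)


def extract_contacts(text: str) -> dict:
    """Pull e-mail addresses, .onion hosts and victim IDs out of a ransom note."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "onion": sorted({m.lower() for m in ONION_RE.findall(text)}),
        "ids": sorted(set(ID_RE.findall(text))),
    }


def triage(root: Path) -> dict:
    """Inventory the appended extension, ransom notes and the encryption window."""
    candidates = []      # (last suffix, mtime) for every double-suffixed file
    notes = []
    contacts = {"emails": set(), "onion": set(), "ids": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if looks_like_note(path):
            notes.append(path)
            for key, values in extract_contacts(path.read_text(errors="replace")).items():
                contacts[key].update(values)
        # Most families keep the original name and append a suffix
        # (report.docx -> report.docx.locked), so the last suffix of a
        # double-suffixed file is the candidate appended extension.
        elif len(path.suffixes) >= 2:
            candidates.append((path.suffix.lower(), path.stat().st_mtime))
    ext_counts = Counter(ext for ext, _ in candidates)
    appended, count = ext_counts.most_common(1)[0] if ext_counts else (None, 0)
    mtimes = [int(m) for ext, m in candidates if ext == appended]
    return {
        "appended_extension": appended,
        "encrypted_files": count,
        "ransom_notes": len(notes),
        "contacts": {k: sorted(v) for k, v in contacts.items()},
        # The earliest mtime bounds the start of encryption: a usable backup must predate it.
        "first_encrypted_epoch": min(mtimes) if mtimes else None,
        "last_encrypted_epoch": max(mtimes) if mtimes else None,
    }


# Constructed ransom note; the contact details are placeholders, not real ones.
NOTE_TEXT = (
    "ALL YOUR FILES ARE ENCRYPTED.\n"
    "Write to recovery@example.com or open http://ransomsupportexampleonly.onion/pay\n"
    "Personal ID: AB12-CD34-EF56\n"
)


def build_sample_tree(base: Path) -> Path:
    """Constructed sample standing in for a mounted copy of the victim's files."""
    sample = {  # relative path -> mtime (epoch seconds)
        "Documents/report.docx.locked": 1_700_000_300,
        "Documents/budget.xlsx.locked": 1_700_000_060,
        "Documents/photos.tar.gz": 1_600_000_000,    # legitimate double suffix, untouched
        "Documents/notes.txt": 1_650_000_000,        # untouched plain file
        "Documents/README_TO_RESTORE.txt": 1_700_000_350,
        "Desktop/HOW_TO_DECRYPT.hta": 1_700_000_350,
    }
    for rel, mtime in sample.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(NOTE_TEXT if looks_like_note(path) else "placeholder content\n")
        os.utime(path, (mtime, mtime))
    return base


def demo() -> dict:
    return triage(build_sample_tree(Path(tempfile.mkdtemp(prefix="triage-"))))


if __name__ == "__main__":
    result = demo()
    for key in ("first_encrypted_epoch", "last_encrypted_epoch"):
        if result[key] is not None:
            result[key + "_utc"] = datetime.fromtimestamp(result[key], timezone.utc).isoformat()
    print(result)
```

Point `triage()` at the mount point of the image instead of the constructed tree to use it for real. The double-suffix heuristic will also count legitimate files such as `archive.tar.gz`, which is why the script takes the most common extra suffix rather than every one; families that rename files entirely need the ransom note and ID Ransomware (Step 5) instead.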

Note on Compliance: If you handle sensitive data (PII, PHI), now is the time to notify your legal counsel or Data Protection Officer (DPO) to determine whether regulators must be notified and how to report the incident to law enforcement (such as the FBI) or to CISA.

Ransomware Response Timeline Checklist

Track your incident response progress and ensure no critical steps are missed

[ ] 0-5 minutes: Isolate infected device(s)
    Why this window matters: ransomware can spread laterally across a network within minutes
    Risk if delayed: Critical. Entire network encryption, cloud backup infection
[ ] 5-15 minutes: Document the attack
    Why this window matters: ransom notes may disappear; forensic evidence is volatile
    Risk if delayed: High. Loss of critical recovery information, weakened legal position
[ ] 15-30 minutes: Assess backup viability
    Why this window matters: determines whether self-recovery is possible
    Risk if delayed: Medium. Wasted time pursuing the wrong recovery path
[ ] 30-60 minutes: Contact professionals if needed
    Why this window matters: early professional intervention significantly increases recovery success rates
    Risk if delayed: High. Permanent data loss, corrupted recovery attempts
[ ] 1-24 hours: Begin controlled recovery
    Why this window matters: system forensics must be preserved for investigation and compliance
    Risk if delayed: Medium. Evidence contamination, compliance violations
[ ] 24-72 hours: Complete system restoration
    Why this window matters: business continuity is critical; prolonged downtime multiplies costs
    Risk if delayed: High. Extended downtime costs, customer/revenue loss, reputation damage
Source: CISA Ransomware Guide - Cybersecurity & Infrastructure Security Agency

Step 4: Restore data using a secure backup strategy

Once the threat is contained, your best path to recover encrypted files is a clean, offline backup. This is why a strong 3-2-1 backup strategy (three copies of your data, on two different media, with one copy kept offline or off-site) is crucial: ransomware routinely encrypts or deletes any backup it can reach over the network.

Warning: Do not simply connect your backup drive to the infected computer. You risk encrypting your backups, too. Follow this safe restoration checklist:

  1. Verify: Confirm you have an offline backup dated before the infection timestamp (the earliest modification time among the encrypted files is a good estimate).
  2. Scan: Connect the backup drive to a separate, clean computer and scan it with updated antivirus software to ensure the backup itself isn’t compromised.
  3. Wipe: Completely format the infected hard drive and reinstall the OS (Windows/macOS) from a trusted source.
  4. Restore: Only transfer the verified backup files once the machine is fresh and patched.
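Steps 1 and 2 of this checklist can be backed by a mechanical check. The script below is an added example for this guide, not Byte Forensic’s tooling, and it complements rather than replaces the antivirus scan: run on the clean machine against the mounted backup, it flags any file modified at or after the infection window (with a safety margin) and any file whose bytes no longer match its extension, since encryption destroys the leading magic bytes of a PDF or Office document and pushes the byte entropy of a plain-text file toward 8 bits per byte. The magic-byte table, entropy threshold, margin and the two constructed backup sets are assumptions made for the example.

```python
"""Backup viability check before restoring (Step 4).

Added example, not Byte Forensic's tooling. Magic-byte table, entropy
threshold, safety margin and the sample backup sets are assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes a healthy file of this type starts with (assumption: a small
# table; extend it for the formats your business relies on).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
TEXT_EXTS = {".txt", ".csv", ".json", ".log", ".md"}
MAX_TEXT_ENTROPY = 6.0   # bits/byte; plain text sits near 4-5, ciphertext near 8
HEAD_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def content_matches_extension(path: Path):
    """True/False for known types, None when the type is not in the tables."""
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    ext = path.suffix.lower()
    if ext in MAGIC:
        return head.startswith(MAGIC[ext])
    if ext in TEXT_EXTS:
        return shannon_entropy(head) < MAX_TEXT_ENTROPY
    return None


def assess_backup(root: Path, infection_epoch: int, margin_seconds: int = 3600) -> dict:
    """Flag files modified inside the infection window or whose bytes look encrypted."""
    problems, checked, newest = [], 0, 0
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        mtime = int(path.stat().st_mtime)
        newest = max(newest, mtime)
        # The margin covers clock skew and the gap between the first
        # encryption and the earliest mtime you actually observed.
        if mtime >= infection_epoch - margin_seconds:
            problems.append(f"{rel}: modified at or after the infection window")
        verdict = content_matches_extension(path)
        if verdict is not None:
            checked += 1
        if verdict is False:
            problems.append(f"{rel}: content does not match its extension (encrypted?)")
    return {"usable": not problems, "files_checked": checked,
            "newest_file_epoch": newest, "problems": problems}


def build_sample_backups(base: Path) -> tuple:
    """Two constructed backup sets: one clean, one that touched the infection."""
    before, after = 1_699_990_000, 1_700_000_500    # infection observed at 1_700_000_060
    sets = {
        "good": [("invoice.pdf", b"%PDF-1.7 placeholder body", before),
                 ("report.docx", b"PK\x03\x04 zipped xml placeholder", before),
                 ("notes.txt", b"quarterly planning notes\n" * 40, before)],
        "bad": [("invoice.pdf", os.urandom(4096), before),          # ciphertext, magic gone
                ("report.docx", b"PK\x03\x04 zipped xml placeholder", before),
                ("notes.txt", b"quarterly planning notes\n" * 40, after)],  # written too late
    }
    roots = []
    for name, files in sets.items():
        root = base / name
        root.mkdir(parents=True)
        for fname, data, mtime in files:
            path = root / fname
            path.write_bytes(data)
            os.utime(path, (mtime, mtime))
        roots.append(root)
    return roots[0], roots[1]


def demo() -> dict:
    good, bad = build_sample_backups(Path(tempfile.mkdtemp(prefix="backup-")))
    return {"good": assess_backup(good, 1_700_000_060),
            "bad": assess_backup(bad, 1_700_000_060)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "usable" if verdict["usable"] else "NOT usable", verdict["problems"])
```

A backup that passes this check is not proven clean, only free of the two most visible symptoms; the antivirus scan in step 2 and a restore onto a freshly installed machine (step 3) remain necessary.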

Step 5: Search for verified ransomware decrypter tools

If you have no backups, your next option is a free decrypter tool. These are tools built by cybersecurity researchers who have found weaknesses in the encryption implementation of specific ransomware strains, or who obtained the criminals’ master keys after a law-enforcement action.

  • From a clean machine, upload a copy of the ransom note and a sample encrypted file (a copy, never your only one) to a free identifier service such as ID Ransomware; the details you photographed in Step 3 help you confirm its answer.
  • Check the No More Ransom Project to see whether a free, vetted decryption tool exists for your specific variant.

Pro Tip: Never download a decrypter from a random forum or an untrusted source, as it may also be malware.

Before you run any tool, copy your encrypted files to a separate drive. A faulty decrypter can permanently corrupt them, making professional recovery impossible.
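A way to make that precaution verifiable, as an added example for this guide rather than Byte Forensic’s own procedure: keep the pristine copy of the encrypted files untouched, record a SHA-256 manifest of it, and let the decrypter operate only on a second working copy. Afterwards the manifest proves the pristine copy is still intact and shows exactly which files a faulty tool altered, so a bad attempt costs you nothing. The directory names and the simulated faulty decrypter are assumptions made for the example.

```python
"""Tamper-evident working copy before trying any decrypter (Step 5).

Added example, not Byte Forensic's procedure. Paths and the simulated
faulty decrypter are assumptions made for the example.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest; all-empty lists mean it is intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def faulty_decrypter(working_copy: Path) -> None:
    """Simulated bad tool (constructed): truncates a file instead of decrypting it."""
    victim = working_copy / "Documents" / "report.docx.locked"
    victim.write_bytes(victim.read_bytes()[:16])


def demo() -> dict:
    base = Path(tempfile.mkdtemp(prefix="decrypt-"))
    pristine = base / "pristine"
    (pristine / "Documents").mkdir(parents=True)
    # Constructed stand-ins for encrypted files: random bytes, as ciphertext would be.
    for name in ("report.docx.locked", "budget.xlsx.locked"):
        (pristine / "Documents" / name).write_bytes(os.urandom(2048))
    manifest = build_manifest(pristine)          # record BEFORE any tool runs
    working = base / "working"
    shutil.copytree(pristine, working)           # the decrypter only ever sees this copy
    before = verify_manifest(working, manifest)  # proves the copy is faithful
    faulty_decrypter(working)
    return {
        "working_before": before,
        "pristine_after": verify_manifest(pristine, manifest),  # still intact
        "working_after": verify_manifest(working, manifest),    # shows the damage
    }


if __name__ == "__main__":
    print(demo())
```

Store the manifest alongside the pristine copy on the separate drive; when a decrypter does succeed, the same manifest lets you confirm which inputs it consumed and that nothing else was touched.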

Step 6: When to call professional ransomware incident response experts

Ransomware recovery experts begin by creating a bit-for-bit forensic image of your drive, ensuring that only a clone is used for the decryption, to preserve original evidence and prevent further data loss. 

Byte Forensic’s engineers reverse-engineer the specific malware variant to identify encryption flaws. Finally, we use proprietary in-house tools for key extraction and decryption, which often enable us to recover your files.

Because every attack environment is unique, professional responders do not use a ‘one-size-fits-all’ script; we build a custom containment and recovery strategy based on your specific forensic evidence.

You should call a professional if you are in any of these situations:

  • You have no backups, or your backups were also encrypted.
  • No free decrypter tool exists for your strain.
  • You have no technical training or knowledge of cybersecurity.
  • The encrypted data is critical to a server or a database.
  • The data is simply too valuable to risk losing (e.g., business records, irreplaceable family memories).

Step 7: Post-incident response, security hardening, and prevention

Getting your files back is only half the battle. Even after recovery, the attacker’s tools (the malware) and their entry point (the exploited vulnerability or stolen credentials) may still be in place, and the attacker may still have access. Therefore, you must follow a plan to ensure your data safety before using devices and systems again.

  1. Use a bootable, offline antimalware and antivirus scanner to scan and remove the malware.
  2. Assume the attackers stole every password saved on the machine and change them all, from a clean device. This includes your local admin, email, online banking, and social media passwords, and any domain or service accounts the machine used.
  3. Patch your system, browsers, antivirus software, and any other programs you use.
  4. Use your digital forensics report to understand how the attack happened, then work to prevent new attacks by fixing the vulnerability.

FAQ: Common questions on ransomware incident response steps

What is the best course of action to take after a ransomware attack?

The single most important action is to immediately isolate the infected device by disconnecting it from all networks (Ethernet and Wi-Fi), then preserve evidence and keep the machine powered on, as described in Steps 1 to 3.

Can I remove ransomware myself?

You can remove the malware binary itself with a reputable antimalware program, and if a free decryption tool exists for your strain you may be able to get your files back; check the No More Ransom project for a vetted public decryptor. Do this only after isolating the machine and preserving evidence (Steps 1 to 3): removal is not decryption, and running cleanup tools first can destroy the key material and forensic artifacts a recovery specialist needs.

The intrusion that delivered the ransomware also often leaves other footholds (backdoors, stolen credentials, persistence mechanisms) for future attacks. That’s why a ransomware removal service is your best chance to make sure your system is completely ransomware-free.

How long does ransomware recovery take?

Recovery timelines vary significantly with the recovery method (restoring from backup, running a free decrypter, or professional key recovery), and so does the success rate.

The immediate response (isolation, documentation, assessment) takes 30-60 minutes. The actual file recovery can range from hours to days. According to IBM’s Cost of a Data Breach Report 2024, the average ransomware recovery time is 49 days when including full system restoration and security hardening.

Will ransomware spread if my computer is off?

No, ransomware cannot actively spread while a computer is completely powered off. However, we strongly advise against turning off an infected computer, because doing so clears RAM, which sometimes holds the decryption key. Disconnect the computer from the network instead to prevent it from spreading to other systems.

Do I need to report a ransomware attack to authorities?

It depends. Reporting requirements are set by your industry and location:

  • All organizations: The FBI and CISA strongly recommend reporting all ransomware incidents to help track threat actors and potentially aid recovery.
  • Healthcare (HIPAA): Must report breaches affecting 500+ individuals within 60 days of discovery.
  • Financial (GLBA): Must notify regulators “as soon as possible.”
  • EU/UK (GDPR): Must report to the supervisory authority within 72 hours of becoming aware of a personal data breach.
  • Critical infrastructure: CIRCIA requires covered entities to report covered cyber incidents within 72 hours and ransom payments within 24 hours once CISA’s implementing rule is in effect.

Author

  • Heloise Montini

    Heloise Montini is a content writer who leverages her journalism background and interests in PC gaming and creative writing to make complex topics relatable. Since 2020, she has been researching and writing insightful tech articles on data recovery, data storage, and cybersecurity.
