Security · April 17, 2026 · 10 min read

What to Do After a Ransomware Attack: A Step-by-Step Recovery Guide


By Sarah Chen

Head of Privacy Research


Ransomware attacks are among the most disruptive cybersecurity incidents anyone can face. Whether you are an individual whose personal computer has been locked or a business dealing with encrypted servers, the first moments after discovering an attack are critical. The decisions you make in the next few hours will determine how much data you recover, how much it costs, and whether you become a repeat target. This guide walks you through every step of the recovery process.

Step 1: Isolate Affected Systems Immediately

The moment you suspect a ransomware attack, your top priority is containment. Some ransomware families propagate across the network on their own, and the operators behind the rest move laterally to reach every system they can and often launch the encryption on many hosts at once. Every second counts.

  • Disconnect from the network: Unplug Ethernet cables and disable Wi-Fi on all affected machines. Do not wait for IT to arrive.
  • Disconnect external storage: Remove USB drives, external hard drives, and any NAS connections immediately.
  • Isolate cloud syncing: Pause or disconnect cloud storage services like OneDrive, Google Drive, and Dropbox to prevent encrypted files from overwriting clean cloud copies.
  • Do not power off: Unless you have no other way to cut a machine off from the network, leave infected systems running and isolated. Powering off destroys volatile memory, and forensic analysts may be able to recover the encryption key, the running ransomware process, or the attacker's tooling from a memory image. If a system cannot be isolated any other way, shutting it down is still better than letting it keep encrypting.

Do Not Pay the Ransom

The FBI, CISA, and virtually every cybersecurity authority advise against paying ransoms. Payment directly funds criminal operations and often finances further attacks. There is no guarantee you will receive a working decryption key, and studies suggest that only about 8% of organizations that pay recover all their data; even a working decryptor is typically slow, buggy, and fails on some files. Paying does nothing about data the attackers already copied out, and it marks you as a willing target for future attacks. In the United States, a payment to a sanctioned group can also expose you to liability under OFAC rules, so involve legal counsel before payment is even discussed. Clean backups, not the attacker's goodwill, are what you recover from.

Step 2: Document Everything

Before you begin any recovery efforts, create a thorough record of the attack. This documentation will be essential for law enforcement, insurance claims, and your post-incident review.

  • Take screenshots of ransom notes, encrypted file extensions, and any error messages
  • Record the timeline: Note when the attack was first noticed, which systems showed symptoms first, and what actions were taken
  • Preserve ransom communications: Save copies of ransom notes (they typically appear as text files or browser pop-ups on infected systems)
  • Log affected systems: Create a list of every device and server that shows signs of encryption
  • Preserve evidence before you wipe anything: Capture a disk image and a memory image of at least one representative infected host, and export logs from your EDR, firewalls, VPN, and email gateway. These are often the only record of how the attacker got in and what they took.

Step 3: Report to Authorities

Reporting is not optional — it is a critical step that helps law enforcement track ransomware gangs and may provide you with recovery resources you would not otherwise have.

  1. FBI Internet Crime Complaint Center (IC3): File a report at ic3.gov. In several past operations the FBI has obtained decryption keys for specific ransomware families and shared them with victims, so a report can put you on that list.
  2. CISA: Report to the Cybersecurity and Infrastructure Security Agency at cisa.gov/report. CISA can provide technical assistance and connect you with relevant resources.
  3. Local law enforcement: File a police report, especially if personal data or financial information was compromised.
  4. State attorney general: Every U.S. state has a breach notification law. If personal data of customers or residents was exposed, you will generally have to notify the affected individuals, and many states also require notifying the attorney general, within a fixed deadline.

Step 4: Assess the Damage

With the attack contained and documented, conduct a thorough assessment of what was affected.

  • Identify the ransomware variant: Use tools like ID Ransomware (id-ransomware.malwarehunterteam.com) or No More Ransom (nomoreransom.org) to identify the specific strain. Free decryption tools exist for many older and less sophisticated variants.
  • Determine the scope: Map out exactly which systems, databases, and files were encrypted
  • Check for data exfiltration: Modern ransomware gangs frequently steal data before encrypting it, using the threat of public exposure as additional leverage. Review firewall, proxy, and VPN logs for unusual outbound transfers in the days or weeks before the encryption, especially large uploads to file-sharing or cloud-storage services and to hosts you do not recognize, and look on file servers for archiving tools or large .zip, .rar, or .7z staging files the attackers left behind.
  • Evaluate backup integrity: Confirm that your backups were not deleted, encrypted, or tampered with. Ransomware operators routinely go after backup servers and cloud backup accounts first, and a backup taken after the intruder got in may contain their tooling.
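Reviewing logs for exfiltration is concrete enough to show in code. The following is an added example written for this guide (not the page's tooling and not any vendor's product): it parses a constructed outbound-traffic log in an assumed four-column format, flags uploads to an assumed watchlist of file-sharing services, and flags any day on which a host sends more than ten times its own median daily volume. The log lines, the watchlist, and the 10x threshold are illustrative assumptions; to use it on a real firewall or proxy export, change parse_log to match your format.

```python
"""Spot likely data exfiltration in outbound traffic logs.

Added example for this guide, not tooling from the page. The log format,
the watchlist and the spike threshold are assumptions; adapt them to your
firewall or proxy export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample (assumed format): "<ISO timestamp> <src host> <dest host> <bytes out>".
# ws-017 behaves normally for three days, then pushes ~40 GB to mega.nz at 2 a.m.
SAMPLE_LOG = """\
2026-04-01T09:12:00 ws-017 office.example-saas.com 120000
2026-04-01T10:30:00 ws-017 cdn.example.net 80000
2026-04-02T09:05:00 ws-017 office.example-saas.com 110000
2026-04-02T14:40:00 ws-017 cdn.example.net 95000
2026-04-03T09:20:00 ws-017 office.example-saas.com 130000
2026-04-04T02:15:00 ws-017 mega.nz 18000000000
2026-04-04T03:10:00 ws-017 mega.nz 22000000000
2026-04-01T09:00:00 ws-042 office.example-saas.com 150000
2026-04-02T09:00:00 ws-042 office.example-saas.com 140000
2026-04-03T09:00:00 ws-042 office.example-saas.com 160000
2026-04-04T09:00:00 ws-042 office.example-saas.com 155000
"""

# File-sharing services that ransomware crews have used to stage stolen data.
# A starter list (assumed); extend it from your own threat intelligence.
WATCHLIST = {"mega.nz", "anonfiles.com", "transfer.sh"}

SPIKE_FACTOR = 10  # assumed: flag a day that exceeds 10x the host's median daily volume


def parse_log(text):
    """Parse the sample format into (timestamp, src, dst, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def daily_outbound(rows):
    """host -> {date: total bytes out that day}"""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, nbytes in rows:
        totals[src][ts.date()] += nbytes
    return totals


def find_exfil_candidates(rows, spike_factor=SPIKE_FACTOR):
    """Return (host, day, reason) findings worth an analyst's attention."""
    findings = []
    # Any traffic to a watchlisted destination is worth a look regardless of size.
    for ts, src, dst, nbytes in rows:
        if dst in WATCHLIST:
            findings.append((src, ts.date().isoformat(),
                             f"upload to watchlisted {dst} ({nbytes} bytes)"))
    # Volume spikes are measured against each host's *own* history, so a busy
    # file server is not flagged just for being busy.
    for host, per_day in daily_outbound(rows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]
            if len(prior) < 2:
                continue  # not enough history to call a baseline
            baseline = median(prior)
            if baseline and per_day[day] > spike_factor * baseline:
                findings.append((host, day.isoformat(),
                                 f"sent {per_day[day]} bytes vs median {int(baseline)}"))
    return findings


if __name__ == "__main__":
    for host, day, reason in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{day} {host}: {reason}")
```

Run against the sample, the script reports three findings, all for ws-017 on 2026-04-04: two uploads to the watchlisted host and one volume spike against that workstation's own baseline. The per-host baseline matters: a threshold set across the whole fleet would either drown in alerts from legitimately busy servers or miss a workstation that normally sends almost nothing.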

Step 5: Recover From Backups

Backup-driven recovery is the only dependable method for restoring your data after a ransomware attack. If you have clean, verified backups, this is your path forward.

  1. Verify backup integrity: Do not trust a backup just because an antivirus scan of it comes back clean. Choose a restore point that predates the attacker's earliest known activity, check the backup's own checksums against the data, and look through it for ransom notes and files with unfamiliar extensions before you restore anything
  2. Rebuild from clean images: Wipe affected systems completely and reinstall operating systems from known clean images
  3. Restore data systematically: Prioritize critical systems and data first. Restore in stages rather than all at once.
  4. Test before reconnecting: Validate that restored systems function correctly in an isolated environment before connecting them to the network
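The verification in step 1 is the part most often skipped under time pressure, so here is what it looks like in code. This is an added example written for this guide, not the page's own script or any backup product's feature: it models backup snapshots in memory, assumes a simple manifest of SHA-256 hashes per file, and uses an assumed ransom-note filename pattern and an assumed entropy cut-off of 7.5 bits per byte to spot already-encrypted files. It then picks the newest snapshot that passes every check and predates the suspected intrusion. All sample snapshots and dates are constructed.

```python
"""Choose a restore point you can trust: audit each backup snapshot first.

Added example for this guide, not the page's or any backup vendor's tooling.
The in-memory snapshot layout, the ransom-note name pattern, the "normally
compressed" extension list and the entropy cut-off are all assumptions.
"""
import hashlib
import math
import random
import re
from collections import Counter
from datetime import date

# Name fragments ransomware families commonly use for their notes (assumed starter heuristic).
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore.?files|recover.?files|how.?to.?restore)", re.I)
# Formats that are legitimately near-random, so high entropy alone proves nothing for them.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off above which a file "looks encrypted"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ext_of(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def audit_snapshot(snapshot, intrusion_date):
    """Reasons this snapshot must not be restored; an empty list means it passed."""
    problems = []
    # 1. A snapshot taken during the attacker's dwell time may carry their tooling even if
    #    nothing is encrypted yet, so anything on or after the suspected intrusion is out.
    if snapshot["taken"] >= intrusion_date:
        problems.append(f"taken {snapshot['taken']} on/after suspected intrusion {intrusion_date}")
    files, manifest = snapshot["files"], snapshot["manifest"]
    # 2. The backup's own manifest must match its contents (detects corruption or tampering).
    for path in sorted(set(files) | set(manifest)):
        if path not in manifest:
            problems.append(f"{path}: present but not in manifest")
        elif path not in files:
            problems.append(f"{path}: in manifest but missing")
        elif sha256(files[path]) != manifest[path]:
            problems.append(f"{path}: hash mismatch (corrupted or tampered)")
    # 3. Signs that the backup captured already-encrypted data.
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1]
        if RANSOM_NOTE_RE.search(name):
            problems.append(f"{path}: looks like a ransom note")
        elif ext_of(path) not in COMPRESSED_EXT and entropy(data) > ENTROPY_THRESHOLD:
            problems.append(f"{path}: high entropy ({entropy(data):.2f} bits/byte), likely encrypted")
    return problems


def choose_restore_point(snapshots, intrusion_date):
    """Latest snapshot that predates the intrusion and passes every check, else None."""
    usable = [s for s in snapshots if not audit_snapshot(s, intrusion_date)]
    return max(usable, key=lambda s: s["taken"]) if usable else None


def _random_bytes(n, seed):  # stands in for ciphertext in the constructed sample
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_snapshot(taken, files, corrupt=None):
    manifest = {p: sha256(d) for p, d in files.items()}
    if corrupt:  # simulate a file altered after the manifest was written
        files[corrupt] = files[corrupt] + b"\x00"
    return {"taken": taken, "files": files, "manifest": manifest}


# Constructed sample data (assumed): four nightly snapshots around an intrusion on 2026-03-31.
CLEAN_FILES = {
    "finance/budget.xlsx": b"PK\x03\x04" + b"quarterly budget " * 50,
    "docs/notes.txt": b"Meeting notes: rotate the service account passwords.\n" * 20,
}
SUSPECTED_INTRUSION = date(2026, 3, 31)
SAMPLE_SNAPSHOTS = [
    make_snapshot(date(2026, 3, 20), dict(CLEAN_FILES), corrupt="docs/notes.txt"),
    make_snapshot(date(2026, 3, 28), dict(CLEAN_FILES)),
    make_snapshot(date(2026, 4, 2), dict(CLEAN_FILES)),  # clean-looking, but inside the dwell window
    make_snapshot(date(2026, 4, 5), {
        "finance/budget.xlsx.locked": _random_bytes(4096, seed=7),
        "docs/notes.txt.locked": _random_bytes(4096, seed=8),
        "docs/HOW_TO_RESTORE_FILES.txt": b"Your files are encrypted. Contact us to buy the key.\n",
    }),
]

if __name__ == "__main__":
    for snap in SAMPLE_SNAPSHOTS:
        print(snap["taken"], audit_snapshot(snap, SUSPECTED_INTRUSION) or "OK")
    best = choose_restore_point(SAMPLE_SNAPSHOTS, SUSPECTED_INTRUSION)
    print("restore from:", best["taken"] if best else "no trustworthy snapshot")
```

On the sample, the 2026-03-20 snapshot is rejected for a hash mismatch, 2026-04-02 is rejected purely on date even though its contents look fine, 2026-04-05 is rejected for a ransom note and two encrypted files, and 2026-03-28 is chosen. The date check is deliberate: the earliest sign of intrusion you know about is rarely the first, so push the cut-off earlier rather than later when the timeline is uncertain.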

The 3-2-1 Backup Rule

Going forward, follow the 3-2-1 backup strategy: maintain at least 3 copies of your data, stored on 2 different types of media, with 1 copy kept offline or off-site. Offline backups are critical because ransomware cannot encrypt what it cannot reach; an off-site copy that is still reachable with the same credentials as production does not count. Cloud backups with versioning and immutable (write-once) storage provide an additional safety net, provided the retention lock cannot be removed by an administrator account the attacker might hold.

Step 6: Staged Reconnection

Do not bring all systems back online at once. A staged reconnection process prevents reinfection and allows you to verify security at each step.

  1. Start with the most critical infrastructure (domain controllers, email servers, core databases), rebuilt or restored from a verified clean source and audited for attacker-created accounts before anything else is allowed to depend on them
  2. Monitor each system closely for 24 to 48 hours before bringing the next set online
  3. Verify that security tools are running and updated on every system before it rejoins the network
  4. Re-enable internet connectivity only after internal systems are verified clean

Step 7: Reset All Credentials

Assume every password in your environment has been compromised. Ransomware operators typically have access to your systems for days or weeks before deploying encryption, giving them ample time to harvest credentials.

  • Reset all user passwords, service account passwords, and administrative credentials, starting with domain and local administrator accounts
  • In Active Directory, reset the krbtgt account password twice, waiting for replication and the maximum ticket lifetime to elapse between the two resets, to invalidate any Kerberos golden tickets the attackers forged
  • Revoke and reissue API keys, tokens, and certificates, and revoke active sessions and refresh tokens in your cloud identity provider so that stolen tokens stop working
  • Enable two-factor authentication on every account that supports it
  • Review Active Directory for accounts the attackers created, re-enabled, or added to privileged groups, and for new Group Policy objects or scheduled tasks used to push the ransomware
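Reviewing the directory for attacker-created or hijacked accounts is easier against an export than by clicking through the console. The following added example (not part of the original guide, and not a Microsoft tool) triages a CSV in the shape a Get-ADUser export might take: it flags accounts created or password-reset after the suspected initial-access date and lists privileged ones first. The column names, the privileged-group list, the sample rows, and the suspected initial-access date are assumptions for illustration. Every account still gets reset; this narrows down which ones to disable outright and investigate.

```python
"""Triage an Active Directory user export for accounts the intruder may have created or taken over.

Added example for this guide, not the page's tooling and not a Microsoft cmdlet.
Column names, the privileged-group list and the suspected initial-access date are assumptions.
"""
import csv
import io
from datetime import datetime

# Groups whose membership means "domain-wide impact" (assumed starter list; extend for your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Backup Operators"}

# Constructed sample export (assumed columns). MemberOf is ';'-separated.
SAMPLE_EXPORT = """\
SamAccountName,WhenCreated,PasswordLastSet,Enabled,MemberOf
jdoe,2021-06-14T08:00:00,2026-01-10T09:15:00,True,Finance
svc-backup,2020-02-01T10:00:00,2026-03-30T23:41:00,True,Backup Operators
sqlsvc,2019-11-20T12:00:00,2025-12-01T08:00:00,True,
helpdesk_tmp,2026-03-29T02:17:00,2026-03-29T02:17:00,True,Domain Admins;Remote Desktop Users
adm_support,2026-03-31T04:02:00,2026-03-31T04:02:00,True,
mwong,2022-09-01T09:00:00,2025-09-01T09:00:00,False,Finance
"""

# Earliest attacker activity found so far (assumed); err on the early side.
SUSPECTED_INITIAL_ACCESS = datetime(2026, 3, 28)


def parse_export(text):
    """Parse the CSV into dicts with real datetimes, a bool, and a set of groups."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["WhenCreated"] = datetime.fromisoformat(row["WhenCreated"])
        row["PasswordLastSet"] = datetime.fromisoformat(row["PasswordLastSet"])
        row["Enabled"] = row["Enabled"].strip().lower() == "true"
        row["MemberOf"] = {g.strip() for g in row["MemberOf"].split(";") if g.strip()}
        rows.append(row)
    return rows


def triage(rows, window_start):
    """Return (account, reasons, privileged) for every account touched since window_start."""
    findings = []
    for r in rows:
        reasons = []
        if r["WhenCreated"] >= window_start:
            reasons.append("created during suspected intrusion window")
        elif r["PasswordLastSet"] >= window_start:
            # An old account whose password changed mid-intrusion may have been taken over.
            reasons.append("password reset during suspected intrusion window")
        if not reasons:
            continue
        priv_groups = r["MemberOf"] & PRIVILEGED_GROUPS
        if priv_groups:
            reasons.append("member of " + ", ".join(sorted(priv_groups)))
        findings.append((r["SamAccountName"], reasons, bool(priv_groups)))
    # Privileged hits first: the attacker's admin account is what you disable before anything else.
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


if __name__ == "__main__":
    for account, reasons, privileged in triage(parse_export(SAMPLE_EXPORT), SUSPECTED_INITIAL_ACCESS):
        flag = "PRIVILEGED" if privileged else "standard"
        print(f"{account:14} {flag:10} {'; '.join(reasons)}")
```

On the sample, helpdesk_tmp (a brand-new Domain Admin) and svc-backup (an old Backup Operators account whose password changed two nights before the encryption) come out first, followed by adm_support. Note the ordering of checks: a newly created account is reported as such even though its password was also set in the window, while an old account only shows up if its password changed.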

For Individuals: Protecting Your Personal Information

If you were affected by a ransomware attack — whether directly on your personal device or through a company that held your data — take these additional steps:

  • Check if personal data was exposed: If the ransomware gang exfiltrated data, your Social Security number, financial records, and personal details may be at risk
  • Freeze your credit: Place a credit freeze at all three bureaus (Equifax, Experian, TransUnion) to prevent identity thieves from opening accounts in your name
  • Monitor financial accounts: Watch bank and credit card statements closely for unauthorized transactions for at least 12 months
  • Set up fraud alerts: Place an initial fraud alert with one of the credit bureaus; that bureau is required to pass it on to the other two

After a ransomware attack exposes personal data, that information often ends up on data broker sites where anyone can find it. PrivacyOn continuously monitors over 100 data broker sites and automatically submits removal requests on your behalf, helping ensure that your exposed personal details do not remain searchable online. This is especially important after a breach, when your data is most likely to be aggregated and resold.

Post-Recovery: Strengthen Your Defenses

Once you have recovered, conduct a thorough security audit and implement improvements to prevent future attacks.

  • Implement offline backups: Maintain at least one backup that is physically disconnected from your network
  • Enforce multi-factor authentication: Require MFA for all remote access, email, and administrative accounts
  • Conduct employee training: Phishing remains one of the most common ways ransomware operators get their first foothold, alongside exposed remote access services and unpatched internet-facing systems. Regular security awareness training meaningfully reduces the phishing part of that risk.
  • Patch aggressively: Keep all software, operating systems, and firmware updated. Many ransomware attacks exploit known vulnerabilities that already have patches available.
  • Segment your network: Divide your network into isolated segments so that a breach in one area cannot spread to the entire organization
  • Deploy endpoint detection and response (EDR): Modern EDR tools can detect and contain ransomware behavior before it spreads
  • Create an incident response plan: Document your response procedures so everyone knows their role during the next incident. Test the plan regularly through tabletop exercises.

Recovery from a ransomware attack is stressful and time-consuming, but it is entirely possible with the right approach. By following these steps methodically, you can restore your data, secure your systems, and come out better protected than before the attack occurred.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.

Ready to Protect Your Privacy?

Let PrivacyOn automatically remove your personal information from data broker sites and keep it removed.