Ransomware moves fast. By the time the ransom note appears on your screen, the encryption process may already be finished — or still spreading. The decisions you make in the first 15–30 minutes after discovery have a larger impact on your recovery options than almost anything else.
This guide covers exactly what to do (and what not to do) if you've been hit, whether it's a home computer, a home office, or a small business.
If you're in the middle of an active attack right now: disconnect the affected computer from your network immediately — unplug the ethernet cable or turn off Wi-Fi — then call 832-224-1001. Every minute of network connectivity gives ransomware more time to encrypt additional files and spread to other devices.
Step-by-step: the first hour
Isolate the infected device immediately
Unplug the ethernet cable or disable Wi-Fi on the infected computer. If it's a business machine connected to a switch, unplug it from the switch entirely. Many ransomware strains — especially those targeting businesses — are designed to spread laterally across shared drives and network folders. Cutting the connection stops the spread before it reaches other machines or your backup drive (if it's network-attached).
Do not turn the computer off yet
This is counterintuitive, but powering down immediately can make recovery harder. Forensic tools can sometimes recover encryption keys from memory while the system is still running — and a hard shutdown can also corrupt partially encrypted files in ways that make them unrecoverable. Leave the machine on, isolated from the network, and call a technician before doing anything else.
Check what else is connected to your network
While waiting for help, walk through what other devices were connected to the same network: other computers, a NAS (network-attached storage), an external drive mapped as a network share, or cloud sync folders. Check each one quickly for signs of encrypted or renamed files. If another device looks affected, isolate it the same way.
Photograph the ransom note
Use your phone to photograph the ransom note exactly as it appears — including any contact address, wallet ID, or payment amount. Don't type it, don't copy-paste it, just photograph it. This information can help identify the specific ransomware strain, which in some cases determines whether a free decryption tool exists at nomoreransom.org.
Identify whether you have a recent backup — and where it is
This is the single biggest factor in how your recovery goes. Think through: do you have a backup drive that was disconnected from the computer at the time of the attack? A cloud backup that syncs only periodically (not continuously mirroring the encrypted files)? A recent Time Machine snapshot on Mac? If you have an unaffected backup, your recovery path is dramatically simpler — but you'll want a clean machine before restoring onto it.
Call a technician before making any further decisions
At this point, a technician needs to assess the situation before you do anything else: attempt to decrypt files, pay the ransom, reinstall Windows, restore from backup, or run cleanup tools. Each of those actions can affect the others — sometimes permanently. A proper diagnostic tells you which options are actually on the table given your specific situation.
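The "check what else is connected" step above is easier with a script than by eyeballing folders. The following is an added example written for this guide (it is not a KingsPark IT tool and not code from the original page): a Python scan that walks a folder tree, such as a second PC's user folder, a mapped share, a NAS export or a backup drive, and flags ransom-note-style filenames, files whose content is statistically random (typical of freshly encrypted data), and one unfamiliar extension shared by many files (the appended extension most strains leave behind). The extension lists, the note-name pattern and the thresholds are assumptions chosen for illustration, and the folder it scans is constructed in a temporary directory so the script runs offline. The same check is worth running against a backup copy before you restore from it, since a backup that synced the encrypted files shows the same indicators.

```python
"""Triage scan for signs of ransomware on a folder tree (added example for this
guide, not a KingsPark IT tool). Reports ransom-note-style filenames, files whose
content is statistically random (high Shannon entropy), and one unfamiliar
extension shared by many files. Extension lists, the note pattern and the
thresholds are assumptions; tune them to the data you actually keep."""
import math
import os
import random
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Extensions normally present in a home or small-office data folder (assumption).
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".jpeg", ".png",
                    ".mp4", ".mp3", ".csv", ".zip", ".odt", ".html", ".json"}
# Compressed or already-encrypted formats legitimately look random: exempt them.
HIGH_ENTROPY_OK = {".zip", ".jpg", ".jpeg", ".png", ".mp4", ".mp3", ".pdf", ".docx", ".xlsx", ".pptx"}
# Stems like HOW_TO_RECOVER_FILES or RESTORE-MY-FILES; a plain README is not matched.
NOTE_STEM = re.compile(r"decrypt|recover|restore|unlock", re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".hta"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random bytes approach 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

@dataclass
class ScanReport:
    total_files: int = 0
    ransom_notes: list = field(default_factory=list)
    high_entropy: list = field(default_factory=list)
    unknown_ext_counts: Counter = field(default_factory=Counter)

    def dominant_unknown_extension(self):
        """An unfamiliar extension on >=3 files and >=30% of all files, which is
        how an appended ransomware extension usually shows up; else None."""
        if not self.unknown_ext_counts:
            return None
        ext, count = self.unknown_ext_counts.most_common(1)[0]
        return ext if count >= 3 and count / max(self.total_files, 1) >= 0.3 else None

    def suspicious(self) -> bool:
        return bool(self.ransom_notes or self.high_entropy or self.dominant_unknown_extension())

def scan_tree(root: str) -> ScanReport:
    report = ScanReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            report.total_files += 1
            if ext in NOTE_EXTS and NOTE_STEM.search(stem):
                report.ransom_notes.append(path)
                continue
            if ext not in KNOWN_EXTENSIONS:
                report.unknown_ext_counts[ext] += 1
            if ext in HIGH_ENTROPY_OK:
                continue
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:        # unreadable file: skip it, keep scanning
                continue
            if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                report.high_entropy.append(path)
    return report

def demo() -> ScanReport:
    """Scan a constructed folder that mimics a partly encrypted share."""
    rng = random.Random(7)   # deterministic stand-in for ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        os.makedirs(docs)
        with open(os.path.join(docs, "notes.txt"), "w") as fh:
            fh.write("Meeting notes: review the backup schedule.\n" * 20)
        with open(os.path.join(docs, "photo.jpg"), "wb") as fh:
            fh.write(rng.randbytes(2048))   # compressed format, exempt from entropy check
        for victim in ("budget.xlsx", "letter.docx", "scan.pdf"):
            with open(os.path.join(docs, victim + ".locked"), "wb") as fh:
                fh.write(rng.randbytes(4096))
        with open(os.path.join(docs, "HOW_TO_RECOVER_FILES.txt"), "w") as fh:
            fh.write("constructed ransom-note placeholder\n")
        return scan_tree(tmp)

if __name__ == "__main__":
    r = demo()
    print("suspicious:", r.suspicious(), "| notes:", len(r.ransom_notes),
          "| high-entropy:", len(r.high_entropy),
          "| dominant unknown extension:", r.dominant_unknown_extension())
```

Run it from a machine you trust against the mounted share or drive, not from the infected computer: it only reads the first 4 KB of each file and never writes, so it does not disturb the partially encrypted files a technician may still be able to work with. A single odd extension or one high-entropy file is normal in real data; the combination of a note-like filename, many random-looking files and one extension shared across them is what to act on.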
Ransomware in Kingwood or Northeast Houston? Call first.
KingsPark IT handles ransomware triage, containment, recovery assessment, and cleanup for homes and small businesses. Calling is faster than the form for urgent situations.
Mistakes that make ransomware recovery harder
Most recovery failures come from well-intentioned actions taken before a proper assessment. Here are the ones to avoid:
Paying the ransom without exploring other options first
Ransom payment doesn't guarantee file recovery. Studies consistently show that a significant percentage of businesses that pay either don't receive a working decryption key or find that the attacker demands more after receiving payment. It also marks you as a paying target. Exhaust other options — backup restoration, free decryption tools, professional recovery — before even considering payment.
Running antivirus while files are still encrypted
Running a full antivirus scan immediately can delete files the ransomware is still working on — including partially encrypted files that might be recoverable. It can also remove traces that a technician needs to identify the ransomware strain and assess recovery options. Don't run cleanup tools until you have a full picture.
Restoring from a backup that's also infected
If your backup drive was connected during the attack, or if it was a cloud backup that continuously synced the encrypted files over your clean copies, restoring from it will just re-introduce the encrypted (or infected) files. A technician will verify the backup is clean and that the machine is clear of malware before restoring.
Reinstalling Windows immediately
A fresh OS install removes the malware — but it also removes any data that wasn't backed up, and it removes forensic traces that could help identify the ransomware type. Don't reinstall until you've confirmed what data can be recovered and from where.
If this is a business: document the timeline of what you noticed and when — the first sign something was wrong, when you disconnected the machine, what other devices were on the network. This documentation matters if you need to notify customers, file an insurance claim, or report to authorities.
What recovery actually looks like
Recovery from ransomware follows one of a few paths, roughly in order of how clean the outcome is:
- Restore from a clean, unaffected backup. The fastest and most complete path. Requires wiping and rebuilding the machine first to ensure the malware is gone.
- Use a free decryption tool. For some ransomware strains, researchers have cracked the encryption and published free tools at nomoreransom.org. This only works for specific variants.
- Professional data recovery on encrypted files. In some cases, forensic tools can recover shadow copies, older file versions, or unencrypted fragments. Results depend on the ransomware variant and how quickly the machine was isolated.
- Accept the loss and rebuild. If there's no backup, no applicable decryption tool, and no recoverable data — the pragmatic path is a clean rebuild with a proper backup strategy going forward. A painful lesson, but a recoverable business situation.
The right path for your situation depends on the specific ransomware strain, your backup status, and how quickly the machine was contained. That assessment is what a technician needs to do before any recovery work begins.
After recovery: what to fix so it doesn't happen again
Ransomware almost always gets in one of three ways: a phishing email with a malicious attachment or link, an exposed Remote Desktop Protocol (RDP) port, or an outdated piece of software with an unpatched vulnerability. After recovery, the most important steps are:
- Implement the 3-2-1 backup rule: 3 copies of your data, on 2 different media types, with 1 kept offsite or disconnected. At minimum, a local drive that you physically unplug after backups and a cloud backup that keeps version history.
- Close exposed RDP. If remote access is needed, use a VPN rather than exposing RDP directly to the internet.
- Keep Windows and all software updated. Most ransomware exploits vulnerabilities that have already been patched — the patch just hasn't been applied yet.
- Use a business-grade email filter. Microsoft 365 includes Defender for Business, which catches most phishing attempts before they reach the inbox.
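The 3-2-1 rule above only helps if you can tell a clean backup from one that a sync client has overwritten with encrypted copies (the mistake described under "Restoring from a backup that's also infected"). One practical way to make that check is a hash manifest. The script below is an added example for this guide, not a KingsPark IT tool: at backup time it records the SHA-256 and size of every file in a manifest kept with the copy; before a restore it verifies the copy against that manifest and lists files that changed, disappeared, or appeared under a new name. The manifest file name, the paths and the sample data are constructed for the demo.

```python
"""Backup manifest check (added example for this guide, not a KingsPark IT tool).
At backup time, record the SHA-256 and size of every file in a manifest stored
with the copy. Before a restore, verify the copy against it: a cloud or NAS copy
that a syncing client overwrote with encrypted versions shows up as modified
files, missing originals and new files with an unfamiliar extension."""
import hashlib
import json
import os
import random
import shutil
import tempfile
from dataclasses import dataclass, field

MANIFEST_NAME = "backup-manifest.json"   # assumption: kept beside the backup

def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its hash and size."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return entries

def save_manifest(root: str, entries: dict) -> str:
    path = os.path.join(root, MANIFEST_NAME)
    with open(path, "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)
    return path

def load_manifest(root: str) -> dict:
    with open(os.path.join(root, MANIFEST_NAME)) as fh:
        return json.load(fh)

@dataclass
class VerifyResult:
    modified: list = field(default_factory=list)   # content changed since manifest
    missing: list = field(default_factory=list)    # in manifest, gone from backup
    added: list = field(default_factory=list)      # in backup, not in manifest

    def clean(self) -> bool:
        return not (self.modified or self.missing or self.added)

def verify_backup(root: str, manifest: dict) -> VerifyResult:
    """Compare the backup at root with the manifest recorded when it was made."""
    current = build_manifest(root)
    result = VerifyResult()
    for rel, expected in sorted(manifest.items()):
        if rel not in current:
            result.missing.append(rel)
        elif current[rel]["sha256"] != expected["sha256"]:
            result.modified.append(rel)
    result.added = sorted(rel for rel in current if rel not in manifest)
    return result

def demo():
    """Make a backup, verify it, then simulate a sync client mirroring encrypted
    files over it and verify again. Returns (result_before, result_after)."""
    rng = random.Random(1)   # deterministic stand-in for ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "Documents")
        os.makedirs(src)
        with open(os.path.join(src, "invoices.csv"), "w") as fh:
            fh.write("date,customer,amount\n2024-01-05,ACME,120.00\n")   # constructed
        with open(os.path.join(src, "letter.txt"), "w") as fh:
            fh.write("Dear customer, thank you for your order.\n")       # constructed
        backup = os.path.join(tmp, "backup")
        shutil.copytree(src, backup)
        save_manifest(backup, build_manifest(src))
        before = verify_backup(backup, load_manifest(backup))
        # The bad sync: one original overwritten in place, one renamed and encrypted.
        with open(os.path.join(backup, "invoices.csv"), "wb") as fh:
            fh.write(rng.randbytes(2048))
        os.remove(os.path.join(backup, "letter.txt"))
        with open(os.path.join(backup, "letter.txt.locked"), "wb") as fh:
            fh.write(rng.randbytes(1024))
        after = verify_backup(backup, load_manifest(backup))
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("fresh backup clean:", before.clean())
    print("after bad sync clean:", after.clean(), "| modified", after.modified,
          "| missing", after.missing, "| added", after.added)
```

Keep the manifest with the copy that cannot be reached from the working machine (the unplugged drive, or the versioned cloud backup) rather than in a folder a sync client mirrors, otherwise the manifest can be overwritten alongside the data it is supposed to vouch for. A verify run that reports a handful of modified files is normal churn; one that reports most files modified or a new extension on many files is the signal to restore from an older version instead.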
Common questions
Should I pay the ransomware ransom?
Generally no. Payment doesn't guarantee file recovery, funds criminal operations, and marks you as a paying target for future attacks. In many cases the decryption key provided doesn't even work. Explore backup restoration and professional recovery before making that decision.
Can ransomware spread through a network?
Yes — many strains are designed to spread laterally across shared drives, mapped network folders, and connected computers. This is why isolating the infected device immediately is the most important first step.
Can files be recovered after ransomware without paying?
Sometimes. Recovery depends on whether you have an unaffected backup, whether the strain has a known free decryption tool, and whether files can be recovered through forensic methods. A technician can assess what's actually possible before you make any decisions.
Is ransomware the same as a virus?
Ransomware is a type of malware, but it behaves differently from a traditional virus. Instead of deleting or corrupting files quietly, it encrypts them and demands payment to restore access. It typically arrives via phishing emails, malicious downloads, or exposed remote desktop connections.
How do I know if my computer has ransomware?
Common signs: files have been renamed with an unfamiliar extension, a ransom note has appeared on screen or as a text file, programs won't open, or your desktop wallpaper has changed to a demand message. If you see any of these, isolate the device from your network immediately.