
What Should I Do If My Business Is Hit by Ransomware?

Quick Answer

Isolate affected systems immediately. Don't pay. Check your backups. Get expert help. Report to Action Fraud and ICO if personal data is involved.

Right Now: First 30 Minutes

1. Isolate affected systems

Disconnect infected machines from the network. Unplug ethernet cables. Disable WiFi. Stop the spread.

Don't turn them off yet—forensics may need them running.

2. Don't pay the ransom

Paying doesn't guarantee recovery. It funds criminals. It marks you as someone who pays. Many organisations pay and still don't get their data back.

3. Assess what's affected

Which systems are encrypted? Which are still clean? Is your backup system affected?

4. Check your backups

Are they intact? Are they offline/immutable (so ransomware couldn't reach them)? When was the last successful backup?

This determines your recovery options.

Next: First Few Hours

5. Get expert help

If you don't have incident response capability in-house, get it now. This isn't the time to figure it out yourself.

Your cyber insurance (if you have it) likely includes incident response. Call them.

6. Preserve evidence

Don't wipe systems yet. Forensic evidence helps understand what happened, how they got in, and whether data was stolen (increasingly common before encryption).

7. Report it

  • Action Fraud: 0300 123 2040 or actionfraud.police.uk
  • ICO: If personal data is affected, you have 72 hours to report
  • NCSC: For significant incidents, report to ncsc.gov.uk

8. Communicate carefully

Tell staff what's happening and what to do. Be careful about external communication—don't tip off attackers that you're onto them if they're still in your network.

Recovery

If you have good backups: Rebuild systems from clean images, restore data from backups, change all credentials, fix how they got in.

If you don't have backups: Your options are limited. Some ransomware has known decryptors (check nomoreransom.org). Otherwise, you're facing significant data loss.

What Not to Do

  • Don't pay without expert advice (and probably don't pay at all)
  • Don't try to negotiate yourself
  • Don't restore systems before understanding how attackers got in
  • Don't assume it's over when files are decrypted—attackers often maintain access

Learn from It

Once recovered, understand what happened:

  • How did they get in? (Usually phishing, exposed RDP, or unpatched systems)
  • Why didn't defences catch it?
  • Why weren't backups better protected?

Then fix those gaps.

---

Under attack right now? Call us: 0118 359 2220. We provide incident response for ransomware and other cyber attacks.

---