Ransomware Attack: What Happens Next?

Your screen shows a ransom demand. Your files are encrypted. Here's the step-by-step reality of ransomware recovery.

It's 9 AM on a Tuesday. You open your laptop and instead of your desktop, you see a red screen demanding Bitcoin payment to unlock your files. Every document, spreadsheet, and photo is now encrypted with a random extension like '.locked' or '.crypted'. Welcome to a ransomware attack.

This guide explains exactly what happens during recovery - the timeline, the decisions, and the costs involved.

Hour 0-1: Discovery and Containment

What's happening:

• Users report they can't open files
• IT discovers ransom notes across network shares
• Panic sets in

What should happen:

1. Disconnect affected devices from the network immediately
2. Do NOT turn them off (forensic evidence may be in memory)
3. Isolate backup systems if they're network-connected
4. Alert your IT provider (or us) immediately
5. Document everything - screenshot ransom notes, note which systems are affected

Critical decision: Do NOT pay the ransom yet. Many attackers lie about decryption, and payment may violate sanctions laws if the attackers are in certain countries.

Hours 1-4: Assessment

What we're doing:

• Identifying the ransomware variant (determines if decryption is possible)
• Checking if backups are intact and unencrypted
• Determining the scope of encryption (one PC? The whole network?)
• Looking for the entry point (how did they get in?)

Questions we'll ask:

• When were your last verified backups?
• Were any users working from unusual locations?
• Has anyone clicked suspicious links or attachments recently?
• Do you have cyber insurance?

Hours 4-24: Decision Time

Scenario A: You Have Good Backups

If backups are recent, verified, and stored offline (or immutable cloud storage), recovery is straightforward:

1. Wipe affected systems completely
2. Reinstall operating systems from scratch
3. Restore data from backup
4. Reset all passwords
5. Implement additional security controls

Expected timeline: 2-5 business days for full recovery, depending on data volume.

Scenario B: Backups Are Missing or Encrypted

This is the nightmare scenario. Options become limited:

1. Check for free decryption tools at No More Ransom
2. Engage a professional negotiator (some reduce demands by 50-80%)
3. Accept data loss and rebuild from scratch
4. Pay the ransom (last resort, no guarantees)

Expected timeline: Weeks to months. Some businesses never fully recover.

Days 2-7: Recovery Operations

For good backup scenarios:

Day 2: New hardware arriving, systems being rebuilt Day 3: Core systems restored (email, primary applications) Day 4: User workstations being re-imaged Day 5: Data restoration from backup (this takes time for large volumes) Days 6-7: Testing, verification, user acceptance

What users experience:

• Working from personal devices or temporary laptops
• Limited access to historical data during restoration
• Frustration and productivity loss
• Password resets for every system

The Hidden Costs

The ransom is often the smallest cost. Real expenses include:

• Downtime: Average 21 days of significant disruption
• IT response: Emergency rates for recovery work
• Lost revenue: Can't process orders, invoice clients, or access customer data
• Reputation damage: Clients lose trust
• Regulatory fines: If personal data was exfiltrated (increasingly common)
• Increased insurance premiums: Some policies don't renew after a claim

Average total cost for UK SMBs: £150,000 - £500,000 (including downtime)

The Prevention Checklist

Every item on this list would have helped:

• ✅ Offline/immutable backups tested regularly
• ✅ Email filtering to catch phishing
• ✅ Endpoint Detection & Response (EDR) not just antivirus
• ✅ Multi-Factor Authentication on all accounts
• ✅ Staff training on phishing awareness
• ✅ Patching within 14 days of critical updates
• ✅ Network segmentation to limit lateral movement
• ✅ Cyber insurance with incident response coverage

This is exactly what our Managed IT Support with Cyber Security provides.

Should You Pay the Ransom?

This is a business decision, not an IT decision. Factors to consider:

Arguments against paying:

• No guarantee of decryption (30% of payments don't result in working keys)
• Funds criminal organisations
• May violate sanctions (OFAC/HM Treasury) depending on attacker origin
• Makes you a target for repeat attacks
• May not delete stolen data anyway

Arguments for paying (as last resort):

• Business survival depends on data
• No viable backup alternative
• Insurance covers the payment
• Professional negotiators can verify attacker credibility

Our advice: The best ransomware recovery is one you never need. Invest in prevention and backup infrastructure today.

Next Steps

If you're reading this before an attack:

1. Test your backups - can you actually restore from them?
2. Review our Cyber Security services
3. Consider Cyber Essentials certification

If you're reading this during an attack:

1. Call us immediately: 01584 517 234
2. Don't turn off affected computers
3. Don't pay anything without professional advice