
Ransomware Attack: What Happens Next?

Sam · Jul 10, 2025 · 12 min read

Your screen shows a ransom demand. Your files are encrypted. Here's the step-by-step reality of ransomware recovery.

It's 9 AM on a Tuesday. You open your laptop and instead of your desktop, you see a red screen demanding Bitcoin payment to unlock your files. Every document, spreadsheet, and photo has been encrypted and renamed with an extension like '.locked' or '.crypted'. Welcome to a ransomware attack.

This guide explains exactly what happens during recovery - the timeline, the decisions, and the costs involved.

Hour 0-1: Discovery and Containment

What's happening:

  • Users report they can't open files
  • IT discovers ransom notes across network shares
  • Panic sets in

What should happen:

  1. Disconnect affected devices from the network immediately (pull the cable, disable Wi-Fi) so the malware cannot reach more shares
  2. Do NOT turn them off (memory may hold forensic evidence, and for some variants the encryption keys a decryptor needs)
  3. Isolate backup systems if they're network-connected, before the malware reaches them
  4. Alert your IT provider (or us) immediately
  5. Document everything - screenshot ransom notes, note which systems are affected and when each user first noticed

Critical decision: Do NOT pay the ransom yet. Many attackers lie about decryption, and paying a group that is sanctioned (or based in a sanctioned jurisdiction) can itself breach UK and US sanctions law.

Hours 1-4: Assessment

What we're doing:

  • Identifying the ransomware variant from the file extension, the ransom note wording and its contact details (this determines whether a free decryptor exists)
  • Checking if backups are intact and unencrypted
  • Determining the scope of encryption (one PC? The whole network?)
  • Looking for the entry point (how did they get in? Common routes are exposed remote access, a phished credential, or an unpatched service)
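To put numbers on the scope question, here is an added triage script, example code written for this page rather than a tool Fresh Tech or any vendor ships. Run against a copy or a read-only mount of a share, it flags files that carry the suffix from the ransom note, or that have a doubled extension (report.xlsx.something) whose first bytes are near-random, collects ransom notes by file name and wording, and reports per-share counts plus the modification-time window of the affected files, which is the first clue to when encryption started. The suffix and keyword lists and the sample tree it builds are constructed assumptions; replace them with what the ransom note actually says.

```python
"""Ransomware scope triage: walk a file tree, flag files that look encrypted,
collect ransom notes, and estimate the encryption window from timestamps."""
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Seed lists (assumptions): the suffixes named in the article, plus common
# ransom-note naming and wording. A real incident supplies its own values.
KNOWN_SUFFIXES = {".locked", ".crypted"}
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "recover", "how_to", "how-to")
NOTE_BODY_HINTS = ("bitcoin", "decrypt", "ransom", "tor browser", ".onion")
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: encrypted data sits near 8.0, office text near 4-5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path) -> bool:
    """Suspect if the last suffix is a known ransom suffix, or if the name has a
    doubled extension and the head of the file is near-random."""
    suffixes = path.suffixes
    if suffixes and suffixes[-1].lower() in KNOWN_SUFFIXES:
        return True
    if len(suffixes) >= 2:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        return len(head) >= 256 and shannon_entropy(head) > 7.5
    return False


def looks_like_ransom_note(path: Path) -> bool:
    """Name hint plus at least two wording hints in the body."""
    if not any(h in path.name.lower() for h in NOTE_NAME_HINTS):
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(h in text for h in NOTE_BODY_HINTS) >= 2


def scan(root: Path) -> dict:
    """Per-share counts, suffixes seen, ransom-note paths, and the earliest and
    latest modification time (UTC) of the files that look encrypted."""
    root = Path(root)
    per_share, suffixes, notes, mtimes = Counter(), Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root)
            share = rel.parts[0] if len(rel.parts) > 1 else "."
            if looks_like_ransom_note(p):
                notes.append(rel.as_posix())
            elif looks_encrypted(p):
                per_share[share] += 1
                suffixes[p.suffix.lower()] += 1
                mtimes.append(p.stat().st_mtime)
    window = None
    if mtimes:
        stamp = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        window = (stamp(min(mtimes)), stamp(max(mtimes)))
    return {
        "encrypted_files": sum(per_share.values()),
        "per_share": dict(per_share),
        "suffixes": dict(suffixes),
        "ransom_notes": sorted(notes),
        "window_utc": window,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not from a real incident: a hit share with two
    known-suffix files, one unknown-suffix random-body file and a ransom note,
    plus an untouched share."""
    finance, hr = root / "finance", root / "hr"
    finance.mkdir()
    hr.mkdir()
    (finance / "q2.xlsx.locked").write_bytes(os.urandom(2048))
    (finance / "budget.docx.locked").write_bytes(os.urandom(2048))
    (finance / "notes.txt.abc123").write_bytes(os.urandom(2048))
    (finance / "README_DECRYPT.txt").write_text(
        "Your files are encrypted. Pay 2 Bitcoin via our .onion site "
        "using Tor Browser to decrypt them.")
    (hr / "handbook.pdf").write_bytes(b"%PDF-1.4\n" + b"plain text content " * 100)


def demo() -> dict:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    print(demo())
```

Two caveats when reading the output: compressed archives and media (.tar.gz, .zip, .jpg) also score high on entropy, so the doubled-extension rule only gates the check and those hits need a manual look; and variants that encrypt files intermittently or only partially can leave a low-entropy head, so a clean entropy score is not proof a file is intact.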

Questions we'll ask:

  • When were your last verified backups?
  • Were any users working from unusual locations?
  • Has anyone clicked suspicious links or attachments recently?
  • Do you have cyber insurance?

Hours 4-24: Decision Time

Scenario A: You Have Good Backups

If backups are recent, verified, and stored offline (or immutable cloud storage), recovery is straightforward:

  1. Wipe affected systems completely
  2. Reinstall operating systems from scratch
  3. Close the entry point found during assessment before anything is reconnected, or the rebuilt network can be hit again
  4. Restore data from backup
  5. Reset all passwords, including admin and service accounts
  6. Implement additional security controls

Expected timeline: 2-5 business days for full recovery, depending on data volume.

Scenario B: Backups Are Missing or Encrypted

This is the nightmare scenario. Options become limited:

  1. Check for free decryption tools at No More Ransom (nomoreransom.org)
  2. Engage a professional negotiator (some reduce demands by 50-80%)
  3. Accept data loss and rebuild from scratch
  4. Pay the ransom (last resort, no guarantees)

Expected timeline: Weeks to months. Some businesses never fully recover.

Days 2-7: Recovery Operations

For good backup scenarios:

  • Day 2: New hardware arriving, systems being rebuilt
  • Day 3: Core systems restored (email, primary applications)
  • Day 4: User workstations being re-imaged
  • Day 5: Data restoration from backup (this takes time for large volumes)
  • Days 6-7: Testing, verification, user acceptance

What users experience:

  • Working from personal devices or temporary laptops
  • Limited access to historical data during restoration
  • Frustration and productivity loss
  • Password resets for every system

The Hidden Costs

The ransom is often the smallest cost. Real expenses include:

  • Downtime: Average 21 days of significant disruption
  • IT response: Emergency rates for recovery work
  • Lost revenue: Can't process orders, invoice clients, or access customer data
  • Reputation damage: Clients lose trust
  • Regulatory fines: If personal data was exfiltrated (increasingly common)
  • Increased insurance premiums: Some policies don't renew after a claim

Average total cost for UK SMBs: £150,000 - £500,000 (including downtime)

The Prevention Checklist

Every item on this list would have helped:

  • ✅ Offline/immutable backups tested regularly
  • ✅ Email filtering to catch phishing
  • ✅ Endpoint Detection & Response (EDR) not just antivirus
  • ✅ Multi-Factor Authentication on all accounts
  • ✅ Staff training on phishing awareness
  • ✅ Critical and high-severity patches applied within 14 days of release (the Cyber Essentials requirement)
  • ✅ Network segmentation to limit lateral movement
  • ✅ Cyber insurance with incident response coverage

This is exactly what our Managed IT Support with Cyber Security provides.

Should You Pay the Ransom?

This is a business decision, not an IT decision. Factors to consider:

Arguments against paying:

  • No guarantee of decryption (30% of payments don't result in working keys)
  • Funds criminal organisations
  • May violate sanctions (OFSI, part of HM Treasury, in the UK; OFAC in the US) if the attackers are a designated group
  • Makes you a target for repeat attacks
  • Does not guarantee stolen data is deleted; attackers who exfiltrated it may keep, leak or sell it anyway

Arguments for paying (as last resort):

  • Business survival depends on data
  • No viable backup alternative
  • Insurance covers the payment
  • Professional negotiators can verify attacker credibility

Our advice: The best ransomware recovery is one you never need. Invest in prevention and backup infrastructure today.

Next Steps

If you're reading this before an attack:

  1. Test your backups - can you actually restore from them?
  2. Review our Cyber Security services
  3. Consider Cyber Essentials certification
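For item 1 above, and for the backup checks under Hours 1-4 and Scenario A, here is an added restore-test script, example code written for this page rather than anything Fresh Tech or a backup vendor ships. It takes a backup of a source directory while recording a SHA-256 manifest, then proves recovery by restoring into scratch space and comparing every file against that manifest, and it reports the backup's age against a recovery point objective you choose. The sample files and the random-byte overwrite that simulates an encrypted backup store are constructed. The one assumption that matters is that the manifest is kept somewhere the backup host cannot overwrite (offline media or an immutable bucket); a manifest stored next to the archive is lost with it.

```python
"""Backup restore test: restore an archive into scratch space and prove the
contents match a manifest recorded when the backup was taken."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src as .tar.gz and return a manifest {relative path: sha256}.
    Assumption: the caller stores the manifest off the backup host."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, scratch: Path,
                   max_age_hours: float) -> dict:
    """Restore into scratch and compare against the manifest. Any missing or
    changed file, a backup older than max_age_hours, or an archive that will
    not open (what an encrypted backup store looks like) fails the test."""
    result = {"ok": False, "missing": [], "mismatched": [],
              "errors": [], "age_hours": None}
    try:
        result["age_hours"] = (time.time() - archive.stat().st_mtime) / 3600
        if result["age_hours"] > max_age_hours:
            result["errors"].append(f"backup older than {max_age_hours}h")
        with tarfile.open(str(archive), "r:gz") as tar:
            # Refuse members that could write outside scratch or are not
            # plain files/directories; a tampered archive is a hostile input.
            for m in tar.getmembers():
                unsafe = (m.name.startswith("/") or ".." in Path(m.name).parts
                          or not (m.isfile() or m.isdir()))
                if unsafe:
                    raise tarfile.TarError(f"refusing unsafe member {m.name!r}")
            tar.extractall(scratch)
    except (OSError, tarfile.TarError) as exc:
        result["errors"].append(f"restore failed: {exc}")
        return result
    for rel, expected in manifest.items():
        restored = scratch / rel
        if not restored.is_file():
            result["missing"].append(rel)
        elif sha256_file(restored) != expected:
            result["mismatched"].append(rel)
    result["ok"] = not (result["missing"] or result["mismatched"] or result["errors"])
    return result


def demo() -> tuple:
    """Constructed end-to-end run in a temp directory: a clean restore test,
    then the same test after the archive is overwritten with random bytes,
    which is how a backup store that got encrypted looks to the restore job."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive = tmp / "src", tmp / "backup.tar.gz"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q2.xlsx").write_bytes(b"constructed spreadsheet bytes " * 50)
        (src / "staff.csv").write_text("name,role\nSam,IT\n")
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest, tmp / "restore1", max_age_hours=24)
        archive.write_bytes(os.urandom(archive.stat().st_size))
        bad = verify_restore(archive, manifest, tmp / "restore2", max_age_hours=24)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore ok:", good["ok"])
    print("encrypted store:", bad["errors"])
```

Schedule this against every backup set, not just the newest, and treat a failed run as an incident in itself: a restore that only gets tried for the first time during a ransomware attack is the gap Scenario B describes.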

If you're reading this during an attack:

  1. Call us immediately: 01584 517 234
  2. Don't turn off affected computers
  3. Don't pay anything without professional advice