Step 1: Cut the Connection (Do This First, Before Anything Else)
Unplug the ethernet cable. Toggle Wi-Fi off. Right now, while you're reading this.
Why it's urgent: Disconnecting won't reliably stop the encryption already running on this machine; most modern strains encrypt entirely offline, with the key generated locally or a public key embedded in the malware itself. What it does stop is everything that turns one infected PC into a disaster: spread to network shares, other computers and cloud-synced folders, and the attacker's remote access to keep working. Files on this PC that haven't been touched yet are saved by stopping the machine (see below), not by pulling the cable.
Also unplug:
- USB drives
- External hard drives
- Anything connected via cable
One thing most people get wrong: Don't do a normal shutdown, and don't just leave it running either. A clean shutdown wipes RAM, which may still hold the encryption key, the running sample and other evidence a forensic analyst can use. (Don't count on shadow copies, Windows' hidden backup system, to save you: most strains delete them with vssadmin as one of their very first actions, long before you notice anything.) Leaving the machine on means encryption keeps destroying your files. The right move: Hibernate (Start menu > Power > Hibernate). This writes RAM to disk, preserving whatever was in memory for forensic analysis, and halts the encryption process. If Hibernate isn't listed in the Power menu, hibernation is disabled on that machine: pull the power plug immediately. Stopping the active destruction of your data is far more important than preserving possible RAM evidence.
Step 2: Find the Ransom Note, Save Everything You Can See
Look for a text file on your desktop, usually named something like HOW_TO_DECRYPT.txt or READ_ME.html. The same note is normally dropped into every folder that was encrypted, and the wallpaper has often been replaced too.
Take a photo of your screen with your phone. Screenshot everything. This isn't just record-keeping: the note contains the clues (contact e-mail addresses, Tor .onion links, a victim ID) that identify the exact ransomware strain, and the strain determines your recovery options. Don't retype any of it by hand; later you'll copy the exact text out of the file on a clean machine.
Check your encrypted files. What extension was appended? .lockbit? .phobos? .zepto? Some strains also insert an ID or e-mail address into the name ahead of the new extension. Write down the full new name of two or three files next to what they were called before. (A few families don't rename files at all; in that case the note is your identifier.)
Step 3: Try the Free Tools First
Before you do anything else, check here:
NoMoreRansom.org: this is the legitimate free resource run by Europol, national police forces, and major security companies. It lists decryptors for well over 100 ransomware families.
How to use it:
- Go to nomoreransom.org and open "Crypto Sheriff"
- Upload one or two small encrypted files (pick ones that contain nothing sensitive; they are sent to a third party) and paste the contact details from the ransom note: e-mail addresses, .onion or website links, and any victim ID
- Hit "Identify"
- If there's a match, download the free decryptor and read its instructions before running it
Also check Emsisoft's free decryptors — they maintain tools for 150+ strains independently.
Honest reality check: If your ransomware is recent or a newer variant, free tools probably won't work. That's not failure; it's just information. Move to the next step. Two rules if a decryptor does exist: copy the encrypted files somewhere safe first (a full disk image is ideal), because a tool built for a different version of the strain can corrupt files beyond recovery, and remove the malware before you decrypt, or it will simply re-encrypt the results.
Step 4: Check Your Backups — Carefully
Do you have backups? Good. But don't connect them to the infected machine yet.
First, make sure the backup drive was not connected, mapped or syncing when the attack happened. Ransomware encrypts every drive and network share it can reach, and a cloud-sync folder will faithfully upload the encrypted versions (many services keep earlier versions of each file, which is worth checking before you give up on them). We've seen businesses restore from "clean" backups only to find those were encrypted as well. Verify on a clean, isolated machine before restoring: if the backup contains the ransom note or files with the new extension, it was connected during the attack.
If backups are clean and offline — great, that's your recovery path.
No backups? Keep reading. It's not over.
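Steps 2 through 4 boil down to one offline inventory: which extension was appended, where the notes are and what contacts they carry, which small file to upload to Crypto Sheriff, and whether a backup set shows the same marks. The Python script below is an added example, not a tool from this page or from ransomrestore.com. Its note-name patterns, the double-suffix heuristic for the appended extension, the three-hit threshold and the sample tree it builds for the demo are my assumptions, not facts about any strain. It also assumes the affected disk (or the backup) is attached read-only to a clean analysis machine, for instance behind a write blocker or mounted read-only from a live Linux system; never run it on the infected host.

```python
"""Ransomware triage inventory (added example, not a tool from this page).
Run on a clean analysis machine with the hit disk, or a backup set, attached
read-only. Reports the appended extension, file count and time window, ransom
notes with their contacts, and the smallest encrypted file to upload as a sample."""
import hashlib
import json
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Heuristics (my assumptions, tune per case): note names and wording, suffixes
# that legitimately follow another suffix, and the size cap for upload samples.
NOTE_NAME = re.compile(r"decrypt|restore|recover|readme|read_me|ransom|how_to|help", re.I)
NOTE_BODY = re.compile(r"encrypt|decrypt|ransom", re.I)
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
LEGIT_TRAILING = {".gz", ".bz2", ".xz", ".zst", ".zip", ".7z", ".bak", ".tmp", ".orig", ".log", ".md"}
MAX_NOTE_BYTES, UPLOAD_LIMIT = 64 * 1024, 1024 * 1024
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)

def is_ransom_note(path):
    """Small text/html file whose name and body both read like a ransom note."""
    if path.suffix.lower() not in NOTE_SUFFIXES or not NOTE_NAME.search(path.stem):
        return False
    return path.stat().st_size <= MAX_NOTE_BYTES and bool(NOTE_BODY.search(path.read_text(errors="replace")))

def note_contacts(path):
    """The identifiers Crypto Sheriff asks for: e-mail addresses and .onion hosts."""
    text = path.read_text(errors="replace")
    return {"path": str(path), "emails": sorted(set(EMAIL_RE.findall(text))),
            "onion": sorted({u.lower() for u in ONION_RE.findall(text)})}

def appended_extension(files):
    """Most common trailing suffix sitting behind another one (report.docx.lockbit).
    Ransomware normally appends its marker to the original name, so that is the signal.
    Needs three hits so one odd file cannot mislead; None for families that do not rename."""
    counts = Counter(p.suffix.lower() for p in files
                     if len(p.suffixes) >= 2 and p.suffix.lower() not in LEGIT_TRAILING)
    ext, n = counts.most_common(1)[0] if counts else (None, 0)
    return ext if n >= 3 else None

def triage(root):
    """Inventory one tree: extension, count, time window, notes, upload sample."""
    files = [p for p in root.rglob("*") if p.is_file()]
    notes = [p for p in files if is_ransom_note(p)]
    ext = appended_extension([p for p in files if p not in notes])
    encrypted = [p for p in files if ext and p.suffix.lower() == ext]
    report = {"root": str(root), "extension": ext, "encrypted_count": len(encrypted),
              "first_modified": None, "last_modified": None,
              "ransom_notes": [note_contacts(p) for p in notes], "sample_file": None}
    if encrypted:
        mtimes = [p.stat().st_mtime for p in encrypted]
        report["first_modified"] = datetime.fromtimestamp(min(mtimes), timezone.utc).isoformat()
        report["last_modified"] = datetime.fromtimestamp(max(mtimes), timezone.utc).isoformat()
        # Smallest non-empty file under the cap; its name minus the marker says what it was.
        small = sorted((p for p in encrypted if 0 < p.stat().st_size <= UPLOAD_LIMIT),
                       key=lambda p: p.stat().st_size)
        if small:
            report["sample_file"] = {"path": str(small[0]), "bytes": small[0].stat().st_size,
                                     "original_name": small[0].name[:-len(ext)],
                                     "sha256": hashlib.sha256(small[0].read_bytes()).hexdigest()}
    return report

def is_tainted(root):
    """Step 4 check: a backup holding encrypted files or a note was connected during the attack."""
    r = triage(root)
    return r["encrypted_count"] > 0 or bool(r["ransom_notes"])

def build_constructed_sample(base):
    """Constructed demo tree, not data from any incident: documents with .lockbit
    appended, one untouched archive, and the same note dropped in two folders."""
    docs, desk = base / "Users" / "alice" / "Documents", base / "Users" / "alice" / "Desktop"
    docs.mkdir(parents=True)
    desk.mkdir(parents=True)
    for name, size in [("q3_report.docx", 40_000), ("budget.xlsx", 12_000),
                       ("notes.txt", 500), ("photo.jpg", 90_000)]:
        (docs / f"{name}.lockbit").write_bytes(b"\x00" * size)       # ciphertext stand-in
    (docs / "archive.tar.gz").write_bytes(b"\x1f\x8b" + b"\x00" * 100)  # legit double suffix
    note = ("Your files are encrypted!\nContact: restore-help@example.invalid\n"
            "Tor: http://abcdefghijklmnopqrstuvwxyz234567.onion/login\n")
    (docs / "RESTORE-MY-FILES.txt").write_text(note)
    (desk / "RESTORE-MY-FILES.txt").write_text(note)
    return base

def run_demo():
    """Triage the constructed host, then check an offline backup and a USB backup
    that was plugged in during the attack."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        host = build_constructed_sample(base / "C")
        offline, usb = base / "backup_offline", base / "backup_usb"
        offline.mkdir()
        usb.mkdir()
        (offline / "q3_report.docx").write_bytes(b"PK" + b"\x00" * 100)   # pre-attack copy
        for f in (host / "Users" / "alice" / "Documents").iterdir():
            (usb / f.name).write_bytes(f.read_bytes())                   # copied after encryption
        return {"report": triage(host), "offline_backup_tainted": is_tainted(offline),
                "usb_backup_tainted": is_tainted(usb)}

if __name__ == "__main__":
    import sys
    print(json.dumps(triage(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo(), indent=2))
```

Run it with a path to get the JSON report for that volume, or with no arguments for the constructed demo. Treat the extension and notes it reports as candidates to confirm by eye: a few families don't rename files at all, and a genuine README.txt that happens to mention encryption would be flagged too. The is_tainted check applied to a backup folder is the Step 4 question in code: any encrypted file or note inside means that backup was connected during the attack and must be treated as suspect.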
Step 5: Decide What You're Actually Dealing With
At this point you know:
- What the ransomware is (or approximately what family)
- Whether free tools exist for it
- Whether your backups are clean
If free tools worked: recover your files, then still reinstall Windows from scratch (don't just remove the malware; the attacker may have left other tools, scheduled tasks or accounts behind), change every password from a device you trust, and set up proper offline backups.
If free tools didn't work, and you don't want to pay the ransom (we'll explain below why you probably shouldn't):
Professional ransomware recovery services — like ours — work differently from what most people expect. We don't just negotiate your ransom. We analyze the specific variant for technical weaknesses, attempt decryption using forensic methods, and only negotiate as a true last resort.
We have successfully resolved more than 1,000 ransomware cases. Our approach combines proprietary decryption tools, forensic data carving, and deep variant analysis to recover data without paying hackers whenever technically possible. Get a free assessment first: you'll know if recovery is possible before paying anything. For the full recovery process after these emergency steps, see our complete ransomware recovery guide.
On Paying the Ransom
We get asked this constantly. Here's the honest answer:
Survey after survey finds that a sizeable share of businesses that pay (roughly a third in some years' industry reports) never get all their files back. The attackers take the money and disappear, or send a decryptor that is slow, buggy or only partly works. If data was stolen before it was encrypted, paying buys nothing more than a promise that it will be deleted. Paying can also carry legal exposure when the group is under sanctions. And you've just confirmed to a criminal organization that you're a paying target.
Don't pay unless every other option is exhausted.
Your 30-Minute Checklist
RIGHT NOW:
□ Unplug ethernet / turn off Wi-Fi
□ Unplug all external drives
□ Hibernate (Hibernate not in the Power menu? Pull the power plug. Stop encryption NOW)
□ Photograph your screen
NEXT 15 MINUTES:
□ Find and save the ransom note
□ Note the encrypted file extension
□ Try nomoreransom.org → Crypto Sheriff
□ Try Emsisoft decryptors
THEN:
□ Check backup status (were they connected or syncing during the attack?)
□ If free tools failed → contact professional recovery
□ Don't pay until all options exhausted
Need help right now?
We offer free assessments: you'll know if your files are recoverable before paying anything. Based on 12 years of experience and more than 1,000 ransomware recovery cases.
- WhatsApp: +852 4666 4940
- Email: IR@ransomrestore.com
- Website: ransomrestore.com
In most cases, we respond within 3 hours.
