Suspected ransomware: what to do RIGHT NOW
The first 30 minutes are critical. One wrong move spreads the damage. Read before acting.
Try this first
1. Pull the network cable (Ethernet out, Wi-Fi off) on the suspect machine. Do not power off, do not reboot; there is temporary information in memory we may need.
2. Call us or another party you trust before running to the IT vendor demanding "fix it". Preserve evidence.
3. Check which shared folders the suspect machine had open. Temporarily disconnect those shares on the file server to stop spread.
4. Pay nothing, click nothing. Do not disable antivirus "to see what happens".
5. Write down what you see: time of first alert, which device, which user was on it. Critical for the investigation.
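As an added example (not code from the original page), a PowerShell script for steps 3 and 5 on a Windows file server: it first records which sessions, users and files the suspect machine had open, then closes those sessions and blocks the affected user on the shares involved. That the file server runs Windows with the SmbShare module, and the $Suspect and $EvidenceDir values, are assumptions.

```powershell
# Added example, not part of the original page: on a Windows file server,
# first record and then cut the SMB sessions of one suspect workstation.
# Assumes Windows Server 2012 R2 or later with the SmbShare module, run in
# an elevated PowerShell on the file server. $Suspect and $EvidenceDir are
# placeholders for your own values.
param(
    [Parameter(Mandatory)] [string] $Suspect,   # hostname or IP of the infected machine
    [string] $EvidenceDir = 'C:\IR-Evidence'
)
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Get-SmbSession reports the client as an IP address, so resolve the name too.
$addresses = @($Suspect)
try { $addresses += [System.Net.Dns]::GetHostAddresses($Suspect).IPAddressToString } catch {}

# 1. Preserve evidence before touching anything: sessions, users, open files.
$sessions  = @(Get-SmbSession  | Where-Object { $_.ClientComputerName -in $addresses })
$openFiles = @(Get-SmbOpenFile | Where-Object { $_.SessionId -in $sessions.SessionId })
$sessions  | Export-Csv -NoTypeInformation -Path "$EvidenceDir\smb-sessions-$stamp.csv"
$openFiles | Export-Csv -NoTypeInformation -Path "$EvidenceDir\smb-openfiles-$stamp.csv"
$users = $sessions.ClientUserName | Select-Object -Unique
Write-Host "$($Suspect): $($sessions.Count) session(s), $($openFiles.Count) open file(s), user(s): $($users -join ', ')"

# 2. Which shares those open files belong to: match the local path of each
#    open file against the local path of every share on this server.
$hitShares = Get-SmbShare | Where-Object {
    $p = $_.Path
    $p -and ($openFiles | Where-Object { $_.Path -like "$p\*" })
}
$hitShares | Select-Object Name, Path | Export-Csv -NoTypeInformation -Path "$EvidenceDir\smb-shares-$stamp.csv"

# 3. Cut the connection. Closing the session drops its open handles as well,
#    so whatever is running on the client loses its write access to the shares.
$sessions | Close-SmbSession -Force -Confirm:$false

# 4. Keep the user that was on the suspect machine off the affected shares
#    until the scope is understood (adds a Deny entry on the share ACL).
#    To take a share off the network for everyone, use -AccountName 'Everyone'.
foreach ($share in $hitShares) {
    foreach ($user in $users) {
        Block-SmbShareAccess -Name $share.Name -AccountName $user -Force
    }
}
```

Keep the CSV files in $EvidenceDir untouched; they are the record of who had what open at the moment of containment.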
When to bring us in
Ransomware is not DIY; call us or a colleague who knows this terrain. Our role: containment, forensics, restore strategy, and any AP/customer communication.
See also
- We have backups but we do not know if they work: A backup that cannot be restored is not a backup. Testing matters as much as taking the backup.
- Someone accidentally deleted an important folder: Usually fine to recover. The trick: do not save anything new on that drive until you know how.
- Our backup software has been failing for weeks and nobody noticed: This is how you discover you do not have a backup. Open the logs now, before the real disaster.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.