Ransomware response is not a single decision about paying. It is a sequence of technical and business actions that must happen fast, under uncertainty, and with evidence intact. If your organization manages deal rooms or sensitive due diligence content, a ransomware event can freeze operations at exactly the wrong time.
This guide explains ransomware response step by step: how to contain spread, preserve evidence, coordinate communications, assess extortion risk, and restore safely. You will also find checklists you can reuse and specific actions to protect VDR workflows.
Ransomware response: the first 60 minutes
Your first hour should focus on containment and evidence, not cleanup. The goal is to stop spread and prevent attackers from destroying logs or backups.
- Declare an incident: activate the incident response team and assign an incident commander.
- Isolate affected systems: disconnect them from the network rather than powering them off (powering off destroys volatile evidence; do so only if required for safety).
- Preserve evidence: capture volatile data where possible, protect logs, and document timelines.
- Disable risky access: temporarily disable compromised accounts, rotate credentials for privileged roles.
- Assess blast radius: identify impacted endpoints, servers, backups, and cloud identities.
Why speed matters
Breach costs remain high, and ransomware frequently includes data theft. The IBM Cost of a Data Breach Report 2024 reports a global average breach cost of $4.88 million, illustrating why rapid containment and controlled restoration are crucial.
Containment (what to do before you rebuild)
- Stop lateral movement: segment networks, block SMB where possible, restrict east-west traffic.
- Reset privileged credentials: domain admins, backup admins, and cloud global admins first.
- Check remote access: VPN accounts, RDP exposure, and third-party access portals.
- Protect backups: isolate backup infrastructure and verify integrity.
If your remote access model is broad, consider moving toward zero trust networking to reduce future lateral movement paths.
Extortion and data theft assessment
Modern ransomware often includes exfiltration. Your response should include:
- Reviewing egress logs, DNS logs, proxy logs, and cloud storage activity
- Searching for bulk archive creation (zip, 7z) and unusual upload tools
- Determining whether sensitive repositories such as a VDR were accessed
If you manage a virtual data room, immediately review VDR audit logs, revoke stale external access, and tighten download permissions. A VDR with strong auditing can provide faster answers than generic file shares. See secure virtual data rooms for baseline controls.
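The two searches above (bulk archive creation and unusual uploads) can be scripted against endpoint and proxy telemetry. The following is an added example, not part of the original guide; it assumes a hypothetical normalized event tuple (timestamp, host, user, event type, detail, bytes) and uses constructed sample events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical normalized format:
# (timestamp, host, user, event, detail, bytes). Not real log data.
SAMPLE_EVENTS = [
    ("2024-05-01T02:10:05", "WS-114", "jdoe", "file_create", r"C:\Temp\deal_docs_1.7z", 0),
    ("2024-05-01T02:12:40", "WS-114", "jdoe", "file_create", r"C:\Temp\deal_docs_2.7z", 0),
    ("2024-05-01T02:15:11", "WS-114", "jdoe", "file_create", r"C:\Temp\deal_docs_3.zip", 0),
    ("2024-05-01T02:31:00", "WS-114", "jdoe", "http_upload", "upload.transfer-site.example", 734_000_000),
    ("2024-05-01T09:02:13", "WS-207", "asmith", "file_create", r"C:\Users\asmith\report.zip", 0),
    ("2024-05-01T09:05:00", "WS-207", "asmith", "http_upload", "sharepoint.corp.example", 12_000_000),
    ("2024-05-01T09:40:00", "WS-207", "asmith", "http_upload", "sharepoint.corp.example", 800_000_000),
]

# Destinations the organization already uses for sanctioned uploads (constructed).
KNOWN_DESTINATIONS = {"sharepoint.corp.example"}
ARCHIVE_EXTS = (".zip", ".7z", ".rar")


def find_bulk_archiving(events, window=timedelta(minutes=10), threshold=3):
    """Return the set of (host, user) that created >= threshold archives within one window.

    A single archive is normal; several in a short burst is the staging pattern
    worth reviewing during a data-theft assessment.
    """
    by_actor = defaultdict(list)
    for ts, host, user, event, detail, _ in events:
        if event == "file_create" and detail.lower().endswith(ARCHIVE_EXTS):
            by_actor[(host, user)].append(datetime.fromisoformat(ts))
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        # Slide a window of `threshold` consecutive timestamps over the sorted list.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(actor)
                break
    return flagged


def find_bulk_egress(events, known_destinations, min_bytes=500 * 2**20):
    """Return {(host, destination): total_bytes} for uploads to unknown destinations over min_bytes.

    Large transfers to sanctioned services are excluded; large transfers elsewhere are
    the egress signal to correlate with the archive-creation findings.
    """
    totals = defaultdict(int)
    for _, host, _, event, detail, nbytes in events:
        if event == "http_upload" and detail not in known_destinations:
            totals[(host, detail)] += nbytes
    return {k: v for k, v in totals.items() if v >= min_bytes}
```

Correlating the two result sets by host (here both point at WS-114) gives a prioritized list for VDR audit-log review and credential revocation.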
Communication and coordination
Ransomware response fails when messages are inconsistent. Establish a single source of truth and coordinate across legal, IT, security, HR, and executive leadership.
Consider preparing communications for:
- Employees (what to do, what not to do, how to report signs of compromise)
- Customers and partners (service impact and next steps)
- Regulators (where applicable)
- Cyber insurance and external counsel
Eradication and recovery (restore without reinfection)
- Identify patient zero: phishing, exposed remote access, vulnerable service, or stolen credentials.
- Patch and harden: close the initial entry vector before bringing systems back.
- Rebuild critical systems: prioritize identity services, EDR, and monitoring.
- Restore from known-good backups: validate integrity and scan before reconnecting.
- Monitor aggressively: watch for persistence mechanisms and repeated sign-in attempts.
Post-incident improvements that reduce repeat risk
- Enforce MFA everywhere and remove legacy authentication
- Reduce privileges and implement just-in-time admin access
- Segment networks and isolate backup systems
- Require phishing-resistant authentication for high-risk roles
- Rehearse incident response with tabletop exercises
FAQ
Should we pay the ransom?
This is a legal and business decision that depends on multiple factors, including data theft, operational impact, legal constraints, and advice from counsel and insurers. From a technical standpoint, focus first on containment, evidence, and safe restoration.
What should we do if we are in active due diligence?
Freeze external access to sensitive repositories, review VDR logs for unusual behavior, and coordinate communications carefully. Tighten permissions to view-only and approve downloads only when necessary.
How do we know when it is safe to reopen access?
When the entry vector is closed, privileged accounts are secured, monitoring is stable, and restored systems are validated. Reopen in phases and review access daily at first.