1. STOP — do not restart or shut down
Restarting may trigger additional encryption or destroy forensic evidence. Do not turn off affected machines unless instructed by a security professional.
2. Disconnect all affected devices immediately
Unplug Ethernet cables and disable Wi-Fi on ALL computers on the network — not just the one showing the ransom note. Ransomware spreads laterally across networks within minutes.
3. Do not pay the ransom
Payment does not guarantee file recovery. It funds criminal operations and marks you as a paying target. In Canada, paying ransoms may have legal implications in certain sectors.
4. Photograph the ransom note
Take a photo of the screen showing the ransom demand. This helps identify the ransomware variant and available decryption tools. Some ransomware variants have free decryptors.
5. Assess your backups immediately
Check if your backups are intact and not encrypted. If backups are on a network drive that was connected during the attack, they may also be encrypted. Offsite/cloud backups are safest.
6. Contact us for emergency response
Start a voice session immediately. Time is critical — early containment limits damage. We will triage, assess recovery options, and guide you through the full incident response process.
This is always a 'call us now' situation. Ransomware is a critical incident requiring professional response. Every minute of delay potentially means more files encrypted.
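For step 5, one way to triage a backup copy from a known-clean machine with the backup mounted read-only (an added example, not part of the original checklist or any vendor tool). The script flags files whose leading bytes do not match the format their extension claims, and files with an unfamiliar suffix appended to a known extension. The signature table, the `.xyz` suffix and the sample files are constructed for illustration.

```python
import os
import sys
import tempfile

# Well-known leading bytes ("magic numbers") for a few common formats.
ZIP = (b"PK\x03\x04", b"PK\x05\x06")
JPEG = (b"\xff\xd8\xff",)
MAGIC = {".pdf": (b"%PDF",), ".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": JPEG,
         ".jpeg": JPEG, ".zip": ZIP, ".docx": ZIP, ".xlsx": ZIP}

def check_file(path):
    """Return 'ok', 'header-mismatch', 'extra-extension' or 'unknown'."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    if ext in MAGIC:
        with open(path, "rb") as fh:  # read-only: the backup is never modified
            head = fh.read(8)
        return "ok" if head.startswith(MAGIC[ext]) else "header-mismatch"
    # e.g. report.pdf.xyz: a known type with an unfamiliar suffix appended
    if os.path.splitext(stem)[1] in MAGIC:
        return "extra-extension"
    return "unknown"

def scan(root):
    """Walk root and return {verdict: [paths relative to root]}."""
    results = {"ok": [], "header-mismatch": [], "extra-extension": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            try:
                verdict = check_file(full)
            except OSError:
                verdict = "unknown"  # unreadable: needs manual review
            results[verdict].append(os.path.relpath(full, root))
    return results

def demo():
    """Scan a constructed sample: intact PDF, overwritten PNG, renamed DOCX."""
    samples = {"invoice.pdf": b"%PDF-1.7\n", "photo.png": b"\x8f\x11\xa0\x42" * 4,
               "notes.docx.xyz": b"\x00" * 16}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan(d)

if __name__ == "__main__":
    report = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for verdict, paths in report.items():
        print(f"{verdict}: {len(paths)}", *paths[:5], sep="\n  ")
```

A matching header does not prove the rest of a file is intact, so restore and open a sample of files before relying on the backup. A mismatch is a reason to investigate, not proof of encryption.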