Every Second Counts — Here’s Exactly What to Do
The ransomware on your computer is already spreading. The next 10 minutes determine whether you lose everything or survive it.
You opened an email. Clicked a link. Downloaded something that looked normal. And now your screen is showing a ransom demand — files locked, countdown timer running, Bitcoin address staring at you.
Panic is the worst thing you can do right now. Panic leads to bad decisions. Bad decisions make ransomware attacks worse.
Computer ransomware is designed to create fear and force rushed action. The attackers want you to pay immediately, without thinking, without checking your options. Most victims who pay never get their files back anyway.
Stop. Breathe. Follow these steps in exact order. This guide tells you what to do, what not to do, and how to limit the damage from the moment you discover a ransomware infection.
The Scale of Ransomware in 2026
Ransomware is not slowing down.
According to Verizon’s Data Breach Investigations Report, ransomware was involved in over 23% of all data breaches globally in 2025. The average ransom demand for small businesses hit $1.54 million. The average downtime after a computer ransomware attack was 22 days.
⚠️ ALERT: The FBI’s Internet Crime Complaint Center received over 2,800 ransomware complaints in 2024 alone — and estimates that number represents less than 20% of actual incidents. Most victims never report. Most attackers never get caught.
Ransomware-as-a-Service has made attacks accessible to criminals with zero technical skill. They rent attack tools, target victims, and split the ransom with the tool developers. The barrier to launching a computer ransomware attack in 2026 is lower than ever.
The target is not just corporations. Home users, small businesses, medical practices, law firms, schools — everyone is a target. If your files have value, you are a target.
Step 1 — Disconnect From the Network Immediately
This is the most critical action. Do it now, before anything else.
Computer ransomware spreads across networks. The moment it finishes encrypting your files, it looks for shared drives, connected devices, and network shares to infect next. Every second you stay connected gives it more targets.
RANSOMWARE SPREAD PATTERN:
[Infected Computer]
↓
[Scans local network]
↓
[Finds shared drives, NAS, other computers]
↓
[Spreads and encrypts everything reachable]
↓
[Backup drives connected via USB — also encrypted]
Do this right now:
- Pull the ethernet cable out of your computer — physical disconnect is faster and more reliable than software
- Turn off WiFi — click the WiFi icon, select disconnect, or use the physical WiFi switch if your laptop has one
- If you’re on a work network — call IT immediately while disconnecting
- Unplug any external hard drives or USB drives connected to the machine
Do not wait. Do not save your work first. Do not finish what you were doing. Disconnect immediately.
🔴 WARNING: Many victims leave their computer connected “just to see what happens” or to Google the ransomware note. This gives the malware more time to spread and encrypt. Every minute connected after infection is damage you could have prevented.
Step 2 — Do NOT Restart or Shut Down Your Computer
This goes against every instinct. When something goes wrong with a computer, you restart it. Not this time.
Here’s why — some computer ransomware strains store their encryption keys in RAM. When you power off, that key disappears. Security researchers and law enforcement sometimes have tools that can extract encryption keys from live memory — but only if the machine stays powered on.
Additionally, some ransomware variants activate their most destructive payload on restart. Rebooting can trigger file deletion, MBR overwriting, or additional encryption passes.
⚠️ ALERT: Ransomware like Petya and its variants overwrote the Master Boot Record on restart, making systems completely unbootable and unrecoverable. Shutting down felt logical. It was catastrophic.
Leave the computer running. Disconnected from the network. Screen on. Do not touch it until you’ve completed the documentation step.
Step 3 — Document the Computer Ransomware Attack
Before you do anything else to the machine, document everything you can see.
This documentation serves three purposes — it helps identify the ransomware strain, it supports your police report and insurance claim, and it provides information for recovery specialists.
What to photograph with your phone:
- The full ransom note screen — every word visible
- Any file extensions changed on your encrypted files (e.g. .locked, .encrypted, .WNCRY)
- Any countdown timers shown
- Bitcoin or cryptocurrency wallet addresses listed
- Any contact email addresses or dark web URLs in the note
- The time and date visible on screen
Write down:
- What you were doing when the infection appeared
- What you opened, downloaded, or clicked in the last 24 hours
- Any unusual system behavior you noticed before the ransom screen appeared
This information takes 5 minutes to collect and is invaluable for every step that follows.
Step 4 — Identify the Ransomware Strain
Not all computer ransomware is the same. Identifying the specific strain determines whether free decryption tools exist — and many do.
The No More Ransom project (a collaboration between Europol, Dutch National Police, and cybersecurity companies) maintains a database of free decryptors for hundreds of ransomware strains. Before paying anything, check here.
How to identify your ransomware:
Use a clean, uninfected device (your phone, a family member’s computer) to visit:
- nomoreransom.org — upload an encrypted file or paste the ransom note to identify the strain and check for free decryptors
- id-ransomware.malwarehunterteam.com — another identification tool that cross-references known strains
RANSOMWARE IDENTIFICATION PROCESS:
[Photograph ransom note] → [Use clean device]
↓
[Visit nomoreransom.org]
↓
[Upload encrypted file sample]
↓
[Strain identified] → [Check for free decryptor]
↓
[Decryptor exists? → Use it]
[No decryptor? → Continue to backup check]
Common strains with free decryptors available in 2026 include older variants of Dharma, STOP/Djvu, and GandCrab. Newer strains like LockBit 3.0 and BlackCat/ALPHV currently have no public decryptors.
Step 5 — Check Your Backups
This step determines your recovery path more than anything else.
If you have clean, offline backups that were not connected during the attack — you don’t need to pay. You restore from backup and rebuild. Computer ransomware loses all its power the moment you have a clean copy of your data.
Check in this order:
- Offline external hard drive — was it connected when the attack happened? If not, it may be clean. If it was connected — it’s likely encrypted too.
- Cloud backup — check Backblaze, Carbonite, iDrive, or whatever service you use. Log in from a clean device. Check whether backup versions from before the attack are available.
- Version history — Google Drive, OneDrive, and Dropbox all maintain file version history. If ransomware encrypted your synced files, earlier clean versions may still exist in version history.
- Email attachments — have you emailed important files to yourself? Check sent mail.
- Work server backups — if this is a work machine, contact IT. They may have server-side backups you weren’t aware of.
⚠️ ALERT: If your backup drive was connected via USB during the attack, assume it’s compromised. Do not connect it to any other machine until a clean computer can scan it. Plugging an infected backup drive into another machine spreads the infection immediately.
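The backup check described above, as an added example that is not part of the original article: a read-only triage, run from the clean machine, that flags files renamed to the extensions listed in Step 3 or whose contents look encrypted. The 7.5 bits-per-byte entropy threshold and the list of compressed formats are assumptions to tune on your own data.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article gives as examples of renamed, encrypted files.
SUSPECT_EXT = {".locked", ".encrypted", ".wncry"}
# Assumption: formats compressed by design, where high entropy is normal.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold, tune it on known-good data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, far lower for plain text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(path: Path, sample_bytes: int = 65536) -> str:
    """Return a verdict for one file without ever writing to it."""
    ext = path.suffix.lower()
    if ext in SUSPECT_EXT:
        return "suspect_extension"
    try:
        with path.open("rb") as fh:  # opened for reading only
            sample = fh.read(sample_bytes)
    except OSError:
        return "unreadable"
    if ext not in COMPRESSED_EXT and shannon_entropy(sample) > ENTROPY_LIMIT:
        return "high_entropy"  # normal extension, but contents look encrypted
    return "ok"

def triage_backup(root: str) -> dict:
    """Group every file under a mounted backup by verdict (relative paths)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            report.setdefault(classify(path), []).append(str(path.relative_to(root)))
    return report

if __name__ == "__main__":
    samples = {"notes.txt": b"quarterly invoice\n" * 200,  # constructed sample data
               "budget.csv": os.urandom(8192),        # contents replaced, name kept
               "photo.jpg.locked": os.urandom(1024)}  # renamed by the malware
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        print(triage_backup(tmp))
```

Point `triage_backup` at the backup mounted read-only on the freshly rebuilt machine. A `high_entropy` hit is a prompt to open the file and compare it with an older version, not proof of encryption.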
For businesses that need enterprise-grade backup and network protection, browse our range of Fortinet firewalls — the same infrastructure used by organizations that survive ransomware attacks because their network security stopped lateral spread before it reached backups.
Step 6 — Report the Computer Ransomware Attack
Most victims skip this step. Don’t.
Reporting your computer ransomware attack costs you nothing and helps law enforcement build cases against ransomware groups. It also creates an official record that supports insurance claims.
Where to report in the US:
- FBI Internet Crime Complaint Center (IC3): ic3.gov — file a complaint with full details
- CISA: cisa.gov/report — critical infrastructure incidents or business attacks
- Local FBI field office — for significant financial losses, contact directly
Where to report in UK, Canada, Australia:
- UK: Action Fraud — actionfraud.police.uk
- Canada: Canadian Anti-Fraud Centre — antifraudcentre.ca
- Australia: Australian Cyber Security Centre — cyber.gov.au
If this is a business attack:
- Notify your cyber insurance provider immediately — most policies have strict notification timeframes
- Contact your attorney — data breach notification laws may apply depending on what data was encrypted
- Notify affected parties if customer data was compromised
Step 7 — Decide: Pay, Restore, or Rebuild
You have three paths forward after a computer ransomware attack.
| Option | When to Use | Risk Level | Cost |
|---|---|---|---|
| Pay the ransom | Last resort only, irreplaceable data, no backups | High — no guarantee of decryption | Ransom amount + cleanup |
| Restore from backup | Clean backup exists from before attack | Low | Time + labor |
| Wipe and rebuild | No backups, no decryptor, data not critical | Low | New setup time |
On paying the ransom:
The FBI officially recommends against paying. Here’s why — paying funds criminal organizations, encourages further attacks, and provides no guarantee. Studies show approximately 40% of companies that pay never receive working decryption keys. Another 30% get partial decryption that leaves some files permanently corrupted.
If you have irreplaceable data and no other option, consult a professional ransomware recovery firm before paying. Companies like Coveware negotiate with attackers and verify decryption capability before any payment is made.
On wiping and rebuilding:
If your data is not recoverable and you don’t pay — wipe the drive completely, reinstall the operating system from scratch, and restore what you can from whatever clean sources exist. A compromised system should never be trusted again without a complete wipe.
🔴 WARNING: Simply removing the ransomware executable does not decrypt your files. Your files remain encrypted even after the malware is removed. Removal stops the spread — it does not reverse the encryption. These are two separate problems.
For businesses building ransomware-resilient infrastructure, read: Why Small Businesses Close After a Cyberattack — and then take the prevention steps seriously.
How to Prevent the Next Computer Ransomware Attack
Surviving one attack is not a strategy. Prevention is.
- Maintain offline backups always — The 3-2-1 rule: 3 copies of your data, on 2 different media types, with 1 copy stored offline and off-site. An offline backup is the single most effective ransomware defense.
- Keep everything patched and updated — According to CISA, unpatched vulnerabilities account for the majority of successful ransomware entry points. Operating system updates, application updates, browser updates — all of them. Automatic where possible.
- Use email filtering and endpoint protection — Email is the number one ransomware delivery method. A good email security solution blocks malicious attachments and links before they reach your inbox.
- Enable MFA on every account — Multi-factor authentication prevents attackers from using stolen credentials to access your systems remotely — a common ransomware entry point.
- Segment your network — If ransomware hits one machine on a properly segmented network, it cannot spread to others. VLANs and proper network architecture limit blast radius dramatically. Read: VLAN Setup for Home Network 2026
- Deploy a next-generation firewall — Consumer routers do not provide adequate protection against modern ransomware delivery methods. A proper enterprise-grade firewall with deep packet inspection and threat intelligence blocks known ransomware command-and-control communications before they execute. Browse our full range of enterprise firewalls for business and home office ransomware protection.
- Train everyone who touches a keyboard — Phishing emails are getting better. AI-generated phishing emails are nearly indistinguishable from legitimate messages. Human awareness training remains the most cost-effective ransomware prevention investment.
Quick Reference Checklist — Computer Ransomware Response
RANSOMWARE RESPONSE CHECKLIST — RIGHT NOW
[ ] Disconnect ethernet cable immediately
[ ] Turn off WiFi immediately
[ ] Unplug all external drives and USB devices
[ ] Do NOT restart or shut down the computer
[ ] Call IT if this is a work machine
[ ] Photograph the ransom note with your phone
[ ] Document all visible details — addresses, timers, emails
[ ] Use a clean device to visit nomoreransom.org
[ ] Identify the ransomware strain
[ ] Check for free decryptors before doing anything else
[ ] Check all backup sources from a clean device
[ ] Report to FBI IC3 (ic3.gov)
[ ] Contact cyber insurance provider if applicable
[ ] Consult ransomware recovery professional if needed
[ ] Decide: restore from backup / pay / rebuild
[ ] After resolution: wipe infected machine completely
[ ] Implement 3-2-1 backup strategy going forward
[ ] Deploy proper firewall and endpoint protection
Frequently Asked Questions
Q: Should I pay the ransomware demand?
A: The FBI recommends against it. Approximately 40% of victims who pay never receive working decryption keys. Exhaust every other option first — check nomoreransom.org for free decryptors, check all your backups, consult a recovery professional. Pay only as a last resort for truly irreplaceable data.
Q: Can ransomware spread to other devices on my network?
A: Yes — immediately and aggressively. Disconnect the infected machine from the network the moment you discover the infection. Ransomware actively scans for shared drives, NAS devices, and other networked computers to encrypt next.
Q: Will my antivirus remove the ransomware?
A: Antivirus can remove the ransomware executable — stopping further encryption. But it cannot decrypt already-encrypted files. Removing the malware and recovering your data are two separate problems that require separate solutions.
Q: How do I know if my backup is clean?
A: If the backup drive was disconnected from your computer when the attack happened, it’s likely clean. If it was connected — assume it’s compromised. Scan it from a freshly rebuilt machine with updated security software before trusting any files on it.
Q: How long does ransomware recovery take?
A: With clean backups — 1 to 3 days for a single machine, longer for business networks. Without backups — weeks to months if rebuilding from scratch. Businesses without proper backup infrastructure have reported recovery times exceeding 3 months after major computer ransomware incidents.
Conclusion
Computer ransomware is terrifying by design. The countdown timer, the locked files, the ransom demand — all of it is engineered to make you panic and pay without thinking.
Don’t panic. Disconnect immediately. Document everything. Check for free decryptors. Check your backups. Report it. Then decide your recovery path with clear information rather than fear.
The best outcome from a ransomware attack is surviving it with your data intact and your security posture dramatically improved. Most organizations that get hit once — and survive — never get hit the same way twice. They fix the gaps. They implement proper backups. They deploy real network security.
Don’t wait for the attack to make those changes. Make them now.


