Ransomware doesn't whisper. At some point in the infection chain, it announces itself — a desktop wallpaper replaced with a ransom demand, a folder full of files with unfamiliar extensions, a note called READ_ME_NOW.txt in every directory. By that moment, the encryption is already complete. But what you do in the next 15 minutes still matters enormously.

This is the response flow that limits damage, preserves options, and avoids the mistakes that turn a bad situation into a catastrophic one.

Recognizing the Early Signals

Before the dramatic reveal, ransomware usually leaves traces. The problem is that they look like ordinary performance issues:

  • Disk I/O spikes with no obvious cause — the ransomware is reading and rewriting every file
  • CPU usage climbing from background processes with generic-sounding names
  • Antivirus detection of a "suspicious" but unblocked process
  • Files that suddenly won't open, with extensions changed to something unrecognized
  • Shadow copies being deleted (you'll see VSS-related events in the Windows event log)

A machine that was fine an hour ago and is now slow, showing strange file behavior, and generating unusual disk activity is a ransomware candidate until proven otherwise.
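Two of the signals above (shadow copy deletion and bulk renames to an unrecognized extension) can be checked automatically in endpoint telemetry. The following is an added example, not tooling from this article; it assumes a constructed JSON-lines export where each event carries `type`, `host`, `pid` and either `cmdline` (process creation, as from Security event 4688 or Sysmon event 1) or `new_path` (file rename), and a placeholder extension allowlist you would tune to your own baseline.

```python
"""Flag two early ransomware signals in JSON-lines endpoint telemetry (added
example; field names are constructed: "type" is "process" with a "cmdline",
or "rename" with a "new_path", plus "host" and "pid")."""
import json
import os
import re
from collections import defaultdict

# Command lines that delete or starve Volume Shadow Copies or disable boot
# recovery: the VSS-related activity the article mentions. One hit is enough.
SHADOW_COPY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Placeholder allowlist of extensions a session legitimately writes in bulk; tune
# it from your file-server baseline. Anything else, renamed at volume, is "unrecognized".
KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pptx", "pdf", "jpg", "png", "tmp", "log"}
RENAME_BURST = 20  # renames to one unknown extension by one process

def scan(lines):
    """Return (host, finding, detail) tuples; malformed lines are skipped."""
    findings = []
    renames = defaultdict(int)  # (host, pid, new_extension) -> count
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad export line must not abort the scan
        if ev.get("type") == "process":
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in SHADOW_COPY_TAMPERING):
                findings.append((ev["host"], "shadow-copy-tampering", cmd))
        elif ev.get("type") == "rename":
            ext = os.path.splitext(ev.get("new_path", ""))[1].lstrip(".").lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                key = (ev["host"], ev["pid"], ext)
                renames[key] += 1
                if renames[key] == RENAME_BURST:  # report once, at the threshold
                    findings.append((ev["host"], "mass-rename", f"pid {ev['pid']} -> .{ext}"))
    return findings

# Constructed sample (not real telemetry): a benign editor session, one shadow
# copy deletion, and a process renaming 25 documents to an invented extension.
SAMPLE = [json.dumps(e) for e in [
    {"type": "process", "host": "WS-0142", "pid": 4120, "cmdline": "notepad.exe notes.txt"},
    {"type": "rename", "host": "WS-0142", "pid": 4120, "new_path": r"C:\Users\jdoe\notes.txt"},
    {"type": "process", "host": "WS-0142", "pid": 5308, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
] + [{"type": "rename", "host": "WS-0142", "pid": 5308, "new_path": rf"C:\Share\doc{i}.docx.lockedx"} for i in range(25)]]
```

Running `scan(SAMPLE)` yields one shadow-copy-tampering finding and one mass-rename finding for pid 5308; the benign notepad session produces nothing.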

Immediate Actions — Sequence Matters

1. Disconnect from the network. Now.

Not in five minutes. Not after you check one more thing. Now. Pull the cable, disable Wi-Fi, or physically move the machine off the network. If the ransomware has network-aware capabilities, every connected share it can reach is a potential encryption target.

Most ransomware encrypts local files first, then mapped network drives. Disconnecting the network stops the spread to shared storage, which is almost always more critical than the individual workstation.

2. Don't reboot

Same reasoning as general malware response, but with an additional twist: some ransomware variants are designed to finish encryption during the next boot cycle. If the initial encryption was interrupted when you disconnected the network, rebooting might trigger the completion of the job.

3. Identify the scope

How many machines are affected? Check network shares for encrypted files. Review recent authentication logs for lateral movement. Talk to other users in the same network segment. The goal is understanding whether this is a single endpoint event or an active network-wide encryption campaign still in progress.

The answer changes everything about your response posture.

Myths vs. Reality

Myth: Paying the ransom recovers your data reliably. Reality: Roughly 40% of organizations that pay a ransom don't fully recover their data. The decryption tool may be broken, incomplete, or tied to a dead C2 server. Payment also makes you a repeat target — attackers track who pays.

Myth: A good antivirus would have caught this. Reality: Most modern ransomware uses legitimate system tools and signed binaries to avoid signature-based detection. Behavioral detection helps, but no tool catches everything. The backup strategy matters more than the antivirus brand.

Myth: You can just restore from backup. Reality: Only if your backups are recent, complete, and — critically — isolated from the infected environment. Ransomware increasingly targets backup systems specifically. An online backup that was accessible to the compromised machine may also be encrypted.

The Real Recovery Options

Listed in order of preference:

  1. Isolated, recent backup restore — the gold standard. Full wipe, clean OS, restore from backup taken before the infection window.
  2. Free decryption tools — organizations like No More Ransom (nomoreransom.org) publish free decryptors for known ransomware families. Check before assuming you're out of options.
  3. Volume Shadow Copy restoration — if the shadow copies were not deleted before you disconnected, previous versions of individual files may be recoverable through VSS.
  4. Negotiated payment as last resort — if data is irreplaceable and no other option exists. Engage a specialist firm. Never contact attackers directly or pay without professional guidance.

After Containment: Understanding What Happened

Once the immediate threat is stopped, the investigation begins. How did the ransomware get in? Phishing email, exposed RDP port, vulnerable software, compromised credentials? Without answering this, you're cleaning up without closing the door.

Document everything. Preserve logs. Notify the appropriate stakeholders — legal, management, potentially regulatory bodies depending on the data involved. A ransomware incident that touches personal data may trigger breach notification requirements.

The technical response is only half the work. The organizational response — communication, documentation, and remediation of the underlying vulnerability — is what prevents the next one.