You’ve Been Hit By Ransomware. Here’s What to Do Right Now.

If You’re Reading This During an Attack, Stop and Breathe

Ransomware hits hard — often without warning. Systems lock up, files get encrypted, and screens fill with demands. It’s loud, messy, and stressful.

If this is happening to you right now, your first priority is simple: contain the damage.

Here’s what you should do immediately — and what you must avoid.

It’s instinctive to shut everything down. But doing so may wipe forensic evidence, interrupt partial encryption processes, or trigger hidden secondary payloads. Unless a device is spreading infection across the network, keep it powered but disconnected from the internet and LAN.

If a system is actively encrypting files, isolate it physically. Unplug it. But avoid turning off file servers or domain controllers unless advised by your response team.

Alert your IT, legal, and senior leadership teams as soon as possible. Make sure communication doesn’t go through potentially compromised channels (e.g. internal email if Exchange is affected). Use personal mobiles or an out-of-band comms platform if needed.

Keep the message simple: “We may be experiencing a ransomware incident. We’re investigating. Please do not make any changes or announce publicly until advised.”

Ransom notes often urge immediate contact, promising decryption in return for fast payment. Resist the temptation. Reaching out can trigger further demands, give away information, or weaken your legal position.

If you have a cyber insurance provider or legal counsel experienced in breaches, inform them. Heretek can coordinate comms with insurers or third-party security providers where appropriate — but never engage alone.

Even well-resourced IT teams are rarely equipped to handle ransomware alone. The scope can be bigger than expected. Recovery takes time. And every hour matters.

Heretek offers 24/7 incident response support with rapid triage, containment, and recovery guidance. If you have a retainer with us, contact us via your assigned emergency channel. If not, reach out through our contact form.

We’ll work with your team, insurers, and legal advisors to contain, investigate, and plan a clean recovery.

It’s easy to make things worse by trying to clean up quickly. Don’t wipe systems or delete logs. Don’t rebuild without first taking disk images or file snapshots.

Preserving evidence will help you:

  • Understand how the attack happened

  • Determine what data was accessed or exfiltrated

  • Support any legal, regulatory, or insurance processes

If in doubt, pause — and ask us before you act.
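One way to keep preserved copies defensible, as an added example that is not from the original article or from Heretek: a Python script that records a SHA-256 manifest of collected disk images and logs, then reports any file that is later missing, modified or unexpected. The host name, file names and collector label are constructed sample values.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Hash in 1 MiB chunks so multi-gigabyte disk images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record relative path, size and SHA-256 of every collected artefact."""
    root = Path(evidence_dir)
    files = {}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        files[p.relative_to(root).as_posix()] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {"collector": collector,
            "created_utc": datetime.now(timezone.utc).isoformat(),
            "files": files}

def verify_manifest(evidence_dir, manifest):
    """Return sorted (problem, path) pairs; an empty list means nothing changed."""
    recorded = manifest["files"]
    current = build_manifest(evidence_dir, manifest["collector"])["files"]
    problems = [("missing", p) for p in recorded if p not in current]
    problems += [("unexpected", p) for p in current if p not in recorded]
    problems += [("modified", p) for p in recorded
                 if p in current and current[p]["sha256"] != recorded[p]["sha256"]]
    return sorted(problems)

def demo():
    """Constructed sample evidence: build a manifest, tamper, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "fileserver01"                      # hypothetical host name
        host.mkdir()
        (host / "disk.img").write_bytes(b"\x00" * 4096)        # stand-in for a disk image
        (host / "security.evtx").write_bytes(b"constructed log")
        manifest = build_manifest(tmp, "analyst-on-call")      # store it off the evidence volume
        clean = verify_manifest(tmp, manifest)
        (host / "security.evtx").write_bytes(b"edited later")  # simulate later changes
        (host / "disk.img").unlink()
        (Path(tmp) / "note.txt").write_text("added later")
        return clean, verify_manifest(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the evidence directory, otherwise it shows up as an unexpected file on the next verification and can be altered along with the copies.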

Internally, clarity is essential. Staff will notice disruption. Be honest without spreading fear. Externally, you may have notification requirements under UK GDPR, DPA 2018, or industry-specific regulations.

Our team helps you assess the situation and draft comms that are factually accurate, timely, and defensible.

Planning Ahead Starts Now

If you’re recovering from ransomware, your focus is on the present. But once systems are stable, it’s critical to look ahead. We offer:

  • Post-incident reviews to understand how the breach occurred

  • Remediation guidance to close the gap

  • Tabletop simulations to train teams on future response

  • Retainer packages so help is already on-call next time

You can’t predict the attack. But you can control the response.
