Learn · Northstar IT

Ransomware Recovery: First 24 Hours

Immediately disconnect affected machines from the network. Do not power them off, do not reboot, and do not pay. Call your MSP or incident response provider. Preserve logs and memory state for forensics.

If ransomware has triggered on your network, the next 24 hours determine whether you recover cleanly or spend weeks rebuilding. The most important rule: disconnect immediately, do not reboot, do not pay, and call your MSP or incident response provider. Here is what to do, in order.

1. Disconnect affected machines from the network

Unplug the network cable or disconnect Wi-Fi on any machine showing the ransomware message or behaving abnormally. Do not wait to confirm which machines are affected; if you are unsure, isolate everything on that network segment.

2. Do not power off machines

Powering off destroys volatile memory (RAM), which may contain encryption keys and evidence needed for forensics. Leave machines running but disconnected.

3. Do not reboot

A reboot may trigger additional payload stages, encrypt the boot sector, or destroy forensic evidence.

4. Do not pay yet

Paying should only be considered as an absolute last resort after confirming there is no viable recovery path. Payment does not guarantee data return, funds future attacks, and may violate Canadian sanctions if the threat actor is on a government watch list.

5. Call your MSP and cyber insurer

Both need to know immediately. Your insurer may require immediate notice for coverage to apply. Your MSP or incident response provider begins the forensic preservation and recovery process.

Identify the scope

Which systems are encrypted? Which are not yet affected? Segment the network to prevent spread. Identify the entry point if possible: typically a phishing email, compromised RDP, or vulnerable VPN.
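Scoping is faster when it is driven by evidence rather than by walking the floor. The script below is an added example, not Northstar IT's code: it reads file-server audit log lines and separates hosts that are actively encrypting (a burst of renames that append a new extension) from hosts that are quiet, and names the host whose burst started first as the place to begin looking for the entry point. The key=value log format and every line in SAMPLE_LOG are constructed for the demo; a real Windows file audit (Event ID 4663) or NAS audit log needs its own parse_line().

```python
"""Scope triage from file-server audit logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the demo: timestamp, host, user, op, path[, new].
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Constructed sample: FS01 and FS02 show encryption bursts, WS17 does one
# ordinary rename, WS22 only reads a file.
SAMPLE_LOG = """\
2024-01-01T03:14:05Z host=FS01 user=jsmith op=RENAME path=Q1-report.xlsx new=Q1-report.xlsx.locked
2024-01-01T03:14:06Z host=FS01 user=jsmith op=RENAME path=budget.docx new=budget.docx.locked
2024-01-01T03:14:06Z host=FS01 user=jsmith op=RENAME path=notes.txt new=notes.txt.locked
2024-01-01T03:14:07Z host=FS01 user=jsmith op=RENAME path=plan.pptx new=plan.pptx.locked
2024-01-01T03:14:07Z host=FS01 user=jsmith op=RENAME path=invoice.pdf new=invoice.pdf.locked
2024-01-01T03:20:11Z host=WS17 user=jsmith op=RENAME path=draft.docx new=draft-final.docx
2024-01-01T03:25:40Z host=WS22 user=agarcia op=READ path=handbook.pdf
2024-01-01T04:01:00Z host=FS02 user=jsmith op=RENAME path=a.xlsx new=a.xlsx.locked
2024-01-01T04:01:00Z host=FS02 user=jsmith op=RENAME path=b.xlsx new=b.xlsx.locked
2024-01-01T04:01:01Z host=FS02 user=jsmith op=RENAME path=c.xlsx new=c.xlsx.locked
2024-01-01T04:01:01Z host=FS02 user=jsmith op=RENAME path=d.xlsx new=d.xlsx.locked
2024-01-01T04:01:02Z host=FS02 user=jsmith op=RENAME path=e.xlsx new=e.xlsx.locked
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def looks_like_encryption_rename(rec):
    """Rename that keeps the original name and appends a new extension."""
    new = rec.get("new")
    return rec["op"] == "RENAME" and new is not None and new.startswith(rec["path"] + ".")


def triage(lines, threshold=5, window_seconds=60):
    """Flag a host as active when it renames `threshold` distinct files this
    way inside `window_seconds`; everything else is reported as quiet."""
    by_host = defaultdict(list)
    all_hosts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        all_hosts.add(rec["host"])
        if looks_like_encryption_rename(rec):
            by_host[rec["host"]].append(rec)

    report = {"active": {}, "quiet": sorted(all_hosts), "earliest": None}
    window = timedelta(seconds=window_seconds)
    earliest_ts = None
    for host, events in by_host.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if len({r["path"] for r in events[start:end + 1]}) >= threshold:
                first = events[start]["ts"]
                report["active"][host] = {
                    "first_seen": first.isoformat(),
                    "users": sorted({r["user"] for r in events}),  # accounts to review
                    "renames": len(events),
                }
                report["quiet"].remove(host)
                if earliest_ts is None or first < earliest_ts:
                    earliest_ts, report["earliest"] = first, host
                break
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

The "earliest" host and the user accounts attached to its burst are the starting point for the entry-point question; the "quiet" list is the set to segment away before it stops being quiet.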

Preserve evidence

Photograph screens showing the ransomware message. Preserve log files. Document who discovered the incident, when, and what they did. This documentation matters for forensics, insurance, and regulatory reporting.
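Preserved logs are only useful to forensics, insurers and regulators if you can later show they were not altered after collection. The following is an added example (not Northstar IT's code) of a minimal chain-of-custody manifest: it hashes every file in an evidence folder, records who collected it and when, and can re-verify the folder later. The collector name, incident id and both log files are constructed placeholders.

```python
"""Chain-of-custody manifest for preserved log files (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large logs never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector, incident_id):
    """Record path, size, mtime and SHA-256 for every file, plus who and when."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            stat = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": stat.st_size,
                "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    return {
        "incident_id": incident_id,      # placeholder, not a real case number
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash each file; return (path, reason) for anything missing or changed."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Collect two constructed log files, then show that a later edit is detected."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "security.log"), "w") as fh:
            fh.write("2024-01-01T03:12:00Z logon type=10 user=svc-backup src=198.51.100.7\n")
        with open(os.path.join(evidence_dir, "fileserver.log"), "w") as fh:
            fh.write("2024-01-01T03:14:05Z rename Q1-report.xlsx -> Q1-report.xlsx.locked\n")

        manifest = build_manifest(evidence_dir, collector="J. Doe (constructed)",
                                  incident_id="IR-PLACEHOLDER")
        clean = verify_manifest(evidence_dir, manifest)       # nothing changed yet

        with open(os.path.join(evidence_dir, "security.log"), "a") as fh:
            fh.write("tampered\n")                            # simulate post-collection edit
        tampered = verify_manifest(evidence_dir, manifest)
        return len(manifest["files"]), clean, tampered


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest (and a copy of the hashes) somewhere the compromised environment cannot write to, such as the MSP's case file, so the verification step has something independent to compare against.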

Assess backup status

Are your backups intact? Are they on an isolated system that cannot have been reached by the attacker? Test accessibility of your most recent clean backup before assuming it is usable.
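The three questions above can be turned into a go/no-go check before anyone starts a restore. This is an added example, not Northstar IT's code: it verifies each restored file against the hash recorded at backup time (intact and readable), and checks that a retention lock is still in force for the recovery window, which is the immutable-backup property the FAQ below describes. The file contents, the backup-time manifest and the lock metadata are constructed; the shape of the lock metadata is an assumption, not any vendor's format.

```python
"""Backup readiness check before trusting a restore (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def check_retention_lock(lock_info, now, required_days):
    """Immutable means the set cannot be deleted or altered until retain_until.
    Require that date to still cover the recovery window. Returns (ok, reason)."""
    if not lock_info.get("locked"):
        return False, "backup set is not under a retention lock"
    retain_until = datetime.fromisoformat(lock_info["retain_until"])
    if retain_until - now < timedelta(days=required_days):
        return False, f"retention lock expires {retain_until.date()}, inside the {required_days}-day window"
    return True, "retention lock in force"


def verify_backup(backup_dir, manifest):
    """Compare each file in the restore with the hash recorded at backup time.
    Returns (path, reason) for anything missing or altered."""
    problems = []
    for rel_path, expected in manifest.items():
        path = os.path.join(backup_dir, rel_path)
        if not os.path.exists(path):
            problems.append((rel_path, "missing"))
            continue
        with open(path, "rb") as fh:            # reading it proves the copy is accessible
            if sha256_bytes(fh.read()) != expected:
                problems.append((rel_path, "content differs from backup-time hash"))
    return problems


def assess(backup_dir, manifest, lock_info, now, required_days=7):
    """One answer for Option 1 (restore from backup): usable only if locked and intact."""
    lock_ok, lock_reason = check_retention_lock(lock_info, now, required_days)
    problems = verify_backup(backup_dir, manifest)
    return {"usable": lock_ok and not problems, "lock": lock_reason, "problems": problems}


def demo():
    """Three constructed scenarios: a usable set, an incomplete set with no lock,
    and an intact set whose lock expires too soon."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as backup_dir:
        ledger = b"quarterly ledger (constructed content)"
        os.makedirs(os.path.join(backup_dir, "finance"))
        with open(os.path.join(backup_dir, "finance", "ledger.csv"), "wb") as fh:
            fh.write(ledger)

        intact = {"finance/ledger.csv": sha256_bytes(ledger)}
        # payroll.csv was recorded at backup time but never actually copied
        incomplete = dict(intact, **{"finance/payroll.csv": sha256_bytes(b"payroll (never copied)")})
        locked = {"locked": True, "retain_until": "2024-02-01T00:00:00+00:00"}
        unlocked = {"locked": False, "retain_until": "2024-02-01T00:00:00+00:00"}
        expiring = {"locked": True, "retain_until": "2024-01-03T00:00:00+00:00"}

        return (
            assess(backup_dir, intact, locked, now),
            assess(backup_dir, incomplete, unlocked, now),
            assess(backup_dir, intact, expiring, now),
        )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A manifest like `intact` only exists if hashes were recorded when the backup was taken, which is the real lesson: the restore test has to be rehearsed before the incident, not invented during it.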

Option 1: Restore from backup

If you have clean, isolated, tested backups: begin recovery. Prioritise the systems the business needs most. Build recovery time estimates based on your documented RTO.

Option 2: Partial decryption

Some ransomware variants have published decryption keys (check nomoreransom.org). These are rarely available for current strains, but always check before spending money on other options.

Option 3: Pay the ransom (last resort only)

If no backup is available and business survival depends on data recovery, payment may be considered. Consult your legal counsel and insurer before paying. Verify that the threat actor is not on a Canadian or US OFAC sanctions list; payment to sanctioned entities can result in additional legal consequences.

Should you pay the ransom?

No, in most cases. Payment does not guarantee data return, it funds future attacks, and it may violate Canadian sanctions if the threat actor is on a watch list.

The best long-term protection against the ransom decision is immutable backups that give you no reason to consider it.

Do you have to report the attack?

Possibly yes, depending on what data was affected:

PIPEDA (federal): If personal information was accessed or exfiltrated, report to the Office of the Privacy Commissioner as soon as feasible if there is a real risk of significant harm.

BC PIPA / Alberta PIPA: Similar notification requirements for personal information breaches.

Cyber insurer: Most policies require immediate notice of a ransomware event, regardless of personal data involvement.

Law enforcement: Reporting to the RCMP's National Cybercrime Coordination Unit (NC3) and the Canadian Centre for Cyber Security is strongly recommended, even if you do not expect immediate investigation.

What is the first thing to do in a ransomware attack?

Disconnect affected machines from the network immediately. Do not power off. Call your MSP and cyber insurer.

Can ransomware spread to cloud backups?

Yes, if cloud backups are accessible from the compromised environment and not protected with immutable retention. Immutable backups (which cannot be deleted or altered for a defined period) are the correct protection.

What is nomoreransom.org?

A free public resource maintained by law enforcement and cybersecurity firms that provides decryption tools for some ransomware strains. Always check before paying ransom.

Will cyber insurance cover the recovery?

Most policies cover incident response, forensics, legal, regulatory notification, and business interruption. Ransom payment coverage is increasingly limited or excluded.

Can Northstar IT help during a ransomware incident?

Yes. Northstar IT provides incident response for businesses across Northern BC, Alberta, and Yukon, including containment, forensics, recovery, and regulatory reporting guidance.

If you are experiencing a ransomware incident right now, call 672-983-1174 immediately. For proactive planning, book a free incident response readiness review at northstarit.ca.

FAQ

Quick answers.

What should we do first if we are hit by ransomware?

Immediately disconnect affected machines from the network. Do not power them off, do not reboot, and do not pay. Call your MSP or incident response provider. Preserve logs and memory state for forensics.

Should we pay the ransom?

No, except in rare cases with no recovery path and lives at stake. Paying funds future attacks, does not guarantee data return, and can violate Canadian sanctions if the actor is on a watch list.

Do we have to report a ransomware attack?

If personal data is affected, yes. PIPEDA requires notification of a real risk of significant harm. Some provinces and industries have additional reporting requirements. Cyber insurance carriers also typically require immediate notice.

How long does ransomware recovery take?

With immutable backups, tested restore procedures, and a planned incident response, most SMBs are operational within 24 to 72 hours. Without those, recovery can take weeks or fail entirely.

Will cyber insurance cover the loss?

Most cyber policies cover incident response, forensics, legal, notification, and business interruption. Ransom payment coverage is being limited or excluded. Read your policy carefully and review with your broker annually.

Have a specific situation in mind?

Book a free 30-minute scoping call with a Northstar IT engineer. We will walk through your environment, your questions, and what good looks like for your team.
