Same Day IT

Guide · ransomware first response

Your files are encrypted and there is a ransom note: the first hour

Here's the short version: disconnect the affected machine from the network and wifi, don't pay anything, and don't delete anything. Take a breath. What you do in the first hour shapes how much you get back. This guide walks you through it, calmly, one step at a time.

Last updated 4 July 2026 · by Alien IT Solutions

Rule one: isolate the affected machine now

Whatever the note says and however loud the countdown timer looks, the first move is the same: cut the infected computer off from everything else. Unplug the network cable and switch off its wifi. Ransomware spreads, and every minute it stays connected is another minute it can reach shared drives, other PCs and the server.

One important nuance: disconnect, but don't rush to shut the machine down if you are unsure. Pulling it off the network stops the spread. Powering it off wipes whatever is in memory, and for some strains that includes the encryption key or other traces a specialist can use to identify the strain and recover data. The one exception is a machine that is still visibly encrypting and that you cannot get off the network any other way; there, cutting the power is the lesser evil. Otherwise, isolate the machine and leave it running until someone who knows ransomware can look at it.

Why the first hour matters so much

Ransomware is not a single event. It is a process that keeps running until you stop it. It scrambles files, then it hunts for more: mapped drives, network shares, backup folders, other machines on the same network. The longer it has, the more it takes.

So the first hour is not about fixing anything. It is about containment and preserving your options. Stop the spread, protect anything it has not reached yet, and keep every scrap of evidence intact so the people who can help you actually can.

The businesses that come through this well are almost never the ones that reacted fastest with a fix. They are the ones that stayed calm, isolated the problem, and had a clean backup sitting somewhere the attacker could not touch. That is the whole game, and most of it is decided before anyone types a single command.

The first-hour checklist

Four things, in order. None of them cost money, and every one protects an option you still have.

Disconnect from the network and wifi

Unplug the cable and turn off wifi on the affected machine. If several machines are hit, or you cannot tell how far it has gone, it is reasonable to pull the internet for the whole site while you work out the scope. Isolation first, everything else second.

Don't rush to power it off

Disconnecting stops the spread without destroying anything. Shutting down can erase details held only in memory that help identify the strain and recover data, so unless a specialist tells you to, or the machine is still visibly encrypting and you cannot get it off the network any other way, leave the isolated machine running. Never wipe or reimage it in a panic in the first hour.

Don't pay and don't delete anything

Do not pay the ransom in the heat of the moment, and do not delete the encrypted files or the ransom note. Identifying the strain usually needs the note plus a sample of an encrypted file, and sometimes a free decryption tool already exists for it: the No More Ransom project, run by Europol and partner companies, keeps a catalogue of them. Leave everything exactly where it is.

Find out what it touched

Check shared drives, other computers, the server and any cloud folder that syncs automatically. Write down what is encrypted and what still looks fine, plus the extension the ransomware added to file names, the exact name of the ransom note, and roughly when the earliest encrypted files were changed. This map decides where recovery starts, and the extension and note name are what identify the strain.

Where recovery actually lives: your backups

This is the part that matters more than anything on the ransom note. If you have a clean backup out of reach, you have a way out.

! An offline or immutable backup

The best case. A copy that was disconnected, on a separate account, or immutable in the cloud when the attack hit. The attacker could not touch it, so it is clean. This is what turns a ransom demand into a wipe-and-restore job instead of a negotiation.

! A backup that was plugged in

Be careful here. A backup drive left permanently connected, or an always-on network share, may have been encrypted along with everything else. It might still hold older clean versions, but do not plug a backup drive into the infected machine to check it. Check it from a clean device, and connect it read-only if you can.

! No backup you can reach

Harder, but not hopeless. Do not delete anything and do not pay on impulse. A specialist can identify the strain, check for a known decryption tool, and look for shadow copies or other remnants (many strains delete shadow copies, but not all of them do, so it is worth checking). The worst move now is a rushed one that closes a door you did not know was open.

Why you don't rush to pay

The note is designed to panic you. A countdown, a threat, a promise that paying makes it all go away. In the first hour, the answer to paying is simply: not yet, and not without advice.

Paying does not guarantee your files come back. You are trusting criminals to hold up their end, and plenty do not, or hand over a decryption tool that only half works. Paying also marks your business as one that pays, which invites the next attempt. And in many cases it is not even the quickest route, because a clean backup restores faster than any decryption.

This is not to say the decision is simple. It can be genuinely hard, and it carries legal and practical weight. That is exactly why it is not a first-hour decision made alone under pressure. Work out what you can restore, get expert advice, and let the choice be a considered one rather than a reflex to a timer.

How it got in, and stopping the spread

Ransomware usually arrives one of a few ways: a dodgy email attachment someone opened, a password that was stolen or guessed, or a weakness in remote access left exposed to the internet. From there it tries to move sideways, reaching for every machine and share it can find. That is why isolating the affected computer is the very first thing you do.

Once it is off the network, the job is to understand the blast radius. Which drives are encrypted? Did it reach the server? Are other staff seeing the same note? Is a cloud sync folder quietly copying the encrypted files up to the cloud right now? If it is, pause the sync from a clean device; most of the big cloud services keep previous versions of files, so that version history may itself be a recovery path. Answering these calmly, one at a time, tells you what is safe and what still needs isolating.

Resist the urge to log into everything to check. Every machine you touch with the wrong account, every share you open, is a chance to spread the problem or trip something else. In particular, never log into a possibly infected machine with a domain administrator account: ransomware operators harvest the credentials of whoever logs in, and an admin login hands them the rest of the network. Slow, deliberate checks from a device you know is clean beat a frantic sweep of the whole office.
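The "find out what it touched" step in the checklist and the blast-radius questions above both come down to the same task: a read-only inventory of a share that records what is encrypted, what the attacker renamed files to, where the ransom notes are, and when the earliest encrypted files were written. The script below is an added example written for this guide, not a tool from the page's authors. It assumes you run it from a clean machine against a read-only mount of the suspect share (or a disk image), never on the infected computer. The ransom-note name patterns and the `.locked` extension in the constructed sample are illustrative assumptions, not tied to any particular strain, and the entropy test is a heuristic: legitimately compressed formats (zip, jpg, pdf) are also high-entropy, so those are flagged for review rather than called encrypted.

```python
"""Read-only scope map of a possibly ransomed share (added example, not part of the guide).

Run from a clean machine against a read-only mount or a disk image. Nothing is
written to the scanned tree; the only files it creates are the constructed demo
data in a temp directory.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic ransom-note filename patterns (assumption: generic, not strain-specific).
NOTE_NAME = re.compile(
    r"(readme|decrypt|restore|recover|how.?to|help).*\.(txt|html?|hta)$", re.I
)
# Formats that are high-entropy when perfectly healthy: flag for review, not as encrypted.
COMPRESSED = {".zip", ".7z", ".rar", ".gz", ".jpg", ".jpeg", ".png",
              ".mp4", ".mp3", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8.0, text near 4-5
SAMPLE_BYTES = 4096       # only the first 4 KiB is read, to keep the scan cheap


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'note', 'encrypted', 'review' or 'ok' for one file."""
    if NOTE_NAME.search(path.name):
        return "note"
    try:
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
    except OSError:
        return "review"  # unreadable: look at it by hand
    if shannon_entropy(sample) < ENTROPY_THRESHOLD:
        return "ok"
    return "review" if path.suffix.lower() in COMPRESSED else "encrypted"


def map_scope(root) -> dict:
    """Walk `root` read-only and summarise notes, encrypted files, appended
    extensions and the earliest/latest modification time of the damage."""
    root = Path(root)
    summary = {"notes": [], "encrypted": [], "review": [], "ok": 0,
               "extensions": Counter(), "first_seen": None, "last_seen": None}
    key_for = {"note": "notes", "encrypted": "encrypted", "review": "review"}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind == "ok":
            summary["ok"] += 1
            continue
        summary[key_for[kind]].append(path.relative_to(root).as_posix())
        if kind == "encrypted":
            summary["extensions"][path.suffix.lower()] += 1  # the appended extension identifies the strain
        if kind in ("note", "encrypted"):
            mtime = int(path.stat().st_mtime)  # epoch seconds: when this file was (re)written
            first, last = summary["first_seen"], summary["last_seen"]
            summary["first_seen"] = mtime if first is None else min(first, mtime)
            summary["last_seen"] = mtime if last is None else max(last, mtime)
    return summary


def build_constructed_sample() -> str:
    """Create a small fake share in a temp dir. Constructed demo data, not real files."""
    root = Path(tempfile.mkdtemp(prefix="scope_demo_"))
    high = bytes(range(256)) * 16                       # stand-in for ciphertext: exactly 8.0 bits/byte
    low = b"Quarterly figures, same lines repeated. " * 100  # ordinary document text
    files = [  # (relative path, content, modification time as epoch seconds)
        ("docs/quarterly.txt", low, 1_719_990_000),
        ("docs/invoice.pdf.locked", high, 1_720_000_000),  # '.locked' is an illustrative extension
        ("docs/photo.jpg", high, 1_719_990_000),           # healthy but high-entropy: review, not encrypted
        ("shared/notes.txt", low, 1_719_990_000),
        ("shared/budget.xlsx.locked", high, 1_720_000_600),
        ("shared/README_RESTORE_FILES.txt", b"Your files are encrypted...", 1_720_000_900),
    ]
    for rel, data, mtime in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    return str(root)


def demo() -> dict:
    """Scan the constructed sample and return the scope summary."""
    return map_scope(build_constructed_sample())


if __name__ == "__main__":
    s = demo()
    print(f"ransom notes:     {s['notes']}")
    print(f"encrypted files:  {s['encrypted']}")
    print(f"needs review:     {s['review']}")
    print(f"looks fine:       {s['ok']} files")
    print(f"appended exts:    {dict(s['extensions'])}")
    print(f"damage window:    {s['first_seen']} .. {s['last_seen']} (epoch seconds)")
```

Point `map_scope()` at the mounted share instead of the constructed sample to get the real map. The appended extension and the note filename are exactly what a specialist or a decryptor catalogue needs to identify the strain, and the earliest modification time among the encrypted files tells you which backup generation predates the damage.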

When to bring in expert help

The honest answer is early. Ransomware is not a virus scan you run and move on from. It is an active compromise, and how you handle the first day changes the outcome for weeks. If files are encrypted and there is a ransom note, that is the moment to get someone who does this for a living on the line, before decisions get made that cannot be undone.

What good help does first is unglamorous: confirm the spread is contained, identify the strain, check whether a free decryption tool exists, and find or verify a clean backup. Only then does anyone talk about rebuilding. If someone's first instinct is to wipe the machine or negotiate a payment before any of that, slow down and get a second view.

The real lesson: a clean backup makes this survivable

Every ransomware nightmare has the same shape underneath: important data, one path to it, and no clean copy out of the attacker's reach. A backup that is offline or immutable and actually tested rewrites the ending. Files encrypted? Isolate, wipe, restore, and get on with the week. The ransom note becomes noise. Attackers count on you having nowhere to turn, and a tested backup is exactly the thing that takes their leverage away. If today ends well, spend the relief on getting that safety net in place, offline or immutable, tested with a real restore, before the next attempt finds a business with nothing to fall back on.

Questions people ask

Should I turn off the infected computer?

Disconnect it from the network and wifi straight away, but do not rush to shut it down if you are unsure. Pulling the network cable and switching off wifi stops the spread. Powering off wipes memory, and for some strains that destroys the encryption key or other traces that help recovery, so if you are not certain, isolate the machine and leave it running until someone who knows ransomware can look at it. The exception is a machine still visibly encrypting that you cannot get off the network any other way; then power it off.

Should I pay the ransom?

Not in the first hour, and not as a first move. Paying does not guarantee you get your files back, it marks you as someone who pays, and it may not be the fastest path anyway. Work out what you can restore from backups first. Get expert advice before any decision about payment, because it is a serious one with legal and practical weight.

Can I just delete the infected files to clean it up?

No. Do not delete anything in the first hour. The encrypted files, the ransom note and the leftover tools are evidence that helps identify which ransomware you have, and sometimes a free decryption tool exists for that exact strain. Deleting things can also destroy your only path back. Leave everything in place and let a specialist look first.

How do I know if my backups are safe?

A backup is only safe from ransomware if it was offline or otherwise out of reach when the attack hit. Anything left permanently connected, a mapped drive or an always-on network share, can be encrypted along with everything else. Check whether you have a copy that was disconnected, on a separate account, or immutable in the cloud. Do not plug a backup drive into the infected machine to check it.

How did the ransomware get in and is it still spreading?

It usually arrives through a dodgy email attachment, a stolen password, or a weakness in remote access, then tries to move sideways to every machine and share it can reach. That is why isolating the affected computer first matters so much. Once it is off the network, work out what else it touched: shared drives, other PCs, the server, and cloud folders that sync automatically.

How do I stop this happening again?

Backups that are offline or immutable and tested with a real restore, so an attacker cannot encrypt your safety net. Add multi-factor authentication on email and remote access, keep systems patched, and never expose remote desktop directly to the internet; put it behind a VPN with multi-factor authentication or turn it off. The businesses that shrug off ransomware are the ones that can wipe and restore, because a clean backup turns a disaster into a bad afternoon.

Hit by ransomware right now?

Disconnect the affected machine from the network and wifi, don't pay, don't delete anything, then tell us what happened through the contact form. We'll help you contain it, work out the scope, and find your way back. For the wider playbook, see our IT emergency guide.