Ransomware attacks on small businesses are accelerating, and panic is the worst response. Here is exactly what to do if your files get encrypted and attackers demand payment.
The First 60 Minutes Are Critical
If you discover ransomware on your network, your instinct might be to pay the ransom to get your business back online. Do not. Instead, isolate the infected systems immediately by disconnecting them from the network - unplug network cables and disable WiFi. This stops the ransomware from spreading to other computers and backup systems; reaching those systems is often the attacker's goal.
Next, preserve evidence. Take a photo of the ransom note with your phone and save any documents that show when you discovered the infection. Then contact your IT provider or a ransomware incident response firm. Do not attempt to decrypt files yourself, and do not pay the ransom without expert guidance.
Who to Call and What to Say
Alert your cyber insurance provider immediately, assuming you have coverage. Provide them with the ransom note, the time you discovered it, and the list of affected systems. Call the FBI's Internet Crime Complaint Center (IC3) and file a report - this takes 20 minutes and creates an official record that helps law enforcement track the attacker.
Contact your managed IT service provider or an incident response firm that specializes in ransomware. They can investigate which data was encrypted, whether any data was exfiltrated for extortion, and whether paying actually gets you a working decryption key (many attackers do not provide working keys even after payment).
Recovery Without Paying
In many ransomware cases, particularly those from common families, decryption keys become publicly available through research by security firms. Your incident response partner can check whether a free decryption tool exists for your specific strain of ransomware before you consider payment.
If you have solid backups stored offline or in immutable cloud storage, you can restore from there. This is why ransomware preparedness focuses so heavily on backup strategy - it is genuinely your most effective defense against extortion. A business with proper backups can restore in days rather than paying thousands.