If you're in it right now: isolate the affected machines, don't power them off, disconnect your backups, and call a professional before you do anything else. Do not pay or contact the attackers yet. Most small businesses that recover well do so because they had tested backups. Most of the pain comes from not having them.
- First move: Isolate, don't power off
- Should you pay? Usually no
- What saves you: Tested backups
- Best defense: Preparation
Most ransomware guides are written for enterprise IT teams. This one is written for the person who actually feels it most: the owner of a small business who just walked in to find a ransom note on the screen, or who wants to make sure that never happens. No jargon, no scare tactics. Just what to do.
The first hour: what to do right now
If you're reading this in the middle of an attack, breathe, then move in order. The first hour matters, and the instinct most people have (shut everything off) is usually the wrong one.
- Isolate, don't shut down. Disconnect affected computers from the network. Unplug the network cable or turn off Wi-Fi. But leave them powered on. Shutting down wipes the machine's memory, which can hold evidence investigators need and, for some strains, the encryption key itself.
- Disconnect your backups immediately. Ransomware actively hunts for backups to encrypt them too. If your backup drive or system is reachable, get it offline now.
- Stop using the affected systems. Don't keep working on them, don't open files to "check," don't reboot repeatedly.
- Take a photo of the ransom note with your phone, and note the file extension the encrypted files were given. Together they identify the strain, which determines what recovery options exist.
- Call a professional. Your IT provider, or a ransomware recovery specialist. The earlier the right person is involved, the more options stay on the table.
The first instinct is to pull the plug. The right move is to pull the network cable and leave the rest alone.
What not to do
A few actions make a bad situation worse, and they're common because they feel productive in the moment.
Don't pay or contact the attackers before you've assessed your backups. Don't delete the ransom note or the encrypted files. Don't run random "ransomware removal" tools you found in a panic; some are scams that make it worse. Don't assume your cloud sync (like OneDrive or Google Drive) is safe: encrypted files often sync up and overwrite the good copies, though both services keep version history that a professional can often use to roll files back.
Should you pay the ransom?
This is the question everyone asks, and the honest answer is: usually no, but it depends entirely on your backups.
The FBI and CISA both advise against paying. Here's the reasoning, in plain terms. Paying funds the criminal operation that hit you. It marks your business as one that pays, which invites repeat attacks. And it comes with no guarantee. Plenty of businesses have paid and received a broken decryptor, a partial recovery, or nothing at all. Payments to sanctioned groups can also create legal exposure of their own, which is one more reason to involve your insurer and an attorney before any contact.
But the real deciding factor is simpler than the ethics: do you have clean backups the ransomware couldn't reach? If yes, you usually don't need to pay; you restore. If no, you're in a genuinely hard spot, weighing a criminal's promise against losing your data. That fork is the whole reason this guide spends as much time on prevention as recovery. The pay decision is really made months earlier, by whether you set up and tested backups.
How recovery actually works
Recovery is rarely a single button. For a small business, it generally follows this shape:
- Contain and assess. Confirm what's encrypted, what spread, and whether the attackers still have access. You don't want to restore into a network they're still in.
- Identify the strain. Some older ransomware has free decryption tools through the No More Ransom project. Most modern strains do not, which puts the focus back on backups.
- Eradicate. Remove the ransomware and close the hole it came through (often a phished password, a remote-access login exposed to the internet, or an unpatched system), so you're not re-infected the moment you restore.
- Restore from clean backups. This is the heart of it. Wipe affected systems and restore data from backups that were offline or immutable.
- Verify and watch. Confirm systems are clean, reset every password the attackers could have taken (including admin and service accounts), and monitor closely for a return.
Dealing with this right now?
Call us. We help Southern Wisconsin businesses respond to and recover from ransomware. The sooner the right person is involved, the better your options.
How long does recovery take?
It depends almost entirely on one thing: your backups.
| Your situation | Realistic recovery |
|---|---|
| Tested, offline backups + a plan | Days |
| Backups exist but never tested | Days to weeks |
| No usable backups | Weeks, with data loss |
| Paid the ransom | Uncertain |
The costs add up fast, and most of them aren't the ransom itself. Downtime, lost productivity, rebuilding systems, notifying customers, and lost trust often dwarf the ransom demand. For small businesses, total recovery costs frequently reach into six figures. That number is exactly why prevention is the cheaper path by a wide margin.
Reporting and the legal side
A ransomware attack often isn't just an IT problem; it's a legal one, and ignoring that can cost you more later.
- Breach notification. If customer or employee personal information was exposed, Wisconsin's data breach notification law (and similar laws elsewhere) may legally require you to notify affected people within a set time.
- Cyber insurance. If you carry a policy, most require you to notify the insurer promptly, often before you take certain recovery steps, and many require you to use their approved responders. Call them early.
- Report it. Reporting to the FBI through IC3.gov is recommended. It can aid investigations and is sometimes expected by insurers.
You don't have to navigate this alone. A recovery professional, and where needed an attorney, can help you understand exactly what your obligations are for your situation.
How to prevent it in the first place
Here's the good news, and the reason we'd rather have this conversation before an attack than after. The controls that prevent the large majority of ransomware are not expensive or complicated.
| Control | Why it matters |
|---|---|
| Tested, offline or immutable backups | Your real safety net |
| Multi-factor authentication | Stops a stolen password from being enough |
| Prompt patching | Closes known holes |
| Endpoint protection | Detects and blocks the encryption behavior |
| Staff awareness training | Stops the first click |
Notice the theme: most ransomware starts with a person, whether a phished password or a fake call that gets someone to hand over access. The technology matters, but the cheapest, highest-impact protection is making sure your team can recognize the trick and your backups can save you if they don't.
The honest truth about ransomware
The single most painful thing we see is not the attack itself. It's the business that thought it had backups and finds out, in the worst possible moment, that they were never running, never tested, or were sitting on the same network the ransomware just encrypted.
A backup you've never tested isn't a backup. It's a hope.
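What "tested" means in practice is concrete: restore the backup somewhere safe, compare what came back against a record of what went in, and check that the backup is actually recent. The script below is an added example written for this article, not a tool from the original page or from any backup product; it works on constructed sample files in a temporary folder, and the 24-hour freshness limit is an assumption you would set to match your own backup schedule.

```python
"""Minimal backup-verification check (added example, not the page's own tooling).

Exercises the "tested backups" control: a backup is trusted only after a real
restore has been performed and compared, file by file, against a manifest.
Sample data is constructed in a temporary directory so this runs offline.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumption: daily backups are expected


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path under root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup_root: Path) -> Path:
    """Copy source into a timestamped backup set and write its manifest beside it."""
    dest = backup_root / time.strftime("%Y%m%d-%H%M%S")
    shutil.copytree(source, dest)
    manifest = backup_root / (dest.name + ".manifest.json")
    manifest.write_text(json.dumps(build_manifest(dest)))
    return dest


def verify_backup(backup_set: Path, manifest_path: Path,
                  max_age: float = MAX_BACKUP_AGE_SECONDS, now=None) -> list[str]:
    """Test-restore the set into scratch space and compare it with the manifest.

    Returns a list of problems found; an empty list means the backup passed.
    """
    problems = []
    now = time.time() if now is None else now
    age = now - backup_set.stat().st_mtime
    if age > max_age:
        problems.append(f"backup is stale: {age / 3600:.1f} hours old")
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup_set, restored)  # the actual restore exercise
        actual = build_manifest(restored)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    for rel in actual.keys() - expected.keys():
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: a clean backup, the same backup judged two days
    later, then the same backup with one file overwritten the way ransomware
    reaching the backup drive would. Returns the three problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "data"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-01.csv").write_text("id,amount\n1,120.00\n")
        (source / "customers.txt").write_text("Acme Hardware\n")
        backups = tmp / "backups"
        backups.mkdir()
        backup_set = make_backup(source, backups)
        manifest = backups / (backup_set.name + ".manifest.json")
        clean = verify_backup(backup_set, manifest)
        stale = verify_backup(backup_set, manifest,
                              now=time.time() + 2 * MAX_BACKUP_AGE_SECONDS)
        (backup_set / "customers.txt").write_bytes(b"\x00encrypted\x00")
        tampered = verify_backup(backup_set, manifest)
    return clean, stale, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "stale", "tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The point of the restore step is that it fails for all the reasons the paragraph above lists: a backup job that silently stopped shows up as stale, and a backup drive the ransomware reached shows up as hash mismatches. Running a check like this on a schedule, against a copy kept offline or immutable, is what turns a hope into a backup.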
Recovery is survivable, and most businesses with the right preparation come through it. But the outcome is decided long before the ransom note appears, by the boring, invisible work of backups, patching, and a team that knows what a phishing email looks like. If you're reading this and you haven't been hit yet, that's the best position to be in. Use it.
Want to make sure you're actually protected?
We help small businesses across Southern Wisconsin set up real backups, security, and a plan. A short conversation now is far cheaper than recovery later.