By the MET Florida (METFL) Cybersecurity Team | Last Updated: May 2026

Every 19 seconds, a business somewhere in the world is hit by a ransomware attack. As of 2025, a ransomware attack occurs somewhere in the world every ~19 seconds — a dramatic acceleration from the sporadic campaigns of just five years ago. If you're reading this with a ransom note on your screen right now, take a breath. In the event of a ransomware attack, there are basic steps any organization can follow to help contain the attack, protect sensitive information, and ensure business continuity by minimizing downtime. Therefore, the very next thing you do — in the right order — can be the difference between a manageable recovery and a catastrophic, business-ending loss.

Verizon's 2025 Data Breach Investigations Report shows ransomware was present in 44% of attacks in the past year, an increase of 37% from the previous year. This means ransomware is no longer an "enterprise problem" — it's everyone's problem. Smaller businesses remain particularly vulnerable, as 88% of all ransomware incidents involve these organizations, many of which are underprepared and lack the necessary cybersecurity measures to mitigate such attacks. If your business has been hit, this guide gives you the emergency ransomware attack help you need — step by step — to stop the bleeding, preserve your data, and get back online.

At MET Florida (METFL), we work with businesses across Florida that face exactly this kind of crisis. In my experience, the businesses that recover fastest aren't necessarily those with the biggest IT budgets — they're the ones that act in the right sequence, calmly and deliberately, in the first hour.

Key Takeaways

• Stop the spread first, not last: The first priority after a ransomware attack is containment, not repair. The goal is to limit further impact while preserving the environment for proper assessment. Isolating infected systems before anything else is the single most impactful action you can take.
  

• Do NOT restart infected machines: When dealing with ransomware, avoid restarting infected devices. Hackers know this might be your first instinct, and some types of ransomware notice restart attempts and cause additional harm, like damaging Windows or deleting encrypted files. Rebooting can also make it harder to investigate ransomware attacks — valuable clues are stored in the computer's memory, which gets wiped during a restart. This is a critical mistake businesses make in a panic.
  

• Recovery costs far exceed the ransom itself: The ransom payment accounts for a small portion — often as little as 15% — of the overall costs associated with a ransomware attack. The average cost of downtime can frequently amount to fifty times more than the ransom demand. Therefore, your goal must be rapid, structured recovery — not just paying to make it go away.
  

• Free decryption tools may exist for your strain: With over 170 partners, the No More Ransom online portal hosts a collection of over 100 free decryption tools covering over 150 ransomware families. Users worldwide can access the tools for free to recover data held hostage by ransomware attacks. Always check before paying.
  

• Law enforcement can actively help: According to Sophos' State of Ransomware 2024 report, 97% of organizations that suffered a ransomware attack contacted and worked with law enforcement agencies. Of those organizations, 61% received advice on how to deal with ransomware, and 60% got help investigating the attack. Additionally, law enforcement agencies helped 58% of organizations that had their data encrypted recover that data. Report early — it pays off.
  

Quick-Start Prioritization Framework

Use this table to identify where to focus your energy immediately based on your current situation:

Start here if you're:

• A small business with no IT team: Immediately call your IT provider or a managed service provider like MET Florida, unplug infected machines from the network, and report to FBI's IC3 — this gives you expert guidance fast.

• A mid-sized business with an internal IT team: Activate your incident response plan, isolate network segments, preserve forensic evidence, and contact your cyber insurer within the hour.

• A business with existing clean backups: Your recovery path is the shortest. Focus entirely on confirmed containment before restoring — do not restore into a still-infected environment.

Step 1: The First 60 Minutes — Contain and Don't Panic

Confirm You're Actually Under Attack

The most obvious signs of a ransomware attack are a sudden inability to open your files, the appearance of unusual file extensions (like .locked or .encrypted), and a pop-up screen or text file — the ransom note — demanding payment to restore access. This is usually when the panic starts, but you must keep your calm, as what you do in the next 60 minutes is critical.

The first step is confirming that ransomware is actually the issue. Warning signs often include unusual file extensions, locked screens, and encrypted directories. Training employees to recognize these signs is critical. The faster the attack is identified, the quicker you can take steps to stop it.

Disconnect — Hard and Fast

Because the most common ransomware variants scan networks for vulnerabilities to propagate laterally, it's critical that affected systems are isolated as quickly as possible. Disconnect ethernet and disable WiFi, Bluetooth, and any other network capabilities for any infected or potentially infected device.

Your first action must be to limit the spread of the ransomware infection. As soon as you identify a problem, disconnect any affected devices from your network connections. Ransomware can spread via LAN, WAN, WiFi, and cellular connections. You must disconnect them all.

After an initial compromise, malicious actors may monitor your organization's activity or communications to understand if their actions have been detected. Isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls to avoid tipping off actors that they have been discovered. Not doing so could cause actors to move laterally to preserve their access or deploy ransomware widely prior to networks being taken offline.

Turn Off Automatic Maintenance Tasks

Immediately disable automatic tasks — e.g., deleting temporary files or rotating logs — on affected systems. These tasks might interfere with files and hamper ransomware investigation and recovery. This is one of the most overlooked steps in the chaos of discovery. Disable any regular and automated maintenance tasks, such as file removals, as many of these activities could interfere with your investigation. For example, temporary file logs may contain essential clues about the origins of an attack. However, if these are deleted automatically by routine maintenance activities, this valuable information will be lost.

Step 2: Assess the Damage Without Making It Worse

Identify the Scope of Infection

Determining how a threat actor gained access to your environment is crucial to identifying vulnerabilities, conducting attack mitigation, and preventing future attacks. An assessment of the current situation is critical to understanding the scope of the incident and for determining the best people to assist and to plan and scope the investigation and remediation tasks. Asking the following initial questions is crucial in helping to determine the source and extent of the situation.

Key questions to answer in this phase:

• Which systems, devices, and files are visibly affected?

• Which systems appear unaffected and can be preserved?

• Has the attacker accessed or exfiltrated data before encrypting?

• When did the attack likely begin? (It may have been weeks ago)

The median time from attacker access to encryption is now just 4–5 days, making early detection the critical variable in determining whether recovery is needed at all. This matters because attackers often planted themselves in your network long before you saw the ransom note — meaning the compromise runs deeper than the visible symptoms suggest. Therefore, don't assume any system that looks "clean" is actually clean.

Preserve Forensic Evidence

Without documented steps, teams often wipe systems before collecting forensic evidence. This is a costly error. In my experience working alongside incident response professionals, the loss of forensic evidence ranks among the top three mistakes businesses make in the first hour.

When dealing with ransomware, avoid restarting infected devices. Instead, put the affected systems into hibernation. This will save all data in memory to a reference file on the device's hard drive, preserving it for future analysis.

Step 3: Notify the Right People Immediately

Alert Your Internal Team and Leadership

Don't try to handle ransomware alone. Notify your internal IT team or managed IT provider right away. They will know how to investigate the infection, stop it from spreading, and begin recovery. It's also important to alert leadership so decision-makers are prepared for potential downtime, financial impacts, and communications with employees or clients.

Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, and departmental or elected leaders.

Contact Law Enforcement — This Actually Helps

Many businesses hesitate to call law enforcement, fearing embarrassment or regulatory scrutiny. This is a mistake. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.

Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents to FBI's Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency's Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

Notify Your Cyber Insurer

Most cyber insurance policies cover ransomware, but the details matter. Some policies exclude ransom payments. Others require you to follow specific incident response procedures or use approved vendors. Check whether your policy covers business interruption, forensic investigation costs, and notification expenses.

Call your insurer before engaging any outside vendor. Most policies require you to use an approved incident response firm, and failing to follow their process can void your claim.

Legal Notification Obligations

In some cases, reporting will be a regulatory requirement, especially if the attack has successfully exfiltrated personally identifiable data. Therefore, it's important you're aware of how quickly you must do this. Companies subject to GDPR, for instance, must notify their relevant data protection authority within 72 hours of becoming aware of a breach or risk further financial penalties.

A ransomware attack is more than an IT issue. It can be a legal and regulatory event. Depending on your industry and data exposure, you may need to consider several factors. Missteps here can create long-term consequences, even after systems are back online.

Step 4: The Ransom Decision — What You Need to Know Before Deciding

The Official Guidance: Don't Pay

The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn't guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.

FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the "true decryptor" — potentially indicating a triple extortion scheme. The criminals are not bound by their word.

The Real Cost Picture

Sophos's State of Ransomware 2025 found the average recovery cost excluding any ransom payment dropped 44% to $1.53 million in 2025. IBM's 2025 Cost of a Data Breach Report puts the average total cost of a ransomware incident at $5.08 million including downtime, legal exposure, remediation, and business interruption. Therefore, if you're considering paying to "save money," know that the costs after the payment are likely to be many times greater regardless.

Check for Free Decryption Tools First

Before any payment is considered, check whether a free decryptor exists for your ransomware strain. Unfortunately, in many cases, once the ransomware has been released into your device there is little you can do unless you have a backup or security software in place. Nevertheless, it is sometimes possible to help infected users regain access to their encrypted files or locked systems, without having to pay.

The No More Ransom Project — a joint initiative by Europol, the Dutch National Police, Kaspersky, and McAfee — hosts a collection of over 100 free decryption tools from multiple security software vendors, covering over 150 ransomware families. Users worldwide can access the tools for free to recover data held hostage by ransomware attacks.

Additionally, some decryption tools are available for certain ransomware strains, which can be found on websites like No More Ransom. Identify the strain first by examining the ransom note file extension or using the Crypto Sheriff tool at the No More Ransom portal.

Step 5: Recovery — How to Get Systems Back Online Safely

Start With Verified, Clean Backups

Immutable backups are your organization's best defense after a ransomware attack because they let you revert to everyday operations. A robust backup protocol, such as the 3-2-1 rule, ensures you restore data without worrying about paying a ransom.

Restoring from a backup is your most reliable and fastest way to recover from a ransomware attack. However, you must confirm that this backup is also free from infection. Many businesses unwittingly reinfect their systems by restoring from compromised backups. Confirm that your backups' source and destination systems are safe before proceeding.

Organizations with intact backups recover within a week 46% of the time; those with compromised backups achieve the same only 26% of the time. This is a nearly 2:1 advantage from having clean, tested backups — therefore, validate backup integrity before any restoration begins.

Rebuild Systems in Priority Order

Reconnect systems and restore data from offline, encrypted backups based on a prioritization of critical services. Take care not to re-infect clean systems during recovery. For example, if a new Virtual Local Area Network (VLAN) has been created for recovery purposes, ensure only clean systems are added.

Reset Credentials and Patch Vulnerabilities

Reset all account passwords, including admin accounts and cloud services. Consider implementing multi-factor authentication (MFA) to add an extra layer of security.

Based on the findings from the investigation, enhance your security protections to prevent similar attacks. This may include patching vulnerabilities, improving email filtering, and enhancing endpoint protection.

Conduct Threat Hunting Before Declaring All Clear

Monitor network traffic and run regular antivirus scans to identify if any infection remains. Isolate any suspicious activities and perform threat-hunting exercises to help you locate the source of the ransomware. Once your systems have been reactivated, CISA recommends initiating threat-hunting routines.

Look specifically for: whether any new Active Directory accounts have been created, whether any accounts have been assigned elevated permissions incorrectly, evidence of anomalous logins or suspicious VPN device connections, unauthorized presence of tools like Rclone or Rsync indicating data exfiltration, and newly created services or unexpected scheduled tasks.

Step 6: Post-Recovery — Hardening Against the Next Attack

Understand How Attackers Got In

Stolen credentials are the primary entry point. Nearly 50% of ransomware attacks in Q3 2025 used stolen VPN credentials, according to Beazley Security. Attackers buy these from initial access brokers who harvest them via infostealer malware. Phishing and unpatched vulnerabilities are also common.

Email is still the most popular initial entry point for an attack, with 90% of data breaches starting with a phishing email. Therefore, immediately after recovery, run mandatory phishing awareness training for all employees — not as a checkbox, but as a genuine education program.

The Five Post-Attack Hardening Priorities

I've found that the businesses that convert a ransomware attack into a genuine security improvement follow this specific sequence:

1. Implement or audit MFA on all accounts — especially email, VPN, and admin portals. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.
   

1. Segment your network — so that a future infection cannot move laterally across your entire environment.
   

1. Adopt the 3-2-1 backup rule — three copies, two different media, one offsite. 62% of organizations have adopted immutable backups, which cannot be modified or encrypted even during an active attack. If you're in the other 38%, fix this today.
   

1. Deploy Endpoint Detection and Response (EDR) — EDR tools provide real-time monitoring, behavioral analytics, and automated response to identify early-stage infections. EDR can help detect fileless malware and lateral movement, and in many cases can integrate threat intelligence and conduct remote containment.
   

1. Build and test an incident response plan — companies with tested response plans recover faster. Those without one waste critical hours improvising while ransomware spreads across the network. Test it at least quarterly with tabletop exercises.
   

The True Cost of a Ransomware Attack: What You're Really Facing

Organizations worldwide face an average of 24 days of downtime following a ransomware attack. In 2025, 53% of businesses recovered within 1 week, yet recovery costs, excluding ransom payments, averaged $1.53 million. If 24 days of downtime sounds abstract, consider this: for a business generating $50,000/week in revenue, that's over $170,000 in lost revenue alone — before touching forensics, legal fees, PR, or the cost of notifying affected customers.

The average cost of a data breach for a U.S. company has surged to an all-time high of $10.22 million in 2025. This is part of a global cybercrime wave expected to inflict $10.5 trillion in damages annually. Therefore, every dollar you invest in preparation before an attack should be compared against these recovery costs — not against a hypothetical "it won't happen to us" assumption.

Mastercard's global SMB cybersecurity study reveals that nearly one in five SMBs that suffered a cyberattack filed for bankruptcy or had to close, highlighting the severe financial impact of such incidents. The study further stated that 80% of these organizations had to spend time rebuilding trust with partners and clients.

The bottom line: ransomware is survivable, but only if you respond with speed, sequence, and expert support. The businesses that recover are not lucky — they're prepared.

Common Ransomware Mistakes That Make Things Worse

Mistake 1: Restarting Infected Machines

This is the most common first instinct — and one of the most damaging actions you can take. As ransomware recovery specialist Hassan Faraz warns, "With ransomware, you often don't get a second chance. Treating the attack like a standard IT issue by running scripts, deleting files, or even restarting the machine, can be a catastrophic error. These actions can wipe out the very data fragments or memory keys our DFIR team would use for a successful recovery."

Mistake 2: Paying Without Professional Guidance

Paying is not recommended unless it is a last resort. There's no guarantee of file recovery, and it encourages criminal activity. Focus on backups and professional recovery services first. If you must engage with attackers, always do so through a professional ransomware negotiation firm and legal counsel — never directly and never in haste.

Mistake 3: Restoring From Compromised Backups

The most important resource for recovering from ransomware attacks without making a payment are your backups. Criminals are well aware of this, which is why many modern ransomware attacks make deliberate efforts to target backup files as well, attempting to encrypt or delete them. To avoid this, ensure your backup systems are fully disconnected from the network and locked down until the issue is dealt with. If you do need to turn to backups to restore systems, they should be scanned in-depth so you can be fully confident that both the backup itself and the devices you're uploading them to are free from malware.

Mistake 4: Assuming It's Over After Decryption

Multi-extortion ransomware is an advanced attack that combines encrypting a victim's data with threats of leaking it, harassing stakeholders, launching additional attacks, and demanding further ransoms. This strategy amplifies the pressure on victims to pay to avoid greater damage, such as operational disruption, public exposure, and legal consequences. Even after you decrypt or restore your data, the attackers may still have your data and can weaponize it separately. Always assume data exfiltration occurred.

Frequently Asked Questions

What should I do first when I discover a ransomware attack?

The first priority after a ransomware attack is containment, not repair. Immediately disconnect all affected devices from your network — unplug ethernet cables, disable WiFi and Bluetooth. Then photograph the ransom note, notify your IT team or managed service provider, and call your cyber insurance carrier. Do not restart any infected machine.

Should my business pay the ransom?

The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn't guarantee you or your organization will get any data back. Before considering payment, check the No More Ransom Project for a free decryptor, assess your backup status, and consult both legal counsel and a professional incident response firm. If you do pay, do so only through a professional negotiator.

How long does ransomware recovery take?

Organizations worldwide face an average of 24 days of downtime following a ransomware attack. In 2025, 53% of businesses recovered within 1 week, yet recovery costs, excluding ransom payments, averaged $1.53 million. Recovery speed depends primarily on whether you have clean, tested backups and a documented incident response plan in place before the attack.

Do I need to report a ransomware attack to anyone?

Yes — and in many cases, you're legally required to. In some cases, reporting will be a regulatory requirement, especially if the attack has successfully exfiltrated personally identifiable data. Companies subject to GDPR, for instance, must notify their relevant data protection authority within 72 hours of becoming aware of a breach or risk further financial penalties. You should also report to the FBI's IC3 and CISA, regardless of industry.

Can ransomware spread to cloud backups and other connected devices?

Yes. If cloud accounts are connected to infected systems without proper security controls, ransomware can propagate. Once the code is loaded on a computer, it will lock access to the computer itself or data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives, and even networked computers. This is why isolating systems immediately — including disconnecting cloud-synced folders — is so critical.

Are small businesses really at risk, or is this mainly a big-company problem?

Smaller businesses remain particularly vulnerable, as 88% of all ransomware incidents involve these organizations, many of which are underprepared and lack the necessary cybersecurity measures to mitigate such attacks. In 2025, companies with fewer than 200 employees and revenues up to $25 million experienced the most attacks — a trend that mirrors 2024 findings. Small businesses are actively targeted because attackers know they're less prepared.

What is double extortion ransomware, and should I be worried?

Interlock ransomware actors employ a double extortion model in which actors encrypt systems after exfiltrating data, which increases pressure on victims to pay the ransom to both get their data decrypted and prevent it from being leaked. In 2025, Mandiant/Google Cloud found confirmed data theft in 77% of ransomware intrusions, up from 57% in 2024. This means you should assume data was stolen in any modern ransomware attack and prepare for potential notification obligations accordingly.

Get Emergency Ransomware Help Right Now

If you're in the middle of a ransomware incident or want to make sure your business is never caught unprepared, MET Florida (METFL) provides cybersecurity support and managed IT services across Florida. Whether you need immediate incident response guidance, a post-attack security audit, or help building a ransomware-resilient infrastructure with tested backups and an incident response plan, our team is ready to help. Don't wait until the ransom note is on your screen. Contact us today at metflservices.com.

Sources

1. Verizon 2025 Data Breach Investigations Report — Verizon. Ransomware prevalence in 44% of breaches in 2025. https://www.verizon.com/business/resources/reports/dbir/
   

1. #StopRansomware Guide — CISA. Official U.S. government guidance for ransomware response and prevention. #StopRansomware Guide
   

1. I've Been Hit By Ransomware — CISA. Step-by-step containment and recovery guidance. I've Been Hit By Ransomware
   

1. Ransomware — FBI. Official FBI guidance on ransomware and reporting. FBI Ransomware Guidance
   

1. 2025 Ransomware Trends: From Risk to Resilience — Veeam. Annual ransomware trends and recovery research report. https://www.veeam.com/blog/ransomware-trends.html
   

1. IBM Cost of a Data Breach 2025 / How to Recover From a Ransomware Attack — IBM. Average breach costs and recovery guidance. https://www.ibm.com/think/insights/ransomware-response
   

1. State of Ransomware 2025 — Sophos. Survey of 3,400 IT professionals on ransomware experiences. Sophos State of Ransomware 2025
   

1. 6-Phase Ransomware Response Plan — BreachSense. Detailed phase-by-phase incident response guidance. https://www.breachsense.com/blog/ransomware-attack-response-plan/
   

1. Ransomware Statistics 2025 — Fortinet. Comprehensive statistical overview of ransomware in 2025. https://www.fortinet.com/resources/cyberglossary/ransomware-statistics
   

1. Global Ransomware Attacks Rose 32% in 2025 — Industrial Cyber / Comparitech. 2025 global ransomware attack volume data. https://industrialcyber.co/reports/global-ransomware-attacks-rose-32-in-2025-as-manufacturers-emerged-as-top-target/
   

1. The No More Ransom Project — Europol / Dutch National Police / Kaspersky / McAfee. Free ransomware decryption tools for 150+ families. https://www.nomoreransom.org/
   

1. Average Ransomware Recovery Time 2025 — Total Assure. Recovery timeline and cost benchmarks from 2025 data. https://www.totalassure.com/blog/average-ransomware-recovery-time-2025
   

1. Ransomware Recovery Statistics 2026 — CNiC Solutions. Recovery rates, costs, and backup effectiveness. https://cnicsolutions.com/cybersecurity-threat-protection/ransomware-recovery-statistics-2026/
   

1. Ransomware Statistics 2025: Attack Rates and Costs — Mimecast. Global ransomware impact statistics. https://www.mimecast.com/content/ransomware-statistics/
   

1. What 2025 Teaches Us About Ransomware — Hornetsecurity. Ransomware trends and organizational resilience data. https://www.hornetsecurity.com/en/blog/ransomware-trends/
   

1. Microsoft Incident Response Ransomware Approach — Microsoft. Technical best practices for enterprise ransomware response. https://learn.microsoft.com/en-us/security/ransomware/incident-response-playbook-dart-ransomware-approach
   

1. The Cost of Ransomware: Updated 2025 — Acronis. Total cost analysis including downtime, legal, and reputational factors. https://www.acronis.com/en/blog/posts/cost-of-ransomware/
   

1. Top 20 Ransomware Statistics 2025 — SOCRadar. Curated statistics on ransomware frequency, payment trends, and impact. Top 20 Ransomware Statistics to Know (2025)
   

1. Ransomware Should Your Company Pay — TechTarget. Considerations and legal context for ransom payment decisions. https://www.techtarget.com/searchsecurity/tip/Should-companies-pay-ransomware-and-is-it-illegal-to
   

1. #StopRansomware: Medusa Ransomware Advisory — CISA/FBI. Official joint advisory on Medusa ransomware TTPs and response. CISA Advisory AA25-071A: Medusa Ransomware