If you discover a ransomware attack on your computer, immediate and methodical action is required to contain the infection and begin recovery.
Immediate Isolation
- Disconnect the Network: Immediately unplug Ethernet cables and turn off Wi-Fi and Bluetooth to prevent the ransomware from spreading to other devices or cloud storage.
- Unplug External Devices: Disconnect external hard drives, USB sticks, and any connected mobile devices to ensure they are not encrypted next.
- Do Not Power Off: Experts generally recommend keeping the computer on. Turning it off can destroy volatile evidence in the RAM that forensic investigators need to identify the ransomware strain.
Document the Attack
- Take Photos: Use a separate device (like your phone) to take clear pictures of the ransom note and any on-screen messages.
- Note Specifics: Identify the file extension of the encrypted files and any contact information provided by the attackers.
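The two items above are the facts a responder actually has to pin down: which extension the ransomware appended and what contact details appear in the note. The following script is an added example, not part of the original advisory, showing one way to collect those facts read-only from a copy of the affected directory tree. It builds a constructed sample tree in a temporary directory so it runs offline; the document-type list, note-name keywords and the sample contact strings are all assumptions made for the example.

```python
"""Added triage helper (not from the original advisory): inventory a directory
tree to identify the extension the ransomware appended, locate ransom-note
files, and pull the attacker's contact details out of them for the report.
Everything here is read-only; nothing is modified, decrypted or contacted."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ordinary document types; an extension appended *after* one of these
# ("report.docx.locked") is the candidate ransomware suffix. Constructed list.
DOCUMENT_TYPES = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".csv", ".txt"}

# Words that often appear in ransom-note filenames. Heuristic, not exhaustive.
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to", "howto")

# Contact details worth recording for the report: e-mail addresses and .onion hosts.
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\b[a-z2-7]{16,56}\.onion\b", re.I)


def suspected_extension(root):
    """Return (extension, count) for the most frequent suffix appended to a document type."""
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffixes = Path(name).suffixes
            if len(suffixes) >= 2 and suffixes[-2].lower() in DOCUMENT_TYPES:
                counts[suffixes[-1].lower()] += 1
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def find_ransom_notes(root):
    """Return paths of text/HTML files whose names look like ransom notes."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered.endswith((".txt", ".html", ".hta")) and any(k in lowered for k in NOTE_KEYWORDS):
                notes.append(os.path.join(dirpath, name))
    return sorted(notes)


def extract_contacts(note_path):
    """Pull e-mail addresses and .onion hosts out of a ransom note (read-only)."""
    text = Path(note_path).read_text(errors="replace")
    return sorted({m.lower() for m in CONTACT_RE.findall(text)})


def build_report(root):
    """Assemble the facts the advisory says to note: extension, count, notes, contacts."""
    ext, count = suspected_extension(root)
    notes = find_ransom_notes(root)
    contacts = sorted({c for n in notes for c in extract_contacts(n)})
    return {"encrypted_extension": ext, "encrypted_count": count,
            "ransom_notes": notes, "attacker_contacts": contacts}


def make_sample_tree():
    """Create a constructed directory that imitates a post-encryption state."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    # Three encrypted documents, one untouched text file, one archive that must not be counted.
    for name in ("budget.xlsx.locked", "thesis.docx.locked", "photo.jpg.locked",
                 "notes.txt", "archive.tar.gz"):
        (docs / name).write_bytes(b"\x00constructed sample content\x00")
    # Constructed ransom note with placeholder contact details.
    (docs / "README_DECRYPT_FILES.txt").write_text(
        "Your files are encrypted. Contact support@example.invalid "
        "or visit abcdefghijklmnop234567.onion for instructions.\n")
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for key, value in build_report(sample).items():
        print(f"{key}: {value}")
```

Run it against a mounted image or a copied directory rather than live on the affected machine where possible; the point is to record the extension, the note paths and the contact strings alongside the photos before any cleanup, since those details are what law enforcement and decryptor lookups key on.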
Report the Incident
- Law Enforcement: In the U.S., report the attack to the FBI Internet Crime Complaint Center (IC3) or your local FBI field office.
- CISA: Report to the Cybersecurity and Infrastructure Security Agency (CISA) to help track and prevent future attacks.
- Legal Requirements: As of 2026, reporting may be a legal requirement for certain organizations under the Cyber Incident Reporting for Critical Infrastructure Act, often requiring notification within 24 to 72 hours.
Recovery Without Paying
- Do Not Pay: The FBI and security experts strongly advise against paying. Payment does not guarantee data recovery, funds criminal activity, and may violate sanctions laws if the recipient is a restricted entity.
- Check for Decryptors: Use an uninfected computer to visit the No More Ransom Project to see if a free decryption tool exists for your specific ransomware variant.
- Restore from Backups: The most effective recovery method is to wipe the infected system completely and restore your files from a clean, offline backup.
- Reset Passwords: Once the infection is cleared, reset all passwords for your accounts (email, banking, cloud storage) from a clean device, as your credentials may have been stolen during the attack.
