Ransomware encrypts or steals data and demands payment. Recovery success depends more on preparation than on heroics during the crisis.
Before an incident
- Isolated/immutable backups with tested restores
- EDR coverage and offline admin practices
- Documented contacts: IT partner, insurance, legal, leadership
- Clear decision rights (who can authorize major actions)
During an incident (high level)
- Contain — isolate affected systems carefully
- Preserve evidence — do not wipe everything immediately if investigation or insurance may need artifacts
- Identify scope — what is encrypted, what is exfiltrated, what still works
- Restore from known-good backups when safe
- Communicate factually to staff, customers, and regulators as advised by counsel
Paying ransom is a legal, financial, and operational decision—not a technical default. Involve counsel and insurance. Paying does not guarantee recovery or prevent data leaks.
Want this applied to your environment?
Book a free 15-minute review. For a structured baseline, ImpetraInsights™ delivers multi-framework scoring and an executive-ready report.