Ransomware attacks against North Carolina businesses are not slowing down. They are accelerating. Small and mid-sized companies have become the primary target because attackers know these organizations often lack the dedicated security staff and robust backup systems that make larger enterprises more resilient. When ransomware hits, every minute of indecision costs money. Having a clear, tested recovery plan is the difference between a manageable disruption and a business-ending catastrophe. This guide walks you through exactly what to do before, during, and after a ransomware attack.
Step 1: Isolate Immediately
The moment ransomware is detected or suspected, the first priority is containment. Disconnect affected machines from the network immediately by pulling Ethernet cables and disabling Wi-Fi. Do not power off the machines, as forensic evidence in memory could be critical later. If you cannot determine which machines are affected, disconnect entire network segments rather than risking lateral spread. Disable any VPN connections and remote access points to prevent the ransomware from reaching cloud resources or branch offices. Speed matters enormously here. Most modern ransomware strains are designed to spread across the network within minutes, encrypting file shares, backup repositories, and connected systems as they go. The faster you isolate, the less data you lose.
Step 2: Assess the Scope and Identify the Strain
Once containment is in place, determine the extent of the damage. Identify which systems are encrypted, which data is affected, and whether the ransomware has reached your backups. Document the ransom note, including the ransom amount, the cryptocurrency wallet address, the deadline, and any communication channels the attackers provide. Take screenshots of everything. Identifying the specific ransomware strain is critical because some older variants have known decryption keys available through resources like the No More Ransom project. Your IT provider or a forensic specialist can analyze the encrypted files, ransom note, and file extensions to identify the strain and determine whether a free decryption tool exists.
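The scope assessment described in this step can be started with a read-only scan of a file share, run from a clean workstation against a mounted copy. The following Python script is an added example written for this article; it is not PCG's tooling and not taken from any incident. It assumes two heuristics that are stated in the code: ransom notes are small text or HTML files whose names are built from words such as README, RECOVER or DECRYPT, and encrypted files have near-maximal byte entropy. The sample directory it builds is constructed data. The extension tally it produces (the suffix the ransomware appends, such as the assumed `.locked` in the sample) is one of the inputs a specialist uses to match the strain against resources like the No More Ransom project.

```python
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions for this example: ransom notes are usually small text/HTML files
# with names built from words like README, RECOVER, DECRYPT; encrypted data has
# near-maximal byte entropy. Both patterns are heuristics, not strain signatures.
RANSOM_NOTE_RE = re.compile(
    r"(readme|recover|restore|decrypt|how.?to).*\.(txt|html|hta)$", re.IGNORECASE
)
ENTROPY_THRESHOLD = 7.5     # bits per byte; random/encrypted data approaches 8.0
SAMPLE_BYTES = 64 * 1024    # only the first 64 KiB of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root) -> dict:
    """Read-only scan: collect ransom notes, flag likely-encrypted files and
    count the extensions they carry (the appended suffix often names the strain)."""
    root = Path(root)
    result = {"total_files": 0, "ransom_notes": [], "encrypted_files": [],
              "extension_counts": Counter()}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        result["total_files"] += 1
        rel = path.relative_to(root).as_posix()
        if RANSOM_NOTE_RE.search(path.name):
            result["ransom_notes"].append(rel)
            continue
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        # Caveat: compressed formats (zip, jpg, docx) also score high; confirm by
        # checking whether the file still opens in its native application.
        if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            result["encrypted_files"].append(rel)
            result["extension_counts"][path.suffix.lower()] += 1
    return result


def build_constructed_sample() -> Path:
    """Constructed test data (not from a real incident): two plain documents,
    two files overwritten with random bytes and renamed with a '.locked' suffix,
    and a ransom note in the share root."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    rng = random.Random(7)
    (root / "finance").mkdir()
    (root / "memo.txt").write_text("Quarterly planning memo. " * 200)
    (root / "finance" / "notes.txt").write_text("Vendor follow-ups for Q3. " * 200)
    for name in ("finance/budget.xlsx.locked", "finance/payroll.pdf.locked"):
        (root / name).write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "README_RECOVER.txt").write_text("constructed ransom note text")
    return root


if __name__ == "__main__":
    report = triage_tree(build_constructed_sample())
    print(f"files scanned: {report['total_files']}")
    print(f"ransom notes:  {report['ransom_notes']}")
    print(f"likely encrypted: {report['encrypted_files']}")
    print(f"extensions seen on encrypted files: {dict(report['extension_counts'])}")
```

The scan only reads files and never writes into the share, which matters because forensic specialists will want the affected volume unchanged; running it against a snapshot or an image rather than the live disk is the safer choice. Entropy alone cannot distinguish encrypted documents from legitimately compressed ones, so the flagged list is a starting inventory to confirm, not a final damage count.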
Step 3: Activate Your Incident Response Team
A ransomware event is not just an IT problem. It is a business crisis that requires coordinated response across multiple functions. Your incident response team should include IT leadership, executive management, legal counsel, communications or PR, and your cyber insurance carrier. Notify your insurance company immediately, because many policies require prompt notification and may provide access to breach coaches, forensic investigators, and legal experts at no additional cost. If you are in a regulated industry such as healthcare or finance, your legal team needs to evaluate notification obligations to regulators and affected individuals. Do not communicate about the incident over potentially compromised channels. Use personal cell phones, a separate email service, or a dedicated incident response communication platform.
Step 4: Evaluate Your Backup Situation
Your recovery options depend almost entirely on the state of your backups. If you have clean, recent, tested backups that were not connected to the compromised network, you can likely restore your systems without paying the ransom. Verify that your backup data is intact and not encrypted before beginning restoration. If your backups are compromised, incomplete, or so outdated that restoring them would result in significant data loss, you face a harder decision. This is why PCG emphasizes the 3-2-1 backup strategy with air-gapped or immutable backup copies. Businesses that maintain isolated backups recover from ransomware in days. Businesses without them face weeks of downtime and potentially permanent data loss.
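"Verify that your backup data is intact and not encrypted before beginning restoration" is only possible if something recorded what the backup looked like when it was taken. The Python below is an added example written for this article, not PCG's backup tooling: it writes a manifest of file sizes and SHA-256 digests at backup time and, before a restore, checks the backup set against it, refusing restoration if any recorded file is missing or changed or if an unrecorded file (such as a dropped ransom note) has appeared. The backup files, the tampering step and the note filename are constructed for the demonstration. The design assumption, stated in the code, is that the manifest is stored where the backup host cannot rewrite it.

```python
import hashlib
import json
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record size and SHA-256 of every file when the backup is taken. Keep the
    manifest off the backup host (offline or immutable storage) so an intruder
    who reaches the backup share cannot rewrite both the data and its record."""
    manifest = {}
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against its manifest before restoring from it."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(backup_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(backup_root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)   # e.g. a ransom note dropped into the share
        elif path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            report["modified"].append(rel)     # content changed since the backup was taken
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    # Restoration proceeds only when every recorded file is present and unchanged
    # and nothing has appeared that the manifest does not know about.
    report["safe_to_restore"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def build_constructed_backup() -> tuple:
    """Constructed backup set (not real data): three files plus the manifest
    that would have been written at backup time."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "db").mkdir()
    (root / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'Acme');\n" * 50)
    (root / "docs").mkdir()
    (root / "docs" / "contract.txt").write_text("Service agreement, revision 4.\n" * 20)
    (root / "config.json").write_text(json.dumps({"retention_days": 30}))
    return root, build_manifest(root)


def tamper_backup(root: Path) -> Path:
    """Simulate ransomware reaching the backup share: one file overwritten with
    random bytes and a note dropped in the root. Returns the same root."""
    rng = random.Random(3)
    (root / "db" / "customers.sql").write_bytes(bytes(rng.getrandbits(8) for _ in range(2048)))
    (root / "RECOVER_FILES.txt").write_text("constructed ransom note")
    return root


if __name__ == "__main__":
    root, manifest = build_constructed_backup()
    print("clean set safe to restore:", verify_backup(root, manifest)["safe_to_restore"])
    report = verify_backup(tamper_backup(root), manifest)
    print("after tampering:", {k: v for k, v in report.items() if k != "ok"})
```

A manifest check detects tampering; it does not undo it, which is why it complements rather than replaces the air-gapped or immutable copy in the 3-2-1 strategy. If the manifest lives on the same share as the data, an attacker who encrypts the backups can simply regenerate it, so write it to write-once storage or sign it with a key the backup host never holds. Running the check against every backup generation during routine testing, not only after an incident, is what turns "we have backups" into "we have verified we can restore".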
Step 5: Restore Systems Methodically
Do not rush the restoration process. Before restoring anything, ensure the ransomware has been completely eradicated from your environment. Rebuild compromised systems from clean images rather than attempting to clean infected machines, because ransomware often installs persistent backdoors that survive basic cleanup attempts. Prioritize restoration based on business criticality: bring up essential systems like email, core business applications, and customer-facing services first. Restore data from verified clean backups and validate the integrity of each restored system before connecting it back to the production network. Throughout this process, monitor intensively for any signs of reinfection or lingering attacker presence.
Should You Pay the Ransom?
This is the question every ransomware victim faces, and there is no universally right answer. The FBI and most cybersecurity experts advise against paying because payment funds criminal operations, there is no guarantee you will receive a working decryption key, and paying marks your organization as a willing target for future attacks. However, businesses facing permanent loss of irreplaceable data and no viable backup may view payment as the least bad option. If you are considering payment, involve your legal counsel and cyber insurance carrier in the decision. Some insurance policies cover ransom payments, and your carrier's incident response team may have experience negotiating with specific ransomware groups. Whatever you decide, report the attack to the FBI's Internet Crime Complaint Center and your local FBI field office.
Post-Recovery: Hardening Your Defenses
After the immediate crisis is resolved, conduct a thorough post-incident review. How did the attacker get in? What controls failed? Where could detection have been faster? Use the answers to build a remediation roadmap that addresses the root cause and closes the gaps that allowed the attack to succeed. Common improvements include implementing endpoint detection and response, upgrading to immutable backups, deploying network segmentation, tightening email security, enhancing employee training, and engaging 24/7 SOC monitoring. The goal is to ensure that if an attacker tries again, they face a fundamentally different, much harder target.
Building Your Plan Before You Need It
The worst time to create a ransomware recovery plan is during an active attack. The best time is right now. PCG helps North Carolina businesses develop, document, and test incident response plans that cover ransomware and other cyber threats. Our approach includes establishing backup strategies that guarantee recoverability, deploying monitoring that detects ransomware in its earliest stages, and running tabletop exercises that train your team to respond under pressure. If you do not have a plan in place today, schedule a conversation with our team to start building one.