Ransomware Hit Our Business: What to Do Right Now
- April 6, 2026
- Posted by: Gradeon
- Category: Cyber Security

If ransomware has hit your business, the next few hours matter more than anything else. The decisions you make now will determine how quickly you recover, how much data you lose, and what your legal obligations require you to do.
This guide gives you the immediate steps to take, in the correct order, based on NCSC guidance and UK incident response practice.
Do Not Pay the Ransom: Read This First
The NCSC, UK law enforcement, and the National Crime Agency all advise against paying ransomware demands. Paying does not guarantee you will get your data back. It funds criminal organisations and marks your business as a willing payer, increasing the likelihood of future attacks.
If your organisation has already been impacted, it is critical to understand the correct response steps. Before making any decision, review this detailed guide on what to do if ransomware hits your business to ensure you are following the right incident response process.
Even businesses that do pay frequently find their data was already exfiltrated before encryption, that decryption tools provided by attackers are unreliable, and that their systems remain compromised after payment.
Do not pay until you have exhausted all other options and taken specialist legal advice.
Immediate Steps: First 30 Minutes
Speed matters here. Every minute of inaction allows ransomware to spread further across your network.
1. Disconnect infected devices immediately
Pull the network cable. Turn off Wi-Fi on affected machines. Disconnect from any shared drives or cloud sync services. Do not shut the devices down: forensic evidence held in memory is lost on power-off and may be needed later.
2. Isolate your network
If the attack appears widespread, consider disabling your core network switches and disconnecting from the internet at the router or firewall level. This is disruptive, but it stops lateral spread to unaffected systems.
3. Do not wipe anything yet
Resist the urge to immediately reinstall systems. Forensic analysis of infected machines may be required by your insurer, by law enforcement, or by an incident response specialist. Wiping evidence too early can void insurance claims and obstruct investigation.
4. Alert your IT team or security provider
If you have a managed security provider or an incident response retainer, activate it now. If you do not, contact the NCSC’s cyber incident reporting service at report.ncsc.gov.uk and consider engaging a CREST-certified incident response firm immediately.
5. Document everything
Write down what you saw, when you saw it, which machines are affected, and what actions you have taken so far. Time-stamped notes matter significantly in insurance claims, regulatory notifications, and legal proceedings.
Next Steps: First 2 to 4 Hours
Once containment is underway, shift to assessment and notification.
Assess the scope
Work with your IT team or incident response provider to understand which systems are affected, whether data has been exfiltrated as well as encrypted, whether backups are intact and uncompromised, and how the ransomware entered your environment.
Check your backups immediately
Your recovery timeline depends entirely on whether you have clean, recent backups that were stored offline or in a separate environment the ransomware could not reach. If backups are compromised or nonexistent, recovery becomes significantly more complex and expensive.
Scan any backup before connecting it to a clean system. Ransomware frequently infiltrates networks weeks before activating, meaning backups taken during that window may also be infected.
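One practical way to check that a backup set is intact before it touches a clean system is to compare it against a hash manifest written when the backup was taken and stored separately. The script below is an added example, not code from the original article or from Gradeon; it assumes such a manifest exists, and every file name and content in it is constructed. It flags files that have been overwritten (for instance with ciphertext), files that have gone missing, and files that were never part of the backup. It complements an anti-malware scan of the media rather than replacing one.

```python
"""Backup integrity check against a known-good hash manifest.

Added example, not code from the original article. It assumes a SHA-256
manifest was written when the backup was taken and kept separately from the
backup media (offline or on another system), so that files the ransomware
encrypted, deleted or dropped show up as differences before the backup is
connected to a clean machine. It complements an anti-malware scan; it does
not replace one. All file names and contents below are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict:
    """Compare the backup set on disk with the known-good manifest.

    modified:   present in both but hash differs (e.g. overwritten with ciphertext)
    missing:    in the manifest but gone from the backup set
    unexpected: on the media but never in the manifest (e.g. a dropped note)
    """
    current = build_manifest(root)
    modified = sorted(f for f, h in manifest.items() if f in current and current[f] != h)
    missing = sorted(f for f in manifest if f not in current)
    unexpected = sorted(f for f in current if f not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Run the check on a constructed backup set, before and after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "accounts.csv").write_text("invoice,amount\n1001,250.00\n")
        (root / "docs" / "contracts.txt").write_text("client agreement v3\n")
        (root / "config.ini").write_text("[backup]\nschedule=nightly\n")

        manifest = build_manifest(root)   # taken at backup time, stored offline
        clean = verify_backup(root, manifest)

        # Constructed tampering: one file overwritten with junk bytes, one removed,
        # one unexpected file dropped on the media.
        (root / "docs" / "accounts.csv").write_bytes(b"\x8f\x03\xa2\x77\x10\xbe")
        (root / "docs" / "contracts.txt").unlink()
        (root / "NOTE.txt").write_text("constructed sample of an unexpected file\n")
        tampered = verify_backup(root, manifest)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the manifest must be produced at backup time and kept where the ransomware cannot reach it; a manifest generated from the backup after the incident proves nothing. A backup whose report is not `ok` should be treated as suspect until the differences are explained.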
Notify your cyber insurer
If you hold cyber insurance, notify your insurer as early as possible. Most policies require prompt notification and give the insurer the right to direct remediation through their approved incident response partners. Engaging outside help before notifying your insurer can jeopardise your claim.
Identify your legal reporting obligations
Under UK GDPR, if personal data has been accessed, exfiltrated, or destroyed as part of the attack, you have 72 hours from becoming aware of the breach to notify the ICO, unless the breach is unlikely to result in a risk to individuals. This clock starts when you first became aware, not when you fully understand the scope.
If you operate under PCI DSS and cardholder data may be involved, your acquiring bank must be notified promptly and a forensic investigation may be required.
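The "Document everything" step in the first 30 minutes and the 72-hour ICO clock above fit together: the earliest time-stamped entry in your record is the moment you became aware, and the deadline follows from it. The script below is an added example, not code from the original article or from Gradeon. It keeps a chronological, exportable incident record and derives the ICO deadline from the earliest event; the hostnames, people and times in it are constructed sample data.

```python
"""Incident timeline recorder with the UK GDPR 72-hour ICO notification clock.

Added example, not code from the original article. It keeps the time-stamped
record the "Document everything" step asks for and derives the ICO deadline
from the earliest recorded event, since the 72-hour window starts when you
first became aware of the breach, not when the scope is understood. The
hostnames, people and times are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ICO_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Entry:
    when: datetime          # timezone-aware
    actor: str              # who did or saw it
    action: str             # what happened or what was done
    hosts: list[str] = field(default_factory=list)


@dataclass
class IncidentLog:
    entries: list[Entry] = field(default_factory=list)

    def record(self, when: datetime, actor: str, action: str, hosts=()) -> Entry:
        if when.tzinfo is None:
            raise ValueError("use timezone-aware timestamps so the record is unambiguous")
        entry = Entry(when, actor, action, list(hosts))
        self.entries.append(entry)
        return entry

    def aware_at(self) -> datetime:
        """Moment of first awareness: the earliest recorded event."""
        if not self.entries:
            raise ValueError("no events recorded yet")
        return min(e.when for e in self.entries)

    def ico_deadline(self) -> datetime:
        return self.aware_at() + ICO_NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left to notify the ICO; negative once the window has passed."""
        return (self.ico_deadline() - now).total_seconds() / 3600

    def affected_hosts(self) -> set[str]:
        return {h for e in self.entries for h in e.hosts}

    def to_records(self) -> list[dict]:
        """Chronological, serialisable view for insurer, regulator or legal use."""
        return [
            {"when": e.when.isoformat(), "actor": e.actor, "action": e.action, "hosts": e.hosts}
            for e in sorted(self.entries, key=lambda e: e.when)
        ]


def build_sample_log() -> IncidentLog:
    """Constructed timeline for a fictional incident; entries are deliberately
    recorded out of order to show that to_records() sorts them."""
    log = IncidentLog()
    t0 = datetime(2026, 4, 6, 8, 15, tzinfo=timezone.utc)
    log.record(t0 + timedelta(minutes=5), "it-lead",
               "Network cables pulled on FILE-01 and WS-17; devices left powered on",
               ["FILE-01", "WS-17"])
    log.record(t0, "helpdesk", "Ransom note seen on FILE-01; ticket opened", ["FILE-01"])
    log.record(t0 + timedelta(minutes=20), "it-lead", "Internet link disconnected at the firewall")
    log.record(t0 + timedelta(minutes=55), "ops-manager", "Cyber insurer notified; claim reference recorded")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("ICO deadline:", log.ico_deadline().isoformat())
    for rec in log.to_records():
        print(rec["when"], rec["actor"], rec["action"])
```

Timestamps are required to be timezone-aware so that a record kept during a long incident cannot be misread later; the deadline is computed from the data rather than typed in, so it cannot drift if someone edits an early entry.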
Recovery: Days 1 to 7
Rebuild from clean backups
Before restoring any backup, verify it is free from malware. Only connect backup media to systems you are confident are clean. The NCSC guidance is clear: restore only when you are very confident both the backup and the device receiving it are uncompromised.
Rebuild compromised systems from scratch
In most cases, do not attempt to clean and reuse infected systems. Reinstall the operating system from a known-good image. Restore data from verified clean backups. Rebuild configurations from documented baselines.
Reset all credentials
Reset passwords for every account, particularly administrator accounts, service accounts, and any cloud services that were accessible from compromised systems. Enable multi-factor authentication everywhere it is not already active.
Patch the entry point
Before reconnecting anything to the internet, identify and remediate the vulnerability that allowed the ransomware to enter. Common entry points include exposed or unpatched Remote Desktop Protocol (RDP) services, phishing emails, and vulnerable VPN appliances.
Communicate with staff, clients, and stakeholders
Prepare a brief, factual communication for your team explaining what happened, what you are doing, and what they should or should not do. If client data was involved, legal advice on client notification is essential before any communication goes out.
After the Incident: Prevent Recurrence
Once systems are restored, the work is not finished.
Conduct a post-incident review to understand how the attack entered, how it spread, and what slowed your response. Every gap you identify is a gap you can close before the next attempt.
This is also the point at which the case for every UK business having a tested cybersecurity incident response plan in place becomes impossible to argue against. Businesses that had a plan, tested backups, and a retained incident response provider recovered in days. Businesses without these fundamentals in place took weeks, or did not recover at all.
If your business does not currently have a formal incident response plan, the priority after recovery is building one. Understanding the hidden risk UK businesses face without a cyber business continuity strategy is often the lesson organisations take away from a ransomware attack that could have been avoided.
Key UK Contacts During a Ransomware Incident
| Organisation | When to Contact | How |
|---|---|---|
| NCSC | Report the incident and get guidance | report.ncsc.gov.uk |
| Action Fraud | Report as a cybercrime | actionfraud.police.uk |
| ICO | If personal data was breached (within 72 hours) | ico.org.uk |
| Your cyber insurer | Immediately, before engaging IR firms | Your policy documents |
| CREST-certified IR firm | If you need specialist recovery support | crest-approved.org |
Frequently Asked Questions
Should we pay the ransom if we have no backups?
The NCSC advises against payment in all cases. Payment does not guarantee recovery, funds criminal groups, and makes your business a repeat target. Exhaust all free decryption resources at nomoreransom.org and take legal advice before considering payment.
Do we have to report a ransomware attack to the ICO?
Only if personal data was accessed, lost, or destroyed. If that is the case, you have 72 hours from becoming aware of the breach to notify the ICO under UK GDPR.
How long does ransomware recovery take for a UK SME?
With clean, offline backups and a rehearsed incident response plan, recovery can take 2 to 5 days. Without backups or a plan, recovery commonly takes 3 to 6 weeks and may be incomplete.
Can we recover files without paying the ransom?
Sometimes. The No More Ransom Project at nomoreransom.org provides free decryption tools for certain ransomware variants. A CREST-certified incident response firm can assess whether decryption is possible for your specific variant.
How did ransomware get into our network?
The most common UK entry points are phishing emails that delivered malware or harvested credentials, exposed Remote Desktop Protocol (RDP) connections, unpatched VPN appliances, and compromised third-party access. Forensic analysis of the incident will identify the specific vector.
What should we do differently after recovering from ransomware?
Start with building a cyber incident response plan that meets UK regulations before an attack happens again, ensure backups are offline and tested regularly, enable MFA on all accounts, and patch all internet-facing systems on a regular cycle.