Ransomware Survival Guide: What to Do Before, During, and After an Attack
Ransomware attacks are hitting businesses of every size. Here's the survival guide — prevention, response, and recovery — from a firm that has led dozens of incidents.
Ransomware is no longer a headline problem for Fortune 500 companies. It's hitting dental offices, regional law firms, manufacturing plants, and logistics companies every day. The attackers are automated, efficient, and increasingly sophisticated. The businesses that survive with minimal damage are the ones that prepared before the call came in.
This is that guide.
Before: The Controls That Matter
Most ransomware attacks don't exploit cutting-edge zero-days — they exploit basic security gaps. The controls that prevent the majority of ransomware incidents are well-understood and achievable for businesses of any size.
Multi-Factor Authentication (MFA). An enormous percentage of ransomware incidents begin with a stolen credential. MFA breaks that chain. Enforce it everywhere — email, VPNs, remote desktop, cloud services, and especially administrative accounts. No exceptions for executives.
Endpoint Protection. Modern Endpoint Detection and Response (EDR) tools actively monitor behavior on devices, not just signatures of known malware. They can detect ransomware behavior mid-execution and quarantine a device before encryption spreads. Legacy antivirus is not sufficient.
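To make the "behavior, not signatures" distinction concrete, here is an added example (not from the article, and not any EDR vendor's logic) of a minimal behavioural heuristic run over a constructed file-event log: it flags a process that renames many files to a new extension, across several folders, within a few seconds. The event format, thresholds and process names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Thresholds are assumed for this example, not vendor defaults.
WINDOW = timedelta(seconds=10)   # burst window
MIN_RENAMES = 20                 # extension-changing renames inside the window
MIN_DIRS = 3                     # spread across at least this many folders


def ext_changed(src, dst):
    """True when a rename changes the file extension (e.g. .xlsx -> .locked)."""
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def flag_encryptors(events):
    """events: iterable of (iso_ts, pid, image, op, src_path, dst_path).
    Returns {(pid, image): largest burst size} for processes matching the pattern."""
    per_proc = defaultdict(list)
    for ts, pid, image, op, src, dst in events:
        if op == "rename" and dst and ext_changed(src, dst):
            per_proc[(pid, image)].append((datetime.fromisoformat(ts), PureWindowsPath(src).parent))
    flagged = {}
    for key, items in per_proc.items():
        items.sort()
        start = 0
        for end in range(len(items)):            # sliding window over the sorted renames
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            burst = items[start:end + 1]
            if len(burst) >= MIN_RENAMES and len({d for _, d in burst}) >= MIN_DIRS:
                flagged[key] = max(flagged.get(key, 0), len(burst))
    return flagged


def build_sample_events():
    """Constructed log: one ordinary Office save, then a synthetic encryption burst."""
    ev = [("2024-05-01T09:00:00", 4120, "WINWORD.EXE", "write", r"C:\Users\amy\Docs\q1.docx", None),
          ("2024-05-01T09:00:01", 4120, "WINWORD.EXE", "rename",
           r"C:\Users\amy\Docs\~WRL0001.tmp", r"C:\Users\amy\Docs\q1.docx")]
    t0 = datetime(2024, 5, 1, 9, 5, 0)
    folders = [r"C:\Users\amy\Docs", r"C:\Users\amy\Pictures", r"\\fileserver\finance", r"C:\Users\amy\Desktop"]
    for i in range(40):  # 40 renames, 150 ms apart, over 4 folders: 6 s in total
        src = fr"{folders[i % 4]}\file{i}.xlsx"
        ev.append(((t0 + timedelta(milliseconds=150 * i)).isoformat(), 9911, "unsigned_tool.exe",
                   "rename", src, src + ".locked"))
    return ev


if __name__ == "__main__":
    print(flag_encryptors(build_sample_events()))  # only the burst process is flagged
```

The single .tmp-to-.docx rename by Word is ignored by the thresholds, which is the point: a signature-free rule keyed on rate and spread separates normal saves from mass encryption.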
Patch Management. Ransomware operators actively scan for and exploit known vulnerabilities — particularly in remote access tools, VPNs, and public-facing systems. A rigorous patching cadence, especially for internet-exposed systems, closes the doors attackers rely on.
RDP Security. Remote Desktop Protocol (RDP) exposed to the internet is an extremely common ransomware entry point. If RDP must be used, it should be behind a VPN or Zero Trust access layer, never exposed directly, with MFA enforced.
Backup Strategy. Three copies of data, two different media types, one offsite — the classic 3-2-1 rule. Critically: backups must be immutable or air-gapped. Ransomware operators now routinely encrypt or delete accessible backups before triggering the main payload. If your backup can be reached by the same account that runs your servers, it's not safe.
During: The First 24 Hours
The first hours of a ransomware incident are the most consequential. What you do — and don't do — in this window determines how bad the outcome will be.
Isolate immediately. The moment ransomware is detected, disconnect affected systems from the network. Unplug Ethernet cables, disable Wi-Fi, and power off network switches if necessary. The goal is to stop lateral spread — ransomware actively propagates across connected systems. Speed matters more than understanding at this stage.
Don't pay yet. The ransom note will create urgency and pressure. Resist it. Payment doesn't guarantee decryption, doesn't guarantee your data won't be published, and in some cases may involve sanctions risk. Before any payment decision is made, you need your incident response team assessing options.
Call your IR team. If you have a relationship with an incident response firm, call them immediately. If you don't, get one on the phone now. The first hours are critical for forensics — logs get overwritten, evidence disappears. An experienced IR team will know exactly what to preserve and how.
Preserve evidence. Don't wipe and rebuild immediately. Forensic images of affected systems, preserved logs, and network traffic captures are essential for understanding what happened and what was exfiltrated, and for meeting regulatory notification obligations.
Notify leadership and legal. A ransomware incident is likely a regulatory event — HIPAA, state breach notification laws, and sector-specific regulations may require disclosure. Get legal counsel involved early.
After: Recovery and Root Cause
Recovery isn't just getting systems back online — it's rebuilding securely and understanding what went wrong.
Restore from clean backups. Verify backups are uninfected before restoration. Restoring a compromised backup re-introduces the attacker. This is where good backup hygiene pays off.
Root cause analysis. How did the attacker get in? What did they access before triggering the ransom? This isn't academic — it's how you prevent the same attack next month. Many businesses that pay ransom and restore from backup get hit again through the same vector within weeks.
Regulatory obligations. Depending on your industry and the data involved, you may have breach notification obligations within 72 hours (GDPR), 30 days (HIPAA), or other timelines. Your legal team should be driving this, but your IR firm should have the forensic timeline ready.
The Double-Extortion Reality
Modern ransomware groups don't just encrypt your data — they exfiltrate it first. Before triggering encryption, attackers spend days or weeks inside the network quietly copying sensitive data: client information, financials, employee records, intellectual property.
This means even if you restore perfectly from backup, you still face the threat of your data being published on a leak site unless you pay. This is why backups alone are not a ransomware strategy. You need detection controls that catch the attacker during the pre-encryption dwell time — before they've already stolen everything.
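As an added example of the kind of pre-encryption detection the paragraph calls for (not code from the article or from TrustPoint), the function below reads constructed outbound flow-log lines and flags a host whose daily outbound volume jumps far above its own median on other days, reporting the destination that carried most of it and whether that destination was previously unseen. The log line format, ratio and byte thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed flow-log line format: "<iso ts> <src ip> -> <dst ip>:<port> bytes=<n>"
LINE = re.compile(r"^(\S+T\S+) (\S+) -> (\S+):(\d+) bytes=(\d+)$")


def parse(lines):
    """Yield (day, src, dst, port, bytes) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, src, dst, port, nbytes = m.groups()
            yield ts[:10], src, dst, int(port), int(nbytes)


def exfil_candidates(lines, ratio=10.0, min_bytes=500_000_000):
    """Flag (host, day) where outbound bytes are at least `ratio` x the host's median
    on its other days and at least `min_bytes`. A host with no other days falls back to a
    baseline of 1 byte, so the absolute floor alone decides."""
    daily = defaultdict(lambda: defaultdict(int))    # host -> day -> bytes
    per_dst = defaultdict(lambda: defaultdict(int))  # (host, day) -> dst -> bytes
    first_seen = {}                                  # (host, dst) -> first day observed
    for day, src, dst, port, nbytes in parse(lines):
        daily[src][day] += nbytes
        per_dst[(src, day)][dst] += nbytes
        first_seen.setdefault((src, dst), day)
    findings = []
    for host, days in daily.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if total >= min_bytes and total >= ratio * max(baseline, 1):
                top_dst, _ = max(per_dst[(host, day)].items(), key=lambda kv: kv[1])
                findings.append({"host": host, "day": day, "bytes": total, "top_dst": top_dst,
                                 "new_dst": first_seen[(host, top_dst)] == day})
    return findings


# Constructed sample: three quiet days, then a 4.5 GB transfer at 02:13 to a never-seen address.
SAMPLE_LOG = """\
2024-04-28T10:02:11 10.0.5.23 -> 198.51.100.10:443 bytes=31000000
2024-04-29T10:05:44 10.0.5.23 -> 198.51.100.10:443 bytes=28000000
2024-04-30T09:58:03 10.0.5.23 -> 198.51.100.10:443 bytes=33000000
2024-05-01T02:13:00 10.0.5.23 -> 203.0.113.40:443 bytes=4500000000
2024-05-01T10:01:19 10.0.5.23 -> 198.51.100.10:443 bytes=30000000
2024-04-28T11:00:00 10.0.5.40 -> 198.51.100.10:443 bytes=20000000
2024-04-29T11:00:00 10.0.5.40 -> 198.51.100.10:443 bytes=22000000
2024-04-30T11:00:00 10.0.5.40 -> 198.51.100.10:443 bytes=21000000
2024-05-01T11:00:00 10.0.5.40 -> 198.51.100.10:443 bytes=23000000
""".splitlines()

if __name__ == "__main__":
    for f in exfil_candidates(SAMPLE_LOG):
        print(f)
```

Volume against a per-host baseline is deliberately simple; in practice it pairs with off-hours timing and destination reputation, but even this rule fires days before any ransom note appears in the sample.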
TrustPoint Cyber has led incident response across dozens of ransomware engagements. The firms that fare best are the ones that prepared before the incident — not the ones scrambling to build a response plan at 2am when systems are already down.
If you haven't tested your ransomware readiness, the time to start is now. Contact TrustPoint for a no-pressure assessment.