If this is happening right now
Disconnect affected machines from the network (unplug cable / kill WiFi) but do NOT power them off. Don't wipe anything, don't pay anything, don't negotiate yet. Call an incident responder — we answer 24/7 at (778) 775-4535 — and start a written timeline of everything you observe and do.
Hour zero: contain without destroying evidence
\n- \n
- Isolate infected machines from the network — pull the cable or disable WiFi. Do not shut them down: memory contains evidence and, for some ransomware families, the encryption keys. \n
- Disable the VPN and remote access at the firewall — attackers frequently maintain access alongside the encryption. \n
- Check whether encryption is still spreading: are new files being renamed right now? If yes, isolating the file server stops the bleeding fastest. \n
- Start a timeline document: what you saw, when, and every action taken. Insurers and investigators will need it. \n
The backup moment of truth
\nEverything now depends on one question: do you have backups the attacker couldn\'t reach? Ransomware crews deliberately hunt and encrypt backups first — connected USB drives, mapped network backup shares, and cloud sync (which faithfully synced your encrypted files over the good ones) all typically die with the primary data.
\nWhat survives: offline copies, immutable cloud backups that can\'t be altered even with admin credentials, and properly isolated backup systems. Verify restores on an isolated machine before trusting anything. This is why our backup service is built around the 3-2-1 rule with immutability and scheduled restore tests — the discipline only matters on this exact day.
\n\nShould you pay? The honest answer
\nPaying is a last resort with terrible economics: roughly a quarter of payers never get working decryption, recovered data is often partially corrupted, and payment marks you as a proven payer for repeat attacks. It may also have legal implications if the crew is sanctioned.
\nBut the decision is situational — it depends on what your backups actually restore, what the data is worth, and what downtime costs per day. Make it with an incident responder and, if you have cyber insurance, your insurer (call them early; most policies require it and many provide response resources).
\n\nRecovery: rebuild, don\'t just restore
\nThe attacker got in somehow — usually a phished credential, an exposed remote desktop, or an unpatched firewall or VPN. Restoring data without closing the door means round two. Real recovery pairs restoration with a hardening pass: rotate every credential, enforce MFA everywhere, patch the entry point, and rebuild (not just scan) compromised machines.
\nThen the report: what happened, what it cost, what changed. In BC, if personal information was accessed, PIPA and PIPEDA breach notification duties may apply — get advice on this early, not after.
\n\nThe prevention shortlist that actually stops these
\n- \n
- MFA on email, VPN, and every admin account — this alone kills most incidents at step one. \n
- Immutable, tested backups with an offline or logically isolated copy. \n
- Patched, supported firewall and VPN (exploited edge devices are a top entry point). \n
- Endpoint detection with someone actually watching the alerts. \n
- A one-page incident plan: who to call, where backups live, who can approve decisions after hours. \n
None of this is exotic. It\'s the baseline in our managed security service — and every item costs less than one day of the incident it prevents.
\n\n