
What to Do After a Ransomware Attack

One morning your desktop starts showing strange file names, nothing opens properly, and a message appears demanding payment in cryptocurrency. If you are wondering what to do after a ransomware attack, the first few minutes matter more than most people realise. The wrong move can spread the problem further, wipe out clean backups, or make recovery harder than it needs to be.

Ransomware is designed to create panic. That is part of how it works. Whether it hits a home PC full of family photos or a small business machine holding invoices, client files and email archives, the pressure feels immediate. The good news is that there is a practical way to respond, and staying calm gives you the best chance of limiting the damage.

What to Do After a Ransomware Attack: First Steps

The first job is to isolate the affected computer straight away. Disconnect it from Wi-Fi, unplug any network cable, and remove connected storage such as USB drives or external hard drives. If the machine is on a shared home or office network, this can stop the ransomware from reaching other Windows PCs, mapped drives or shared folders.

Next, do not start clicking around to test what still works. It is tempting to open files, restart the PC a few times, or plug in backup drives to check copies. That can make things worse. Some ransomware variants continue encrypting in the background, and others look for newly attached storage.

If more than one computer is acting strangely, treat it as a network issue rather than a single machine problem. Disconnect other affected systems as well. In a small business, this may include reception PCs, laptops used from home, and any shared NAS or server-style storage. In a home setup, it might be the main family desktop and a second laptop that shares folders over the network.

Then take note of what you can see without interacting too much. Photograph the ransom note on screen, note any file extensions that have changed, and write down roughly when the problem was first noticed. That information can help a technician work out the likely strain and assess what recovery options exist.

Should You Pay the Ransom?

Most people ask this straight away, and the honest answer is that paying is risky. There is no guarantee you will get your files back. Even if a payment leads to a decryption tool, it may not fully restore everything, and it may leave malware or backdoors behind. For a small business under pressure, especially if critical records are locked, the choice can feel less clear-cut. But paying should never be treated as the quick fix.

There is also a broader problem. Payment can encourage further attacks, and systems that have been compromised may still be unsafe afterwards. If the machine is going back into daily use, the focus needs to be on proper cleanup, not just file access.

For home users and smaller workplaces, it is usually better to assess backup options, recovery possibilities and the condition of the system before making any decision. A rushed payment often comes from panic rather than evidence.

Check Your Backups Carefully

Backups can be the difference between a serious disruption and a full-scale disaster, but they need to be checked properly. Do not connect your normal backup drive to the infected computer to see what is on it. If that drive has not already been affected, plugging it in could put it at risk.

Instead, verify backups from a clean device if possible. Look for copies stored offline, in versioned cloud backups, or on external drives that were not permanently connected. A good backup is not just present – it is recent enough to matter and clean enough to restore from safely.

This is where real-world trade-offs come in. Some people have a backup, but it is six months old. A business might have cloud sync, but synced folders may already contain encrypted versions of files. That does not mean recovery is impossible, but it does mean expectations need to be realistic. Sometimes the goal is full restoration. Sometimes it is saving the most important documents and rebuilding the rest.
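One way to carry out that check from a clean device, as an added example that is not part of the original article: a read-only Python scan of a backup folder that flags files whose opening bytes do not match their extension, or whose extension is unfamiliar and whose content looks random. The function names, the 7.9 entropy threshold and the sample file names (including `.locked`) are assumptions made for illustration.

```python
import math, os, pathlib, sys, tempfile
from collections import Counter

# First bytes that genuine files of these types start with.
ZIP = b"PK\x03\x04"
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".docx": ZIP, ".xlsx": ZIP, ".zip": ZIP}

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_file(path, sample=65536):
    """Return why a file looks encrypted or renamed, or None if it looks fine."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:  # opened read-only; the backup is never modified
        head = f.read(sample)
    if ext in MAGIC:
        return None if head.startswith(MAGIC[ext]) else "header does not match " + ext
    if len(head) >= 4096 and entropy(head) > 7.9:  # assumed threshold
        return "unrecognised extension %s, content looks random" % ext
    return None

def scan_backup(root):
    """Walk a backup folder and map relative path -> reason for each suspect file."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                reason = check_file(path)
            except OSError as err:
                reason = "unreadable: %s" % err
            if reason:
                findings[os.path.relpath(path, root)] = reason
    return findings

def demo():  # builds a small constructed backup folder and scans it
    scrambled = bytes(range(256)) * 64  # constructed stand-in for encrypted content
    samples = {"report.pdf": b"%PDF-1.7\n" + b"text " * 2000,
               "notes.txt": b"shopping list\n" * 500,
               "photo.jpg": scrambled,            # name kept, content replaced
               "invoice.docx.locked": scrambled}  # constructed extra extension
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            pathlib.Path(root, name).write_bytes(data)
        return scan_backup(root)

if __name__ == "__main__":
    print(scan_backup(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Compressed or media files with extensions outside the table (for example `.7z` or `.mp4`) also look random, so treat a finding as a prompt to open that file on the clean device, not as proof of encryption.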

Don’t Trust the Computer Yet

A ransomware screen is only part of the picture. The bigger issue is that the computer has already been compromised. The infection may have arrived through a fake email attachment, a malicious download, a weak remote access setup, or another piece of malware that opened the door first. Even if the visible ransom note disappears, that does not mean the system is safe.

For that reason, using the machine for online banking, email, payroll or customer records before it has been properly assessed is a bad idea. Passwords used on that device should be treated as exposed, especially for email accounts, Microsoft accounts, cloud storage, remote desktop access and business logins.

Change passwords from a different, clean device. Start with email, because email access can be used to reset everything else. Then move to banking, business software, cloud platforms and any saved logins you know were used on the infected computer.

Reporting the Attack

Reporting may feel like a waste of time when all you want is your files back, but it can still be worthwhile. Small businesses may have privacy or reporting obligations depending on the type of information stored. If customer data, staff records or financial documents may have been accessed, not just encrypted, you may need further advice about what comes next.

Even for home users, keeping a record of the incident matters. Save photos of messages, file names and affected folders. If money has been demanded, retain the details but do not engage more than necessary. If there is any suspicion of fraud, identity theft or wider compromise, this record becomes useful later.

Recovery Usually Means Rebuild, Not Just Remove

When people think about virus removal, they often picture cleaning the infection and carrying on. With ransomware, the safer path is often more thorough. That may mean wiping the drive, reinstalling Windows, updating everything properly, and restoring clean files from backup. It is more work, but it leaves less doubt about what remains on the machine.

There are cases where targeted cleanup and file recovery tools can help, especially if the ransomware failed partway through or a known decryptor exists. But that depends entirely on the strain involved. Some are recoverable in limited ways. Many are not. Anyone promising guaranteed decryption without first identifying the infection should be treated cautiously.

A proper recovery plan usually includes checking whether the hard drive itself is healthy, confirming backups are safe to use, reinstalling Windows if needed, restoring data in stages, and making sure security updates and protection tools are current before the PC goes back online.

What Small Businesses Should Do Differently

For a small business, the response needs to go beyond the affected computer. If one workstation is hit, look at shared folders, email accounts, remote access tools and any staff devices that connect to the same environment. What seems like one infected PC can actually be a broader security problem.

This is also the time to pause automatic habits. Do not let staff keep using shared drives until you know what has happened. Do not assume your cloud storage is fine because it still opens. And do not forget printers, routers and network storage, especially in small offices where equipment has been set up over time and nobody has reviewed it recently.

If you need the business operating again quickly, practical triage matters. Work out which systems are essential for trading today, which files are absolutely critical, and which machines can stay offline until they are checked properly. That approach reduces downtime without taking unnecessary risks.

How to Reduce the Chance of It Happening Again

After the immediate crisis, prevention becomes the next job. Ransomware often succeeds because of a few common gaps rather than one dramatic failure. Old software, weak passwords, poor backups, staff clicking fake attachments, and remote access left exposed are regular culprits.

For home users, the basics go a long way: keep Windows updated, use reputable security protection, be careful with unexpected attachments, and maintain backups that are not always connected to the PC. For small businesses, the standard needs to be a bit stronger. Multi-factor authentication, controlled user permissions, proper backup testing and sensible remote access settings all help.

This is where local, hands-on support can make a real difference. A lot of ransomware recovery is not about fancy theory. It is about checking each affected machine, working out what can be saved, rebuilding safely, and making sure the same weak point is not left open for next time.

When to Get Help

If the computer contains anything important, and most do, it is worth getting professional advice early. The biggest mistakes usually happen in the first hour: reconnecting devices, plugging in backups, paying too fast, or continuing to use a compromised system as if it is only a minor glitch.

For people around southern Adelaide, that often means getting a local technician involved quickly so the damage can be contained before it spreads across more devices or shared storage. Southern Computer Services SA regularly helps with infected Windows PCs, data recovery situations and rebuilds after serious malware issues, and the earlier that process starts, the better the options usually are.

A ransomware attack feels personal because it interrupts real life. School files, business accounts, family photos, job records – they are not just data on a screen. The best response is steady, practical and methodical: isolate first, protect what is still clean, and rebuild carefully rather than hoping the problem sorts itself out.
