CyberGuide - Information Security and Cyber Risk Management

Initial Dos and Don’ts for Ransomware Victims

By Arete


The initial actions of a victim organization in the hours after a ransomware event can have a lasting impact on the overall recovery. Arete has responded to over 500 ransomware events and over 50 different variants in the last year. Based on our experience, observation, and initial conversations with the victim organizations we have identified the top five action items that can determine the difference between a relatively smooth versus a disastrous and costly recovery. Arete has compiled the following five Do’s and Don’ts to follow as a standard best practice when faced with the challenges of recovering from ransomware.


  • Remove infected systems from the network/ take them offline
  • Follow the instructions in the ransom note related to powering off systems
  • Preserve all data, including systems – as well as Firewall, VPN, and Proxy logs for the forensic analysis that will need to take place
  • Deploy advanced endpoint protection to all systems
  • Plan on up to 2 weeks to be fully operational again based on org size


  • Shut down, power cycle, or reboot any infected systems
  • Contact the threat actor yourself or try to negotiate – leave this to the forensic vendor
  • Wipe or re-image any systems as these are needed for the forensic investigation
  • Rely on your anti-virus that failed to stop the ransomware
  • Assume that once a decryptor is purchased its all down hill from there