Ransomware is a nasty type of malware that locks your files and demands payment to unlock them. For individuals it often arrives disguised as an email attachment or a fake software update. For small organizations (a charity, a church office, a small clinic, a school) it's the single most common way a day goes from normal to catastrophic. Here's how to recognize it, what to do in the first hour, and how to recover.
Did you know?
According to recent research from Sophos, fewer than one in three organizations that paid a ransom got all their data back. Most got partial data or nothing at all. Payment is not a recovery plan.
What It Looks Like
You sit down at your computer and something is wrong. Any of these are possible signs:
- A big red screen demanding payment, usually in Bitcoin, with a countdown timer.
- Your files have new, strange extensions (.locked, .encrypted, .crypt, random letters).
- Documents that open as gibberish.
- A text file on your desktop called something like README.txt or HOW_TO_DECRYPT.txt with instructions.
- Your computer feels slow or its fan runs loudly for no clear reason (this can mean the encryption is still happening).
If you see this, act fast. Every minute the malware runs, more files get encrypted.
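The signs above can be checked mechanically on a copy of the files. The script below is an added example, not part of this guide or any product it mentions; the indicator lists and the entropy threshold are assumed starting points, and the sample files it creates are constructed stand-ins, not real ransomware output.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicator lists built from the signs above; assumed starting point, extend as needed.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom")
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".md"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain English text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str, entropy_threshold: float = 7.5) -> dict:
    """Return file names grouped by which sign from the list above they match."""
    findings = {"renamed": set(), "notes": set(), "gibberish": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, ext = path.name, path.suffix.lower()
        if ext in SUSPICIOUS_EXTENSIONS:          # renamed with a ransomware-style extension
            findings["renamed"].add(name)
            continue
        head = path.read_bytes()[:4096]
        if ext == ".txt":                         # ransom note by name or by wording
            text = head.decode("utf-8", errors="ignore").lower()
            if name.lower() in NOTE_NAMES or any(k in text for k in NOTE_KEYWORDS):
                findings["notes"].add(name)
                continue
        # A document that should be readable text but looks like random bytes.
        if ext in PLAINTEXT_EXTENSIONS and shannon_entropy(head) > entropy_threshold:
            findings["gibberish"].add(name)
    return findings


def build_sample_dir() -> str:
    """Constructed sample files only; nothing here is real ransomware output."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    (Path(root) / "budget.xlsx.locked").write_bytes(os.urandom(64))
    (Path(root) / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay in Bitcoin.")
    (Path(root) / "minutes.txt").write_bytes(os.urandom(4096))   # opens as gibberish
    (Path(root) / "notes.txt").write_text("Tuesday: call the landlord about the heating.\n")
    return root


if __name__ == "__main__":
    for sign, names in scan_directory(build_sample_dir()).items():
        print(f"{sign}: {sorted(names) or 'none'}")
```

Run it from a known-good machine against a copy of the files, never on the infected computer itself.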
The First 10 Minutes
Do these in order. Stay calm. Most ransomware damage happens because people freeze or do the wrong thing quickly.
- Disconnect from the internet. Unplug the network cable. Turn off wifi. This is the single most important step. It stops the malware from spreading to cloud drives, network shares, and any connected devices.
- Don't shut the computer down. Some ransomware stores the only copy of the encryption keys in memory, which is lost when you power off. Leaving it on gives recovery experts a chance.
- Don't pay anything. Don't even open the ransom note. Paying funds the next attack, and most victims who pay don't get all their data back anyway.
- Take a photo of the ransom screen with your phone. Include any email addresses, wallet addresses, or reference numbers. You'll need this for the police report.
- Disconnect external drives (USB drives, backup drives) that were plugged in. Leave them out.
- If it's a work or organization computer, call IT. If you're a one-person shop and you are IT, call a cybersecurity professional. Don't try to clean it yourself.
What Not to Do
- Don't pay the ransom. See above.
- Don't restart or reinstall Windows yet. This can destroy evidence and the chance to recover files.
- Don't use the infected computer to email anyone. Use a different device.
- Don't plug backup drives back in until you know the machine is clean. Ransomware will gladly encrypt your backups too.
Recovery Path
Once you're disconnected and have help lined up:
- Identify the ransomware family. The website ID Ransomware lets you upload a ransom note or an encrypted file and tells you which variant infected you. For some variants, a free decryption tool exists at No More Ransom, a project run by the Dutch police and Europol that is safe to use.
- Restore from backup. If you have a clean backup from before the infection, this is your fastest way home. Wipe the infected machine completely (full format, reinstall the operating system) and restore to the clean image.
- Contact a professional. For organizations, your cyber insurance (if you have it) usually includes incident response. If not, search for a reputable incident-response firm. In Canada, a rough starting point is the CCCS (Canadian Centre for Cyber Security), which can point you at resources.
- Expect the recovery to take days, not hours. Accept that upfront and avoid rushing.
Report It
Reporting is what gets these groups caught.
- Canada: Report to the Canadian Anti-Fraud Centre at 1-888-495-8501 and to the Canadian Centre for Cyber Security, and to your local police if money was paid.
- United States: Report to the FBI's IC3 and CISA.
- Your cyber insurer if you have a policy. Report it before taking any other action if you can, because policies often have specific required steps.
How to Prevent the Next One
Ransomware usually gets in through one of three doors. Close them.
- Don't open attachments or click links from senders you don't recognize. This is how 80% of infections start. See our phishing playbook for the full checklist.
- Keep your operating system and apps up to date. Turn on automatic updates. Most of the remaining infections exploit old vulnerabilities for which a patch already exists.
- Back up your files to an offline location: an external drive you unplug after each backup, or a cloud service with version history (Backblaze, OneDrive, iCloud, Google Drive). Ransomware that encrypts live files often can't reach older versions if the backup service stores them separately.
- Run as a normal user, not admin, for daily work. Malware can only do what the logged-in user can do. If your account can't install software, the malware usually can't either.
Going Deeper
- Part of a small organization worried about this? Our free course Cybersecurity Fundamentals covers the basics of keeping a small team safe.
- Got a suspicious message right now and want a second opinion? Ask Dave.