Ransomware: first aid for small businesses
Ransomware encrypts your data and demands a ransom. What matters is immediate isolation of affected systems — without destroying evidence — and a structured approach instead of payment.
Updated: 2026-06-19
Immediate steps
1. Immediately disconnect affected devices from the network (pull the LAN cable, turn off Wi-Fi) to stop the spread.
2. If possible, do not power devices off — volatile traces can matter for analysis.
3. Check backups — use only offline/disconnected backups and do not connect them to the infected network.
4. Document the incident: ransom note, file extensions, timestamps, affected systems.
5. Involve the police; if personal data has leaked, check the GDPR notification duty (72 hours).
6. Restore from a clean backup only after the cause is clear, and reset all credentials.
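To support the documentation step above, the following added example (not part of the original guide) builds a scope summary from file metadata only: which extensions appear, the first and last modification time per extension, and file names repeated across folders that may be the ransom note. The function names, the `.locked` extension, `READ_ME.txt` and the repeated-name heuristic are assumptions for illustration.

```python
import json, os, sys
from collections import Counter
from datetime import datetime, timezone

def collect(root):
    """Walk root with lstat only: no file is opened, so contents stay untouched."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                records.append((path, os.lstat(path).st_mtime))
            except OSError:
                continue  # unreadable entry: skip it and keep walking
    return records

def summarize(records, note_min_dirs=3):
    """Summarize (path, mtime) pairs: extensions, time window, note candidates."""
    counts, window, name_dirs = Counter(), {}, {}
    for path, mtime in records:
        folder, name = os.path.split(path)
        ext = os.path.splitext(name)[1].lower()
        counts[ext] += 1
        lo, hi = window.get(ext, (mtime, mtime))
        window[ext] = (min(lo, mtime), max(hi, mtime))
        name_dirs.setdefault(name, set()).add(folder)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {
        "extensions": [{"ext": e, "files": n, "first_modified": iso(window[e][0]),
                        "last_modified": iso(window[e][1])}
                       for e, n in counts.most_common()],
        # Heuristic (assumption): a file name repeated in many folders may be the note.
        "possible_ransom_notes": sorted(n for n, d in name_dirs.items()
                                        if len(d) >= note_min_dirs),
    }

# Constructed sample records; ".locked" and "READ_ME.txt" are made-up values.
T0 = 1_750_000_000
SAMPLE = [
    ("/share/acct/q1.xlsx.locked", T0), ("/share/acct/READ_ME.txt", T0 + 5),
    ("/share/hr/staff.docx.locked", T0 + 60), ("/share/hr/READ_ME.txt", T0 + 61),
    ("/share/it/notes.md.locked", T0 + 120), ("/share/it/READ_ME.txt", T0 + 121),
    ("/share/it/tool.exe", T0 - 86400),
]

if __name__ == "__main__":
    records = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(summarize(records), indent=2))
```

Run it with a folder path as the only argument and redirect the JSON to a medium that is not part of the affected network. Note candidates still need a human look, since ordinary files such as `desktop.ini` also repeat across folders.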
What not to do
- Do not pay the ransom — no guarantee of decryption, and it funds the offenders.
- Do not rebuild prematurely before the entry point and scope are clear.
- Do not connect backups to the possibly infected network.
When professional help makes sense
We help assess the situation in a structured way, preserve evidence, understand the entry point and plan a clean restart, without promising guaranteed results.
Common questions
- Should I pay if there are no backups?
  Authorities advise against it: payment does not guarantee decryption and marks you as a repeat target. Check recovery and decryption options first.
- Do I have to report the incident?
  If personal data is affected, there is usually a duty to notify the data protection authority within 72 hours.
- How do I prevent the next incident?
  Offline backups, updates, two-factor authentication, least-privilege and awareness are the most effective basics.