How to recognise that this may not be an ordinary fault

A ransomware incident does not always begin with a dramatic ransom note. Employees may first notice that documents no longer open, filenames have unfamiliar extensions, shared folders are unavailable or the same problem appears on several computers.

  • Files suddenly fail to open or appear renamed.
  • A message requests payment or provides recovery instructions.
  • Shared folders change rapidly or become inaccessible.
  • Security software is disabled without explanation.
  • Several users report the same problem at nearly the same time.

One damaged document is not proof of ransomware, but several signs together justify treating the situation as a security incident until it is assessed.

Reviewing a security incident on a business computer
The first goal is to contain the incident, then review accounts, devices, the network and available backup copies.

First 10 minutes: isolate the affected device

Disconnect the affected computer from the network. Remove the Ethernet cable and turn off Wi-Fi. If a server or shared storage system is actively changing files, isolate it with help from the person responsible for the network.

  • Do not connect USB drives or backup disks to the affected computer.
  • Do not continue opening files to see which ones work.
  • Do not delete the ransom message or suspicious files.
  • Do not restart every device in the office without a plan.
Priority: stop the spread before attempting repair. A clean backup is valuable only while it remains separated from the incident.

By minute 30: establish scope and preserve facts

Record which employee first noticed the issue, the device name, approximate time, visible message and folders that appear affected. Photographs of the screen and a short written timeline can help later analysis.

Ask whether the user recently opened an attachment, followed an unusual link, installed software or entered a password on an unfamiliar page. The purpose is not to assign blame. It is to identify the likely path and determine which accounts may need protection.

Check whether the issue is limited to one workstation or also affects file servers, NAS storage, cloud folders and other users.

By minute 60: protect accounts and plan recovery

If there is a reasonable chance that credentials were stolen, change passwords from a known-clean device. Prioritise administrators, email accounts, finance users, remote access and cloud services. Revoke suspicious sessions where possible.

Before restoring data, confirm that the recovery source is clean and that the cause has been contained. Restoring immediately onto an infected environment can encrypt the same data again.

  1. Identify clean backup copies and their dates.
  2. Decide which business systems must return first.
  3. Keep affected equipment available for analysis.
  4. Document every major action and time.

What a business can prepare before an incident

  • An offline or otherwise isolated backup copy.
  • Regular restore tests, not only successful backup notifications.
  • An up-to-date list of devices, users and administrators.
  • MFA for email, cloud services and remote access.
  • A contact person authorised to make urgent decisions.
  • A short incident checklist available outside the affected network.

These measures also support normal managed IT maintenance because they improve documentation and reduce recovery time.

Conclusion

The first hour of a ransomware incident is about containment, facts and safe decisions. Isolate affected devices, protect important accounts, preserve evidence and confirm clean backups before recovery. A prepared business does not need to invent this process while systems are already unavailable.