Every ransomware call starts the same way. Someone on the other end of the line is staring at a ransom note on their screen and their business has stopped. The file shares are encrypted. The ERP system is down. Email may or may not be working. Nobody knows how bad it is yet.
What follows is the exact sequence we run on every ransomware engagement at Sherlock Forensics. This is not a theoretical framework pulled from a textbook. It is the operational playbook we have refined across hundreds of incidents since 2006. The specifics change per engagement. The structure does not.
If you are reading this during an active ransomware attack, stop reading and call 604.229.1994. We will walk you through the rest live.
The Initial Call: What We Need in Five Minutes
When you call us during a ransomware incident we need five pieces of information immediately. Not in an hour. Not after your IT team finishes their internal assessment. Right now on the phone.
- What is encrypted? File servers, databases, endpoints, domain controllers, backup systems. We need the rough scope. "Everything" is an acceptable first answer but we will narrow it down fast.
- Is the encryption still spreading? Are new systems going down while we are talking? This determines whether containment is our first action or whether the attack has already completed.
- What does the ransom note say? Read it to us or send a photo. The note identifies the threat actor group and tells us which variant we are dealing with. That information changes our entire approach.
- Do you have backups and are they offline? If backups exist and were not connected to the network during the attack you likely have a recovery path that does not involve paying. If backups were on the same network they are probably encrypted too.
- Do you have cyber insurance? If yes we need your carrier and policy number. They need to be notified immediately and they will likely assign a breach coach and approve vendors. If you have not called them yet we will tell you to do that next.
That conversation takes five minutes. From those five answers we know enough to start containment while your team assembles.
Hour 1: Containment
Containment during a ransomware incident is not the same as containment during a data breach. With ransomware the attacker has already detonated. The encryption has either finished or it is still running. Our first objective is to stop any active encryption from spreading to systems that are not yet affected.
Network Segmentation
We instruct your IT team to isolate affected network segments immediately. Disable inter-VLAN routing. Pull uplinks between switches if segmentation does not exist. Shut down VPN tunnels to remote offices. If the encryption is still spreading every minute of network connectivity is another server lost. We have seen organizations lose their backup infrastructure because it took 45 minutes to isolate a flat network. That delay turned a recoverable incident into a pay-or-rebuild scenario.
Preserve the Ransom Note and Encrypted Samples
Do not delete the ransom note. Do not attempt to decrypt files with random tools from the internet. Save a copy of the ransom note and at least two encrypted files from different directories. We need these for variant identification. In some cases free decryptors exist through No More Ransom or through security researchers who have cracked the encryption for that specific variant. But we cannot check if you deleted the evidence.
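The preservation step above is easy to get wrong under pressure, so here is an added example of the kind of evidence manifest a responder can build for the note and samples. This is illustration code, not Sherlock Forensics' tooling; the note text, file paths and file contents are constructed in memory, and the entropy thresholds are assumptions used for rough triage (fully encrypted data looks random, while a file that was only renamed does not).

```python
# Added example (not Sherlock Forensics tooling): build an evidence manifest for the
# ransom note and encrypted samples so they are preserved intact for variant
# identification. All inputs are constructed; paths and note text are hypothetical.
import hashlib
import math
import random
from collections import Counter
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash the preserved artefact so later analysis can prove it was not altered."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_sample(data: bytes) -> str:
    """Rough triage of an 'encrypted' sample (thresholds are assumptions).

    Low entropy suggests the file was only renamed, or that the variant encrypts
    only a header or a fraction of the file. Both matter when checking whether a
    decryptor exists for the variant.
    """
    e = shannon_entropy(data)
    if e > 7.5:
        return "high-entropy (consistent with full encryption)"
    if e > 6.0:
        return "mixed entropy (possible partial/intermittent encryption)"
    return "low-entropy (may be renamed rather than encrypted)"


def build_manifest(note_text: str, samples: dict) -> dict:
    """Record hashes, sizes, extensions and entropy for the note and each sample.

    samples maps the original path (as a string) to the file bytes.
    """
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "ransom_note": {
            "sha256": sha256_hex(note_text.encode("utf-8")),
            "length": len(note_text),
            # The first line of a note is frequently enough to identify the family.
            "first_line": note_text.splitlines()[0] if note_text.strip() else "",
        },
        "samples": [],
    }
    for path, data in samples.items():
        ext = path.rsplit(".", 1)[-1] if "." in path else ""
        manifest["samples"].append({
            "path": path,
            "extension": ext,
            "size": len(data),
            "sha256": sha256_hex(data),
            "entropy": round(shannon_entropy(data), 3),
            "assessment": classify_sample(data),
        })
    return manifest


if __name__ == "__main__":
    rng = random.Random(1)  # deterministic stand-in for ciphertext (constructed)
    demo_note = "YOUR FILES HAVE BEEN ENCRYPTED\nContact: [placeholder]\n"  # constructed
    demo_samples = {
        r"\\fileserver\finance\Q3.xlsx.locked": rng.randbytes(4096),  # constructed
        r"\\fileserver\hr\policies.docx.locked": b"A" * 4096,         # constructed: renamed only
    }
    for entry in build_manifest(demo_note, demo_samples)["samples"]:
        print(entry["path"], entry["sha256"][:16], entry["entropy"], entry["assessment"])
```

Store the manifest alongside the copied files. A sample that comes back low-entropy is worth a second look before anyone concludes the variant has no decryptor, since some families only rename or partially encrypt large files.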
Isolate but Do Not Power Off
Affected systems should be isolated from the network but left powered on. Memory contains forensic artifacts that disappear on shutdown: encryption keys, running processes, the ransomware binary itself. If we can pull the encryption key from memory before the system is powered off we may be able to decrypt without paying and without backups. That window closes permanently once someone hits the power button.
The Pay-or-Not Decision Framework
This is the hardest conversation in any ransomware engagement. Every client wants a simple answer. There is not one. We use a structured framework to evaluate the decision because emotional reactions in either direction produce bad outcomes.
| Factor | Favors Not Paying | Favors Considering Payment |
|---|---|---|
| Backup viability | Clean offline backups exist with recent data | No backups or backups are also encrypted |
| Operational impact | Business can sustain extended downtime | Each day of downtime threatens business survival |
| Sanctions status | Threat actor is on OFAC sanctions list | Threat actor is not sanctioned |
| Decryptor reliability | Known variant with unreliable decryptor | Known variant with reliable decryptor track record |
| Data exfiltration | No evidence of data theft | Threat actor has exfiltrated sensitive data and threatens publication |
| Insurance coverage | Policy does not cover ransom payments | Policy covers ransom with carrier approval |
We check the threat actor against the OFAC Specially Designated Nationals list before any payment discussion happens. Paying a sanctioned entity is a federal crime regardless of the circumstances. No exceptions. If the group is sanctioned the payment option is off the table and we proceed with recovery-only strategies.
The decision is never ours to make. It belongs to the client in consultation with legal counsel and the insurance carrier. Our role is to give them the facts they need to make it clearly.
Backup Assessment
While the pay-or-not discussion is happening our technical team is assessing every backup system in the environment. This runs in parallel because the findings directly inform the payment decision.
We check on-premises backup servers, cloud backup repositories, offsite tape storage, SaaS application backups and any ad hoc copies that IT staff may have made. For each backup source we determine three things: is it intact, how recent is it and can we restore from it without reintroducing the threat?
The third question is critical. If the attacker had access to the environment for weeks before detonating the ransomware then backups from that period contain the attacker's persistence mechanisms. Restoring from a compromised backup reinfects the environment. We need to identify a clean restore point that predates the attacker's initial access. That requires forensic analysis to determine when the initial compromise occurred.
Forensic Analysis: Entry Vector and Lateral Movement
Forensic analysis during a ransomware engagement serves two purposes. First it identifies how the attacker got in so we can close that door before recovery. Second it establishes the timeline of compromise so we know which backups are safe to restore from.
Initial Access Vector
The most common entry points we see in ransomware cases have remained consistent: exposed Remote Desktop Protocol (RDP) with weak or reused credentials, phishing emails with malicious attachments or links, exploitation of unpatched internet-facing appliances (VPN concentrators and firewalls in particular) and compromised credentials purchased from initial access brokers. We trace the attack chain backward from the ransomware deployment to the first point of entry using log analysis, forensic artifact examination and threat intelligence about the specific group's known tactics.
According to CISA's ransomware guidance the majority of ransomware incidents in 2025 and 2026 involved exploitation of internet-facing services or credential abuse. The attacker is rarely sophisticated. The defense gap they exploited is rarely exotic.
Lateral Movement Mapping
Once inside the attacker typically moves laterally through the environment for days or weeks before deploying ransomware. They escalate privileges, harvest credentials, identify high-value targets and stage their deployment tools. We map this lateral movement through Windows Event Logs, authentication records, PowerShell logging and EDR telemetry if available. The lateral movement timeline tells us exactly which systems were touched and when. That timeline is what determines our safe backup restore point.
We cross-reference attacker activity against the MITRE ATT&CK framework to ensure we have identified all persistence mechanisms. If the attacker installed a secondary backdoor and we miss it during recovery then the environment gets recompromised within days. We have been called in to clean up after other IR firms missed exactly that.
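To make the link between the lateral movement timeline and the safe restore point concrete, here is an added example that reconstructs first-touch times per host from Windows Security 4624 (successful logon) records and then selects a backup that predates the earliest attacker activity. This is illustration code, not Sherlock Forensics' tooling. The flattened `key=value` log format, the event records, the compromised account name and the backup catalogue are all constructed; the 24-hour safety margin is an assumption.

```python
# Added example (not Sherlock Forensics tooling): derive a clean restore point from
# a lateral-movement timeline built out of Windows Security 4624 logon events.
# The export format, events and backup catalogue below are constructed.
from datetime import datetime, timedelta
from typing import Iterable

# Logon types that indicate remote access, i.e. the ones relevant to lateral movement.
NETWORK = 3              # SMB / admin shares / WMI / service-based remote execution
REMOTE_INTERACTIVE = 10  # RDP

SAMPLE_EVENTS = [  # constructed; time is local server time in ISO 8601
    "time=2025-03-02T22:14:05|event_id=4624|host=FS01|user=CORP\\svc_backup|logon_type=3|source_ip=10.0.5.23",
    "time=2025-03-01T03:40:11|event_id=4624|host=JUMP01|user=CORP\\jsmith|logon_type=10|source_ip=203.0.113.7",
    "time=2025-03-01T04:02:49|event_id=4624|host=DC01|user=CORP\\jsmith|logon_type=3|source_ip=10.0.1.40",
    "time=2025-03-03T01:15:00|event_id=4624|host=FS01|user=CORP\\jsmith|logon_type=3|source_ip=10.0.1.40",
    "time=2025-03-03T09:00:00|event_id=4624|host=FS01|user=CORP\\jsmith|logon_type=2|source_ip=-",
    "time=2025-03-04T06:00:00|event_id=4625|host=DC01|user=CORP\\jsmith|logon_type=3|source_ip=10.0.1.40",
]

# constructed backup catalogue: host -> list of (host, completed_at, intact)
SAMPLE_BACKUPS = {
    "FS01": [("FS01", datetime(2025, 2, 27, 23, 0), True),
             ("FS01", datetime(2025, 3, 1, 23, 0), False),   # job failed, not restorable
             ("FS01", datetime(2025, 3, 2, 23, 0), True)],
    "DC01": [("DC01", datetime(2025, 3, 1, 2, 0), True)],
    "JUMP01": [],
}


def parse_event(line: str) -> dict:
    """Parse one flattened 'key=value|key=value' Security event line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "time": datetime.fromisoformat(fields["time"]),
        "event_id": int(fields["event_id"]),
        "host": fields["host"],
        "user": fields["user"].lower(),
        "logon_type": int(fields["logon_type"]),
        "source_ip": fields["source_ip"],
    }


def first_touch_per_host(events: Iterable[dict], compromised_users: set) -> dict:
    """Earliest remote logon by a known-compromised account on each host."""
    first = {}
    for ev in events:
        if ev["event_id"] != 4624 or ev["user"] not in compromised_users:
            continue
        if ev["logon_type"] not in (NETWORK, REMOTE_INTERACTIVE):
            continue
        if ev["host"] not in first or ev["time"] < first[ev["host"]]["time"]:
            first[ev["host"]] = ev
    return first


def clean_restore_point(backups, initial_access, margin=timedelta(hours=24)):
    """Most recent intact backup completed before initial access minus a safety margin.

    The margin (an assumption) covers clock skew and the fact that the first logged
    event is only a lower bound on how long the attacker has been present.
    """
    cutoff = initial_access - margin
    candidates = [b for b in backups if b[2] and b[1] < cutoff]
    return max(candidates, key=lambda b: b[1]) if candidates else None


def restore_plan(events, compromised_users, backups_by_host, margin=timedelta(hours=24)):
    """Use the earliest attacker touch anywhere as the environment-wide cutoff, then
    choose a restore point per host or flag the host for rebuild."""
    touched = first_touch_per_host(events, compromised_users)
    if not touched:
        return {"initial_access": None, "hosts": {}}
    initial_access = min(ev["time"] for ev in touched.values())
    hosts = {}
    for host, ev in sorted(touched.items(), key=lambda kv: kv[1]["time"]):
        choice = clean_restore_point(backups_by_host.get(host, []), initial_access, margin)
        hosts[host] = {
            "first_touch": ev["time"],
            "via": f"{ev['user']} from {ev['source_ip']} (logon type {ev['logon_type']})",
            "restore_from": choice[1] if choice else None,
            "action": "restore" if choice else "rebuild",
        }
    return {"initial_access": initial_access, "hosts": hosts}


if __name__ == "__main__":
    plan = restore_plan([parse_event(l) for l in SAMPLE_EVENTS], {"corp\\jsmith"}, SAMPLE_BACKUPS)
    print("initial access:", plan["initial_access"])
    for host, row in plan["hosts"].items():
        print(host, row["first_touch"], row["via"], "->", row["action"], row["restore_from"])
```

The cutoff is taken from the earliest touch anywhere in the environment rather than per host: a host's first logged event is only a lower bound, and a backup taken after the attacker was already inside the network may carry their persistence even if that host was not yet logged as touched. In the constructed data the domain controller has no backup older than the cutoff and is flagged for rebuild, which matches the Phase 1 guidance below.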
Staged Recovery and Validation
Recovery is not a single event. It is a staged process that prioritizes critical business systems and validates each restored system before connecting it back to the network.
Phase 1: Infrastructure Foundation
Active Directory domain controllers, DNS servers and authentication infrastructure come first. If AD is compromised we rebuild it from scratch. Restoring a compromised domain controller reintroduces every credential the attacker harvested and every backdoor account they created. The KRBTGT account gets reset twice per Microsoft's forest recovery guidance. All service accounts get new credentials. All administrative passwords are changed.
Phase 2: Critical Business Systems
Email, ERP, finance systems, customer-facing applications. The order depends on what keeps the business running. Each system is restored to an isolated recovery network segment first. We validate it against indicators of compromise before allowing it to communicate with production infrastructure. This validation step adds time but prevents reinfection.
Phase 3: General Restoration
Remaining servers, endpoints and file shares. Endpoints are typically reimaged rather than restored since they are replaceable. File shares are restored from the most recent clean backup. Any data created between the last clean backup and the ransomware deployment may be lost unless it exists in a SaaS platform or other unaffected location.
Validation Protocol
Every restored system goes through the same checks before returning to production: full malware scan, review of scheduled tasks and startup items, verification of user accounts against a known-good list, confirmation that the initial access vector has been closed and that EDR or monitoring agents are active. No system goes back on the network without sign-off from our team.
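The validation checks listed above lend themselves to a sign-off routine that compares a restored host against a known-good baseline. The following is an added example, not Sherlock Forensics' tooling: the host snapshot and baseline are constructed dictionaries (in practice they would come from enumeration scripts or EDR inventory), and the field names, the "closed vector" flags and the block/warn severities are assumptions.

```python
# Added example (not Sherlock Forensics tooling): pre-production validation of a
# restored host against a known-good baseline. Snapshot/baseline field names are
# hypothetical and the sample data is constructed.
from dataclasses import dataclass, field


@dataclass
class Finding:
    severity: str   # "block" stops sign-off; "warn" needs review but does not stop it
    check: str
    detail: str


@dataclass
class ValidationResult:
    host: str
    findings: list = field(default_factory=list)

    @property
    def approved(self) -> bool:
        """No system goes back on the network with an open blocking finding."""
        return not any(f.severity == "block" for f in self.findings)


def validate_host(snapshot: dict, baseline: dict) -> ValidationResult:
    result = ValidationResult(host=snapshot["host"])
    add = result.findings.append

    # 1. A malware scan must have completed after the restore and come back clean.
    scan = snapshot.get("malware_scan", {})
    if not scan.get("completed"):
        add(Finding("block", "malware_scan", "no completed post-restore scan"))
    elif scan.get("detections", 0) > 0:
        add(Finding("block", "malware_scan", f"{scan['detections']} detection(s) reported"))

    # 2. Scheduled tasks and startup items: anything absent from the baseline is suspect.
    for kind in ("scheduled_tasks", "startup_items"):
        unexpected = set(snapshot.get(kind, [])) - set(baseline.get(kind, []))
        for item in sorted(unexpected):
            add(Finding("block", kind, f"not in known-good baseline: {item}"))

    # 3. Local accounts must match the known-good list. Extra accounts are the classic
    #    backdoor; missing ones hint that the wrong image or backup was restored.
    have = {a.lower() for a in snapshot.get("local_accounts", [])}
    want = {a.lower() for a in baseline.get("local_accounts", [])}
    for extra in sorted(have - want):
        add(Finding("block", "local_accounts", f"unexpected account: {extra}"))
    for missing in sorted(want - have):
        add(Finding("warn", "local_accounts", f"baseline account missing: {missing}"))

    # 4. The initial access vector must be closed. The snapshot carries one boolean per
    #    vector (True = closed), e.g. an RDP listener no longer reachable from outside.
    for vector, closed in snapshot.get("access_vectors", {}).items():
        if not closed:
            add(Finding("block", "access_vector", f"{vector} still open"))

    # 5. EDR and monitoring agents must be installed and actively reporting.
    for agent, status in snapshot.get("agents", {}).items():
        if status != "reporting":
            add(Finding("block", "agents", f"{agent} is {status}"))
    return result


BASELINE = {  # constructed known-good baseline for a file server build
    "scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\BackupNightly"],
    "startup_items": ["SecurityHealth"],
    "local_accounts": ["Administrator", "Guest", "DefaultAccount"],
}

RESTORED_HOST = {  # constructed snapshot of a host after restore, before sign-off
    "host": "FS01",
    "malware_scan": {"completed": True, "detections": 0},
    "scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\BackupNightly", "\\Updater"],
    "startup_items": ["SecurityHealth"],
    "local_accounts": ["Administrator", "Guest", "DefaultAccount", "support"],
    "access_vectors": {"exposed_rdp": True},
    "agents": {"edr": "reporting", "log_forwarder": "stopped"},
}


if __name__ == "__main__":
    res = validate_host(RESTORED_HOST, BASELINE)
    print(res.host, "approved" if res.approved else "BLOCKED")
    for f in res.findings:
        print(f"  [{f.severity}] {f.check}: {f.detail}")
```

The baseline should come from a clean build or a backup that predates the attacker's initial access, never from the restored host itself, otherwise the comparison simply approves whatever the attacker left behind.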
The After-Action Report
Once recovery is complete we produce a formal after-action report that documents the entire incident. This report serves multiple audiences: executive leadership, legal counsel, the insurance carrier and regulatory bodies if notification was required.
- Root Cause Analysis: How the attacker gained initial access with specific evidence. What vulnerability or configuration weakness was exploited. What remediation has been completed to close that vector.
- Timeline of Compromise: A forensic timeline from initial access through ransomware deployment with timestamps and evidence sources for each event.
- Data Impact Assessment: What data the attacker accessed or exfiltrated before deploying ransomware. Whether double extortion occurred and what data was published or threatened. This drives notification obligations.
- Recovery Summary: Systems restored, data recovered, data lost. Total downtime measured in hours. Ransom paid or not paid and the rationale for that decision.
- Remediation Recommendations: Specific technical and procedural changes to prevent a recurrence. Prioritized by impact and effort. These are not generic best practices. They are targeted recommendations based on the specific weaknesses this attacker exploited in this environment.
The after-action report is typically delivered within two weeks of full recovery. It is a forensic document suitable for submission to regulators and insurance carriers.
Insurance Coordination
Cyber insurance coordination runs parallel to the entire engagement. Most carriers have specific requirements about which vendors can be used, what approvals are needed before a ransom payment and what documentation must be preserved. We work with major carriers regularly and know their processes.
Your carrier will typically assign a breach coach (an attorney who coordinates the response), approve forensic investigation vendors and approve or deny ransom payment if that path is being considered. We provide the carrier with regular status updates and forensic findings throughout the engagement. At close we submit the after-action report and all supporting documentation for the claim.
The single most common mistake we see with insurance coordination is late notification. If you have a policy call the carrier the same day you discover the attack. Not tomorrow. Not after you have a better picture. Today. Late notification is the most common reason ransomware claims get denied. It is also the most preventable.
What You Should Have in Place Before This Happens
The organizations that recover fastest from ransomware share three characteristics: tested offline backups, an incident response retainer and a team that has practiced the response through tabletop exercises. Everything else helps. Those three things are the difference between a two-week recovery and a two-month rebuild.
If you do not have offline backups that are tested regularly you do not have backups. An untested backup is a hope. Ransomware operators specifically target backup infrastructure because they know it is the one thing that makes payment unnecessary.
Frequently Asked Questions
Should you pay a ransomware demand?
There is no universal answer. The decision depends on whether viable backups exist, the operational cost of downtime, whether the threat actor is on a sanctions list and whether your cyber insurance policy covers ransom payments. Paying does not guarantee decryption. FBI data shows roughly 65% of organizations that pay receive a working decryptor. We use a structured framework that evaluates these factors before any payment decision is made.
How long does ransomware recovery take?
Most ransomware recoveries take between 5 and 21 days from initial call to full operational restoration. Containment typically happens within the first 2 hours. Backup assessment and forensic analysis run in parallel over 24 to 72 hours. Staged recovery of critical systems takes 3 to 7 days. Full environment restoration including validation and hardening usually takes two to three weeks.
Does cyber insurance cover ransomware attacks?
Most cyber insurance policies cover ransomware incidents including forensic investigation costs, business interruption losses and legal fees. Many also cover the ransom payment itself. However coverage depends on your specific policy language and whether you followed the security controls required by your policy. Carriers increasingly require MFA, EDR and offline backups as conditions of coverage. Contact your carrier within the first 24 hours of discovering an attack.