
Our Business Files Are Locked – Is This a Ransomware Attack, and What Should We Do?

Updated: 6 days ago

If your business files are suddenly inaccessible, renamed, or encrypted — and you’re seeing strange messages asking for payment — there’s a strong chance you’re dealing with a ransomware attack.


This guide will help you confirm what’s happening and walk you through what to do next to contain the damage, protect your data, and begin recovery.

At STORM Guidance, we support organisations through ransomware incidents of all kinds — from fast containment to secure restoration.



 

How to Tell If It’s Ransomware


Here are common signs that point to a ransomware attack:


  • 🔐 Encrypted Files

    Files no longer open, or have a new extension (e.g. .locked, .encrypted, .blacksuit)


  • 🧾 Ransom Notes

    You may see a file named READ_ME.txt, DECRYPT_INSTRUCTIONS, or similar in every folder. This often includes contact details and payment instructions.


  • ⚠️ Inaccessible Systems or Drives

    Network drives, shared folders, or entire machines may become unavailable or return error messages when accessed.


  • 💻 System Slowdown or Crashes

    Some ransomware strains overload memory and CPU while encrypting, causing instability or forced reboots.


If you see any of the above, especially in combination, treat the situation as a confirmed ransomware incident and proceed with caution.
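Added example, not part of the original guide: a read-only scoping pass over a file share, run from a clean host, that looks for the extensions and ransom-note names listed above and brackets the encryption window from file timestamps. The function names and the constructed sample tree are assumptions; the scan only reads names and timestamps, so ransom notes and encrypted files are left untouched.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators named in the guide above; extend with what you actually observe.
SUSPECT_EXTS = {".locked", ".encrypted", ".blacksuit"}
NOTE_STEMS = {"read_me", "decrypt_instructions"}

def triage(root):
    """Walk root read-only: names and stat() only, no file is opened or changed."""
    ext_hits, note_dirs, mtimes, total = Counter(), set(), [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            p = Path(dirpath, name)
            if p.stem.lower() in NOTE_STEMS:
                note_dirs.add(dirpath)
            elif p.suffix.lower() in SUSPECT_EXTS:
                ext_hits[p.suffix.lower()] += 1
                try:
                    mtimes.append(p.stat().st_mtime)
                except OSError:
                    pass  # unreadable entry: already counted, no timestamp
    return {
        "files_seen": total,
        "encrypted_by_ext": dict(ext_hits),
        "dirs_with_note": sorted(note_dirs),
        # Earliest/latest modification time of renamed files brackets the encryption window.
        "window": (min(mtimes), max(mtimes)) if mtimes else None,
    }

def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"finance/q1.xlsx.locked": 1000, "finance/READ_ME.txt": 1005,
                  "hr/staff.docx.blacksuit": 1600, "hr/DECRYPT_INSTRUCTIONS": 1601,
                  "it/readme.md": 900}  # constructed names and epoch timestamps
        for rel, ts in layout.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
            os.utime(p, (ts, ts))
        result = triage(root)
        result["dirs_with_note"] = [os.path.relpath(d, root) for d in result["dirs_with_note"]]
        return result

if __name__ == "__main__":
    print(demo())
```

The per-extension counts and the list of folders containing a note give responders a first estimate of scope, and the timestamp window is a starting point for the investigation timeline.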


 

What to Do Next


✅ 1. Isolate Affected Systems Immediately

Disconnect infected devices from the network — both wired and wireless. If you're unsure which systems are affected, isolate everything you can as a precaution.


✅ 2. Don’t Interact with the Ransomware

  • Do not pay the ransom without advice — payment does not guarantee recovery

  • Don’t delete or modify the ransom note or encrypted files

  • Avoid running unknown tools or attempting self-recovery unless you have expert support


✅ 3. Notify Internal Stakeholders

Inform your IT team, leadership, legal/compliance, and anyone responsible for operations, customer communication, or insurance.


✅ 4. Engage a Ransomware Response Specialist

A professional response team will guide you through containment, investigation, and recovery — and if needed, manage communication with the attackers directly.

STORM Guidance provides threat actor engagement and negotiation services, which include:

  • Verifying the credibility of the attacker

  • Handling all communications anonymously and securely

  • Negotiating ransom terms (if necessary)

  • Coordinating safe decryption and recovery

Attempting to negotiate or pay a ransom without expert support can result in financial loss, legal risk, or further damage.


✅ 5. Begin Investigation and Containment

You’ll need to:

  • Confirm the strain/type of ransomware (e.g. LockBit, Cl0p, BlackSuit)

  • Check if any data was exfiltrated

  • Identify the attack vector (phishing, RDP, unpatched vulnerability)

  • Stop lateral movement across your network


✅ 6. Notify Authorities (If Required)

If personal or customer data was exposed:

  • Notify the ICO (UK) or relevant regulator

  • Inform cyber insurers

  • Coordinate any necessary disclosure with affected clients or stakeholders


✅ 7. Plan for Secure Restoration

Do not begin restoring from backups until you're sure the threat is contained.

  • Use clean, offline backups only

  • Rebuild affected systems in a clean environment

  • Strengthen access controls, MFA, and patching during recovery


Avoid powering machines off completely unless advised. Volatile memory is lost on shutdown, and its contents can help investigators determine what happened.

 


How STORM Guidance Can Help


✔ Ransomware containment and forensic investigation

✔ Data recovery and secure rebuild planning

✔ Legal, regulatory, and comms coordination

✔ Guidance on ransom payment decisions (if applicable)

✔ Resilience reviews to reduce future risk



 


Locked Files Can Be Recovered — But The Right Response Is Critical


Not every ransomware case ends in permanent damage or payment.

With fast action and expert support, many businesses recover fully — and come out more resilient.

STORM Guidance is here to help you take back control — from containing the attack to securely rebuilding your systems.

If attacker communication is ongoing, we can handle negotiations on your behalf, helping your business recover with clarity, speed, and confidence.


