Ransomware Incident Response — Containment, Decryption and Recovery for SMEs Without Paying
> cd .. / HUB_EDITORIALE
Sicurezza Informatica

Ransomware Incident Response — Containment, Decryption and Recovery for SMEs Without Paying

[2026-07-18] Author: Ing. Calogero Bono
> share
Zenithby Meteora Web The operating system for your business. Social, clients, bookings and invoices in one platform. Gyms, barbers, professionals. Discover Zenith Free demo · no card

You walk into the office and find all your files renamed with a .encrypted extension. A README_DECRYPT.txt demands 10,000 euros in Bitcoin. Your ERP server, CRM, customer data — everything locked. The phone won't stop ringing.

This is not a movie. It happens every day to small and medium businesses that, an hour earlier, thought 'it won't happen to us'. Here at Meteora Web we've seen dozens of these scenarios. You don't always recover everything, but most of the time you can get out without paying — if you know the right steps in the first few minutes.

This guide walks you through a real ransomware incident response: rapid containment, variant identification, decryption attempts, and clean recovery. No textbook theory. Only actions you can execute right now — and that will keep you from becoming another headline.

How do you contain a ransomware incident effectively?

Containment is everything. The first 10 minutes decide whether the damage stays on one server or spreads across the entire network. The most common mistake? Shutting everything down abruptly. Don't do that: many ransomware strains persist in memory, and if you power off, you lose the chance to understand what happened and possibly decrypt the files.

Step 1: Isolate patient zero

Identify the first affected host (often a shared PC or an exposed RDP server). Physically disconnect it from the network: unplug the Ethernet cable, not just Wi-Fi. If it's a virtual machine, disconnect the vNIC from the hypervisor. The goal is to stop lateral propagation.

Sponsored Protocol

# Quickly block traffic to suspicious IPs via iptables
# (run on a gateway or network firewall)
iptables -A FORWARD -d 185.xxx.xxx.xxx -j DROP
iptables -A OUTPUT -d 185.xxx.xxx.xxx -j DROP

Important: Do not delete the encrypted files. Keep them for forensic analysis and for trying decryption tools.

Step 2: Document the crime scene

Before any recovery, record: date/time of detection, ransom note (screenshot), encrypted file extension, any notes left by the malware. Upload the ransom note to ID Ransomware: in seconds it identifies the ransomware family and often tells you if a free decrypter exists.

Step 3: Change all access credentials

The ransomware probably entered through a weak password or compromised account. Immediately change passwords for domain admins, RDP, FTP, hosting panels. Use long passwords (>16 characters) and enable MFA on everything critical.

Critical mistake to avoid: do not pay. Even if the ransom seems low, paying does not guarantee decryption — and it funds the next attack. Also, in many jurisdictions, paying a ransom may be illegal. Always report to law enforcement (e.g., FBI or local cyber police).

Sponsored Protocol

What decryption tools are available and how to use them?

Not all ransomware are unbreakable. Many variants have known cryptographic weaknesses: predictable key generation, flawed implementations, backdoors left by authors. Projects like No More Ransom (coordinated by Europol) and independent databases collect free decryption tools.

Official and community decrypter sources

  • No More Ransom (NMR): Official platform with over 100 decryption tools. Enter the encrypted file extension (e.g., .encrypted, .locked, .crypt) and download the matching tool.
  • Avast, Kaspersky, Emsisoft: Provide decryption tools for common families (Stop/Djvu, GandCrab, REvil, Maze).
  • ID Ransomware (mentioned above): besides identification, it gives direct links to available decrypters.

Operational procedure for running a decrypter

  1. Run the scanner on a forensic copy of the files, not the originals. Use an isolated environment (VM without network access).
  2. Test a sample file. If decryption works, proceed on all files.
  3. Before running, disable antivirus and firewall (they may interfere).
  4. If the decrypter requires a private key (e.g., for RSA), do not attempt to brute-force it — it's mathematically impossible. Focus on restoration from backup.
# Example command for Emsisoft Decrypter for Stop/Djvu
# (after downloading the official executable)
./emsisoft_decryptor_stopdjvu -d /mnt/backup/encrypted -o /mnt/recovered

Note: Decrypters work only on specific variants. If the ransomware is an unknown variant or uses strong asymmetric encryption (AES-256 + RSA-4096), decryption without the key is impossible. In that case, recovery relies solely on backups.

Sponsored Protocol

How to recover data after a ransomware attack without paying?

If decryption is not possible, plan B is restoration from backup. But watch out: modern ransomware also tries to delete shadow copies, network backups, and shared volumes. That's why the 3-2-1 strategy is mandatory: 3 copies, 2 different media, 1 offline (immutable) copy.

Verify backup integrity before restoring

Many victims discover their backups were encrypted along with the original data. Here's how to check quickly:

  • If the backup is on a NAS with write access from the network, it is likely compromised.
  • If it's on tape or on cloud storage with versioning and immutability (e.g., Backblaze B2 with Object Lock, AWS S3 with versioning and MFA delete), it is almost certainly clean.
  • Mount the backup in an isolated environment and verify files are readable.

Safe restoration procedure

  1. Format and reinstall affected systems from scratch. Do not restore onto a potentially infected machine.
  2. Update all software, apply security patches, and disable unnecessary services (especially RDP exposed to the internet).
  3. Restore data from clean backup. If you use rsync:
    rsync -av --delete /mnt/backup-clean/ /var/www/html/
  4. Before going live, run a reconnection test: monitor logs for 24 hours to detect any residual traces.

Advanced alternatives: Shadow Copy and file system journal

If the ransomware did not delete Windows shadow copies (happens with low-level variants), you can try to recover previous versions. Run this command on the compromised PC (before shutting down):

Sponsored Protocol

vssadmin list shadows
# If copies exist, export with:
vssadmin create shadow /for=C:
shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

But caution: many ransomware execute vssadmin delete shadows /all /quiet. If you see that in the logs, shadow copies are lost.

What incident response plan should you prepare before an attack?

The best defense is a written, tested, and offline-stored plan. We at Meteora Web help SMEs set up a Ransomware Incident Response Plan that costs less than a ransom. Here's what it must include:

  • Containment runbook: who to call, in what order, which physical switches to pull.
  • Contact list: IT provider, law enforcement, cyber insurance.
  • Immutable backups: one weekly offline copy on removable media or immutable cloud storage.
  • Regular drills: simulated attacks (tabletop exercises).
  • Pre-installed tools: a VM with ID Ransomware, decrypters, and forensic tools, always updated.

For prevention, check our related article on phishing simulation tools. And for supply chain security, read our guide on NIS2 Supplier Registry.

Sponsored Protocol

What to do right now

  1. Check your backups immediately. The 3-2-1 rule is the difference between a weekend of work and closing the business.
  2. Identify your exposed services. RDP, FTP, admin panels: if they are on public IPs, lock them down with VPN and MFA.
  3. Download and keep updated the ID Ransomware tool on offline media (e.g., USB stick).
  4. Print the containment runbook and keep it in the server room. Yes, on paper. When the system is encrypted, you can't open PDFs.
  5. Contact an incident response team before you need one. At Meteora Web we offer audits and customized plans. Let's talk.

Ransomware is not a death sentence. It can be contained, decrypted (sometimes), and recovered. But only if you know exactly what to do in the first minutes. We do it every day. If you have doubts, reach out.

> share
Ing. Calogero Bono

> AUTHOR_EXTRACTED

Ing. Calogero Bono

Ingegnere informatico, fondatore di Meteora Web e Zenith OS. System administrator e progettista di piattaforme, app e CMS proprietari, con esperienza in sviluppo full-stack, marketing digitale ed ecosistema Google.
[ Read Full Dossier ]

> METEORA_WEB // DIGITAL AGENCY

We build the digital presence your business deserves.

Websites, social media, online advertising, e-commerce and high-performance hosting, engineered with method by computer engineers in Sciacca, for all of Italy.

> MW_JOURNAL

> READ_ALL()