April 24, 2025
Dealing with a ransomware attack can be disruptive and expensive, especially for a small business. In this guide, Acrisure Cyber Services shares tips on how to respond to a ransomware attack.
When a ransomware attack strikes your business, every minute counts. Small businesses often don’t have the extensive IT departments of larger companies, leaving them potentially exposed to these increasingly clever digital threats. Knowing how to react swiftly can be the crucial difference between a manageable recovery and a crisis that shuts you down.
And here’s the tough truth: thinking this only happens to the big guys is a mistake. Small businesses are actually up to three times more likely to be targeted by cyberattacks.
What Does a Ransomware Attack Look Like?
Ransomware essentially kidnaps your business data by encrypting it. You’ll typically see a message demanding payment and you won’t be able to access your own files until you pay the attackers a ransom, usually demanded in cryptocurrency. For smaller operations, this kind of attack can be devastating. It can halt your business operations, expose sensitive confidential information, and ruin the good reputation you’ve worked so hard to build.
How Should You Respond to a Ransomware Attack?
(The following information is meant to offer helpful insights and is provided for general purposes only. It is not to be considered an official incident response plan in the event of a ransomware attack. The facts of each incident may vary so it is important to discuss your particular case with a professional.)
Step One: Act Fast — Isolate and Take Stock
The second you think ransomware might be in play, you need to act—quickly.
- Unplug and Disconnect: If a device shows signs (ransom note, weirdly locked files), cut its access to the internet and your internal network. Yank the Ethernet cable. Turn off Wi-Fi. The goal is to stop the spread immediately.
- Don’t Power Off Yet: Unless an expert tells you to shut it down, don’t. The system memory might hold clues that could help during the investigation or cleanup process.
- See What’s Hit: Which machines are affected? What kind of data—customer info, financials, core operations? Knowing what you’re dealing with will help you decide what to do first.
Step Two: Lock It Down
Now that you’ve isolated the immediate issue, you need to make sure it hasn’t spread further.
- Check Your Network: If your network is segmented (divided into sections), check that other parts are still clean.
- Figure Out What You’re Dealing With (Carefully): If you can, try to identify the type of ransomware. There may be a ransomware “note” left on the machines (likely on the Desktop). Sometimes tools exist to reverse it—but that’s rare. Be cautious about running tools unless you really know they’re safe. When in doubt, bring in the professionals.
Step Three: Cleaning Up the Mess
Getting rid of the actual malware is essential. This usually involves a couple of pathways:
- Security Software to the Rescue: Your antivirus and, ideally, more advanced Endpoint Detection & Response (EDR) tools are your first line here. Run full scans to find and remove the malicious code.
- The Nuke Option (Often the Safest): Frankly, the most reliable way to be sure the infection is gone is often to completely wipe the affected hard drives and reinstall everything – operating system, software – from scratch, using clean source files.
Step Four: Getting Your Data Back
This is the moment where good habits pay off immensely.
- Restore Only from Clean, Tested Backups: If your backups were kept offline or separated from your network (air-gapped), you’re in luck. Use those. And if you haven’t been testing your backups regularly, that changes now.
- Check Before You Reconnect: Once you’ve restored, double and triple-check that the systems are truly clean and fully patched before letting them back onto the network.
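As an added example (not from the original article), a small Python check for the "clean, tested backups" step: a SHA-256 manifest taken when the backup was made and kept apart from it, plus a verification pass that flags files that went missing, changed, appeared, carry a ransom-note filename, or have the near-uniform byte distribution typical of encrypted data. The note filenames, the threshold and the sample files are constructed placeholders.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Hypothetical note names: in a real case use the one found on the Desktop.
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "restore_your_files.txt"}
ENTROPY_LIMIT = 7.5  # bits per byte; encrypted output sits close to 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty file)."""
    if not data:
        return 0.0
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 per file, taken at backup time and stored apart from the backup."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_backup(root: Path, manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Compare a backup set with its manifest; return (reason, relative path) pairs."""
    current = build_manifest(root)
    findings = [("missing", rel) for rel in manifest if rel not in current]
    for rel, digest in current.items():
        changed = rel not in manifest or digest != manifest[rel]
        if Path(rel).name.lower() in RANSOM_NOTE_NAMES:
            findings.append(("ransom-note", rel))
        if changed:
            findings.append(("unexpected" if rel not in manifest else "modified", rel))
        # Entropy is only tested on changed files, so legitimately compressed
        # files recorded in the manifest are not mistaken for encrypted ones.
        if changed and entropy((root / rel).read_bytes()) > ENTROPY_LIMIT:
            findings.append(("looks-encrypted", rel))
    return findings

def simulate_incident() -> list[tuple[str, str]]:
    """Constructed scenario: manifest a clean backup, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices.csv").write_text("id,amount\n1,100\n2,250\n" * 50)
        (root / "notes.txt").write_text("quarterly planning notes\n" * 20)
        manifest = build_manifest(root)
        # Stand-in for encryption: every byte value equally often (entropy 8.0).
        (root / "invoices.csv").write_bytes(bytes(range(256)) * 8)
        (root / "how_to_decrypt.txt").write_text("your files are locked\n")
        return check_backup(root, manifest)
```

A backup set that produces any finding should not be restored until the reason is understood; a clean run is one input to the "truly clean" check, not a substitute for scanning the restored systems.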
Step Five: Call in the Cavalry (and the Feds)
You’re not in this fight alone. Reach out.
- Tell the FBI: Report the attack through the FBI’s Internet Crime Complaint Center (IC3). It helps them track these criminals and might help others avoid the same fate. You can find it here: https://www.ic3.gov
- Loop in CISA: You can also report to the Cybersecurity and Infrastructure Security Agency (CISA) and tap into their resources for businesses. Check out their Stop Ransomware site: https://www.cisa.gov/stopransomware
- Get Expert Help: Seriously consider bringing in cybersecurity professionals. They live and breathe this stuff and can help with everything from digging into how it happened (forensics) to helping you make sure it’s truly gone, allowing you to recover safely. That’s exactly what our team at Acrisure Cyber Services does.
- Call Your Insurance: If you have a cyber insurance policy, get them on the phone ASAP. They’ll have specific steps you need to follow and resources they can deploy.
The Million-Dollar Question: Do You Pay?
The attackers want money, usually crypto. But should you pay? The FBI strongly advises against it. Why?
- It Might Not Work: Paying is no guarantee you’ll get your files back. Plenty of businesses pay up and get nothing, or only get some data back.
- It Funds Crime: Paying tells the bad guys their business model works, encouraging more attacks against everyone.
- It Paints a Target on Your Back: Threat actors often use “double extortion,” demanding payment both to unlock your data and to refrain from releasing it publicly. Paying once may signal that you’ll pay again.
- Sanctions Are Real: Many cybercrime groups are on international sanctions lists. Paying one of them may result in a fine or legal action from the government.
Look, it’s a tough call, especially if critical data is gone and backups failed. But you may want to try every other recovery option first.
Step Six: After the Storm – Learn and Rebuild Stronger
Once things have calmed down, don’t just sweep it under the rug. Use this painful experience.
- Figure Out How: Do a post-mortem. How did they get in? Was it a phishing email? An unpatched system? What went right and wrong in your response?
- Beef Up Security: Now’s the time to invest in layers of defense.
  - Better Email Security to catch malicious messages.
  - Multi-Factor Authentication (MFA) everywhere possible to make stolen passwords useless.
  - Real Endpoint Detection & Response (EDR), not just basic antivirus.
  - A Solid Patching Routine for all your software and systems.
  - Ongoing Security Training for your team – they’re often the first target. (Our Acrisure “Security Blanket” bundles these kinds of protections together.)
- Update Your Playbook: Take what you learned and make your incident response plan even better.
Preparation Beats Panic Every Time
Dealing with a ransomware attack can be incredibly disruptive and expensive. The absolute best strategy is doing everything possible to prevent it in the first place – strong defenses, reliable backups you actually test, and a clear plan for what to do if the worst happens.
At Acrisure Cyber Services, we focus on bringing robust cybersecurity and IT support within reach for small and medium-sized businesses like yours. We can help you assess your risks, implement the right protections, and even provide access to cyber insurance solutions.
Don’t wait until it’s too late. Let’s talk. Reach out to [email protected] for a no-obligation chat about where you stand and how we can help you build a more resilient business.
NOTE: The opinions and statements herein are intended and provided for general informational purposes only. Nothing herein is intended to or may be viewed to provide any advice of any kind for any person or entity by Acrisure, LLC or any of its agents, representatives, advisers, affiliates, directors, officers, or employees (collectively, “Acrisure”). The findings, interpretations, and conclusions contained herein do not constitute a recommendation that any person or entity (i) take (or not take) any particular action(s), or (ii) purchase any particular product(s). Before engaging in any of the foregoing, all persons and entities should consider and independently verify or validate whether such is appropriate and/or suitable for their respective circumstances. No person or entity may rely on the information provided herein for the prevention or mitigation of any risks or, to the extent applicable, as a full and complete explanation of coverage under any insurance policy or terms and conditions of any services identified. While the information provided herein has been compiled from sources that are believed to be reliable, Acrisure makes no warranty, guarantee or representation, either expressed or implied, as to the correctness, sufficiency or adequacy thereof, and accepts no responsibility for the accuracy, reliability or completeness thereof. By providing the information herein, Acrisure does not undertake any obligation to provide any updates thereto, provide any additional information or materials, or correct any inaccuracies that may become apparent. To the maximum extent permitted by law, any responsibility or liability for the content and information contained herein is hereby expressly disclaimed.
Source: https://www.acrisure.com/blog/how-to-respond-to-ransomware-attack
American Public Entity Programs, LLC are public sector insurance professionals specializing in the underwriting, risk management, and marketing for public entity risks. We are a strategic trading partner of Acrisure and have been designated as a double Acrisure Circle of Excellence wholesale broker. For more information, visit https://americanpublicentity.com/