Incident Response Solved

URGENT: Our company was just hit by ransomware – what do we do?

Observer · 0 XP
January 14, 2026

We discovered this morning that our file servers are encrypted. The ransom note says LockBit and demands 50 BTC. We have about 200 employees and our backups are on the same network. I’m the only IT person. Please help – what are our immediate steps?

Best Answer
Sarah Chen
Expert · 4,800 XP
January 21, 2026

STOP. Do not turn off any machines yet. Here are your immediate steps:

  1. Isolate: Disconnect affected systems from the network immediately. Pull ethernet cables, disable WiFi. Do NOT power off – you may lose volatile memory evidence.
  2. Document: Take photos of ransom notes. Record timestamps of when encryption was discovered.
  3. Report: Contact FBI IC3 (ic3.gov) and your local FBI field office. File a report with CISA.
  4. Engage IR firm: You need professional help. Contact CrowdStrike, Mandiant, or Secureworks for emergency IR.
  5. Do NOT pay yet: There may be a decryptor available. Check nomoreransom.org.
  6. Communicate: Notify your legal team and insurance provider immediately.

I’ve been through this twice. DM me if you need direct help.

Maya Patel
Expert · 2,800 XP
February 24, 2026

One critical thing: check your cyber insurance policy BEFORE engaging any vendors. Many policies require you to use their approved IR firms and forensic providers. Using unapproved vendors could void your coverage.

Alex Rivera
Expert · 3,200 XP
March 1, 2026

Adding to Sarah’s excellent response – check if your LockBit variant has a known decryptor. In February 2024, law enforcement seized LockBit infrastructure and released decryption keys for some variants. Check the No More Ransom project.

Also, regarding your backups being on the same network – this is unfortunately common. For future reference, always maintain offline or air-gapped backups following the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite.
