
How to Remove Ransomware from a Corporate Network Safely and Effectively

  • Writer: Neil Hare-Brown
  • Apr 18

If your organisation’s network has been hit by ransomware, the priority is to contain the threat and prevent further damage - not just to individual machines, but to servers, shared drives, backups, and cloud environments.


This guide walks through the critical steps to remove ransomware from a corporate environment safely, while preserving evidence and avoiding mistakes that can complicate recovery.





Step 1: Isolate Infected Systems Immediately


Start by breaking the chain of infection:

  • Disconnect infected endpoints from the network (wired and wireless)

  • Disable VPNs and remote access systems

  • If multiple systems are affected, consider isolating entire network segments

  • Do not power off machines unless advised - the contents of volatile memory may help identify the ransomware strain

The goal is to stop the spread and keep systems in a state where investigation is still possible.


Step 2: Preserve Ransomware Evidence


Before attempting removal or reimaging:

  • Preserve one or two infected hosts for potential forensic analysis

  • Save copies of ransom notes, file extensions, and encrypted files

  • Take screenshots of any pop-ups or Tor-based negotiation portals

  • Collect logs and system snapshots for forensic analysis

This information helps determine the ransomware strain, how it entered your network, and whether recovery tools exist.
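
One way to carry out the collection step above, as an added example that is not from the original article. The note filename `readme_restore.txt` and the `.locked` extension are assumed indicators, and the source is assumed to be a read-only mount or forensic copy of the affected share.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed indicators for illustration; use the ones seen in the real incident.
NOTE_NAMES = {"readme_restore.txt"}
ENCRYPTED_EXT = ".locked"

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def collect_evidence(source: Path, evidence: Path, max_samples: int = 5) -> list:
    """Copy ransom notes plus a few encrypted samples and record their hashes."""
    evidence.mkdir(parents=True, exist_ok=True)
    manifest, samples = [], 0
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        is_note = path.name.lower() in NOTE_NAMES
        is_sample = path.suffix.lower() == ENCRYPTED_EXT and not is_note
        if not is_note and not (is_sample and samples < max_samples):
            continue
        samples += 1 if is_sample else 0
        mtime, src_hash = path.stat().st_mtime, sha256_of(path)
        dest = evidence / f"{len(manifest):04d}_{path.name}"
        shutil.copy2(path, dest)  # copy2 preserves the modification time
        manifest.append({
            "source": str(path),
            "kind": "ransom_note" if is_note else "encrypted_sample",
            "modified_utc": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
            "sha256": src_hash,
            "copy_verified": sha256_of(dest) == src_hash,
        })
    (evidence / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def demo() -> list:
    # Constructed sample tree (not real incident data): one note, seven encrypted files.
    share = Path(tempfile.mkdtemp()) / "share" / "finance"
    share.mkdir(parents=True)
    (share / "README_RESTORE.txt").write_text("constructed ransom note")
    for i in range(7):
        (share / f"report{i}.xlsx.locked").write_bytes(b"constructed" + bytes([i]))
    return collect_evidence(share.parent, share.parent.parent / "evidence")
```

Keep the evidence directory outside the tree being scanned, and store `manifest.json` with the copies so the hashes can be re-checked when the material is handed to an investigator.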



Step 3: Identify the Entry Point and Infection Scope


To remove ransomware effectively, you need to understand:

  • How it entered (e.g. phishing, RDP, vulnerable services)

  • Which users, endpoints, servers, and shares were affected

  • Whether the ransomware is still active or has completed encryption

  • If data was also exfiltrated (double extortion)


A full network scan and forensic review will be necessary, ideally with expert help.
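
A first-pass scoping aid for the questions above, as an added example that is not from the original article. It summarises a file listing per share and flags shares where encrypted files are still being written; the `.locked` extension, the 15-minute window and the listing itself are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENCRYPTED_EXT = ".locked"  # assumed extension for illustration

# Constructed file listing (share, path, last-modified UTC), e.g. exported from a file server.
LISTING = [
    ("finance", "q1/report.xlsx.locked", "2024-03-02T01:14:09"),
    ("finance", "q1/budget.xlsx.locked", "2024-03-02T01:14:31"),
    ("finance", "q2/forecast.xlsx", "2024-02-27T16:40:00"),
    ("hr", "contracts/a.docx.locked", "2024-03-02T01:52:47"),
    ("hr", "contracts/b.docx", "2024-02-11T09:05:12"),
    ("engineering", "src/build.log", "2024-03-01T22:10:00"),
]

def scope_report(listing, now, active_window=timedelta(minutes=15)):
    """Summarise per share: how much is encrypted, when, and whether it is still changing."""
    shares = defaultdict(lambda: {"total": 0, "encrypted": 0, "first": None, "last": None})
    for share, path, stamp in listing:
        entry = shares[share]
        entry["total"] += 1
        if not path.lower().endswith(ENCRYPTED_EXT):
            continue
        when = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        entry["encrypted"] += 1
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    report = {}
    for share, e in shares.items():
        report[share] = {
            **e,
            "affected": e["encrypted"] > 0,
            # Recent writes suggest encryption is still running on this share.
            "still_active": e["last"] is not None and now - e["last"] <= active_window,
        }
    return report

def encryption_window(report):
    """Earliest and latest encrypted-file timestamps across all shares."""
    firsts = [r["first"] for r in report.values() if r["first"]]
    lasts = [r["last"] for r in report.values() if r["last"]]
    return (min(firsts), max(lasts)) if firsts else None
```

File modification times can be altered, so treat the resulting window as a lead to confirm against logs during the forensic review rather than as a finding.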




Step 4: Do Not Attempt DIY Decryption Tools Without Verification


Many free tools claim to decrypt files, but using the wrong one - or running unknown software - can cause more harm by:

  • Corrupting your encrypted files permanently

  • Triggering further malware activity

  • Destroying forensic evidence


Always consult a trusted cybersecurity provider before running any ransomware removal tools.




Step 5: Decide on Restoration Strategy


Option A: Recover from Clean, Isolated Backups

  • Restore only after confirming the network is clean

  • Use backups that are offline, immutable, or air-gapped

  • Monitor restored systems carefully


Option B: Rebuild Critical Systems from Scratch

  • For systems where backups aren’t trusted or available

  • Ensure an up-to-date OS, current security patches, and endpoint protection are in place


Option C: If Decryption or Recovery Requires Negotiation

In situations where backups are unavailable and a free decryptor doesn’t exist, you may need to engage directly with the threat actor. This should never be done without expert support.

STORM Guidance provides professional ransomware negotiation services, including:

  • Verifying the attacker’s credibility and history

  • Managing communication securely and discreetly

  • Attempting to reduce ransom demands

  • Coordinating secure receipt and testing of decryptors

  • Ensuring compliance with legal and regulatory obligations

Every step is handled with discretion, security, and your long-term recovery in mind.





Step 6: Re-secure the Network


As part of recovery:

  • Reset all user and admin credentials

  • Apply multi-factor authentication across systems

  • Patch known vulnerabilities and exposed services

  • Review firewall rules and access controls

  • Implement continuous monitoring and logging





Step 7: Communicate and Report


Depending on the outcome:

  • Report the incident to your regulator (e.g. ICO in the UK)

  • Notify your cyber insurer

  • Inform clients, partners, or suppliers if systems were exposed or disrupted

  • Log actions and findings for audit and insurance purposes





Step 8: Review, Learn, and Prepare


Once recovery is underway:

  • Conduct a full post-incident review

  • Update your incident response plan

  • Run training and phishing simulations

  • Consider tabletop exercises for leadership and IT teams





How STORM Guidance Can Help


✔ Ransomware containment and secure network restoration

✔ Full forensic investigation and threat identification

✔ Regulatory support and communications guidance

✔ Ransomware negotiation strategy (if needed)

✔ Resilience reviews and recovery planning




Ransomware Can Be Removed — With the Right Steps and Support


Trying to remove ransomware alone, especially across a corporate network, can be risky.

With expert guidance, you can contain the threat, recover data safely, and navigate attacker communication if it becomes necessary.

STORM Guidance is ready to support your business — from technical containment to secure negotiation and full recovery.


