Ransomware Attack? A Step-by-Step Guide for Canadian Businesses
Part of our guide: Ransomware & incident response
A ransomware attack is one of the most stressful things a business can face: systems locked, work halted, and a countdown demanding payment. In that moment, a clear head and a clear plan make an enormous difference. The businesses that come through it well are rarely the ones with the most technology — they’re the ones that knew the steps in advance and didn’t make things worse in the first chaotic hour.
This is a step-by-step guide for Canadian businesses: what’s actually happening during an attack, what to do in order, the costly mistakes to avoid, and the Canadian reporting obligations you can’t skip.
If you are in the middle of an attack right now, go straight to our emergency incident response page — it has the immediate do’s and don’ts.
What a ransomware attack actually is
Ransomware is malicious software that encrypts your files and demands payment for the key to unlock them. But the lock screen is the end of the attack, not the beginning. By the time you see a ransom note, the attackers have usually been inside your network for days or weeks.
A typical attack runs in stages:
- Entry. Most ransomware gets in through one of three doors: a phishing email, an exposed remote-access service (like RDP or a VPN with a weak or stolen password), or an unpatched vulnerability. Our guide on how attackers break into small businesses covers these in detail.
- Foothold and spread. The attacker quietly moves through your network, steals credentials, and works toward admin access.
- Data theft. Before encrypting anything, modern ransomware crews copy your sensitive data out. This is “double extortion” — even if you restore from backups, they threaten to leak or sell what they took unless you pay.
- Encryption. Finally, they trigger the encryption — often overnight or over a weekend, when no one’s watching — and drop the ransom note.
Understanding this matters, because it shapes your response: this is a break-in with a human on the other end, not just a virus to clean off one machine.
What it can look like
A staff member arrives Monday morning to find files renamed with a strange extension and a text file on the desktop demanding payment in cryptocurrency within 72 hours. Shared drives won’t open. The accounting system is down. Over the next hour, more people report the same thing. What actually happened: weeks earlier, someone clicked a phishing link and entered their password on a fake login page; the attacker used it to get in, spread to the server over the weekend, copied client data, and encrypted everything Sunday night. The Monday-morning panic is the visible tip of an attack that was already long underway.
Step 1: Isolate affected systems
Disconnect infected devices from the network — unplug network cables, disable Wi-Fi — to stop the ransomware spreading to other machines, servers, and backups. Containment is the first priority. If you can’t tell how far it’s spread, isolating the broader network segment is better than letting it keep moving while you investigate.
Step 2: Don’t power everything down
It’s tempting to shut everything off, but powering down or rebooting can destroy forensic evidence held in memory — evidence that helps identify how the attackers got in and what they touched. Isolate systems from the network, but leave them powered on unless advised otherwise by your incident response team.
Step 3: Assess the scope
Work out what’s affected: which systems, which data, and whether your backups are intact. Pay special attention to two questions: were backups reached? (attackers target them deliberately) and was data stolen before encryption? You can’t make good decisions — about recovery, about notification, about whether a ransom is even relevant — until you understand how far the attack reached.
Step 4: Don’t rush to pay — or to talk to the attacker
Paying a ransom is never guaranteed to recover your data, can mark you as a repeat target, and may carry legal risk. In Canada, paying can also expose you to sanctions risk if the group behind the attack is subject to sanctions — another reason this is never a decision to make alone. Don’t open communications with the attacker on your own. This is a decision to make with expert and legal advice, not under panic. Even where payment is ultimately considered, it’s handled by specialists, not by a stressed employee on the night of the attack.
Step 5: Preserve evidence and document everything
Photograph ransom notes, record timestamps, and note what you saw and when. Keep a written timeline as the response unfolds — who did what, and at what time. This supports the investigation, any insurance claim, and any required reporting, and it’s exactly the kind of documentation insurers look for. (For why claims get denied, see why cyber-insurance claims are denied.)
Step 6: Notify your insurer and leadership early
Notify your leadership and your cyber-insurance provider before you start recovery — many policies require prompt notice and the use of their approved incident response vendors, and acting first can jeopardize coverage. Your insurer often brings a response team, legal counsel, and negotiators as part of the policy.
Step 7: Meet your Canadian notification obligations
Ransomware that touches personal information is a privacy breach. Under Canada’s PIPEDA, a breach that creates a real risk of significant harm must be reported to the Office of the Privacy Commissioner and to affected individuals, and you must keep records of it. Our overview of PIPEDA breach reporting explains the obligations in plain language. Provincially regulated organizations may have additional duties — Quebec’s Law 25, for example, has its own breach-notification rules.
You can also report the incident to the Canadian Centre for Cyber Security, to the Canadian Anti-Fraud Centre, and to your local police or the RCMP. Reporting feeds national threat intelligence and is increasingly expected as part of responsible incident handling.
Step 8: Engage incident response
Ransomware recovery is not a do-it-yourself job. An incident response team contains the attack, finds the entry point, eradicates the threat, and helps you rebuild safely — so you don’t restore your systems only to be hit again. If you don’t already have one, an incident response retainer gets a team on call before you need them, which is far better than searching for help mid-crisis.
Step 9: Recover from clean backups
Once the environment is confirmed clean, restore from backups you have verified are unaffected. This is where preparation pays off: backups that are tested, recent, and kept offline or otherwise out of the attacker’s reach. Rushing this step — or restoring before the threat is fully eradicated — is how businesses reinfect themselves and end up paying twice in lost time.
Step 10: Review and harden
After recovery, a root-cause review answers the most important question: how did they get in, and what stops it next time? Most ransomware enters through a phishing email, an exposed remote-access service, or a stolen password — all of which are preventable. Close the specific gap that was used, then strengthen the layers around it so the next attempt fails earlier.
Preventing the next one
The cheapest ransomware attack is the one that never lands. The controls that matter most:
- Multi-factor authentication on email, VPN, and remote access — it shuts down the stolen-password route that so many attacks use.
- Tested, offline backups. Backups you’ve actually restored from in a drill, kept where ransomware can’t reach them.
- Prompt patching of internet-facing systems and known vulnerabilities.
- Email filtering and security awareness training, because phishing is still the most common entry point. Our note on what to do after a phishing click covers the early-warning side.
- Detection and response that watches around the clock. The gap between break-in and encryption is your window to catch it — MDR beats traditional antivirus precisely because it spots the human activity in that window.
- An incident response plan that your team has actually rehearsed. Our incident response plan outline and ransomware tabletop exercise are good starting points.
The best time to plan is before it happens
Businesses that recover well from ransomware almost always prepared in advance: tested backups, an incident response plan, and a security partner on call. Everything in this guide is easier — and far cheaper — when the decisions are made calmly ahead of time instead of against a ransom countdown. If you’d like help getting ready — or you’re dealing with an incident now — contact our team.