Ransomware Attack? A Step-by-Step Guide for Canadian Businesses
A ransomware attack is one of the most stressful things a business can face: systems locked, work halted, and a countdown demanding payment. In that moment, a clear head and a clear plan make an enormous difference. Here’s a step-by-step guide for Canadian businesses.
If you are in the middle of an attack right now, go straight to our emergency incident response page — it has the immediate do’s and don’ts.
Step 1: Isolate affected systems
Disconnect infected devices from the network — unplug network cables, disable Wi-Fi — to stop the ransomware spreading to other machines, servers, and backups. Containment is the first priority.
Step 2: Don’t power everything down
It’s tempting to shut everything off, but powering down or rebooting can destroy forensic evidence held in memory — evidence that helps identify how the attackers got in and what they touched. Isolate systems from the network, but leave them powered on unless advised otherwise.
Step 3: Assess the scope
Work out what’s affected: which systems, which data, and whether your backups are intact. You can’t make good decisions until you understand how far it reached.
Step 4: Don’t rush to pay — or to talk to the attacker
Paying a ransom is never guaranteed to recover your data, can mark you as a repeat target, and may carry legal risk. Don’t open communications with the attacker on your own. This is a decision to make with expert and legal advice, not under panic.
Step 5: Preserve evidence and document everything
Photograph ransom notes, record timestamps, and note what you saw and when. This supports the investigation, any insurance claim, and any required reporting.
Step 6: Meet your Canadian notification obligations
Ransomware often involves a breach of personal information. Under Canada’s PIPEDA, a breach that creates a real risk of significant harm must be reported to the Privacy Commissioner and to affected individuals. You can also report the incident to the Canadian Centre for Cyber Security and to your local police. Our overview of PIPEDA breach reporting explains the obligations in plain language.
Notify your leadership and your cyber-insurance provider early — many policies require prompt notice.
Step 7: Engage incident response
Ransomware recovery is not a do-it-yourself job. An incident response team contains the attack, finds the entry point, eradicates the threat, and helps you rebuild safely — so you don’t restore your systems only to be hit again.
Step 8: Recover from clean backups
Once the environment is confirmed clean, restore from backups you have verified are unaffected. Rushing this step is how businesses reinfect themselves.
Step 9: Review and harden
After recovery, a root-cause review answers the most important question: how did they get in, and what stops it next time? Most ransomware enters through a phishing email, an exposed remote-access service, or a stolen password — all of which are preventable.
The best time to plan is before it happens
Businesses that recover well from ransomware almost always prepared in advance: tested backups, an incident response plan, and a security partner on call. If you’d like help getting ready — or you’re dealing with an incident now — contact our team.