Quiz Entry - updated: 2026.06.24
If you suspect ransomware is actively running, what should you do — and should you pay?
Hard-shut-down the machine immediately, clean it from a live system, restore from backup — and do not pay.
Immediate response:
- Switch the computer off "hard" at once (to halt ongoing encryption)
- Boot a live system (a clean rescue OS), then scan, clean, and re-secure the data from there
- Report it — to the national cyber authority (e.g. NCSC) and your local police
Why not pay:
- it funds and strengthens criminal infrastructure
- there's no guarantee you'll receive a working key
- it marks you as a payer — the next attack follows, with a higher demand
The real takeaway: the most important action happens before the incident — having a tested, offline backup. Everything during the incident is damage control.
Tip: Don't overwrite older backups during a panic restore — an earlier clean backup may be the only uninfected copy you have.