Malware#ransomware#incident-response
My laptop is showing a ransom note. What do I do in the first 10 minutes?
By Vikram Iyer·May 14, 2026 6 min 15,035
Short answer
Disconnect from the network, do not pay, photograph the note, and isolate the device while you call your IR contact.
The full answer
Pull the Ethernet cable and disable Wi-Fi. Do not shut the machine down — volatile memory contains forensic evidence and sometimes the encryption key.
Take photos of the ransom note with your phone. Note any wallet addresses, contact emails, and the ransomware family name if shown. This determines whether a free decryptor exists on No More Ransom.
If you're at work, call your IR team or MSP immediately. At home, identify backups before doing anything else. Restoring from a clean offline backup is the only reliably safe recovery path.
Was this helpful?
Upvotes help us prioritise what to answer next.