Eradication and recovery
Before taking any recovery action, make sure you have recorded and documented details of the incident for evidence.
Start decontamination and recovery before reconnecting devices to your network.
Encrypted files
Files that have been encrypted by most ransomware can only be decrypted by the attacker or through expert intervention.
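Before wiping an infected device, it helps to have a record of which files were actually encrypted, together with their hashes, so the evidence survives recovery and the restore can be limited to what was lost. The following is an added example and is not part of the original guidance. It assumes that ransomware output is indistinguishable from random bytes (entropy close to 8 bits per byte) while ordinary documents sit well below that; the 7.5 threshold, the directory layout and the sample files are all constructed for this demonstration and should be tuned against known-good files in your own environment.

```python
"""Inventory of likely-encrypted files, taken read-only for the evidence record.

Added example, not part of the original guidance. Assumption: ransomware output
looks like random bytes (entropy near 8 bits/byte); readable documents do not.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune on known-good files


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def inventory(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Walk `root` and record path, size, sha256 and entropy of every file.

    Nothing is modified or deleted: the record is taken before any wipe so that
    the evidence survives recovery and restores can be targeted.
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            entropy = shannon_entropy(data)
            records.append({
                "path": os.path.relpath(path, root),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(entropy, 3),
                "likely_encrypted": entropy >= threshold,
            })
    return records


def build_sample_tree() -> str:
    """Create a constructed sample directory: one text file, one random-byte file.

    The random-byte file stands in for ransomware output; no real malware is involved.
    """
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    with open(os.path.join(root, "budget.txt"), "w", encoding="utf-8") as fh:
        fh.write("Term 1 budget\n" * 200)        # low-entropy, readable text
    with open(os.path.join(root, "budget.txt.locked"), "wb") as fh:
        fh.write(os.urandom(8192))              # high-entropy, stands in for an encrypted file
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rec in inventory(sample_root):
        flag = "ENCRYPTED?" if rec["likely_encrypted"] else "ok"
        print(f"{flag:10} {rec['entropy']:5.3f} {rec['sha256'][:16]}...  {rec['path']}")
```

The inventory is deliberately read-only: run it against the affected volume (or a forensic image of it) before the restart-and-wipe step, and keep the output with the rest of the incident record. Compressed or already-encrypted formats (archives, media, disk images) also score near 8 bits per byte, so treat the flag as a prompt to look, not as proof.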
There are online resources that provide collections of decryption tools, including:
Non-critical infrastructure infections
If critical infrastructure has not been infected, follow these recovery actions:
- Reset credentials and passwords: Reset any account credentials or passwords (especially for administrator or system accounts) that may have been impacted. You may choose to reset all accounts to be safe.
- Restart and wipe: Safely restart and wipe the infected devices to reinstall the operating system.
- Reconnect to the network: Make sure a device is free from malware before you restore it from a backup or connect it to your network. Use anti-virus software and triage all devices. This includes cloud-based devices and systems: run additional scans to make sure these have not been infected. Consider using a phased approach, restoring devices and systems from backup in waves rather than all at once. This can limit the spread of an infection if any remains. Connect devices to a clean network to download, install and update the operating system and any additional software.
- Scan devices: Once all operating system and software security updates are installed, run local anti-virus scans on all devices. When you have a clean scan, you can reconnect the device to your network.
- Stay vigilant: Continue to monitor network traffic and run anti-virus scans frequently to identify any remaining malicious presence.
For additional information on how to recover an infected device please follow NCSC Guidance.
“Backdoor” attacks
Depending on the incident, attackers may have hidden additional access to infected systems, known as a “backdoor”. Make sure all parts of your system have been inspected and triaged, including:
- backup volumes
- administrator storage
- unlikely sources of network activity
You can verify this through system anti-malware scans and system checks that include:
- a thorough vulnerability scan on all devices attached to your setting's network
- checking that all software and hardware is licensed and receives up-to-date functionality and security updates or patches
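The "stay vigilant" step above and the "unlikely sources of network activity" check both come down to the same question: after recovery, is any device talking to somewhere it did not talk to before? The following is an added example, not part of the original guidance or of any NCSC or CISA tool. It assumes you hold a per-host baseline of destinations captured from a known-good period, and that your firewall or proxy can export connection records; the `timestamp host dest_ip:port bytes` line format, the baseline and the log lines are all constructed for this demonstration, and the decision to treat only RFC 1918 addresses as internal is an assumption.

```python
"""Flag post-recovery network activity the pre-incident baseline does not explain.

Added example, not part of the original guidance. Assumptions: a per-host
baseline of normal destinations, a constructed "timestamp host ip:port bytes"
log format, and RFC 1918 ranges as the definition of "internal".
"""
import ipaddress
from collections import defaultdict

# Assumption: only RFC 1918 space counts as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline: destinations (ip:port) each host used before the incident.
BASELINE = {
    "ws-office-01": {"10.0.0.5:445", "10.0.0.10:53", "203.0.113.8:443"},
    "backup-srv": {"10.0.0.10:53"},  # a backup volume should not originate much at all
}

# Constructed log lines, not real traffic.
SAMPLE_LOG = """\
2024-05-01T08:00:01 ws-office-01 10.0.0.5:445 1200
2024-05-01T08:00:05 ws-office-01 203.0.113.8:443 8800
2024-05-01T08:01:00 ws-office-01 198.51.100.23:443 310
2024-05-01T08:02:00 backup-srv 10.0.0.10:53 120
2024-05-01T08:02:30 backup-srv 198.51.100.23:443 290
2024-05-01T08:03:00 ws-lab-07 10.0.0.5:445 4000
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, host, dest, nbytes = line.split()
    ip, port = dest.rsplit(":", 1)
    return {"ts": ts, "host": host, "ip": ip, "port": int(port), "bytes": int(nbytes)}


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def review(log_text, baseline):
    """Return (host, destination, reason) for every record the baseline does not cover.

    Reasons, each a ground to keep the device off the production network until explained:
    - "host has no baseline": a device appeared that was never profiled;
    - "new internal destination": a known host reached an internal address it did not use before;
    - "new external destination": the same, but to a non-RFC 1918 address (the strongest signal).
    """
    findings = []
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        dest = f"{rec['ip']}:{rec['port']}"
        if rec["host"] not in baseline:
            findings.append((rec["host"], dest, "host has no baseline"))
            continue
        if dest in baseline[rec["host"]]:
            continue
        reason = "new internal destination" if is_internal(rec["ip"]) else "new external destination"
        findings.append((rec["host"], dest, reason))
    return findings


def hosts_to_hold(findings):
    """Map each flagged host to the destinations that need explaining before reconnection."""
    held = defaultdict(list)
    for host, dest, reason in findings:
        held[host].append(f"{dest} ({reason})")
    return dict(held)


def shared_destinations(findings):
    """Unexplained destinations contacted by more than one host; a common one is worth a closer look."""
    seen = defaultdict(set)
    for host, dest, _reason in findings:
        seen[dest].add(host)
    return {dest: sorted(hosts) for dest, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = review(SAMPLE_LOG, BASELINE)
    for host, reasons in hosts_to_hold(found).items():
        print(f"HOLD {host}: " + "; ".join(reasons))
    for dest, hosts in shared_destinations(found).items():
        print(f"shared unexplained destination {dest}: {', '.join(hosts)}")
```

Run this over the export from the clean network segment during the phased reconnection: a host with no findings is a candidate to move to production, while any host listed by `hosts_to_hold` stays isolated until the destination is explained. The `shared_destinations` view matters because one external address reached by several recovered hosts, and in the sample by the backup server, is exactly the kind of leftover access the backdoor section describes.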
For more technical guidance, please see a publication released by CISA and NCSC.