The call came in at 7 a.m. on a Tuesday. A solo forensic examiner I know — ten years in business, good reputation, active caseload — woke up to find every file on his work server encrypted. The ransom note named a price in Bitcoin. His client evidence from three active cases was behind the encryption. His backups? Also encrypted. Same network share.
This happens more than people talk about. Small forensic firms hold highly sensitive data — evidence from criminal cases, civil litigation, corporate investigations. That makes them targets. And it puts the examiner in a uniquely uncomfortable position: you’re the incident responder, but you’re also the victim.
Here’s how to handle it correctly, starting from the moment you realize what’s happened.
The First 30 Minutes: Don’t Make It Worse
The instinct when you see ransomware is to start clicking. Don’t.
The most common mistake in the first minutes of a ransomware incident is taking actions that destroy forensic evidence, spread the infection, or both. Here’s what to do instead.
Stop typing. Take your hands off the keyboard. Think for 30 seconds before you do anything.
Photograph everything. Before you touch anything, photograph every screen that’s visible. The ransom note, any error messages, what’s currently running. Your phone camera is fine. This creates a timestamped record of the initial state.
Identify what’s affected. Ransomware typically spreads through network shares and mapped drives before it finishes encrypting. Look at what’s encrypted versus what isn’t. This helps you understand the blast radius before you start pulling network cables.
Isolate, don’t shut down. The wrong move is immediately shutting down affected machines. Here’s why: some ransomware variants destroy shadow copies and backup catalogs during shutdown. Additionally, live memory may contain the encryption key or artifacts of how the ransomware entered your environment. Pull the network cable (or disable WiFi at the router level). Don’t power off.
Notify your cyber insurance carrier. If you have a policy (and you should), call them now. Many policies have a reporting window, and late notice can complicate or void coverage. They’ll often dispatch an incident response firm on your behalf. That’s a resource you’ve already paid for — use it.
Containment Steps
Once you’ve stabilized the immediate situation and documented the initial state, work through containment systematically.
Network isolation. Disconnect affected machines from the network. If you have a managed switch, you can do this via VLAN configuration without physically pulling cables. Document which machines you isolated and when.
Identify patient zero. Where did the ransomware enter? Common entry points for small professional firms: phishing email attachment opened on a workstation, RDP exposed to the internet with weak credentials, a compromised vendor’s remote access tool. Knowing the entry point tells you whether you’ve fully contained it or whether the attacker still has access.
Check authentication logs for unusual login times, unfamiliar IP addresses in remote access logs, and email logs for recent phishing messages. If you have endpoint detection tools, check their logs.
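One way to run that log check, as an added example that is not part of the original post: the script below triages a remote-access login log for the three signals named above (odd hours, unfamiliar source addresses, a run of failures ending in a success). The log lines, the "known" office/VPN ranges and the business-hours window are constructed assumptions; real RDP or VPN log formats will need their own parser.

```python
# Added example (not from the original post): triage a remote-access login log
# for the signals the text lists: logins at unusual hours, unfamiliar source
# addresses, and a burst of failures followed by a success. Log lines and
# network ranges are constructed; real RDP/VPN log formats differ.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

KNOWN_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]  # assumed office/VPN ranges
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time
FAIL_BURST = 5                  # failures from one source before a success is suspicious

SAMPLE_LOG = """\
2024-05-06T08:15:02 user=jdoe src=203.0.113.7 result=success
2024-05-06T23:41:10 user=jdoe src=198.51.100.23 result=failure
2024-05-06T23:41:12 user=jdoe src=198.51.100.23 result=failure
2024-05-06T23:41:15 user=jdoe src=198.51.100.23 result=failure
2024-05-06T23:41:19 user=jdoe src=198.51.100.23 result=failure
2024-05-06T23:41:22 user=jdoe src=198.51.100.23 result=failure
2024-05-06T23:41:30 user=jdoe src=198.51.100.23 result=success
2024-05-07T09:02:44 user=admin src=10.0.0.5 result=success
"""

def parse_line(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], ip_address(kv["src"]), kv["result"]

def triage(log_text):
    """Return (timestamp, user, source, reasons) for each success that looks suspicious."""
    failures = defaultdict(int)       # consecutive failures per (user, source)
    findings = []
    for line in log_text.splitlines():
        ts, user, src, result = parse_line(line)
        if result != "success":
            failures[(user, src)] += 1
            continue
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not any(src in net for net in KNOWN_NETWORKS):
            reasons.append("unfamiliar source address")
        if failures[(user, src)] >= FAIL_BURST:
            reasons.append(f"success after {failures[(user, src)]} failures")
        failures[(user, src)] = 0     # a success resets the streak for that pair
        if reasons:
            findings.append((ts.isoformat(), user, str(src), reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` and only the 23:41 login from the outside address is reported, with all three reasons attached; the two office-hours logins from known ranges pass.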
Assess your backups. Go to your backup system now. What’s the most recent clean restore point? Is the backup system on a network share that was also accessible during the attack? Offline or cloud backups (written to at scheduled intervals, then disconnected) survive ransomware — online backup shares mapped as network drives typically don’t.
If your backups are intact, you’ve already taken away most of the attacker’s leverage. Restoration is your path forward, not negotiation.
Do not pay the ransom without legal and insurance consultation. I’m not saying never pay — sometimes it’s the only practical option. But pay only after consulting your attorney and insurance carrier, and after verifying you actually can’t restore from backups. Paying doesn’t guarantee decryption, doesn’t guarantee the attacker doesn’t return, and in some cases may involve sanctions risk if the attacker is on a government watchlist.
Evidence Preservation During an Active Incident
Here’s where it gets complicated for forensic examiners specifically.
You are obligated to preserve client evidence. You are simultaneously managing an active incident that makes thorough forensic preservation more difficult. These obligations sometimes conflict.
Your client evidence is the priority. Before you focus on forensically perfect capture of the ransomware itself, assess whether you can restore or preserve client evidence. If your working copies are encrypted but you have a clean backup from before the attack, restoration may be the right first move to meet your professional obligations.
Document your incident response actions as you take them. A chain-of-custody problem you’ve created for yourself or a client can become a litigation issue later. Everything you do during response should be logged with timestamps: what you did, why, what changed as a result.
Preserve the ransomware artifacts. Once client evidence is secured, capture the ransomware itself. This means:
- Memory capture from the most recently affected machine (before shutdown) — see [RAM capture methodology](/ram-capture-civil-investigations/) for tool recommendations
- Copies of the ransom note and any modified files
- Network logs from your router or firewall for the incident window
- Authentication logs from any servers
These artifacts are valuable for law enforcement investigation, insurance claims, and your own recovery planning.
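For the timestamped action log described above and the artifact list it sits beside, here is an added example (not the original post’s code): a small hash-chained incident log in which every entry records when, what, why and what changed, stores the SHA-256 of any artifact preserved at that step, and commits to the entry before it, so a later edit to the record is detectable. The case label, hostnames and ransom-note bytes are constructed.

```python
# Added example (not from the original post): a hash-chained incident action log
# that records when/what/why/what-changed and the SHA-256 of any artifact preserved.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "prev" value for the first entry

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class IncidentLog:
    def __init__(self, case_id):
        self.case_id = case_id   # constructed label such as "IR-EXAMPLE-001"
        self.entries = []

    def record(self, action, reason, result, artifact=None, when=None):
        """Append one entry; artifact is the raw bytes of a preserved file."""
        entry = {
            "case": self.case_id,
            "seq": len(self.entries),
            "utc": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action, "reason": reason, "result": result,
            "artifact_sha256": hashlib.sha256(artifact).hexdigest() if artifact else None,
            "prev": _digest(self.entries[-1]) if self.entries else GENESIS,  # chain link
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if sequence numbers and the hash chain are intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            prev = _digest(entry)
        return True

RANSOM_NOTE = b"ALL YOUR FILES HAVE BEEN ENCRYPTED (constructed sample note)\n"

def build_sample_log():
    """Constructed sample: three of the first-hour actions the text describes."""
    log = IncidentLog("IR-EXAMPLE-001")
    t0 = datetime(2024, 5, 7, 7, 5, tzinfo=timezone.utc)
    log.record("Photographed every visible screen on FS01",
               "Record initial state before touching anything", "4 photos on phone", when=t0)
    log.record("Unplugged FS01 network cable", "Isolate without powering off",
               "FS01 off the network, still running", when=t0.replace(minute=12))
    log.record("Copied ransom note from FS01 desktop", "Preserve attacker artifact",
               "Copy on evidence drive", artifact=RANSOM_NOTE, when=t0.replace(minute=20))
    return log
```

The chain protects every entry except the most recent one, so each time you pause, copy the latest digest somewhere outside the log (a paper notebook or an email to yourself).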
Don’t let the forensic tools be your only resource. Your clients may have their own copies of documents you were working on. Before you spend days attempting to recover encrypted case files, check whether the client has working copies. This sounds obvious, but examiners in crisis mode often don’t make the call.
When to Involve Law Enforcement
Small firms often skip law enforcement involvement in ransomware incidents, either because they don’t want the attention or because they don’t think it’ll help. Both are understandable, but worth reconsidering.
FBI Cyber Division. The FBI has significant ransomware investigative resources and, in some cases, has obtained decryption keys for specific ransomware families that they share with victims. File a complaint at ic3.gov. This costs you nothing, creates a federal record (which insurance carriers like), and occasionally produces a decryption key.
If your cases involve law enforcement matters. If you’re holding evidence from criminal investigations — as a private examiner working for defense attorneys or prosecutors — you likely have a reporting obligation when that evidence is compromised. Check your engagement contracts and relevant bar rules (if you work for attorneys) before deciding whether and what to disclose.
Professional licensing boards. Depending on your jurisdiction and certifications, you may have professional reporting obligations when client data is compromised. CCE, CFCE, and similar certification holders should review their governing ethics rules.
CISA notification. The Cybersecurity and Infrastructure Security Agency encourages voluntary reporting of ransomware incidents at cisa.gov/report. This doesn’t create legal obligations but contributes to national threat intelligence.
Insurance Considerations
Cyber insurance for forensic firms is a specialized product. Most small firms either don’t have it, have a generic small-business policy that excludes cyber, or have a cyber policy they haven’t read carefully.
What a good cyber policy covers:
- Incident response costs (hiring an outside IR firm)
- Business interruption losses during the period you can’t operate
- Ransom payment (subject to conditions and limits)
- Regulatory fines and notification costs if client data is compromised
- Third-party liability if compromised client evidence affects their litigation
What typically isn’t covered:
- Your own hardware replacement (that’s property insurance)
- Intentional acts or your own negligence in security basics (e.g., no backups)
- Incidents you failed to report within the required window
- Payments to sanctioned entities (OFAC regulations apply to ransom payments regardless of insurance)
Practical steps to take now, before an incident:
- Review your current policy. Call your broker and ask specifically about ransomware coverage. Many small business cyber policies have sub-limits that are far lower than the main policy limit.
- Get covered if you’re not. Premiums for small professional firms are more manageable than you think, especially if you can demonstrate good security hygiene.
- Document your security practices. Insurers want to see patch management, backup procedures, MFA on email and remote access, and endpoint protection. Having documentation of your security practices helps at claim time and sometimes reduces premiums.
- Test your backups. Not just “do I have backups” but “have I successfully restored from them in the last 90 days?” Unverified backups are not backups.
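For the restore test just described, and for the “most recent clean restore point” question in the containment section, here is an added example (not the original post’s code): a hash manifest is written next to each backup, and after a trial restore the restored tree is checked file by file, so “I have backups” becomes “I restored them and every file verified”. The file names and contents in the demo are constructed.

```python
# Added example (not from the original post): a restore test, as the text asks for.
# A manifest of SHA-256 hashes is written at backup time; after a trial restore,
# the restored tree is checked file by file so "restored" means "verified".
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:          # stream, so large evidence images fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(source_dir, manifest_path):
    """Record relative path -> SHA-256 for every file under source_dir."""
    source = Path(source_dir)
    manifest = {str(p.relative_to(source)): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    Path(manifest_path).write_text(json.dumps(manifest, sort_keys=True))

def check_restore(restored_dir, manifest_path):
    """Return (ok, problems) listing files missing or altered in the restored copy."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = Path(restored_dir, rel)
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"altered: {rel}")
    return (not problems), problems

def run_demo():
    """Constructed sample: back up two files, restore, then damage the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst, manifest = Path(tmp, "src"), Path(tmp, "restored"), Path(tmp, "manifest.json")
        src.mkdir()
        (src / "case_042_report.pdf").write_bytes(b"constructed report bytes")
        (src / "case_042_image.E01").write_bytes(b"constructed image bytes")
        write_manifest(src, manifest)
        shutil.copytree(src, dst)
        clean = check_restore(dst, manifest)
        (dst / "case_042_image.E01").write_bytes(b"constructed encrypted bytes")
        (dst / "case_042_report.pdf").unlink()
        damaged = check_restore(dst, manifest)
    return clean, damaged
```

Keep the manifest with the offline copy rather than on the file server, since a manifest that was encrypted alongside the data verifies nothing.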
Recovery Planning
Once you’ve stabilized the incident, you’re looking at a recovery timeline. For small firms without a dedicated IT team, that timeline is often longer than it should be.
Restore from clean backup first. If you have one, use it. Rebuild on clean hardware or freshly wiped machines. Don’t restore ransomware-affected machines by just removing the malware — you can’t verify the environment is clean, and sophisticated ransomware often leaves backdoors.
Identify the root cause before you go back online. Restoring to a vulnerable environment gets you re-infected. If the entry point was a phishing email, your users need training before the restored environment goes live. If it was exposed RDP, close that port or implement network-level authentication before you reconnect.
Change every credential. All of them. Domain admin, local admin, email, cloud services, client portal. If the attacker had access to your environment, assume they have your passwords — even if they encrypted rather than exfiltrated.
Implement offline backups going forward. The 3-2-1 rule applies: three copies of data, two different media types, one offsite and offline. “Offsite” means not on the same network as your primary systems. “Offline” means not mapped as a network drive that ransomware can reach.
The examiner I mentioned at the beginning eventually recovered most of his client files — he had a partially disconnected NAS that wasn’t fully encrypted. It took two weeks, cost him approximately $15,000 in lost billable time and emergency IT work, and ended one client relationship permanently. He now runs weekly offline backups to encrypted drives stored at a separate location.
That’s not a perfect system. It’s a real one that a solo practitioner can actually maintain.
Frequently Asked Questions
Should a forensic firm ever pay the ransom?
Paying is a last resort, not a first response. Before considering it: exhaust backup restoration options, report to FBI and CISA (who sometimes have decryption keys for known ransomware families), and consult with your cyber insurance carrier (they often have relationships with negotiators and can reduce the amount). If you do pay, do it through your insurance carrier’s approved process, never directly. Be aware that payment doesn’t guarantee decryption — some actors take payment and disappear. And check OFAC’s Specially Designated Nationals list before any payment; ransoms to sanctioned groups can create legal exposure regardless of why you paid.
How do I communicate with affected clients during the incident?
Promptly and honestly, within the limits of your legal advice. If client evidence was affected, they need to know. Most clients would rather hear bad news early and directly than discover later that you concealed it. Your engagement agreement may specify breach notification requirements. If not, follow your professional judgment and err toward disclosure. Consult with an attorney before communicating about anything that might involve litigation.
What security tools does a small forensic firm actually need?
The basics that prevent most attacks: multi-factor authentication on email and remote access (this alone stops the majority of credential-based attacks), endpoint detection and response (EDR) software that’s more capable than basic antivirus, patched systems (turn on automatic updates for OS and applications), and offline backup with regular test restorations. Beyond that, a managed detection and response (MDR) service is worth the cost for firms that can’t monitor their own security environment. You’re probably not monitoring your firewall logs at 3 a.m. on Saturday — an MDR service is.
Does ransomware affect my professional certifications or standing?
A ransomware incident doesn’t automatically trigger certification actions, but the professional response to it might. Certifying bodies like ISFCE (for CFCE) and the International Association of Computer Investigative Specialists have ethics frameworks that include obligations around evidence handling and client confidentiality. If client evidence was compromised and you failed to notify clients in a timely way, or if the compromise resulted from grossly negligent security practices, that could create ethics exposure. Review your certification’s ethics standards with the guidance of an attorney if client evidence was affected.