Ransomware IR steps: Isolate affected systems → Assess scope (how many systems?) → Identify variant (ransom note, extension) → Locate clean backups → Notify legal/insurance/law enforcement → Restore from backup → Root cause analysis → Remediate entry point.
Never pay ransom without involving legal counsel. Paying doesn't guarantee decryption. Double extortion: even after paying, the threat from the stolen data remains. Backup viability is the #1 factor in ransomware response success. Test backups regularly: discovering they're corrupted during a ransomware incident is catastrophic.