Windows Autopatch: Some admins may have seen Quality and Feature Update reports incorrectly showing "SYSTEM_SCRUBBED" in Windows Autopatch (incident).
View Microsoft 365 Status
Get Started
Need IT support or a security review?
Talk with OpenTech about managed IT, cybersecurity, Microsoft 365, or urgent support.
Request Service Create Ticket
Knowledge Base / Backup & Recovery / Recovery Steps After Suspected Ransomware
Backup & Recovery

Recovery Steps After Suspected Ransomware

Use this guide if files appear encrypted, inaccessible, renamed unexpectedly, or part of a suspected ransomware event.

Treat this as critical
Do not continue normal use of the affected system. Containment comes before recovery.

Immediate actions

  1. Disconnect affected devices from the network if safe to do so.
  2. Do not wipe or rebuild the system.
  3. Do not delete ransom notes or encrypted files.
  4. Create a critical ticket immediately.
  5. Wait for OpenTech guidance before attempting recovery actions.

Why this matters

Recovery may depend on preserving evidence, confirming scope, validating clean restore points, and preventing spread before restoring data.

Create Critical Ticket Incident Response