You just saw the ransom screen. Files are encrypted. The clock's already running.
Here's what to do, and what not to do, because the wrong moves in the first hour can cost you everything.
First: Don't panic and don't pay
Not yet, anyway.
69% of businesses that paid ransom were hit again within a year (Veeam 2025 Ransomware Trends). Payment doesn't guarantee you get your data back either. Before any money changes hands, there are calls to make and steps to take that'll determine whether your business survives this.
Hour 1: Stop the bleeding
Your only job right now is containment. Every infected machine that stays connected is another machine that can be reached.
Pull the ethernet cables on any system showing the ransom screen. Disable Wi-Fi adapters through Network Settings. If you have a server room and know how to isolate VLANs, do it. If you don't, start physically unplugging things.
Don't power the machines off. This feels wrong. But memory holds forensic data that investigators need, and powered-off machines lose it.
Grab your phone and take photos of every ransom screen you can find. Write down the exact time you discovered it. These details matter for insurance claims and they're easy to forget when you're under this kind of stress.
Hour 2: Make the calls
Three calls, in this order.
Your cyber insurance carrier. Not customer service. The claims line. Most policies require notification within 24-72 hours, and missing that window can affect your coverage. The number's on your policy declarations page.
A lawyer. Washington's RCW 19.255.010 requires breach notification if personal data was exposed. You want counsel before you start telling people what happened. The wrong disclosure at the wrong time creates liability.
Your IT provider or MSP. Tell them what's happening but be clear: don't touch anything yet. Premature cleanup destroys the forensic evidence your insurance carrier will need.
Hour 3: Figure out what you're actually dealing with
Once containment's done and the calls are made, you need a real picture of the damage.
Which systems are encrypted? Which aren't? Did your backup systems get hit? That last question matters most. A lot of ransomware variants specifically target backup drives and cloud-synced folders like OneDrive and SharePoint before triggering the visible attack. If your backups were connected when this happened, assume they're compromised until you can prove otherwise.
Don't start restoration yet. You're still in the assessment phase.
Hour 4: Make a plan
You need your most recent clean backup and you need to know it actually works. Not assumed to work. Verified, on an isolated system.
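One way to run that check on the isolated system, as an added example that is not from the original article: this Python script walks a restored backup and flags files whose headers or byte entropy look like ciphertext rather than real documents. The extension lists, the 7.0 bits-per-byte threshold, and the sample files are assumptions chosen for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Compressed formats are high-entropy even when healthy, so for those the
# leading "magic" bytes are the reliable signal, not entropy.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK", ".docx": b"PK", ".xlsx": b"PK"}
TEXT_EXT = {".txt", ".csv", ".log", ".json", ".xml"}
ENTROPY_LIMIT = 7.0  # bits per byte (assumed threshold; plain text is ~4-5)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())

def check_file(path: Path, sample: int = 65536) -> str:
    """Return 'ok', 'suspect' or 'unknown' for one restored file."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    ext = path.suffix.lower()
    if ext in MAGIC:
        return "ok" if head.startswith(MAGIC[ext]) else "suspect"
    if ext in TEXT_EXT:
        return "suspect" if entropy(head) > ENTROPY_LIMIT else "ok"
    return "unknown"  # unfamiliar or appended extension: review by hand

def scan_restore(root: str) -> dict:
    """Walk a restored tree and group relative paths by verdict."""
    report = {"ok": [], "suspect": [], "unknown": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            report[check_file(p)].append(str(p.relative_to(root)))
    return report

def build_sample(root: Path) -> None:
    """Constructed demo tree: two healthy files, three that need attention."""
    noise = bytes(range(256)) * 16  # stand-in for ciphertext (entropy 8.0)
    (root / "notes.txt").write_text("quarterly totals\n" * 50)
    (root / "scan.pdf").write_bytes(b"%PDF-1.7\n" + noise)
    (root / "ledger.csv").write_bytes(noise)
    (root / "photo.jpg").write_bytes(noise)
    (root / "contract.docx.locked").write_bytes(noise)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        for verdict, files in scan_restore(d).items():
            print(verdict, files)
```

A clean result here only means the files look structurally intact. Open a sample of the restored files and confirm the applications that depend on them start before you rely on the backup.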
Start incident documentation now if you haven't already. This becomes your timeline for insurance, for law enforcement, and for the root cause analysis that comes later. Timestamps, screenshots, logs, everything.
What not to do
Don't wipe the machines. Forensics needs them. Your insurance carrier needs them. Law enforcement may need them. Wiping buys you nothing right now.
Don't hide it. I get it. It's embarrassing and it's scary. But Washington law requires notification if personal information was compromised, and trying to cover it up turns a technical incident into a legal one. The penalty is up to $500 per violation.
Don't assume your backups are fine. Test restoration on an isolated system before you stake your business on it.
Washington state law
Under RCW 19.255.010, if the attack exposed unencrypted personal information, you're required to notify affected individuals "in the most expedient time possible." That includes Social Security numbers, driver's license numbers, financial account numbers, and health information.
If 500 or more Washington residents were affected, you also have to notify the Attorney General's office. This is exactly why you want a lawyer involved early.
What recovery actually costs
No sugarcoating.
| Recovery Component | Typical Range |
|---|---|
| Forensic investigation | $10,000-50,000 |
| System restoration | $5,000-25,000 |
| Business interruption (per day) | $8,500 average |
| Legal and notification costs | $5,000-20,000 |
| Regulatory fines (if applicable) | Variable |
Average total recovery lands around $1.53 million according to Sophos State of Ransomware 2025. Cyber insurance typically covers 60-80% of that, but only if you met the policy requirements. Which is why the insurance call happens in hour 2, not hour 4.
Questions we hear from local businesses
Should I just pay the ransom?
Usually no. Veeam's research shows 69% of businesses that paid were hit again within a year, and payment doesn't guarantee you get your data back. That said, your insurance carrier and legal counsel should be part of that decision before you do anything with money.
How long does recovery take?
Depends almost entirely on your backups. With clean, tested backups, some recoveries take 3-5 days. Without them, you're looking at weeks, and costs stack up fast when you're offline.
Does cyber insurance actually cover ransomware?
Most policies do, including ransom payment, forensics, and business interruption. But coverage depends on following the notification requirements. That's why the claims call comes first.
Can ransomware hit cloud storage too?
Yes. Some variants specifically target OneDrive and SharePoint sync folders before triggering the visible attack. Suspend cloud sync immediately during containment.
Are Tacoma businesses required to report ransomware attacks?
If personal information was exposed, yes. Washington's RCW 19.255.010 requires notification. If 500 or more Washington residents were affected, you also have to notify the AG's office.
How Rain City Can Help
If you're in the middle of an incident right now, call (206) 408-3252. We can walk you through containment, help coordinate with your insurance carrier, and connect you with forensic partners if needed. We work with Pierce County and King County businesses and know the local legal landscape.
If you want to get ahead of this before it happens, we'll review your backup procedures, test your recovery process, and identify the gaps that attackers actually exploit. Most of the businesses that survive ransomware had a plan before they needed one.
Sources:
- Veeam 2025 Ransomware Trends Report
- Sophos State of Ransomware 2025
- FBI IC3 Annual Report
- Washington RCW 19.255.010 (Data Breach Notification Law)