
Hospital Ransomware Help — Free Emergency Response Guide

It's 3am. Your hospital systems are down. Files are encrypted. There's a ransom note on every screen. Patients are waiting. You have no security team. This guide tells you exactly what to do — minute by minute.

PATIENT SAFETY FIRST. If systems controlling life-critical equipment (ventilators, IV pumps, monitoring) are affected, switch to manual operation immediately. Patient care comes before any IT response. Activate your facility's downtime procedures NOW.

Phase 1 — First 30 minutes (Contain the attack)

Immediate actions
1. Disconnect from the network — but do NOT shut down. Unplug ethernet cables from affected machines. Disable Wi-Fi on affected devices. Do NOT power off — shutting down destroys forensic evidence in memory and can corrupt partially encrypted files.
2. Photograph the ransom note. Take a photo with your phone. Note the exact text, any email addresses, bitcoin wallet addresses, and deadlines. This identifies which ransomware variant hit you — which determines if free decryption is possible.
3. Isolate the network segments. If your IT person is available: disconnect the affected VLAN/subnet from the rest of the network. Unplug switches connecting the affected department. The goal is to stop lateral spread.
4. Switch to paper records. Activate downtime procedures. Pull out paper forms for patient intake, medication administration, lab orders. Hospitals operated on paper for decades — you can do this temporarily.
5. Secure your backups. If you have backup systems — disconnect them from the network RIGHT NOW. If backups are cloud-based, change the cloud account password from a clean device. Attackers often target backups first.

Phase 2 — First 2 hours (Report and get help)

Get expert help — free resources
6. Use TeraDef's Cyber First Aid. Go to teradef.com → Cyber First Aid. Describe your situation (hospital, ransomware, what systems are affected). Get AI-powered guidance specific to healthcare ransomware — free, 24/7.
7. Contact your national CERT. They provide free incident response coordination: CISA (US: 1-888-282-0870), NCSC (UK: 020 7451 2920), CERT-In (India: 1800-11-4949), AfricaCERT, or find yours at first.org/members/teams.
8. Check for free decryptors. Go to nomoreransom.org — upload your ransom note or encrypted file sample. Many ransomware variants have been cracked and free decryption tools exist. This could save you immediately.
9. Report to law enforcement. File a formal report. In the US: FBI IC3 (ic3.gov). In EU: Europol. In your country: contact the national cybercrime unit. This creates a legal record and may help with insurance claims.
10. Notify hospital leadership and legal. Brief the CEO/administrator, board, and legal counsel. They need to know immediately for regulatory compliance (HIPAA, GDPR, local data protection laws require breach notification within specific timeframes).

Phase 3 — First 24 hours (Recovery)

Restore operations
11. Assess backup availability. Are your backups intact? When was the last successful backup? Can you restore from them? If yes — begin restoration on clean/rebuilt systems (never restore onto compromised machines).
12. Prioritize critical systems. Restore in this order: (1) life-safety systems, (2) patient records/EMR, (3) lab and imaging, (4) pharmacy, (5) billing and admin. Patient care first, always.
13. Reset ALL credentials. Every password in the hospital — Active Directory, email, EMR logins, VPN, remote access, vendor portals. The attacker likely has your credentials. Reset everything from clean devices.
14. Notify patients if data was compromised. Most jurisdictions require notification within 72 hours. Prepare a clear, honest communication. Offer credit monitoring if financial data was exposed. Your legal team should guide the exact language.
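
An added example (not part of the original guide) for step 11: a read-only Python check that walks a mounted backup copy and flags files that look encrypted, using file-signature mismatches and byte entropy. The `.locked` extension and the sample files are constructed for illustration; the 4096-byte sample size and the 7.5 threshold are assumptions to tune.

```python
import math
import os
import tempfile
from collections import Counter

# Well-known leading bytes for a few common document types.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_backup(root, sample=4096, threshold=7.5):
    """Return {relative_path: reason} for backup files that look encrypted."""
    suspect = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # read-only: the backup is never modified
                head = fh.read(sample)
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(path, root)
            if ext in MAGIC:
                if not head.startswith(MAGIC[ext]):
                    suspect[rel] = "signature mismatch"
            elif entropy(head) > threshold:
                # Compressed archives and video also score high: review by hand.
                suspect[rel] = "high entropy"
    return suspect

def build_sample(root):
    """Write constructed sample files: two healthy, two mimicking encrypted data."""
    files = {
        "intake.pdf": b"%PDF-1.7\n" + b"patient intake form\n" * 50,
        "notes.txt": b"ward 3 handover notes\n" * 100,
        "labs.pdf": os.urandom(4096),         # PDF name, random content
        "scan.dcm.locked": os.urandom(4096),  # hypothetical appended extension
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in sorted(triage_backup(tmp).items()):
            print(f"{rel}: {reason}")
```

Run it from a clean machine against a copy or read-only mount of the backup; a backup set with many flagged files was probably taken after encryption began, so check an older one.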

DO NOT PAY THE RANSOM. FBI, CISA, Europol, and every major cybersecurity agency advises against paying. Paying does not guarantee you'll get your data back. It funds the criminal group and marks you as a willing payer — making you a target for future attacks. 80% of organizations that pay are attacked again.

Free cybersecurity resources for hospitals

TeraDef — Free Cyber First Aid

24/7 AI-powered incident response guidance. Free, no account needed.
teradef.com/first-aid

No More Ransom — Free Decryptors

Check if free decryption tools exist for your ransomware variant.
nomoreransom.org

CISA — Free Vulnerability Scanning

US hospitals can get free vulnerability scanning from CISA.
cisa.gov/cyber-hygiene-services

Health-ISAC — Healthcare Threat Intelligence

Free membership tier for small healthcare organizations.
health-isac.org

FIRST — Find Your National CERT

Directory of national Computer Emergency Response Teams worldwide.
first.org/members/teams

Why hospitals are the #1 ransomware target

Healthcare ransomware attacks surged 36% in late 2025. Hospitals are targeted because they cannot afford downtime — patient lives depend on systems being operational. Attackers know hospitals are more likely to pay quickly. Small clinics and rural hospitals are hit hardest because they typically have no dedicated cybersecurity staff, outdated systems, and limited budgets.

TeraDef exists because no hospital should face a ransomware attack alone. Whether you're a 10-bed rural clinic or a 500-bed hospital — the emergency response steps are the same, and this guidance is free, forever.
