You sit down at the kitchen table in Riverside, wake up the home PC, and instead of your desktop you see a black screen with red text demanding $1,800 in Bitcoin and a 72-hour countdown timer. Maybe a logo for LockBit, Phobos, or Akira. Your photos, tax returns, and that small-business spreadsheet you’ve been keeping for three years all show up with weird new extensions and won’t open.
The next thirty minutes determine whether this is a recoverable incident or a permanent loss of every file on the machine. Here is the exact sequence we walk Wichita customers through over the phone before we even leave the shop.
1. Disconnect from the network — but do not power off
The very first move is cutting the network connection, not pulling the plug. Ransomware spreads to other devices on the same network — file shares, NAS drives, plugged-in backup drives, other family PCs — and every minute the infected machine stays connected to Wi-Fi or Ethernet is another minute it’s looking for things to encrypt.
- Unplug the Ethernet cable from the back of the PC if it’s wired
- Turn off Wi-Fi at the hardware level if you can — most laptops have a function key (often F2 or F12) or a physical switch
- If neither is reachable fast, unplug the home router or switch off Wi-Fi from your phone’s router app
Leave the computer powered on. Some ransomware families keep their encryption key in RAM during the attack, and a powered-on machine preserves that memory state for forensic recovery. Powering off can also corrupt partially-encrypted files in ways that make them unrecoverable even if a decryptor exists later.
2. Photograph the ransom screen and document everything
Before you touch anything else, pick up your phone and take clear photos of:
- The full ransom screen, including the variant name or logo, the wallet address, the ransom amount, and the countdown timer
- Any text the screen displays about how to pay or contact the operators
- A few file folders showing the new file extensions (often .lockbit, .phobos, .akira, .encrypt, .locked, or random strings)
- The date and time visible on the system clock
Then write down, on paper or in a phone note: what you were doing right before this appeared, what email attachments you opened in the last 24 hours, what websites you visited, and whether anyone else uses this computer. This timeline is what the FBI and your insurance carrier will ask for first.
3. Report it to the right places — in this order
Ransomware is a federal crime. Wichita PD and Sedgwick County deputies will take a report for your records, but they don’t investigate the perpetrators — that’s the FBI’s job. Here is the right reporting sequence:
- FBI IC3 (ic3.gov) — file an Internet Crime Complaint Center report. It’s free, takes 15-20 minutes, and creates the federal record your insurance and any future legal action will reference. Have your photos and timeline ready.
- FBI Wichita Resident Agency — for active threats, ongoing extortion, or small-business incidents, call the field office. They route Kansas cyber incidents through the Kansas City field office.
- Wichita Police non-emergency line (316-268-4111) — for the local paper trail, especially if the incident is connected to identity theft or a stolen device.
- Your insurance carrier — call before you start cleanup. If you have a cyber rider, they may have a preferred incident-response process.
Don’t email the criminals. Don’t visit the link in the ransom note. Don’t pay.
4. Assess the state of your backups
This is the question that decides everything: where is your data right now?
Walk through this checklist on a different device — your phone, a tablet, another household computer:
- External backup drive that’s currently unplugged from the infected machine? You’re in great shape. Don’t plug it in yet.
- External drive that was plugged in during the attack? Assume it’s encrypted too. Don’t plug it into a clean machine until we can image it safely.
- OneDrive, iCloud, Google Drive, or Dropbox? Open the web interface from a clean device and check the file version history. Most cloud services keep 30 days of versions, which lets you restore unencrypted copies.
- Backblaze, Carbonite, or other versioned cloud backup? This is the gold-standard scenario. They keep historical versions specifically to protect against ransomware.
- No backup at all? Honest answer: you may lose the data. Skip to step 5 and we’ll see what’s recoverable.
If you have a clean backup, the decision is easy: don’t try to recover anything from the infected drive. Wipe and restore.
5. Decide: recovery attempt vs. wipe-and-restore
For a home PC, there are really three paths from here:
Path A — Wipe and restore from backup (best outcome). If you have a recent unaffected backup, the cleanest move is a complete drive wipe, fresh Windows install, and restore. This guarantees the malware is gone and gets you back on a known-good system. We don’t try to “clean” a ransomwared OS — too many places for the malware to hide, and re-infection rates are high.
Path B — Try free decryptors (no backup, common variant). The No More Ransom project (nomoreransom.org) maintains free decryptors for over 200 ransomware families. We identify the exact variant from your file extensions and ransom note, then run the matching decryptor in a sandboxed environment. About 1 in 4 home cases we see has a working free decryptor. The other 3 do not.
Path C — Forensic data extraction (no backup, no decryptor). When neither A nor B is possible, we still attempt to recover anything salvageable: shadow copies the malware missed, unencrypted files in temp directories, browser-cached documents, deleted-but-not-overwritten files. Recovery is partial at best, but for sentimental data — photos, kids’ school files — it’s often worth the attempt before wiping.
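An added example, not part of the original guide or the shop's own tooling: a read-only triage pass for Path C, meant to be run from a clean workstation against a mounted copy of the drive image. It flags files carrying the extensions listed in step 2 and checks whether common photo and document types still begin with their expected file signature; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Extensions the guide lists in step 2 as typical ransomware renames.
RANSOM_EXTS = {".lockbit", ".phobos", ".akira", ".encrypt", ".locked"}
# Leading signature ("magic") bytes of common personal-file formats.
JPEG, ZIP = b"\xff\xd8\xff", b"PK\x03\x04"
MAGIC = {".jpg": JPEG, ".jpeg": JPEG, ".png": b"\x89PNG\r\n\x1a\n",
         ".pdf": b"%PDF-", ".docx": ZIP, ".xlsx": ZIP, ".zip": ZIP}

def classify(path):
    """Return 'renamed', 'intact', 'damaged' or 'unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTS:
        return "renamed"              # carries a known ransomware extension
    magic = MAGIC.get(ext)
    if magic is None:
        return "unknown"              # no signature on record for this type
    try:
        with open(path, "rb") as fh:  # read-only; the evidence is never modified
            head = fh.read(len(magic))
    except OSError:
        return "unknown"              # unreadable file; leave for manual review
    return "intact" if head == magic else "damaged"

def triage(root):
    """Walk root and tally every file by classification."""
    tally = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            tally[classify(os.path.join(dirpath, name))] += 1
    return tally

def build_sample(root):  # constructed sample tree standing in for a mounted image
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # valid JPEG header
        "taxes.pdf": b"\x8a\x13\x5c\x99" + b"\x00" * 16,   # header overwritten
        "budget.xlsx.akira": b"\x01\x02\x03\x04",           # renamed by malware
        "notes.txt": b"hello",                              # type with no signature
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(dict(triage(tmp)))
```

A matching signature only shows that the first bytes are untouched, so treat "intact" files as candidates to open and verify on the clean machine, not as confirmed good.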
What we will not do is pay the ransom on your behalf or recommend payment. Beyond the ethics, the practical math doesn’t work out.
When to call a Wichita computer pro
Bring it in or call us instead of fighting it alone if any of these apply:
- The infected machine has the only copy of business records, tax returns, or irreplaceable family photos
- You see ransomware on a small-business PC or any machine that’s connected to a work network
- Other devices in the house are showing symptoms (slow file access, weird extensions, files won’t open)
- The ransom note threatens to leak data publicly (this is the “double extortion” tactic — common with LockBit and Akira)
- You’re not sure whether your backup drive was connected during the attack
- The infected machine handles online banking, taxes, or healthcare logins (we’ll help you rotate credentials and check for follow-on fraud)
- You’ve already powered the machine off and aren’t sure what to do next
How Wichita Computer Pro handles ransomware response
When you call, you reach a real Wichita technician — not a national help desk. We dispatch from inside Wichita and typically reach Riverside, College Hill, Eastborough, Crown Heights, Park City, Derby, Bel Aire, Andover, Maize, and Goddard within a few hours for in-home pickup, or you can drop the machine at the shop directly.
Our standard incident response is: containment and triage on arrival, variant identification, evidence preservation for any insurance or law enforcement follow-up, decryptor attempt where a free one exists, full drive imaging before any destructive recovery, and clean-restore on either the original drive or a fresh SSD. We document the entire process with timestamped notes you can hand to the FBI or your insurer.
For households with multiple devices, we also check every other PC, laptop, and NAS on the network for indicators of compromise before we sign off — the worst outcome is cleaning one machine while a second infected one re-encrypts everything next week.
What it usually costs
Rough ranges for what we charge on home and small-business ransomware response in the Wichita metro:
- Initial assessment and containment (in-shop): $175-$250
- In-home emergency containment visit: $250-$400
- Full clean-and-restore from existing backup: $400-$750 depending on data volume
- Clean-and-restore with no backup, decryptor available: $600-$1,000
- Forensic data recovery attempt, no decryptor: $750-$1,200 (no guarantee on what’s recoverable)
- Multi-device household sweep and hardening: $150-$300 add-on
These are technician costs. New hardware (replacement SSD, fresh Windows license if needed) is separate and quoted on the spot.
Prevention checklist before the next attempt
Most of the home-PC ransomware cases we see could have been blocked in 30 minutes the day before:
- Turn on automatic Windows Update and don’t postpone restarts more than a few days
- Replace any reused passwords with unique ones from a password manager (Bitwarden and 1Password both have free or low-cost tiers)
- Enable multi-factor authentication on Microsoft, Google, Apple, and any banking accounts
- Set up versioned cloud backup (Backblaze runs $9/month and protects against ransomware by design)
- Add a second backup drive that you only plug in once a week, then unplug and store away from the PC
- Disable Remote Desktop Protocol unless you actually use it, and never expose RDP to the open internet without a VPN
- Train every household user — kids included — to never click “update Chrome” prompts that appear on websites; updates only happen inside the browser itself
- If you run a home business, talk to your insurance agent about a cyber rider — $25-$75 per year is cheap insurance against a $5,000 loss
If you’d like a pre-incident hardening visit — we walk through your PCs, check backup configurations, audit accounts, and flag anything vulnerable — give us a call at (316) 600-9707. It’s the cheapest visit on our schedule and it pays for itself the first time something hits.
Frequently asked questions
Should I shut the computer down to stop the ransomware?
No — pulling the plug is one of the worst things you can do in the first ten minutes. Some ransomware variants like LockBit and Akira hold the encryption key in RAM during the attack, and a clean memory dump from a powered-on machine can sometimes be used by recovery tools or law enforcement to decrypt files. Disconnect the network instead — pull the Ethernet cable and turn off Wi-Fi from a hardware switch if possible. The computer stays on; the network connection is what you cut.
Is it ever okay to pay the ransom?
For a home user in Wichita, almost never. The FBI's official guidance is do not pay, and there are three big reasons: payment funds the next attack, you may be violating OFAC sanctions if the group is on the sanctions list, and around 30% of paying victims either never receive a key or receive one that doesn't work. The only realistic exception is a small business with no backups facing existential data loss, and even then it should only happen with an incident-response firm and legal counsel involved. For a home PC, the math always favors wiping and restoring.
How did ransomware get on my computer in the first place?
The four most common entry vectors we see in Wichita home PCs are: phishing emails with malicious attachments or links (often disguised as invoices, shipping notices, or DocuSign requests); fake browser update prompts (especially the 'your Chrome is out of date' overlay that appears on compromised websites); exposed Remote Desktop Protocol on machines with weak passwords; and pirated software or 'cracked' game downloads. If you have RDP enabled on a home machine and it's reachable from the internet without a VPN, you should assume it will eventually be hit.
Can I just run an antivirus scan to remove ransomware?
Antivirus can sometimes remove the ransomware executable, but it cannot decrypt files that have already been encrypted. By the time you see the ransom screen, the damage to your files is already done — running a scan won't bring them back. The realistic path is: contain the infection, document for police and insurance, identify the variant, check the No More Ransom project for a free decryptor, and if none exists, wipe and restore from backup. Antivirus is part of the cleanup, not the solution.
Should I report this to the police, the FBI, or both?
Both, in this order: file an FBI IC3 report at ic3.gov first (it's free, takes about 15 minutes, and creates the federal record your insurance will ask for), then call the FBI Wichita Resident Agency or Wichita Police non-emergency line if there's evidence of ongoing access or a small business is involved. The FBI tracks ransomware groups across cases, and your single report can contribute to a takedown — that's how the LockBit infrastructure was disrupted in 2024. Sedgwick County local law enforcement won't investigate the criminals directly but will document the incident for your records.
Will my homeowners insurance cover ransomware damage?
Standard Kansas homeowners policies almost never cover ransomware on personal computers — cyber damage is usually excluded unless you've added a specific endorsement. Some carriers (Allstate, State Farm, USAA) sell low-cost cyber riders for $25-$75 per year that cover home incident response, data recovery, and identity restoration up to a cap. For small businesses operating from home, a separate cyber liability policy is the right product. Document everything regardless — even an excluded claim builds a paper trail you may need for tax loss deductions.
How long does it take to fully clean and restore a ransomwared PC?
For a home PC with a recent backup and no business data, the clean-and-restore process typically takes 6-12 hours of bench time, spread across 1-2 days. That includes secure data extraction from the encrypted drive (where possible), drive wipe, fresh OS install, application reinstall, restore from backup, and final hardening. Without a backup, the timeline depends entirely on whether a free decryptor exists for the specific variant. Add 1-3 days if we're trying decryptors against No More Ransom or recovering data from shadow copies that the malware missed.
How do I make sure this never happens again?
Six habits stop almost all ransomware in our experience: keep Windows and your browser updated automatically, use a password manager so every login is unique and long, enable multi-factor authentication on email and any cloud accounts, run a reputable AV with behavior-based protection (Microsoft Defender is fine if it's actually on), back up to a drive that isn't always plugged in (or to a versioned cloud service like Backblaze), and be skeptical of any browser pop-up or email asking you to install or update something. The single biggest factor is the disconnected backup — if your backup drive is plugged into the PC when it gets infected, the ransomware encrypts that too.