You Do Not Have to Be an IT Person to Handle This

Ransomware hits dental practices on Tuesdays. It hits during morning huddle. It hits when the dentist is mid-procedure and the office manager is juggling three phone calls. The goal of this guide is to give you a clear, step-by-step response that you can follow before your IT team picks up the phone — because the decisions made in the first thirty minutes often determine how bad the next thirty days will be.

This playbook is written for office managers and practice owners who are not technical. You do not need to understand what ransomware does to follow these steps. You need to recognize it, stop it from spreading, and call the right people in the right order. That is all that is asked of you in the first hour.

Minute 0–5: Recognize What You Are Seeing

Ransomware usually announces itself. You are not looking for something subtle. The signs are hard to miss once you know what they are:

  • Files with unfamiliar extensions — documents that used to end in .doc or .pdf now show strange extensions like .locked, .encrypted, or a random string of letters. They will not open.
  • A ransom note on the desktop — usually a text file or an image file named something like README.txt, HOW_TO_RECOVER.txt, or DECRYPT_MY_FILES. It may open automatically. It will demand payment in Bitcoin and give you a timer or a contact address.
  • Practice management software won't open — Dentrix, Eaglesoft, Open Dental: if the software throws an error about missing database files or corrupted data, ransomware may have reached the server or database.
  • Workstations are locked or showing a full-screen message — some ransomware replaces the desktop entirely with a payment demand screen.
  • Unusually slow computers or network activity — in the early stages, before the ransom note appears, ransomware is silently encrypting files. Computers may become extremely slow.

If you see any of these signs, do not try to fix it yourself. Do not run a scan, do not restart, do not try to open the ransom note on multiple computers. Your one job in the first five minutes is to recognize that something is wrong and stop it from spreading further.

Important: Take photos with your phone. Photograph ransom notes on screen, photograph the affected workstations, photograph any error messages. These photos are evidence for your IT team, your cyber insurance claim, and potentially law enforcement. Do this immediately, before anything changes.

Minute 5–30: Isolate Before You Do Anything Else

Ransomware spreads across your network. Every minute it is connected, it reaches more computers, more servers, more backups. The single most important thing you can do before your IT team arrives — remotely or on-site — is cut the network connection.

How to Isolate the Network

  1. Unplug the network cable from the back of affected computers. It looks like a wide phone jack. Pull it out firmly.
  2. Turn off your Wi-Fi router and network switch if you can locate them. They are usually in a server room, a storage closet, or mounted in a back office. The network switch is the box with many cable ports. Unplug its power cable.
  3. If you cannot find the networking equipment, have every person in the office turn off their computer's Wi-Fi in Windows settings, or simply unplug every network cable they can reach.
  4. Do NOT power off the computers unless your IT provider specifically instructs you to. This is counterintuitive, but forensics can extract evidence from a running machine's memory that is lost when it is powered off. Leave them on, just disconnected from the network.

Once the network is isolated, ransomware running on the infected machines can no longer reach your server, your backup drives on the network, or other workstations. You have contained the damage to whatever was already encrypted. Isolation is the most impactful action a non-technical person can take — and it is completely within your ability to do.

Call Your IT Provider's Emergency Line

Call immediately. Do not send an email — email may be compromised or unreachable. Use the phone number from your printed contact sheet (more on why you need a printed sheet later). While the phone rings, note the time of your call. Note the time you first noticed the problem. These timestamps matter for breach notification requirements.

The takeaway: The two actions of minutes 5–30 are unplug and call. Unplug the network. Call your IT emergency line. Everything else waits.

Hour 1: Document and Notify Your Team Leads

While your IT team begins remote or on-site triage, your role shifts to documentation and internal communication. Start a written log — paper or phone notes — of every action taken and every observation made, with timestamps. This log will be referenced by your IT team, your cyber insurer, and potentially HHS.

What to Document

  • Which workstations appear affected (note computer names, locations — "front desk left," "operatory 2," etc.)
  • What you observed on each screen
  • What time the problem was first noticed and by whom
  • What actions were taken and by whom, with times
  • Any unusual events from the past 24–48 hours: unexpected emails opened, pop-ups, slow computers, staff who mentioned something strange

Notify Key Staff

Tell your dentists and hygienists that clinical software is unavailable and operations are on hold or limited to paper. Do not speculate about the cause in front of patients. A simple "We're experiencing a technical issue and are working to resolve it" is accurate and professional. Do not use the word "ransomware" with patients — you do not yet know the full scope, and public disclosure should be deliberate, not accidental.

If you have a paper schedule or can print one from a device not connected to the affected network (a cell phone or a separate tablet), do so now. You will need it if the outage extends through the day.

Hours 2–4: Assess the Scope

Your IT team will lead this phase, but you are their eyes on the ground. They need to understand the full picture:

  • Which workstations are confirmed encrypted? Walk through the office and check each one, reporting back what you see.
  • Is the server affected? This is the most critical question. If the server that hosts your practice management database is encrypted, recovery time is significantly longer. Your IT team will check this remotely or on-site.
  • Is the imaging server affected? Dental imaging (X-rays, cone-beam CT, photos) is often stored on a separate server. Its status determines whether clinical information is recoverable.
  • Are the backups intact? Your IT team will check whether backups were reached by the ransomware. Cloud backups with versioning may be intact even if local backups were encrypted. This is the single most important factor in what comes next.

Call Your Cyber Insurance Provider

Do this now, in hours 2–4, not after you have made decisions about how to respond. Your cyber insurance policy likely requires prompt notification — some policies have 24-hour or 72-hour notification windows. Your insurer can also provide immediate access to a breach response firm and legal counsel, which you will need before deciding whether to pay a ransom. Making the call before you have all the answers is correct — the insurer expects to be brought in early.

Hours 4–8: Choose a Recovery Path

There are three general paths after a ransomware attack: restore from backup, pay the ransom, or a hybrid approach. Your IT team and cyber insurer will guide this decision, but understanding the options helps you participate in it.

Restore from Backup

If you have a recent, clean backup that the ransomware did not reach, restoration is almost always the right path. It avoids payment, it does not fund criminals, and it typically results in faster and more reliable recovery. How long restoration takes depends on the size of your data and the speed of your backup infrastructure — for most dental practices, a full restore from a recent backup takes 4 to 24 hours of active work.

Paying the Ransom

Paying should only be considered when no viable backup exists and a complete rebuild would take weeks. Do not pay without legal and insurance involvement. Some criminal groups are on government sanctions lists, and paying a sanctioned entity can create legal liability. Others take payment and do not provide a working decryption key, or provide a slow and buggy one that leaves data partially corrupted. Payment also signals that your practice is a paying target, which can invite repeat attacks.

If payment is being considered, your cyber insurer typically has negotiators who interact with these groups regularly and may be able to reduce the demanded amount significantly.

Preserve Evidence for Forensics

Before any systems are wiped or restored, your IT team or a forensic firm needs to image the affected drives — make an exact copy of the encrypted state. This evidence is required for insurance claims, is often required for HIPAA breach investigation, and helps determine the full scope of the incident. Starting restoration without capturing forensic images can void your cyber insurance claim. Confirm with your IT provider and insurer that forensic preservation has occurred before any remediation begins.

Hours 8–24: Begin Recovery and Assess Notification Obligations

Recovery Sequence

Your IT team will lead the technical recovery. Your role is to prioritize: what clinical systems do you need first to see patients, and what can wait? For most dental practices, the priority sequence is practice management database, imaging server, then workstations in order of clinical use. Billing can often be addressed after clinical operations resume.

Patient Communication

If the outage has affected your ability to see patients or has caused appointment cancellations, proactive communication is better than letting patients show up to a dark office. A voicemail greeting update, a text blast if you have that capability from a separate device, or a social media post saying appointments are affected and to call before coming in — these are reasonable. Keep the message factual and brief. Do not explain the nature of the attack.

HIPAA Breach Assessment

This is the uncomfortable question: was patient data accessed or exfiltrated by the attacker? Ransomware groups increasingly steal data before encrypting it, to use as additional leverage. Your IT team and a forensic firm need to determine whether there is evidence of data exfiltration. If there is — or if it cannot be ruled out — HIPAA's Breach Notification Rule requires notifying affected patients within 60 days of discovery.

Even if you are not certain whether data was taken, document your investigation and its conclusions. A good-faith investigation with documented findings is the correct posture for regulators. Doing nothing and hoping no one notices is not.

What NOT to Do

These mistakes are common and costly:

  • Do not pay the ransom without involving IT, legal counsel, and your cyber insurer. The decision involves legal, financial, and operational considerations beyond the ransom amount itself.
  • Do not power off or wipe machines before forensics. You will destroy evidence needed for your insurance claim and HIPAA investigation.
  • Do not post on social media about the incident until you have assessed what happened and what, if anything, is required to be disclosed. Social media posts become discoverable records.
  • Do not fire anyone in the first 24 hours. Even if an employee opened the email that started this, that determination requires investigation. Acting in anger on incomplete information creates employment liability and can compromise the forensic investigation.
  • Do not try to decrypt files yourself using tools found on the internet. Some decryption tools are malware themselves. Others can corrupt files that were partially encrypted, making recovery harder.
  • Do not assume the threat is gone once the ransom note disappears. Attackers sometimes leave backdoors on the network and return weeks later. A full investigation and network clean-up is required before declaring recovery complete.

Important: Recovery from a major ransomware incident takes longer than most practices expect. Planning for 48–72 hours of degraded or no clinical operations, with a paper-based fallback, is not pessimistic — it is realistic. Practices that have tabletop drills and printed fallback schedules resume seeing patients significantly faster than those that do not.

Before It Happens: What to Have Ready Right Now

The practices that recover fastest from ransomware are not the ones with the best technology — they are the ones that prepared. The following items take less than a day to set up and dramatically improve your outcome if you ever need them.

Printed Emergency Contact Sheet

Print a single sheet with: your IT provider's emergency line, your cyber insurance carrier's claims number, your practice attorney's number, and the names of the dentist(s) and office manager. Post it in the office manager's work area and in the server room. Your email may be down. Your password manager may be inaccessible. A printed sheet costs nothing and has never failed anyone.

Paper Schedule and Paper Intake Forms

Keep a printed copy of tomorrow's schedule updated each evening. Keep a small supply of paper patient intake forms. If software is unavailable at 8 AM, you can still see patients, take notes on paper, and enter data retroactively when systems come back up. Practices with no paper fallback turn away patients and lose revenue; practices with a two-day paper supply keep operating.

Offline Backup Verification

Know where your backups are and when they were last tested. Ask your IT provider to confirm: What is the most recent backup? Where is it stored? When was the last time a restore was successfully tested? If you cannot get clear answers to those three questions, you have a gap that needs to be addressed now, before a crisis forces you to rely on those backups.

Cyber Insurance Policy Review

Read your cyber insurance policy — specifically: what is the notification window after a suspected incident, what is the claims process, and what is excluded. Some policies exclude ransomware if certain controls (MFA, EDR) are not in place. Discovering an exclusion during the incident is too late. Review this annually with your insurance broker.

Tabletop Exercise

Once a year, gather your office manager, lead doctor, and one front-desk staff member for a 30-minute tabletop exercise. Present a scenario: "It's Monday morning at 8:15. Two workstations show a ransom note. What do we do?" Walk through the steps. Identify gaps — is the emergency number posted? Does anyone know where the network switch is? Can anyone pull up a paper schedule? Tabletop exercises feel uncomfortable, but the discomfort is the point — you want the first time your team practices this response to be a drill, not the real thing.

The takeaway: Preparation costs a few hours. A ransomware incident without preparation costs weeks and tens of thousands of dollars. The gap between a practice that recovers in a day and one that recovers in three weeks is almost entirely preparation — tested backups, printed contacts, and a team that has walked through the scenario at least once.