Incident Response

What to Do in the First 72 Hours After a Ransomware Attack

LevoySec Team

The screen goes dark. A message appears demanding payment in cryptocurrency. Your files — client records, financial data, internal documents — are encrypted. Your business just ground to a halt.

What you do in the next 72 hours will determine whether this becomes a recoverable incident or a business-ending catastrophe. Most organizations that handle ransomware poorly don’t fail because the attack was sophisticated. They fail because they panicked, made avoidable mistakes, and lost critical evidence in the process.

Here’s the playbook.

Hour 0–2: Stop the bleeding

Your first instinct might be to shut everything down. That’s partially right — but how you do it matters.

Isolate affected systems immediately. Disconnect infected machines from the network by unplugging Ethernet cables and disabling Wi-Fi. Do not power them off yet. A running system contains volatile forensic data — active network connections, running processes, and memory contents — that disappears the moment you hit the power button.

Identify the scope. Walk through your environment and determine which systems are affected, which are still operational, and which might be compromised but not yet encrypted. Ransomware often moves laterally across a network, and the machine that displayed the ransom note may not be where the attack started.

Disconnect backups from the network. If your backup systems are still accessible, isolate them immediately. Modern ransomware specifically targets backup infrastructure to eliminate your recovery options. If your backups are cloud-based, change the access credentials from a known-clean device.

Do not pay the ransom. Not yet, not without professional guidance. Payment doesn’t guarantee decryption, may violate OFAC sanctions regulations, and funds criminal operations. This is a decision that should involve your legal counsel, insurance carrier, and incident response team — not a panicked choice made at 2 AM.

Hour 2–8: Assemble your response team

You shouldn’t handle this alone. A ransomware incident involves legal, technical, financial, and regulatory dimensions that require coordinated expertise.

Call your cyber insurance carrier. If you have a cyber insurance policy, this call should happen within the first few hours. Most policies have strict notification windows — some as short as 24 hours. Your carrier will typically assign a breach coach (an attorney who coordinates the response) and an approved incident response firm. Using unapproved vendors can jeopardize your coverage.

Engage an incident response firm. Whether through your insurance carrier or independently, you need forensic experts who can determine how the attacker got in, what data was accessed or exfiltrated, and whether the attacker still has access to your network. This isn’t something your general IT provider is equipped to handle.

Notify your attorney. A ransomware incident creates legal obligations that vary by state, industry, and the type of data involved. Attorney-client privilege also protects certain communications during the investigation from future discovery. Your attorney should be looped in before you start sending emails about what happened.

Brief your leadership team. Keep the circle small initially. Executives need to know the situation, the response plan, and their role in decision-making. Premature company-wide announcements or public statements can create legal exposure and complicate the investigation.

Hour 8–24: Investigate and document

Once your response team is assembled, the focus shifts to understanding exactly what happened.

Preserve evidence. Your incident response firm will create forensic images of affected systems — complete bit-for-bit copies that preserve evidence in a legally defensible manner. This evidence may be critical for insurance claims, law enforcement investigations, and regulatory inquiries.

Determine the attack vector. How did the attacker get in? Common entry points include phishing emails, compromised remote access credentials, unpatched vulnerabilities in internet-facing systems, and exploited VPN appliances. Understanding the entry point is essential for ensuring the attacker can’t simply walk back in after you recover.

Assess data exfiltration. Modern ransomware operations almost always involve data theft before encryption — the “double extortion” model. The attacker threatens to publish your stolen data if you don’t pay. Your incident response team will analyze network logs, endpoint telemetry, and other artifacts to determine what data left your network.
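The log analysis described above, as an added example that is not part of the original post: it triages constructed egress records (source host, destination, bytes out) and flags any host that sent more than an assumed threshold to a destination outside an assumed allowlist, reporting the time window so responders know what left and when.

```python
"""Triage constructed egress-log records for bulk outbound transfers."""
from collections import defaultdict
from datetime import datetime

# Constructed sample egress records (not from any real incident):
# timestamp, internal source host, destination, bytes sent outbound.
SAMPLE_LOG = """\
2024-05-01T01:12:03Z fileserver01 backup.example-corp.com 52428800
2024-05-01T01:40:17Z fileserver01 203.0.113.45 734003200
2024-05-01T01:55:02Z fileserver01 203.0.113.45 1288490188
2024-05-01T02:10:44Z ws-finance07 mail.example-corp.com 2097152
2024-05-01T02:31:09Z ws-finance07 198.51.100.10 96468992
2024-05-01T03:05:00Z dc01 backup.example-corp.com 10485760
"""

# Destinations the business legitimately sends bulk data to (assumed).
KNOWN_DESTINATIONS = {"backup.example-corp.com", "mail.example-corp.com"}
# Outbound volume to one unknown destination worth escalating (assumed).
THRESHOLD_BYTES = 500 * 1024 * 1024


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) from space-separated records."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, sent = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(sent)


def triage_exfiltration(text, known=KNOWN_DESTINATIONS, threshold=THRESHOLD_BYTES):
    """Map (src, dst) -> totals for unknown destinations over the threshold.

    first_seen/last_seen give the window in which the data left, which is
    what the later notification analysis has to work from.
    """
    totals = defaultdict(lambda: {"bytes": 0, "first_seen": None, "last_seen": None})
    for ts, src, dst, sent in parse_log(text):
        if dst in known:
            continue  # expected bulk traffic, e.g. the nightly backup job
        entry = totals[(src, dst)]
        entry["bytes"] += sent
        entry["first_seen"] = min(filter(None, [entry["first_seen"], ts]))
        entry["last_seen"] = max(filter(None, [entry["last_seen"], ts]))
    return {k: v for k, v in totals.items() if v["bytes"] >= threshold}


if __name__ == "__main__":
    for (src, dst), info in sorted(triage_exfiltration(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {info['bytes'] / 2**20:.0f} MiB, "
              f"{info['first_seen']:%H:%M} to {info['last_seen']:%H:%M} UTC")
```

Real egress logs come from the firewall, proxy or cloud flow logs rather than this format, but the aggregation per host and destination and the comparison against known-good destinations is the same.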

File a report with law enforcement. Contact the FBI’s Internet Crime Complaint Center (IC3) or your local FBI field office. Law enforcement may have decryption keys from previous investigations into the same ransomware group. They won’t take over your systems or slow down your recovery, but their intelligence can be genuinely helpful.

Hour 24–48: Plan your recovery

With the investigation underway, you can start planning how to get your business operational again.

Evaluate your backup integrity. Are your backups clean? Were they compromised before the attack? How current are they? The gap between your last clean backup and the moment of encryption represents data you may not be able to recover. This is where organizations that tested their backups regularly have a massive advantage over those that assumed backups were working.

Prioritize system restoration. Not everything needs to come back online at once. Identify the systems critical to business operations — email, client-facing services, financial systems — and focus there first. Build a prioritized restoration plan with your IT team and incident responders.

Rebuild, don’t just restore. Simply restoring encrypted systems from backup without understanding the root cause is a recipe for re-infection. Compromised systems should be rebuilt from clean images with the attack vector remediated before they’re reconnected to the network.

Implement emergency security controls. Before any system goes back online, ensure MFA is enforced on all accounts, compromised credentials are reset, the attack vector is closed, and monitoring is in place to detect any continued attacker activity.

Hour 48–72: Communicate and comply

With recovery underway, attention turns to your notification obligations and stakeholder communications.

Determine your notification requirements. Depending on your industry and the data involved, you may be required to notify affected individuals, state attorneys general, federal regulators (like HHS for HIPAA-covered entities), and other oversight bodies. Notification timelines vary — some states require notification within 30 days, others within 60, and HIPAA allows 60 days from discovery. Your breach coach will map out exactly who needs to be notified and when.

Prepare stakeholder communications. Clients, partners, vendors, and employees all need appropriate communication. Each audience needs different information at different levels of detail. Your attorney and breach coach should review all external communications before they go out.

Document everything. Every action taken, every decision made, every system affected, every timeline milestone. This documentation serves multiple purposes: insurance claims, regulatory compliance, law enforcement cooperation, and your own internal after-action review. If it’s not documented, it didn’t happen.
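The "Preserve evidence" and "Document everything" steps above, as an added example that is not part of the original post: a constructed incident log in which each action and each collected artifact (hashed at collection time) is chained to the previous entry by SHA-256, so that a later edit or deletion of any entry is detectable and an artifact can be re-hashed and matched against what was registered. The incident id, actors and artifact bytes are constructed.

```python
"""Constructed append-only incident log with hashed evidence entries."""
import hashlib
import json
from datetime import datetime, timezone


def _digest(entry):
    """Canonical JSON hash of an entry, ignoring its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    """Actions taken and evidence collected, chained by SHA-256 so that
    editing or dropping an entry after the fact is detectable by verify()."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def _append(self, kind, **fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "kind": kind, "prev_hash": prev,
                 "time": datetime.now(timezone.utc).isoformat(), **fields}
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def record_action(self, actor, action):
        """Who did what and when, e.g. 'unplugged fileserver01 from the LAN'."""
        return self._append("action", actor=actor, action=action)

    def register_evidence(self, actor, description, data):
        """Hash an artifact (disk image, log export) at the moment of collection."""
        return self._append("evidence", actor=actor, description=description,
                            sha256=hashlib.sha256(data).hexdigest(), size=len(data))

    def verify(self):
        """True only if every entry still hashes and chains to its predecessor."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if (entry["seq"], entry["prev_hash"], entry["entry_hash"]) != (i, prev, _digest(entry)):
                return False
            prev = entry["entry_hash"]
        return True


def evidence_matches(log, seq, data):
    """Re-hash an artifact later and compare with what was registered."""
    entry = log.entries[seq]
    return entry["kind"] == "evidence" and hashlib.sha256(data).hexdigest() == entry["sha256"]
```

For a real engagement the log would be written to storage the responders control and periodically exported to counsel or the insurer, so the chain can be checked by someone other than the person keeping it.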

After the crisis: Build forward

Once the immediate incident is resolved, resist the urge to simply go back to normal. The attack exposed gaps in your security program. Closing those gaps is not optional — it’s how you prevent the next incident.

Conduct a formal after-action review. What worked? What didn’t? Where did the response plan break down? What would you do differently? This review should produce concrete action items with owners and deadlines.

Invest in the fundamentals. The controls that prevent most ransomware attacks are well-understood: endpoint detection and response, email security, MFA everywhere, network segmentation, tested backups, security awareness training, and 24/7 monitoring. If you didn’t have these before the attack, implementing them is the most important thing you can do now.

Consider managed security. Most small businesses don’t have the staff to run a security operations center. A managed security provider gives you continuous monitoring, rapid response, and expert guidance — the same capabilities that large enterprises have, scaled for your business.

The first 72 hours after a ransomware attack are chaotic, stressful, and consequential. Having a plan before the incident happens — knowing who to call, what to preserve, and what decisions to defer — is the difference between a controlled response and a costly scramble.


Don’t wait for an incident to build your response plan. Book a discovery call to discuss incident readiness and understand your current exposure.
