Ransomware attacks don't announce themselves politely. You open your computer one morning and files have strange extensions. Or you get a text from an employee saying nothing will open. Or you see a ransom note on a screen across the office.
Your response in the next 60 minutes matters more than almost anything else. Here's what to do.
The First 15 Minutes: Contain It
Ransomware spreads. The moment it's deployed on one machine, it starts encrypting files and trying to reach other systems on your network — shared drives, servers, other computers. Every minute you wait is more data encrypted and more systems compromised.
Disconnect everything you can, immediately. This means:
- Unplug ethernet cables on any machine you suspect is infected
- Disconnect from WiFi on infected machines (turn off WiFi at the device, not just disconnect from the network)
- If you can, shut down your network switches to isolate segments
- Do NOT shut down infected computers — you may destroy evidence needed for recovery
The goal is to stop lateral movement — the attacker using one compromised machine as a jumping-off point to infect others. Unplugging a network cable is the single fastest way to limit the blast radius.
Do not restart infected machines. Do not try to run antivirus scans on them. Do not attempt to delete the ransomware files yourself. Every one of these actions can overwrite evidence, trigger additional encryption, or accelerate the attack.
The First Hour: Get the Right People on the Phone
Call your IT provider immediately — not email, not a ticket. Phone call. If they have an emergency line, use it. If you can't reach them in 10 minutes, call a cybersecurity incident response firm. This is not the time to wait for a callback.
Call your cyber insurance carrier. If you have a cyber insurance policy, your carrier has incident response resources — often including a 24/7 hotline that connects you with forensic investigators. Using this line is not just recommended; it's often required for your claim to be valid. Find the number before you need it and put it in your phone now.
Do not call the ransom contact yet. Engaging with attackers before you have professional guidance is almost always a mistake. Ransomware groups are organized operations, and specialized firms negotiate with them regularly. You are not the right person to have that conversation without help.
Notify your leadership. CEO, CFO, legal counsel. This is a business incident, not just an IT incident. Decisions about paying a ransom, notifying customers, and engaging law enforcement need executive and legal input — not just your IT team.
Hours 2–4: Assess and Document
Once your IT provider or incident response team is engaged, they'll begin the assessment process. Your job is to help them move fast:
- Document what you know: Which machines look infected? When did you first notice? Who noticed it and how? What were they doing immediately before?
- Identify your backup status: When was your last backup? Where does it live? Is it cloud-based, on-site, or both? Is there any possibility it's connected to your network and also encrypted?
- Identify affected systems: Make a list of every system that may have been compromised — servers, workstations, cloud services, anything with network access
- Preserve logs: Don't let anyone "clean up" systems. Forensic evidence in system logs is critical for understanding how attackers got in — and proving your case to insurance
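To help answer the backup question above (is the backup itself already encrypted?) and to start the list of affected files, here is an added triage script that is not part of the original article. It walks a copy of a backup or share, flags files whose leading bytes no longer match their extension or whose content has encryption-like entropy, and tallies extensions so new ones like ".locked" stand out; the magic-byte table, the 7.5-bit threshold and the sample files are assumptions I constructed for the demonstration.

```python
import math, os, tempfile
from collections import Counter

# Expected leading bytes for a few common formats (assumption: a small table is enough for triage).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".png": b"\x89PNG"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits near 8.0, documents and text well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_file(path: str, head_bytes: int = 4096, threshold: float = 7.5) -> list:
    """Return reasons a file looks encrypted: header no longer matches its extension, or high entropy."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(head_bytes)
    reasons = []
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        reasons.append("magic-mismatch")
    if len(head) >= 256 and entropy(head) > threshold:   # skip tiny files: too little data to judge
        reasons.append("high-entropy")
    return reasons

def triage_tree(root: str):
    """Walk a backup or share; return {relative path: reasons} for suspicious files and an extension count."""
    suspicious, extensions = {}, Counter()
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            extensions[os.path.splitext(name)[1].lower()] += 1
            reasons = triage_file(path)
            if reasons:
                suspicious[os.path.relpath(path, root)] = reasons
    return suspicious, extensions

def make_sample_backup() -> str:
    """Constructed sample (not real data): one intact PDF, one encrypted DOCX, one encrypted and renamed file."""
    root = tempfile.mkdtemp(prefix="backup-triage-")
    files = {
        "invoice.pdf": b"%PDF-1.4\n" + b"plain invoice text, low entropy\n" * 40,
        "contract.docx": os.urandom(4096),       # encrypted in place, original extension kept
        "report.pdf.locked": os.urandom(4096),   # encrypted and renamed with a new extension
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Run it against a mounted copy of the backup, never the live backup target, and hand the resulting list to the responders rather than touching the flagged files yourself.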
The Ransom Decision
At some point, you'll face the question of whether to pay. There is no universally correct answer, but there are things worth knowing:
Paying does not guarantee recovery. Roughly 20% of businesses that pay never receive working decryption keys. Another significant percentage find that recovered data is still corrupted or incomplete.
Paying funds the next attack. Ransomware groups are businesses. Revenue from successful ransoms funds their operations, their development, and their next targets.
Paying may have legal implications. Paying ransom to a sanctioned entity (which some ransomware groups are) may create legal liability. Your legal counsel needs to be in this conversation.
If you have clean, tested backups — and this is the whole point of having them — paying is rarely the right answer. Recovery from backup is slower and more painful, but it's recovery on your terms.
If you don't have clean backups, the calculus changes. This is the moment when every business owner wishes they'd taken backup testing more seriously.
Reporting Requirements
Depending on your industry, you may have legal obligations to report a ransomware incident within specific timeframes:
- HIPAA: Covered entities must report breaches affecting 500+ individuals to HHS within 60 days. Smaller breaches must be reported annually.
- PCI DSS: Payment card breaches require immediate notification to your acquiring bank and card brands.
- State breach notification laws: Most states have their own notification requirements for breaches of personal information, typically within 30–72 hours of discovery.
- FBI: Reporting to the FBI's Internet Crime Complaint Center (IC3) is strongly encouraged — their data helps them track and disrupt ransomware groups, and cooperation can help your insurance claim.
Your legal counsel needs to advise on your specific obligations. Don't assume you know what's required.
Recovery: The Long Road
If you have clean backups, recovery is painful but achievable. A typical timeline for a small business:
- Days 1–3: Containment, assessment, forensics. Systems are offline or on isolated networks. Staff is using phones and personal devices for critical communication.
- Days 3–7: Infrastructure rebuilt from scratch (do not restore onto potentially compromised hardware without professional guidance). Backups begin restoring to clean systems.
- Days 7–14: Core systems return online. Data validation — making sure restored data is intact and complete. User accounts reset.
- Weeks 2–4: Secondary systems restore. Normal operations resume. Post-incident review begins.
The businesses that recover fastest are the ones that had tested backup and recovery plans before the incident happened. The businesses that struggle most are the ones that assumed their backups were working without ever verifying a restore.
After Recovery: The Conversation You Need to Have
Once you're through the immediate crisis, a serious debrief with your IT provider is non-negotiable. Key questions:
- How did attackers get in? What was the initial access vector?
- How long were they in the environment before deploying ransomware?
- What would have stopped this, and why wasn't it in place?
- What changes are we making immediately to prevent recurrence?
If your IT provider can't answer these questions, or becomes defensive when asked, that's important information about whether they're the right partner going forward.