It’s 7:30 AM on a Monday. Your office manager calls — nobody can open files, there’s a ransom note on every screen, and your phone system isn’t working. You’ve been hit with ransomware.
The decisions you make in the next 24 hours will determine whether you recover in days or weeks, whether you face regulatory penalties, and whether your cyber insurance actually pays out. Here’s the playbook.
Hour 0-1: Contain the Damage
Do NOT turn off computers. This is the most common mistake. Powering down can destroy forensic evidence and, in some ransomware variants, makes recovery harder. Instead:
Disconnect affected systems from the network. Unplug Ethernet cables and disable Wi-Fi. The goal is to stop the ransomware from spreading to additional machines, servers, and backups. If you can identify which machines are affected, isolate them. If you’re unsure, disconnect everything.
Do NOT pay the ransom immediately. Paying doesn’t guarantee you’ll get your data back, it may violate OFAC sanctions, and it makes you a target for repeat attacks. This is a decision that should involve your insurance carrier, legal counsel, and incident response team — not a panicked first reaction.
Document everything. Take photos of ransom notes on screens. Note which systems are affected. Record the time you discovered the incident. This documentation will be critical for your insurance claim, law enforcement report, and any regulatory notifications.
Hour 1-4: Activate Your Response Team
Call your IT provider or internal IT team. If you have a managed IT provider like Iron Core, this should be your first call. They can begin forensic triage, assess the scope, and start containment procedures that go beyond unplugging cables.
Call your cyber insurance carrier. Do this early — many policies have specific requirements about when and how incidents must be reported. Your carrier will assign a breach coach (usually an attorney) who will coordinate the response and help preserve attorney-client privilege over the investigation.
Call your attorney. If you handle regulated data (client records, patient information, financial data), you may have legal notification obligations that start ticking from the moment you discover the breach. Your attorney will advise on notification timelines for NJ, NY, PA, and any federal requirements that apply.
Do NOT contact the attacker. Any communication with threat actors should go through your incident response team or breach coach. Untrained communication can make things worse — including revealing how much you’re willing to pay.
Hour 4-12: Assess and Investigate
Determine the scope. Your IT team needs to identify which systems are encrypted, whether backups are intact, whether data was exfiltrated (stolen) before encryption, and how the attackers got in. Modern ransomware groups almost always steal data before encrypting it — this is what creates the double-extortion pressure.
Check your backups. Are they intact? Are they offline or air-gapped? Were they connected to the network and potentially encrypted too? The state of your backups is the single biggest factor in your recovery timeline. If you have clean, recent backups, you can recover without paying. If you don’t, your options narrow significantly.
Preserve evidence. Your incident response team should be capturing forensic images of affected systems, preserving logs, and documenting the attack chain. This evidence is needed for your insurance claim, any law enforcement investigation, and potential regulatory inquiries.
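As an added example (not from the original post or from Iron Core), here is a small Python triage script for the backup check and evidence preservation steps above: it flags backed-up files that no longer start with the header their extension implies, falls back to a byte-entropy test for files of unknown type (encrypted content looks uniformly random), and records a SHA-256 and UTC timestamp per file for the evidence manifest. The magic-byte table, the entropy threshold and the constructed sample files are assumptions.

```python
import hashlib
import math
import os
from collections import Counter
from datetime import datetime, timezone

# Expected leading bytes for common business document types. Assumption:
# extend this table to match the file types actually in your backup set.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext sits close to the maximum of 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """'ok' if the file still looks like its declared type, else 'suspect'."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is not None:
        # A known type whose header is gone was overwritten in place.
        return "ok" if data.startswith(expected) else "suspect"
    # Unknown or renamed extension: fall back to the entropy heuristic.
    # Caveat: already-compressed data (archives, media) is also high-entropy,
    # so add those types to MAGIC rather than relying on entropy alone.
    return "suspect" if shannon_entropy(data) > HIGH_ENTROPY else "ok"


def triage(files: dict) -> dict:
    """Evidence manifest: SHA-256, verdict and capture time for every file."""
    captured = datetime.now(timezone.utc).isoformat()
    return {name: {"sha256": hashlib.sha256(data).hexdigest(),
                   "verdict": classify(name, data), "captured": captured}
            for name, data in files.items()}


# Constructed sample backup set: one intact PDF, and one spreadsheet whose
# body was replaced with uniformly distributed bytes and renamed, which is
# what an encryptor leaves behind.
SAMPLE = {
    "invoices.pdf": b"%PDF-1.4\n" + b"% invoice line\n" * 40,
    "patients.xlsx.locked": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for name, rec in triage(SAMPLE).items():
        print(f"{rec['verdict']:8} {rec['sha256'][:16]}  {name}")
```

A "suspect" verdict on most of a backup set means that copy was reachable during the attack and should not be the restore source; the manifest hashes let you show later that the evidence you hand to the breach coach is unchanged.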
Hour 12-24: Begin Recovery Planning
Prioritize system recovery. You can’t restore everything at once. Work with your team to identify the systems that are most critical to business operations — email, billing, patient scheduling, production systems — and restore those first.
Notify employees. Your staff needs to know what happened, what they should and shouldn’t do (don’t log into anything yet, don’t click suspicious emails), and when they can expect systems back online. Clear communication prevents panic and reduces the risk of employees making the situation worse.
Plan regulatory notifications. Depending on your industry, you may need to notify patients (HIPAA — 60 days), customers, state attorneys general, the SEC, or other regulators. Your breach coach will guide the timing and content of these notifications.
File a report with the FBI’s IC3. This is especially important if you’re considering paying a ransom — OFAC compliance requires checking whether the threat actor is a sanctioned entity.
The Best Time to Prepare Was Yesterday
If you’re reading this before an incident, you’re in the best possible position. The businesses that recover fastest from ransomware are the ones that had an incident response plan, tested backups, endpoint detection, and a relationship with an IT provider who specializes in incident response — before the attack happened.
If you don’t have a documented incident response plan, tested backup recovery procedures, and confidence in your security posture, that’s the gap to close now. Not after the ransom note appears.