
It’s 7:43 in the morning. You pour your first cup of coffee, open your laptop, and nothing loads. You try another machine. Same thing. Then your office manager calls—she can’t get into QuickBooks, and there’s a strange message on her screen with a countdown timer and a Bitcoin wallet address.
You’ve just been hit with ransomware.
I’ve walked many business owners through this exact morning. And in nearly every case, the outcome wasn’t decided by the malware—it was decided by the first few hours of human decisions made under stress. Panic causes well‑intentioned mistakes that turn a bad incident into a catastrophic one.
This playbook is written for business owners—not IT professionals, not lawyers, and not forensic investigators. It’s for the person who must make decisions with incomplete information, while a team looks for direction and customers are about to notice something is wrong.
Step 1: Stop. Don’t Reboot. Don’t Click Anything.
When something goes wrong with a computer, the instinct is to restart it. Resist that urge completely. Rebooting can trigger additional encryption, accelerate the spread, and destroy volatile forensic evidence: what is in memory is lost on power‑off, and for some strains that includes material an investigator needs to identify the malware or attempt decryption.
What to do immediately:
• Leave infected machines powered on, but do not interact with them further.
• Disconnect infected machines from the network without powering them off: unplug the network cable, turn off Wi‑Fi, or have whoever manages the switch or router block their ports.
• Do NOT shut down servers, NAS devices, or shared storage—these must be isolated, not powered off.
• Take photos of ransom notes and record the time of discovery.
If you remember nothing else: power preserves evidence; panic destroys it.
Step 2: Isolate the Blast Radius
Ransomware is designed to spread laterally. Your goal is to stop the spread before it reaches everything.
Check immediately:
• Which machines show encrypted files or ransom notes?
• Are shared drives affected? Stop access immediately.
• Are cloud sync tools active? Disconnect them now.
• Are unaffected machines truly clean—or just dormant? Isolate them, too.
If you’re unsure how to do this safely, call professional help. Guessing here causes the most damage.
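The questions in Step 2 come down to “which files and shares show the signs,” and that check can be scripted so it is run the same way on every machine or share rather than eyeballed under stress. The following Python script is an added example written for this post, not tooling from the original article: it walks a directory read‑only, records the discovery time, hashes any ransom note it finds (so the photo you took has a matching fingerprint), lists files with an appended extension, and flags files whose content looks encrypted. The note names, extensions, and entropy threshold are assumptions, and the sample share it builds in a temporary directory is constructed for the demonstration.

```python
import hashlib
import math
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed for this example: a few ransom-note names and "rename" extensions of the
# kind real strains have used. Treat these as starting points, not a complete list.
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_for_decrypt.txt", "restore-my-files.txt"}
RENAME_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, plain text usually lands around 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    """Fingerprint of the ransom note, so the evidence photo and the file can be tied together."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_tree(root: Path, entropy_threshold: float = 7.5, sample_bytes: int = 4096) -> dict:
    """Read-only walk of a share or drive. Nothing is written, moved, or deleted.
    Returns relative paths grouped by the sign that flagged them, plus the discovery time."""
    report = {
        "discovered_at": datetime.now(timezone.utc).isoformat(),
        "scanned": 0,
        "ransom_notes": [],        # name match; hashed so the evidence can be referenced later
        "renamed_files": [],       # extension appended by the encryptor
        "high_entropy_files": [],  # content looks encrypted; compressed media and archives land here too
    }
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        report["scanned"] += 1
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            report["ransom_notes"].append({"path": rel, "sha256": sha256_file(path)})
        if path.suffix.lower() in RENAME_SUFFIXES:
            report["renamed_files"].append(rel)
        with path.open("rb") as f:
            sample = f.read(sample_bytes)  # a leading sample is enough to tell ciphertext from text
        if shannon_entropy(sample) >= entropy_threshold:
            report["high_entropy_files"].append(rel)
    return report


def _pseudo_random(seed: str, size: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext or compressed data (constructed)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def build_sample_tree(root: Path) -> None:
    """Constructed sample share: one untouched document, its encrypted copy, a ransom
    note, and a legitimate photo that is high-entropy by nature (a known false positive)."""
    (root / "finance").mkdir(parents=True)
    (root / "photos").mkdir()
    (root / "finance" / "invoices.docx").write_bytes(b"Quarterly invoice totals, Q1-Q4 ...\n" * 100)
    (root / "finance" / "invoices.docx.locked").write_bytes(_pseudo_random("locked", 4096))
    (root / "finance" / "HOW_TO_DECRYPT.txt").write_bytes(
        b"Your files are encrypted. Do not turn off the computer.\n")
    (root / "photos" / "vacation.jpg").write_bytes(b"\xff\xd8\xff" + _pseudo_random("jpeg", 4093))


def run_demo() -> dict:
    """Build the constructed share in a temp directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    build_sample_tree(root)
    return triage_tree(root)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run it against a mounted share from a clean machine rather than by logging into the infected console, and read the high‑entropy list with care: photos, archives, and already‑compressed office files score high by nature (the sample photo above is flagged for exactly that reason), so treat a file as encrypted only when that score is corroborated by a renamed extension or a ransom note sitting beside it.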
Step 3: Call the Right People—In the Right Order
Calling the wrong person first is one of the most expensive mistakes businesses make.
1. Cyber insurance carrier (if applicable). Call before any cleanup. Many policies require you to use the carrier’s approved responders and counsel, and acting before you notify them can void coverage.
2. IT provider or MSP. Make sure they preserve evidence and do not wipe systems prematurely.
3. Cybersecurity or privacy attorney. Notification timelines can be short and strict.
4. Law enforcement (FBI IC3). They may have intelligence or decryptors available.
Do not notify employees, customers, or the public until advised. Everything said early may be reviewed later.
Step 4: Assess What You Actually Have to Work With
Once the spread is contained, you must understand your position. You don’t need perfect answers yet—but you must ask the right questions.
• Do viable, offline backups exist?
• Was data exfiltrated in addition to encryption?
• Which systems are critical to operations?
• What ransomware strain is involved, and is a decryptor available? Your responders can identify the strain from the ransom note and file extensions and check whether a free decryptor exists before any payment is discussed.
Step 5: The Ransom Question—A Realistic Look
There is no universally correct answer—only informed decisions made with legal guidance.
Reasons not to pay include unreliable decryption, repeated targeting, legal risk (payments to sanctioned groups can themselves be unlawful), and no guarantee that stolen data is actually deleted.
Some businesses consider payment when no backups exist, the data is essential, or life‑safety systems are involved. If payment is considered, never transact directly—use professional negotiators and legal oversight.
Step 6: Recovery—Doing It Right the First Time
Restoring too fast is how businesses get hit twice.
• Identify and close the attack vector first.
• Rebuild from clean images and verified backups.
• Reset all credentials—assume compromise. That includes administrator, service, VPN, and remote‑access accounts, and it must happen before rebuilt systems go back online.
• Restore systems by business priority, not convenience.
• Monitor aggressively for at least 30 days.
Step 7: Communicate—Carefully, Honestly, and on Your Schedule
Golden rule: assume everything you say may be read by a regulator, a customer, or a lawyer.
Employees need a simple, factual summary and clear guidance on what not to say.
Customers must be notified in accordance with legal requirements, with accuracy and transparency.
Partners should be informed if systems or data intersect.
Avoid social media or press statements without counsel.
Step 8: Post‑Incident Review—Turning a Crisis Into Correction
Within 30 days, conduct a formal review covering root cause, detection gaps, response delays, backup performance, and insurance effectiveness.
If this review doesn’t result in ownership, budget, and deadlines—it didn’t happen.
Conclusion
Ransomware is no longer rare or reserved for large enterprises. Small and mid‑sized businesses are now the primary targets because attackers know chaos is their advantage.
Preparation changes everything. A clear plan lets you act instead of react—and can be the difference between a week of disruption and an existential threat.
Print this. Save it. Know where it is before you need it at 7:43 a.m.
You may also find our article on last year’s threats and attacks, or the IC3 ransomware resource, useful.
