Network Brainiacs
Tip #19 · Ransomware

The ransomware first-hour playbook.

What you do in the first 60 minutes of a ransomware event determines whether it's a bad week or a bad year. Here's the playbook.

The first hour of a ransomware incident is the most important hour. Good decisions here make the rest of the response survivable. Bad decisions — well-meaning ones like rebooting servers or deleting ransom notes — often destroy the evidence and the leverage you need to recover.

What actually matters in the first 60 minutes

Your job is not to fix anything in the first hour. Your job is to contain the damage, preserve what's still clean, and get the right people on the phone. Rushing to 'fix' without thinking is how businesses turn a recoverable event into an unrecoverable one.

Two responses, two outcomes

A small manufacturer's IT lead discovered encrypted files Saturday morning and started rebooting servers 'to clear it up.'

Red flag: Wiped several logs the forensics team needed. Insurer argued over coverage for weeks. Downtime extended by 10 days.

A law firm noticed suspicious file activity at 11 PM on a Friday. The partner called the MSP's emergency line before doing anything else.

Outcome: Systems were isolated within 30 minutes. Encryption was stopped mid-process. Full recovery in three days with complete records intact.

The playbook

  • Do not power off affected machines — pull them from the network instead (unplug Ethernet, disable Wi-Fi).
  • Do not delete the ransom note or any files. They are evidence.
  • Call your MSP's emergency line and your cyber insurance carrier. In that order.
  • Loop in your breach counsel. Regulators have deadlines you won't want to miss.
  • Stop using the affected environment. Switch to personal devices for email and phones for calls until cleared.
  • Document everything — what time you noticed, what you did, and what you see.
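Here is how the first and last steps above can be done together on a Windows machine. This is an added example, not part of the Network Brainiacs playbook: it takes the host off the network without powering it off and appends a timestamped note to a local incident log. It assumes Windows 8 / Server 2012 or later (the NetAdapter module), an elevated PowerShell session, and a log file path of our choosing.

```powershell
# Added example (not from the original playbook): isolate a Windows host from
# the network WITHOUT powering it off, and record what was done and when.
# Assumes: Windows 8 / Server 2012 or later (NetAdapter module), elevated PowerShell.
# Run this at the console if you can; over RDP it will drop your own session.

$LogPath = "$env:SystemDrive\incident-log.txt"   # assumed location, adjust as needed
$Stamp   = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss zzz')

# Record the starting state first: which adapters were up (Ethernet and Wi-Fi
# both count as physical adapters here).
$Active = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
Add-Content -Path $LogPath -Value "[$Stamp] $env:COMPUTERNAME isolation started by $env:USERNAME"
Add-Content -Path $LogPath -Value "[$Stamp] Adapters up before isolation: $(($Active | ForEach-Object { $_.Name }) -join ', ')"

# Pull the machine off the network: disable the adapters, do not shut down.
# Memory, running processes and event logs stay intact for the forensics team.
foreach ($Adapter in $Active) {
    Disable-NetAdapter -Name $Adapter.Name -Confirm:$false
    Add-Content -Path $LogPath -Value "[$Stamp] Disabled adapter '$($Adapter.Name)'"
}

# Confirm nothing is still up, and leave a note so the next person knows what to do.
$StillUp = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
if ($StillUp) {
    Add-Content -Path $LogPath -Value "[$Stamp] WARNING: still up: $(($StillUp | ForEach-Object { $_.Name }) -join ', ')"
} else {
    Add-Content -Path $LogPath -Value "[$Stamp] All physical adapters down. Do NOT reboot. Next: call MSP emergency line, then insurer."
}
```

The log file is on the affected machine, so copy its contents into your notes on a clean device as well; the point is that the times and actions are written down the moment they happen.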

Things you might be tempted to do — don't

  • Don't reboot or reimage systems until forensics has a clean image.
  • Don't pay the ransom without talking to counsel and your insurer first.
  • Don't try to 'negotiate' yourself — use a professional negotiator if paying is even on the table.
  • Don't post about it online or tell staff to delete suspicious emails — preserve everything.

Print this and pin it.

We print this playbook for our clients on a wallet card. Reply and we'll send you one.

Do this today

  1. Write down your MSP's emergency number and your insurer's number in every executive's phone.
  2. Print the playbook and pin it where your IT lead and office manager can grab it.
  3. Make sure every employee knows who to call if they see a ransom note — before they reboot anything.
  4. Practice the playbook in a tabletop drill this quarter.
  5. Keep a clean 'burner' laptop or phone available for post-breach communication.

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.

