That Computer Guy 26

Incident response · ~5 min read

What to do in the first hour after a ransomware hit

By Gary Amick · That Computer Guy 26 · Seymour, Indiana

If this is happening right now: Stop reading after the next paragraph. Pull network cables / turn off Wi-Fi on every affected machine. Don’t reboot. Don’t pay anything yet. Don’t plug a clean machine into the same network. Then call 812-414-9097.

The first hour decides how bad ransomware gets. Most small businesses make the situation worse in the first ten minutes by rebooting, reconnecting, or paying without a plan. Here’s the playbook in order.

The first 10 minutes — contain

  1. Disconnect every affected machine from the network. Pull the ethernet cable or turn off Wi-Fi. Don’t shut the machine down — running RAM may contain the encryption key in some strains.
  2. Disconnect external drives, USB sticks, and any “always-mounted” backup target. If your backup drive is plugged in right now, ransomware may already be encrypting it.
  3. Block the affected machines at the firewall if you have one. Belt and suspenders.
  4. Tell employees to STOP using shared drives and shared folders. Same network = same exposure.

The next 20 minutes — isolate & document

  1. Photograph the ransom note. Phone camera. Capture the wallpaper, any text file, any popup. The strain name in the note tells you whether a decryption key is publicly available.
  2. Make a list of what’s encrypted. File-server shares, individual workstations, ERP, point-of-sale, accounting. Note timestamps if visible.
  3. Check your backups WITHOUT plugging them into the affected network. Use a clean machine on a separate network or a phone hotspot. Verify recent backups exist and are NOT encrypted.
  4. Note the time the attack started. Last known good file timestamp. This tells you which backup to restore from.
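Steps 3 and 4 done mechanically, as an added example that is not part of the original guide: given a file listing copied from a clean machine (never from the infected network) and the timestamps of your backup snapshots, it finds when encryption began, the last known-good file time, and the newest clean backup taken before that moment. The ".locked" extension, the note name, the paths and the snapshots are all constructed stand-ins for whatever the real ransom note tells you.

```python
from datetime import datetime, timezone

# Constructed markers: replace with the real appended extension and note file
# name you read off the ransom note. Both are made up for this example.
ENCRYPTED_SUFFIX = ".locked"
RANSOM_NOTE = "HOW_TO_RECOVER.txt"

# Constructed listing of (path, last-modified UTC) from the file server.
FILE_LISTING = [
    ("shares/acct/ledger.xlsx", "2024-03-11T16:42:00Z"),
    ("shares/acct/ledger.xlsx.locked", "2024-03-12T02:17:30Z"),
    ("shares/acct/HOW_TO_RECOVER.txt", "2024-03-12T02:17:31Z"),
    ("shares/pos/sales.db.locked", "2024-03-12T02:09:05Z"),
    ("shares/hr/handbook.pdf", "2024-03-11T09:03:00Z"),
]

# Constructed backup snapshots: name -> (taken-at UTC, file names inside).
BACKUPS = {
    "nas/snap-2024-03-09": ("2024-03-09T23:00:00Z", ["ledger.xlsx", "sales.db"]),
    "nas/snap-2024-03-11": ("2024-03-11T23:00:00Z", ["ledger.xlsx", "sales.db"]),
    "nas/snap-2024-03-12": ("2024-03-12T23:00:00Z",
                            ["ledger.xlsx.locked", "HOW_TO_RECOVER.txt"]),
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def looks_encrypted(path):
    name = path.rsplit("/", 1)[-1]
    return name.endswith(ENCRYPTED_SUFFIX) or name == RANSOM_NOTE

def attack_start(listing):
    """Earliest timestamp on an encrypted file or note: when encryption began."""
    hits = [parse_ts(ts) for p, ts in listing if looks_encrypted(p)]
    return min(hits) if hits else None

def last_known_good(listing, start):
    """Newest untouched file written before encryption began."""
    good = [parse_ts(ts) for p, ts in listing
            if not looks_encrypted(p) and parse_ts(ts) < start]
    return max(good) if good else None

def backup_is_clean(files):
    """A snapshot holding encrypted files or a ransom note is not restorable."""
    return not any(looks_encrypted(f) for f in files)

def choose_backup(backups, start):
    """Newest snapshot that is clean AND was taken before encryption began."""
    ok = [(parse_ts(t), n) for n, (t, files) in backups.items()
          if backup_is_clean(files) and parse_ts(t) < start]
    return max(ok)[1] if ok else None

if __name__ == "__main__":
    t0 = attack_start(FILE_LISTING)
    print("encryption began:", t0)
    print("last known good :", last_known_good(FILE_LISTING, t0))
    print("restore from    :", choose_backup(BACKUPS, t0))
```

The snapshot taken after the attack started is rejected even though it is the newest, which is exactly the "backup drive was plugged in" failure the first-10-minutes steps warn about.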

The remaining 30 minutes — decide and call

  1. Decide: restore vs. negotiate. If your backups are clean and recent, restore is almost always the right answer (cheaper, faster, no ethical issues, no funding criminals). If backups are also encrypted or out of date, you have a harder call.
  2. Call your IT person. Or call us at 812-414-9097. Get someone with incident-response experience involved before doing anything else.
  3. Call your cyber-insurance carrier if you have one. Many policies require immediate notification or coverage may be denied.
  4. Report to the FBI’s IC3 at ic3.gov. Free, takes 10 minutes. Helps law enforcement track campaigns and sometimes recovers funds.
  5. Notify the Indiana Attorney General if customer or employee data may have been exposed (Indiana has a breach-notification statute).

What NOT to do

Don’t reboot. Some strains can be stopped in mid-encryption if RAM is preserved. Rebooting destroys forensic evidence and removes that option.

Don’t pay yet. The decision to pay or not should come after you know (a) whether your backups are clean, (b) which strain hit you, (c) whether a free decryptor exists, and (d) what your insurance carrier says. Most small businesses that pay still don’t fully recover — the decryption tool is buggy or partial.

Don’t plug new clean machines into the same network. Whatever got in is still in. Stand up a clean network segment first.

Don’t restore from backup onto a still-compromised machine. The malware will encrypt the restored data again within minutes. Restore onto a freshly-imaged machine.

What helps

The free public decryptor lookup. No More Ransom (nomoreransom.org) has free decryption tools for many older strains. Search by strain name from the ransom note. If a free tool exists, you don’t pay anything.

What to expect over the next week

The truth about prevention

Almost every ransomware case I’ve seen in southern Indiana came in through one of three doors: phished credentials with no MFA, exposed Remote Desktop Protocol on the open internet, or a compromised remote-access tool (TeamViewer, AnyDesk, ConnectWise) used without 2FA. Closing those three doors costs almost nothing and prevents the vast majority of incidents. The right time to do it is before you’re reading this guide for real.

Need someone now?

24/7 emergency response for ransomware, data recovery, and incident triage in Jackson, Bartholomew, Jennings, Washington, and Scott counties. $95/hr emergency rate. Containment + assessment usually takes 2-4 hours.

☎ 812-414-9097