What to Do When Ransomware Hits: A Response Playbook for SMBs
The moments immediately following a ransomware attack determine whether your business recovers in days or months — or at all. This is the practical, step-by-step guide for what to do before, during, and after an incident.
February 2026
Before You're Reading This for a Real Reason
If you're reading this while actively dealing with a ransomware incident, skip ahead to "The First Hour." Everything else can wait.
If you're reading this as preparation — good. The decisions you make in the first few minutes of a ransomware attack are the most consequential ones you'll face. Under stress, without a plan, those decisions tend to be wrong. With a plan, even a basic one, your team has something to execute instead of improvise.
Ransomware has evolved significantly. Modern ransomware groups don't just encrypt your files — they first exfiltrate them, then encrypt them. This "double extortion" approach means the threat is both operational (you can't access your data) and reputational (they threaten to publish it). Recovery isn't just restoring from backup anymore; it includes understanding what was taken and notifying the right parties.
For SMBs, the median recovery time from a ransomware attack is 22 days. The median cost — including downtime, recovery, legal fees, and remediation — is over $1 million for incidents that reach full encryption. Most small businesses that experience a major ransomware event never fully recover. This playbook won't guarantee survival. But it improves your odds significantly.
If You're Currently Under Attack: The Three Things Not to Do
- Do not pay the ransom without consulting your cyber insurance carrier and legal counsel — doing so without authorization may void your coverage.
- Do not reboot encrypted machines. Rebooting can destroy volatile memory evidence and trigger additional encryption payloads.
- Do not restore from backups that may have been connected to the infected network without first verifying they are clean.
The First Hour: Contain and Preserve
Speed matters, but so does doing the right things in the right order. The goal in the first hour is containment — stop the spread — while preserving evidence that will be critical for investigation and potential legal proceedings.
Identify and isolate affected systems immediately
Disconnect infected machines from the network — unplug the Ethernet cable or disable Wi-Fi at the access point level. Do not wait for IT. Every minute of connectivity is another minute the ransomware can spread laterally to other systems, shared drives, and cloud-connected backups. Physically disconnecting is faster and more reliable than software-based isolation when you're acting under time pressure.
Do not shut down affected machines (yet)
Counterintuitive, but important: leave affected machines powered on initially. Volatile memory (RAM) can contain encryption keys, attacker tools, and evidence that disappears when the machine is shut down. Your incident response team will capture this evidence before powering down. If you have no IR team, document what's visible on screen and photograph it before anything else.
Alert your security provider or incident response team
Call your MSSP or incident response retainer — not an email, a phone call. If you don't have an MSSP, call the CISA 24/7 helpline (888-282-0870) or engage an external IR firm. Time matters. A qualified IR team can help you scope the incident, preserve evidence, and avoid decisions that make recovery harder.
Notify your leadership team and document everything
Ransomware is a business crisis, not just an IT problem. Your CEO, CFO, and general counsel need to be aware immediately. Start a dedicated incident log with timestamps for every action taken, every system found to be affected, and every decision made. This documentation will be critical for insurance claims, regulatory notifications, and post-incident review.
Preserve the ransom note and attacker communications
Do not delete or dismiss ransom notes. They provide information about the ransomware variant (which helps identify decryption possibilities), the attacker's communication channels, and in some cases indicate whether data was exfiltrated. Screenshot or photograph ransom notes on each affected system.
Assess and protect backups
Immediately determine the status of your backups. Are they online and potentially encrypted? Are they offline and clean? Were they connected to the network during the attack? Do not attempt to restore from backups until your IR team confirms they are clean and the attack vector has been identified and closed.
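One concrete way to put the "verify they are clean" check into practice, added here as an example and not part of the original article: record a SHA-256 manifest when the backup is taken, keep it out of band (on offline media or alongside the immutable copy), and refuse to restore until the set on disk matches it. The file layout, the manifest format and the tampering scenario below are constructed for the demo. A match shows the backup set is unchanged since it was written; it does not prove the environment it came from was free of attacker footholds, which is why the article defers the restore decision to the IR team.

```python
"""
Added example (not from the original article): one check an IR team can run before
restoring from backup. At backup time a manifest of SHA-256 hashes is written and stored
out of band (offline media or an immutable/WORM copy). Before restore, the backup set is
compared against that manifest: any file whose hash changed, went missing, or appeared
unexpectedly is reported and the restore is refused. Sample data is constructed inline.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Relative path -> sha256 for every regular file under backup_root. Run at backup time."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(backup_root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    return manifest


@dataclass
class VerifyResult:
    modified: list = field(default_factory=list)    # hash differs from manifest
    missing: list = field(default_factory=list)     # in manifest, not on disk
    unexpected: list = field(default_factory=list)  # on disk, not in manifest (e.g. dropped notes)

    @property
    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def verify_backup(backup_root: Path, manifest: dict) -> VerifyResult:
    """Compare the backup set on disk against the out-of-band manifest."""
    current = build_manifest(backup_root)
    result = VerifyResult()
    for rel, digest in manifest.items():
        if rel not in current:
            result.missing.append(rel)
        elif current[rel] != digest:
            result.modified.append(rel)
    result.unexpected = sorted(set(current) - set(manifest))
    result.modified.sort()
    result.missing.sort()
    return result


def demo() -> tuple:
    """Constructed scenario: manifest taken at backup time, then the online copy is tampered with."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (root / "db").mkdir()
    (root / "db" / "customers.sql").write_bytes(b"-- constructed dump\nINSERT INTO customers VALUES (1, 'a');\n")
    (root / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
    (root / "notes.txt").write_bytes(b"constructed plaintext\n")
    manifest = build_manifest(root)          # in practice: stored offline / with the immutable copy
    before = verify_backup(root, manifest)   # unchanged set -> clean

    # Simulated tampering of the online copy after the manifest was taken
    (root / "ledger.csv").write_bytes(os.urandom(512))                        # contents replaced
    (root / "notes.txt").unlink()                                              # file removed
    (root / "README_RESTORE.txt").write_bytes(b"constructed placeholder note\n")  # new file
    after = verify_backup(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering, clean:", before.clean)
    print("after tampering:", json.dumps(after.__dict__, indent=2))
```

The manifest only has value if it cannot be altered by the same actor who altered the backups: write it at backup time, store it where the backup job itself has no write access, and compare against that copy, not one sitting next to the data.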
The First Day: Assess and Activate
Once the immediate spread is contained, you enter an assessment phase. You need to understand the scope before you can build a recovery plan. Decisions made here — about communications, legal notifications, and recovery priorities — have downstream consequences that are difficult to reverse.
Determine the ransomware variant
Upload a sample of the encrypted files and ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com) or share them with your IR team. Knowing the variant helps determine whether decryptors exist, how sophisticated the attack is, and what the likely attack vector was. Some variants have known weaknesses that can speed recovery significantly.
Identify the attack vector
How did the ransomware get in? Common entry points include phishing emails, compromised RDP endpoints, unpatched VPN appliances, and compromised third-party access. Identifying the entry point is not just forensic curiosity — you cannot safely restore systems until you've closed the hole the attacker used. Restoring into a still-compromised environment means getting encrypted again.
Determine the scope of encryption and exfiltration
How many systems are affected? What data was on them? Was data exfiltrated before encryption? This scope assessment drives your regulatory notification analysis, your insurance claim, and your recovery prioritization. Your IR team will review logs, network traffic, and attacker tools to build this picture.
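As an added illustration, not code from the article or from Vigil Cyber, the following Python script builds the kind of read-only inventory the scoping step above calls for, and at the same time captures hashes of the ransom note that the earlier step asks you to preserve and the variant step asks you to share. The ransom note filename, the 7.5 bits-per-byte entropy threshold, and the sample directory it creates are assumptions constructed for the demo; in practice you would point `triage()` at a read-only mount or a disconnected share.

```python
"""
Added example (not from the original article): a read-only triage script for scoping.
Given a directory tree and the ransom note's filename (as read off the screen), it:
  * hashes each copy of the ransom note for submission to the IR team / ID Ransomware,
  * counts files by extension so an unfamiliar new extension stands out,
  * estimates Shannon entropy of each file's head to separate encrypted content from
    plaintext (well-encrypted data sits close to 8 bits per byte),
  * stamps the result with UTC time for the incident log.
It never modifies or deletes anything. Sample files are constructed inline.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption: at or above this, flag as likely encrypted
HEAD_BYTES = 64 * 1024    # only the first 64 KiB is examined, so large files stay cheap


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, note_name: str) -> dict:
    """Walk `root` read-only and return a JSON-serialisable scoping inventory."""
    by_ext = Counter()
    likely_encrypted = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name.lower() == note_name.lower():
                notes.append({"path": rel, "sha256": sha256_file(p), "size": p.stat().st_size})
                continue
            by_ext[p.suffix.lower() or "(none)"] += 1
            with p.open("rb") as f:
                head = f.read(HEAD_BYTES)
            ent = shannon_entropy(head)
            if ent >= ENTROPY_THRESHOLD:
                likely_encrypted.append({"path": rel, "entropy": round(ent, 2)})
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "root": str(root),
        "ransom_notes": notes,
        "files_by_extension": dict(by_ext),
        "likely_encrypted": sorted(likely_encrypted, key=lambda r: r["path"]),
        "likely_encrypted_count": len(likely_encrypted),
    }


def build_sample_tree() -> Path:
    """Constructed sample data: two plaintext docs, three 'encrypted' files, two ransom notes."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q1.xlsx").write_bytes(b"Quarterly figures, plain text placeholder. " * 200)
    (root / "hr" / "handbook.docx").write_bytes(b"Employee handbook, plain text placeholder. " * 200)
    for rel in ("finance/q2.xlsx.locked", "finance/q3.xlsx.locked", "hr/payroll.csv.locked"):
        (root / rel).write_bytes(os.urandom(8192))  # random bytes stand in for ciphertext
    note = b"constructed placeholder ransom note for the demo\n"
    (root / "finance" / "README_RESTORE.txt").write_bytes(note)
    (root / "hr" / "README_RESTORE.txt").write_bytes(note)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(json.dumps(triage(sample_root, "README_RESTORE.txt"), indent=2))
```

Treat the entropy column as a sorting aid rather than a verdict: real Office documents, archives and images are compressed containers and score high as well, so the appended or changed extension is the stronger signal. Keep the JSON output with the incident log; the note hashes let you prove later exactly what was submitted for identification.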
Engage your cyber insurance carrier
Call your carrier's incident response hotline — not your agent. Most cyber policies have 24/7 breach response hotlines specifically for this situation. Carriers can often provide access to pre-vetted IR firms, legal counsel, and forensic investigators at policy rates. Do not make major recovery or payment decisions without carrier coordination.
Establish an alternative communications channel
If your email is encrypted or your domain is compromised, you need a way to communicate with employees, leadership, and key customers. Establish a backup communication channel — personal cell phones, a secondary email domain, or a secure messaging platform — before your primary systems are restored.
Assess notification obligations
Work with legal counsel to identify who you are required to notify and by when. This includes regulatory bodies, affected customers, and in some cases law enforcement. Notification timelines are shorter than most people realize — some regulations require notification within 72 hours of discovery. Documenting when you discovered the incident is critical.
The First Week: Recover and Restore
Recovery from ransomware is a structured process, not a race to restore as quickly as possible. Restoring systems before you understand how the attacker got in, and before you have evicted them, means restoring into a compromised environment. You can get encrypted again.
Eradicate attacker presence before restoring anything
Before you restore a single system, confirm that attacker tools, backdoors, and persistence mechanisms have been removed from your environment. Modern ransomware actors often maintain access for weeks or months before detonating the ransomware. If you restore without eviction, they can encrypt you again immediately — or wait for a more opportune moment.
Rebuild from clean backups or clean images rather than restoring in place
Where possible, wipe and rebuild affected systems from known-good images or backups rather than attempting to decrypt and restore in place. Decryption tools are often slow and incomplete. Rebuilding from clean backups is faster and provides higher confidence that no malware remnants persist.
Restore in priority order with testing at each stage
Bring systems back in order of business criticality. Test each restored system before connecting it to the broader network. Rushing restoration to get everything back at once increases the risk of bringing a compromised system back online.
Reset all credentials enterprise-wide
Assume all credentials in your environment were compromised — because they likely were. Reset all passwords, revoke and reissue all service account credentials, rotate all API keys, and invalidate all active sessions. This is tedious but non-negotiable.
Notify affected parties and submit regulatory reports
Based on your legal counsel's assessment, send required notifications to regulators and affected individuals. Craft customer communications carefully — with legal review — to be accurate, empathetic, and appropriately specific without disclosing information that could create additional risk.
Conduct a post-incident review before closing the case
Before declaring recovery complete, document what happened, how you responded, what worked, what didn't, and what needs to change. This post-mortem is the foundation of an improved security posture. It's also evidence for your insurance carrier and, in regulated industries, documentation that regulators may request.
Regulatory Notification Requirements
One of the most consequential — and time-sensitive — decisions after a ransomware attack is who you're legally required to notify and when. Getting this wrong adds regulatory liability to your operational problems.
HIPAA Breach Notification Rule
Notify HHS and affected individuals within 60 days of discovering a breach of protected health information. If more than 500 individuals in a state are affected, notify prominent media outlets in that state. Ransomware that encrypts PHI is presumed to be a reportable breach unless you can demonstrate no access to PHI occurred.
SEC Regulation S-P (investment advisers and broker-dealers)
Investment advisers and broker-dealers must notify affected customers within 30 days of discovering an incident involving unauthorized access to customer records. Internal incident response and documentation obligations are triggered at time of discovery.
PCI DSS
If cardholder data was or may have been compromised, notify your acquiring bank and relevant card brands immediately. Forensic investigation by a PCI Forensic Investigator (PFI) may be required. Failure to report promptly can result in fines and increased transaction fees.
State breach notification laws
All 50 states have breach notification laws with varying timelines and requirements. Many have been updated in recent years to shorten notification windows. Your legal counsel should assess applicable state laws based on where your affected individuals reside, not just where your business is located.
CIRCIA
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires covered entities to report significant cybersecurity incidents within 72 hours and ransom payments within 24 hours. Many industries — healthcare, financial services, energy, water — qualify as critical infrastructure.
Important: State breach notification laws vary significantly. Many require notification within 30-72 hours for incidents involving personal information. Your incident response team or legal counsel should assess notification obligations within the first 24 hours — not after recovery is complete.
The Ransom Payment Question
Every business that experiences ransomware will face the question of whether to pay. This is a decision that requires legal counsel, your cyber insurance carrier, and ideally a qualified incident response team — not just a business judgment made under pressure.
The considerations are complex:
Paying does not guarantee decryption. Ransomware groups have varying levels of professionalism. Some provide working decryptors. Some don't. Some provide decryptors that work slowly and incompletely. You're negotiating with criminals who have no contractual obligation.
Paying may have legal implications. The U.S. Treasury's OFAC maintains a list of sanctioned entities. Paying a ransomware group on the OFAC list — knowingly or not — can expose you to civil penalties. Your incident response team should screen the group against OFAC lists before any payment is considered.
Your cyber insurance policy may have specific provisions around ransom payments. Paying without carrier pre-authorization can affect coverage.
Having working, tested backups is the factor that most reduces the pressure to pay. Organizations with verified, clean backups have negotiating leverage — or no need to negotiate at all.
Recovery Priorities: What Comes Back First
Not everything can be restored at once. Prioritize based on what keeps the business alive and serves customers:
Authentication and identity infrastructure
Active Directory, identity providers, and MFA systems must be clean and operational before anything else comes back. If these are compromised, everything connected to them is compromised.
Core business communication
Email, phone systems, and internal communication tools. Employees and leadership need to coordinate recovery, and customers need to be able to reach you.
Revenue-generating systems
Point-of-sale systems, customer portals, billing, and transaction processing. Every day these are down is direct revenue loss.
Customer-facing data systems
CRM, customer databases, and support systems. Needed to communicate with customers about the incident and resume normal service.
Internal operational systems
ERP, HR, finance, and internal tools. Important but not customer-facing — can come back after core operations are restored.
Endpoint workstations
Individual user machines, starting with leadership and key operational roles. Complete endpoint rebuild is time-consuming — prioritize accordingly.
What to Do Before This Happens to You
The best ransomware response is the one you never have to use. These are the controls that most significantly reduce your risk of a successful attack, and your recovery time if one occurs.
Frequently Asked Questions
Should we involve law enforcement?
Yes, in most cases. The FBI Cyber Division investigates ransomware attacks and can provide intelligence on the attacker group, potential decryption assistance, and help with evidence preservation. Reporting to the FBI does not mean you're required to pay, and it does not create automatic public disclosure. Many businesses hesitate over fear of exposure — but law enforcement involvement typically helps more than it hurts, and in some regulated industries it's required.
How long does ransomware recovery typically take?
For SMBs without an IR plan or clean backups, 2-4 weeks to partial operation and 1-3 months to full recovery is common. For organizations with tested backups, a documented IR plan, and a managed security provider engaged from the start, recovery to partial operation in 48-72 hours and full recovery within 1-2 weeks is achievable. The single biggest factor in recovery speed is backup readiness.
What if our backups were also encrypted?
This is the worst-case scenario and unfortunately common — ransomware specifically targets backup systems. Options include: negotiating with the attacker (with IR and legal counsel), attempting decryption with free tools if the variant is known, recreating data from paper records or secondary sources, or accepting data loss for systems that can be rebuilt. This is why backup architecture — specifically air-gapped or immutable backups that cannot be encrypted by ransomware — is so critical.
How do we know when recovery is complete?
Recovery is complete when: all affected systems have been rebuilt or verified clean, the attack vector has been identified and closed, all credentials have been reset, regulatory notifications have been sent, cyber insurance claim documentation is filed, and a post-incident review has been conducted and documented. Simply having systems back online is not the end of the incident.
Have a Response Plan Before You Need One
We'll help you build a documented, tested incident response plan specific to your environment — and make sure you have the backups, detection, and containment capabilities to execute it. Don't wait until it's an emergency.
Victor Peralta
Co-Founder & CEO
Vigil Cyber provides 24/7 managed security operations for small and mid-sized businesses across the Southeast. Our team combines rigorous operational discipline with enterprise security expertise.