The screen is red. Your files are locked. The clock is ticking. Panic is your enemy. Follow this exact protocol to stabilize the situation.
Hour 0-1: Isolation (Stop the Bleeding)
Your goal is to stop the spread. Ransomware moves laterally.
- Disconnect Everything: Pull Ethernet cables. Disable Wi-Fi on all infected machines. Do NOT power them down (you would lose volatile RAM artifacts needed for forensics).
- Isolate Backups: Immediately disconnect your backup server or cloud sync to prevent the infection from corrupting your recovery point.
Hour 1-2: Assessment (Scope the Damage)
Identify what was taken. Was it just encryption, or was data exfiltrated?
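One concrete way to answer the "was data exfiltrated?" question is to total outbound bytes from internal hosts to external destinations and flag pairs where upload volume dwarfs download. The following is an added example written for this article, not a tool from any vendor; the flow-log format, the sample records, the private-range list and the thresholds are all constructed assumptions and would be replaced by your firewall or NetFlow export.

```python
"""Scope possible data exfiltration from outbound flow records.

Added illustrative example. The log layout below is constructed:
"<timestamp> <src_ip> <dst_ip> <bytes_out> <bytes_in>", one flow per line.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows from the hours before the ransom note appeared.
SAMPLE_FLOWS = """\
2024-05-02T01:12:03Z 10.0.4.17 203.0.113.45 10485760 2048
2024-05-02T01:13:41Z 10.0.4.17 203.0.113.45 9437184 1024
2024-05-02T01:14:09Z 10.0.4.17 203.0.113.45 12582912 2048
2024-05-02T01:15:00Z 10.0.4.22 10.0.0.5 5242880 5242880
2024-05-02T01:16:30Z 10.0.4.31 198.51.100.7 4096 65536
2024-05-02T01:17:45Z 10.0.4.17 203.0.113.45 14680064 1024
"""

# Assumed internal address space (RFC 1918); adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, out_b, in_b = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "out": int(out_b), "in": int(in_b)})
    return flows


def summarize_outbound(flows: list[dict]) -> dict:
    """Aggregate bytes per (internal source, external destination) pair.

    Internal-to-internal and inbound flows are ignored: they may matter for
    lateral-movement analysis, but not for exfiltration scoping.
    """
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0,
                                  "flows": 0, "first": None, "last": None})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        t = totals[(f["src"], f["dst"])]
        t["bytes_out"] += f["out"]
        t["bytes_in"] += f["in"]
        t["flows"] += 1
        t["first"] = t["first"] or f["ts"]   # records are time-ordered
        t["last"] = f["ts"]
    return dict(totals)


def flag_exfil_candidates(totals: dict, min_bytes: int = 40 * 1024 * 1024,
                          min_ratio: float = 20.0) -> list[dict]:
    """Flag pairs that pushed at least min_bytes out with an upload/download
    ratio of at least min_ratio. Both thresholds are assumed starting points,
    not universal constants; tune them against a known-good baseline."""
    flagged = []
    for (src, dst), t in totals.items():
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if t["bytes_out"] >= min_bytes and ratio >= min_ratio:
            flagged.append({"src": src, "dst": dst, **t, "ratio": round(ratio, 1)})
    return sorted(flagged, key=lambda r: r["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in flag_exfil_candidates(summarize_outbound(parse_flows(SAMPLE_FLOWS))):
        print(f"{hit['src']} -> {hit['dst']}: {hit['bytes_out']} bytes out "
              f"over {hit['flows']} flows ({hit['first']} .. {hit['last']})")
```

In the constructed data, one workstation pushes roughly 45 MiB to a single external address in six minutes with almost nothing coming back; that is the shape of a staged upload and the kind of evidence that shifts the incident from "encryption only" to "possible breach" for the legal and insurance calls in the next step. Real exfiltration is often spread over days or tunneled through cloud storage, so run the same aggregation over a wide time window and compare against the host's normal baseline rather than trusting a single threshold.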
Hour 2-3: Legal & Insurance
Call your Cyber Insurance provider immediately. They have incident response teams on retainer. Call your legal counsel to understand reporting requirements (GDPR/CCPA/SEC).
Hour 3-4: Recovery Decision
Do you pay? The FBI says no. But if your business will die without that data, it's a business decision. Rely on professional negotiators—never communicate with the hackers yourself.
The Forensics Phase: Learning from the Breach
Once the immediate threat is neutralized, you must understand how they got in. This is the Forensics Phase. Saving log files, preserving RAM states, and analyzing the malware entry point are vital steps for any cybersecurity SME. Without this step, you are simply inviting the hackers back for a second round. Use tools like Magnet AXIOM or open-source alternatives like Autopsy to reconstruct the attack timeline.
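The timeline-reconstruction step usually means merging logs that use different clocks and formats. The example below is added for this article and is not code from Magnet AXIOM, Autopsy, or any other product: it normalizes three constructed log sources (an EDR CSV export in UTC, a syslog excerpt in local time with no year, and a firewall log with epoch timestamps) into one UTC-ordered timeline and records a SHA-256 of each raw source so the evidence can later be shown to be unaltered. The hostnames, the local-time offset and the log layouts are all assumptions.

```python
"""Merge heterogeneous log sources into one UTC attack timeline and
hash each raw source for the evidence manifest. Added example; all
log lines, hosts and formats below are constructed for illustration."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed EDR export (already UTC): timestamp,host,action,detail
EDR_CSV = """\
2024-05-02T05:10:44Z,ws-017,ProcessCreate,unknown_binary.exe started from user temp dir
2024-05-02T05:16:10Z,ws-017,FileRename,mass rename to .locked extension begins
"""

# Constructed syslog from a Linux file server: local time (assumed UTC-4), no year.
SYSLOG = """\
May  2 01:12:03 fileserver sshd[2231]: Accepted password for svc_backup from 10.0.4.17 port 51822 ssh2
May  2 01:14:20 fileserver smbd[2290]: share 'finance' mounted by svc_backup from 10.0.4.17
"""

# Constructed firewall log: epoch seconds, action, src, dst, dst port.
FIREWALL = """\
1714626900 ALLOW 10.0.4.17 203.0.113.45 443
"""

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_edr(text: str) -> list[tuple]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, detail = line.split(",", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, "edr", host, f"{action}: {detail}"))
    return events


def parse_syslog(text: str, year: int, utc_offset_hours: int) -> list[tuple]:
    """Syslog lines carry no year or zone; both are supplied by the analyst
    (assumed here) and every timestamp is converted to UTC."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, msg = m.groups()
        when = datetime.strptime(f"{year} {mon} {day} {clock}",
                                 "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
        events.append((when.astimezone(timezone.utc), "syslog", host, msg))
    return events


def parse_firewall(text: str) -> list[tuple]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, action, src, dst, port = line.split()
        when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        events.append((when, "firewall", src, f"{action} {src} -> {dst}:{port}"))
    return events


def build_timeline(year: int = 2024, syslog_offset: int = -4) -> list[dict]:
    """Return all events sorted by UTC time. Stable sort keeps the original
    order for events with identical timestamps."""
    events = parse_edr(EDR_CSV) + parse_syslog(SYSLOG, year, syslog_offset) \
        + parse_firewall(FIREWALL)
    events.sort(key=lambda e: e[0])
    return [{"utc": e[0].isoformat(), "source": e[1], "host": e[2], "event": e[3]}
            for e in events]


def evidence_manifest() -> dict:
    """SHA-256 of each raw source, taken before any parsing or editing."""
    return {"edr": sha256_hex(EDR_CSV.encode()),
            "syslog": sha256_hex(SYSLOG.encode()),
            "firewall": sha256_hex(FIREWALL.encode())}


if __name__ == "__main__":
    for e in build_timeline():
        print(f"{e['utc']}  {e['source']:8} {e['host']:10} {e['event']}")
    for name, digest in evidence_manifest().items():
        print(f"{name}: sha256={digest}")
```

Hash the raw files before anyone opens them, keep the digests with the chain-of-custody record, and treat the timezone offset as a finding to verify rather than a setting to assume: a wrong offset silently reorders events and can make a backup login look like it happened before the process that triggered it.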
Engaging Law Enforcement
Reporting the crime to law enforcement such as the FBI (via IC3), or checking initiatives like No More Ransom, is not just about catching the criminals; it's about sharing intelligence. Often, law enforcement has decryption tools for specific ransomware strains that are not publicly available. As a responsible cybersecurity SME, your data contribution helps protect the entire business ecosystem.
For more on long-term resilience, see our guide on Reputation Impact Management.
