If your business gets hit with ransomware, the first 72 hours determine whether you recover cleanly or suffer a catastrophe. Here is the playbook.
The first 72 hours after a ransomware attack determine whether your business recovers or suffers a catastrophe. Most companies do not have a playbook. Here is one.
Ransomware attacks against mid-market businesses continue to rise. The companies that recover cleanly all share one thing: they had a playbook and executed it fast. The companies that suffer catastrophic damage usually panic in the first few hours and make decisions that make recovery harder. This article lays out a straightforward 72-hour playbook you can adapt to your environment.
The moment ransomware is detected, disconnect affected systems from the network. Do not shut them down. Disconnect them. Shutting down destroys volatile memory that may contain decryption keys or forensic evidence. Isolate affected workstations and servers on a separate VLAN, or unplug them entirely.
Call your MSP or internal IT lead. Call your cyber insurance carrier. Call your legal counsel. Do not make public statements. Do not contact the attackers. Get the core response team on a conference line and keep it running.
Next, assess the scope. How many systems are affected? What data is encrypted? Are backups intact? Are domain controllers safe? Is email still working? This assessment drives the rest of the recovery. Do not start restoring anything until you understand the full scope.
Isolate the environment from further spread. Preserve forensic evidence in case you need it for insurance claims or legal proceedings. Snapshot affected systems before any recovery work. Document the timeline of events with as much detail as you can capture while the team still remembers it.
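The scope assessment and the evidence preservation steps above both need a read-only inventory of what was hit, with a hash of each affected file so the findings can stand up later. The following script is an added example, not RE2 Tech's tooling: it walks a directory tree (a file share, or a mounted backup you want to verify before restoring from it), flags files that look encrypted (an extension that is not normally compressed plus near-random byte entropy) and files that look like ransom notes, and records a SHA-256, size and modification time for each. The ransom-note name and body patterns, the list of legitimately high-entropy extensions and the sample share it builds are all assumptions constructed for the example; real note names vary by family.

```python
"""Scope and evidence triage for a suspected ransomware incident (added example).

Read-only: the script never modifies, moves or deletes anything it scans.
"""
import hashlib
import json
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

# Formats that are high-entropy by design (compressed or already encrypted).
# Near-random content under any other extension is treated as suspicious.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                      ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random data approaches 8.0
SAMPLE_BYTES = 65536      # only the first 64 KiB of each file is examined
# Assumption: ransom notes are small text files whose names and bodies use
# words like these. Extend the lists for the family you are dealing with.
NOTE_NAME_RE = re.compile(r"(readme|restore|recover|decrypt|how.?to).*\.(txt|html|hta)$", re.I)
NOTE_BODY_RE = re.compile(r"\b(decrypt|bitcoin|ransom|your files)\b", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    """Evidence hash of the whole file, streamed so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str) -> Optional[str]:
    """Return 'ransom_note', 'encrypted', or None for a normal-looking file."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if NOTE_NAME_RE.search(name) and NOTE_BODY_RE.search(head.decode("utf-8", "ignore")):
        return "ransom_note"
    # Tiny files give unreliable entropy estimates, so require a minimum size.
    if ext not in KNOWN_HIGH_ENTROPY and len(head) >= 256 \
            and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return None


def triage(root: str) -> dict:
    """Scan `root` and return a scope report with an evidence hash per finding."""
    report = {"scanned_at": datetime.now(timezone.utc).isoformat(), "root": root,
              "files_scanned": 0, "encrypted": [], "ransom_notes": [], "errors": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            report["files_scanned"] += 1
            try:
                kind = classify(p)
            except OSError as e:          # unreadable file: record it, keep going
                report["errors"].append({"path": p, "error": str(e)})
                continue
            if kind is None:
                continue
            entry = {"path": os.path.relpath(p, root), "sha256": sha256_file(p),
                     "size": os.path.getsize(p),
                     "mtime": datetime.fromtimestamp(os.path.getmtime(p), timezone.utc).isoformat()}
            report["ransom_notes" if kind == "ransom_note" else "encrypted"].append(entry)
    return report


def build_sample_share() -> str:
    """Constructed sample data, not real incident data: two normal files,
    one encrypted-looking file and one ransom note in a temp directory."""
    root = tempfile.mkdtemp(prefix="ir-sample-")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "budget.csv"), "w") as f:
        f.write("month,amount\n" + "\n".join(f"2024-{m:02d},{m * 1000}" for m in range(1, 13)) + "\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("Normal meeting notes. " * 50)
    with open(os.path.join(root, "finance", "budget.xlsx.locked"), "wb") as f:
        f.write(os.urandom(4096))          # stands in for ciphertext
    with open(os.path.join(root, "README_TO_RESTORE.txt"), "w") as f:
        f.write("Your files are encrypted. To decrypt them, contact us...\n")
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_share()), indent=2))
```

Run it against each affected share and each backup you intend to restore from, and keep the JSON output with the timeline: the hashes let you prove later what the files looked like at the time. Expect some false positives from compressed formats that are not in the known list; treat a hit as something to look at, not a verdict.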
Start restoring from clean backups. Domain controllers first, then file servers, then line-of-business applications. Do not restore anything until you have verified the backup is clean. A backup that was itself compromised will just reintroduce the infection. Rebuild suspicious systems from scratch rather than restoring.
Verify every restored system is clean. Change every credential, especially administrative ones. Force MFA re-enrollment on every account. Return users to systems gradually so you can catch any residual issues. Do not rush to full operations until you are confident the environment is stable.
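"Change every credential" is easy to say and hard to prove across hundreds of accounts. The script below is an added example, not RE2 Tech's tooling: it takes an export of account metadata and reports every account whose password was last set, or whose MFA was last enrolled, before the incident started, privileged accounts first, so nobody is returned to a system on a credential the attacker may still hold. The CSV columns and the sample rows are constructed assumptions for the example; in practice the export comes from your directory or identity provider.

```python
"""Post-recovery credential rotation check (added example).

Reports accounts whose password or MFA enrollment predates the incident.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample export. Column names are assumptions for this example.
SAMPLE_EXPORT = """\
account,privileged,enabled,mfa_required,password_last_set,mfa_enrolled_at
administrator,true,true,true,2024-05-01T09:00:00Z,2024-05-02T10:00:00Z
svc-backup,true,true,false,2024-01-15T08:00:00Z,
jsmith,false,true,true,2024-05-01T12:30:00Z,2024-03-01T00:00:00Z
old-contractor,false,false,true,2023-11-20T00:00:00Z,
mjones,false,true,true,2024-05-01T14:00:00Z,2024-05-01T14:05:00Z
"""

# Constructed: earliest confirmed attacker activity from the timeline.
INCIDENT_START = datetime(2024, 4, 30, 22, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; empty string means 'never'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credentials(export_text: str, incident_start: datetime) -> List[Dict]:
    """Return one finding per account that is not yet safe to return to service."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        pw = parse_ts(row["password_last_set"])
        if pw is None or pw < incident_start:
            issues.append("password_not_rotated")
        # Service accounts that cannot do MFA are exempt from the MFA check
        # but still need their secret rotated.
        if row["mfa_required"].lower() == "true":
            mfa = parse_ts(row["mfa_enrolled_at"])
            if mfa is None or mfa < incident_start:
                issues.append("mfa_not_reenrolled")
        if issues and row["enabled"].lower() == "false":
            # A disabled account with a stale password is still a risk if
            # someone re-enables it; decide explicitly rather than ignore it.
            issues.append("disabled_account")
        if issues:
            findings.append({"account": row["account"],
                             "privileged": row["privileged"].lower() == "true",
                             "issues": issues})
    # Privileged accounts first, then alphabetical.
    findings.sort(key=lambda f: (not f["privileged"], f["account"]))
    return findings


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_EXPORT, INCIDENT_START):
        tag = "PRIV" if f["privileged"] else "user"
        print(f"{tag:4} {f['account']:16} {', '.join(f['issues'])}")
```

Re-run it after each rotation batch until it returns nothing; an empty result is the signal that the environment is ready for users, not a gut feeling that the work is probably done. Use the earliest confirmed attacker activity as the incident start, not the time the ransom note appeared, since credentials were typically stolen well before encryption.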
The recovery is only half the job. Root cause analysis, security hardening, insurance claims, regulatory notifications where required, and customer communication all happen in the weeks after. Do the work. Do not pretend it never happened.
Call a RE2 Tech engineer today and get a specific proposal inside of 72 hours. No pressure, no long pitch.
952-223-4422 | helpdesk@re2tech.com