Essentials
How to Respond to a Ransomware Attack: A 4-Hour Emergency Protocol
The screen is red. Your files are locked. The clock is ticking. Panic is your enemy. Follow this exact protocol to stabilize the situation.
By SecureBusinessHub Editorial, International cybersecurity desk — · 4 min read
The screen is red. Your files are locked. The clock is ticking. Panic is your enemy. Follow this exact protocol to stabilize the situation.
Hour 0-1: Isolation (stop the bleeding)
Your goal is to stop the spread. Ransomware moves laterally.
- Disconnect everything: Pull ethernet cables. Disable Wi-Fi on all infected machines. Do NOT power them down. You'll lose RAM artifacts needed for forensics.
- Isolate backups: Immediately disconnect your backup server or cloud sync to prevent the infection from corrupting your recovery point.
Hour 1-2: Assessment (scope the damage)
Identify what was hit. Was it just encryption, or was data exfiltrated?
Hour 2-3: Legal and insurance
Call your cyber insurance provider immediately. They have incident response teams on retainer. Call your legal counsel to understand reporting requirements under GDPR, CCPA, or SEC rules.
Hour 3-4: Recovery decision
Do you pay? The FBI recommends against it. But if the business won't survive without that data, it's your call to make. Use professional negotiators. Do not contact the attackers directly.
The forensics phase
Once the immediate threat is contained, you need to understand how they got in. Preserve log files, save RAM states before anything gets wiped, and document the malware entry point. Without this step, you're guessing about what to fix. Tools like Magnet AXIOM or the open-source Autopsy can help reconstruct the attack timeline.
Engaging law enforcement
Report to the FBI (IC3) or No More Ransom. This isn't just about catching anyone. Law enforcement sometimes has decryption tools for specific ransomware strains that aren't publicly available. Your information also helps protect other businesses.
For more on long-term resilience, see our guide on Reputation Impact Management.