Ransomware: What to Do in the First 24 Hours (Response Plan)
When ransomware hits, the first hours are decisive. Here is a clear action plan to limit damage and regain control.

In a ransomware attack, act in this order during the first hours: isolate infected systems without powering them off, preserve evidence, activate your crisis team, notify the relevant authorities, then restore from clean backups. Do not pay the ransom in a rush: it is rarely the right call and guarantees nothing.
Key points
- Isolate fast (disconnect from the network) without powering off machines, to preserve evidence.
- Do not pay in a panic: payment guarantees neither recovery nor the absence of a leak.
- The best response is prepared BEFORE an attack: tested backups and a written incident plan.
Hour 0 to 1: contain without destroying evidence
The first reflex is to stop the spread. Isolate affected machines from the network (unplug, disable Wi-Fi), but do not power them off: RAM holds valuable evidence for analysis.
- Disconnect infected systems from the network (cable, Wi-Fi), without powering them off.
- Cut remote access (VPN, RDP) and disable compromised accounts.
- Preserve logs and do not "clean up" anything before analysis.
- Trigger the crisis team and appoint a single lead.
Hour 1 to 6: assess, notify, communicate
Once the spread is contained, measure the scale and meet your obligations. In Quebec, Law 25 requires reporting "promptly" any incident presenting a risk of serious harm.
- Identify affected systems and data (encrypted, exfiltrated?).
- Notify the relevant authorities and, where applicable, police and your cyber insurer.
- Assess whether personal information is involved (reporting obligation).
- Prepare internal and, if needed, external communication — factual and controlled.
Hour 6 to 24: restore safely
Restoration cannot be improvised: restoring onto a still-compromised environment restarts the attack. First ensure the threat is eradicated, then rebuild from backups verified as clean.
- Confirm eradication before any return to service.
- Restore from tested, disconnected backups (offline / immutable).
- Reset passwords and secrets that may have been exposed.
- Closely monitor restored systems for re-infection.
Should you pay the ransom?
In the vast majority of cases, no. Payment guarantees neither data recovery, nor the absence of a leak, nor protection from another attack — on the contrary, it marks you as a paying target. It can also raise legal questions. The decision must be made calmly, with legal and technical counsel, never in panic.
Real protection happens upstream: tested, disconnected backups turn a disaster into a manageable interruption.
Frequently asked questions
Should I turn off infected computers?
No, do not power them off: isolate them from the network. Powering off a machine wipes the RAM, which holds crucial evidence to understand and respond to the attack. Disconnect them from the network and do nothing more.
Should I pay the ransom?
Generally, no. Payment guarantees nothing and exposes you to further attacks. The decision must be made calmly with legal and technical advice, and only after exhausting restoration options.
Am I required to report the attack?
If personal information is affected, Quebec’s Law 25 requires promptly reporting any incident presenting a risk of serious harm. Other obligations may apply depending on your sector and cyber insurance.
Do my backups really protect me?
Only if they are tested, recent and disconnected (offline or immutable). Ransomware actively targets connected backups. A backup that has never been test-restored gives a false sense of security.
How do I prepare before an attack?
Write an incident response plan, identify your crisis team, set up immutable backups tested regularly, and run a simulation exercise. Preparation turns a crisis into a controlled incident.
Takeaway
With ransomware, speed and method matter more than technique. Isolate, preserve, notify, restore cleanly. Codally helps SMBs and public organizations prepare their response plan and regain control after an incident.
