It's 6:47 AM on a Tuesday. Your phone rings. Someone in the office can't open the shared drive, and the file names look like garbage. By the time you get there, half the desktops are showing a ransom note.
What you do in the next sixty minutes will shape the next sixty days.
Most of the businesses we help during an active ransomware attack didn't have a plan. That's normal — almost nobody does until they need one. This guide is the plan we wish every leader had read before the call came in.
First 5 minutes — what NOT to do
Before you do anything else, resist these instincts. Each one feels productive in the moment and each one will cost you later.
Don't power off encrypted machines. Modern ransomware sometimes holds decryption keys in volatile memory. Powering off can permanently destroy the only chance at recovery without paying. It also destroys forensic evidence your insurance carrier and breach counsel will need. Disconnect the network cable. Leave the machine on.
Don't delete the ransom note. That note contains the threat actor's identity (often), the variant of ransomware, and the payment instructions. Your incident response team and your insurance carrier will need this. Screenshot it. Don't close it.
Don't restore from backups yet. If your backups are accessible from the same network the attacker just compromised, the attacker may have already touched them. Restoring on top of a compromised network reinfects within hours. Backups come later, after containment.
Don't reach for a decryption tool you found online. The free decryptors that work are listed at No More Ransom. Anything else is bait. Threat actors sometimes seed fake decryptors specifically to find businesses panicking.
Don't email your team about the incident from email accounts that may be compromised. If your Microsoft 365 environment is part of what's been hit, the attacker is reading your mail. Use phones or personal accounts for early coordination.
Minutes 5–30 — contain the spread
Now that you've stopped yourself from making it worse, the goal is containment. Stop the bleeding.
Isolate the network. If you have a managed firewall, this is one call to your IT partner. If you don't, the fastest containment is physical — unplug the internet connection at the building's main switch or router. Wi-Fi is part of this; turn it off. You will be without internet for hours. Accept it.
Identify patient zero, if you can. Which user account first showed signs of compromise? Which workstation? Look at desktops for the earliest timestamps on the encrypted files. The attacker is usually still operating from somewhere in your environment.
Take an inventory. What's encrypted? What's not? Servers, workstations, shared drives, cloud apps. Walk through this with whoever knows your environment best. If you have a managed service provider, they should be assembling this list for you.
Preserve evidence. If you have any kind of IT documentation, find it. If you have logs, don't touch them. If you have surveillance video of the server room or building, preserve it — physical access incidents happen more often than you'd expect.
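The "identify patient zero" and "take an inventory" steps above come down to one question: on which machine did encryption start, and which machines are touched at all. As an added example (not part of the original article or any DC Plus tooling), this Python script walks a constructed file listing of the kind an IT partner would export read-only from each host, flags encrypted files and ransom notes, ranks hosts by earliest encryption time, and splits hosts into touched and untouched. The `.locked` suffix and `README_TO_RESTORE.txt` note name are assumptions standing in for whatever this incident actually shows.

```python
from datetime import datetime

# Constructed sample of a file-listing export: (host, path, last-modified time).
# In a real incident this comes from a read-only directory walk of each machine/share.
SAMPLE_LISTING = [
    ("WS-ACCT-02", r"C:\Users\jdoe\Documents\budget.xlsx.locked", "2024-03-12T06:21:10"),
    ("WS-ACCT-02", r"C:\Users\jdoe\Desktop\README_TO_RESTORE.txt", "2024-03-12T06:21:12"),
    ("FS01", r"D:\Shares\Finance\q1.docx.locked", "2024-03-12T06:33:40"),
    ("FS01", r"D:\Shares\Finance\README_TO_RESTORE.txt", "2024-03-12T06:33:41"),
    ("FS01", r"D:\Shares\Finance\notes.txt", "2024-02-28T09:00:00"),
    ("WS-HR-05", r"C:\Users\asmith\Documents\review.docx.locked", "2024-03-12T06:40:05"),
    ("WS-OPS-01", r"C:\Users\bwong\Documents\schedule.xlsx", "2024-03-11T17:02:00"),
]

ENCRYPTED_SUFFIX = ".locked"         # assumption: the extension seen on this incident's files
NOTE_NAME = "README_TO_RESTORE.txt"  # assumption: the ransom note file name seen on desktops


def is_encrypted(path):
    return path.lower().endswith(ENCRYPTED_SUFFIX)


def is_note(path):
    return path.replace("/", "\\").split("\\")[-1].lower() == NOTE_NAME.lower()


def triage(listing):
    """Per host: count of encrypted files, ransom notes, and earliest encryption timestamp.
    Timestamps are a lead, not proof: attackers can alter them, so confirm with logs."""
    stats = {}
    for host, path, mtime in listing:
        s = stats.setdefault(host, {"encrypted": 0, "notes": 0, "earliest": None})
        if is_encrypted(path):
            s["encrypted"] += 1
            ts = datetime.fromisoformat(mtime)
            if s["earliest"] is None or ts < s["earliest"]:
                s["earliest"] = ts
        elif is_note(path):
            s["notes"] += 1
    return stats


def likely_patient_zero(stats):
    """Host whose earliest encrypted file is oldest; None if nothing is encrypted."""
    hits = [(s["earliest"], h) for h, s in stats.items() if s["earliest"] is not None]
    return min(hits)[1] if hits else None


def inventory(stats):
    """Split hosts into touched (encrypted files or notes present) and untouched."""
    touched = sorted(h for h, s in stats.items() if s["encrypted"] or s["notes"])
    clean = sorted(h for h, s in stats.items() if not (s["encrypted"] or s["notes"]))
    return touched, clean
```

Run `triage(SAMPLE_LISTING)` and pass the result to `likely_patient_zero` and `inventory`; the output is the starting point for the isolation and evidence-preservation steps, not the final word on scope.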
Minutes 30–60 — the call list
The next thirty minutes are about getting the right people in the room. In order:
1. Your IT partner or internal IT lead. They are the operational quarterback. If your IT person is on vacation or doesn't have ransomware experience, escalate immediately to whoever does. This is not the moment to protect anyone's ego.
2. Your cyber-insurance carrier's incident response hotline. Almost every cyber policy has a 24/7 number. Call it. Carriers expect to be told within hours, not days. They have incident response firms on retainer who can be on the phone with you in 30 minutes. Do not engage outside vendors before talking to your carrier — many policies require pre-approval of incident response firms, and using an unapproved firm can void coverage.
3. Breach counsel. Your carrier will typically connect you to an attorney who specializes in breach response. This person manages attorney-client privilege over the investigation, which matters enormously if litigation or regulatory action follows. If you don't have a carrier, find a breach counsel firm yourself — Mullen Coughlin, BakerHostetler, and McDonald Hopkins are well-known names. Local business attorneys are usually not the right fit for this work.
4. Your senior leadership and (if applicable) board chair. They need to know within the first hour. This is not the moment for a polished update — a brief factual call ("we're managing an active cyber incident, here's what we know, here's who we've called, more updates by noon") is enough. Get it on record that you communicated promptly.
5. Regulators, if you're regulated. Credit unions have the NCUA 72-hour notification rule for "reportable cyber incidents." Banks have similar requirements. Healthcare entities have HIPAA timing. Public companies have SEC requirements. The clock is already running. Your breach counsel will help you scope what's reportable and when, but flag your status now so you don't miss a window.
What NOT to decide in the first hour
Some decisions feel urgent but aren't. Push them out of the first hour.
Whether to pay the ransom. This is a 24–72 hour decision, not an hour-one decision. Paying involves OFAC sanctions screening (paying certain sanctioned threat groups is illegal), wallet logistics, and a determination of whether decryption is even likely to work. Your insurance carrier, breach counsel, and incident responders will guide this. There is no scenario where you have to decide this in hour one.
What to tell customers, members, or the press. Premature disclosure is its own legal risk. You may have notification obligations that haven't matured yet, and saying the wrong thing in the first day can complicate compliance with those obligations. Hold this for your breach counsel.
Whether to blame anyone internally. Most ransomware enters through phishing emails or unpatched systems. The user who clicked the link isn't the attacker. Treat the incident as an institutional failure first; investigate root cause later. People who feel blamed stop cooperating, and you need them.
Whether you'll be open tomorrow. You probably will be, in some reduced form. But that's a noon decision, not an hour-one decision. Stay focused on containment and the call list.
After the first hour
What follows the first hour is a coordinated multi-day response: forensic investigation, scope determination, recovery from backups (or rebuild planning if backups aren't viable), customer or member notification work, regulatory engagement, and eventually a root-cause analysis. None of that is fast. All of it is manageable if the first hour was handled well.
The businesses that recover best from ransomware aren't the ones with the most expensive security. They're the ones whose leadership stayed calm in the first hour, called the right people, and didn't make decisions that closed off options.
A note on preparation
You can't run this playbook the first time during an actual incident. Print this page. Put it in a folder labeled "IF" in your desk drawer. Add the phone numbers — your IT partner, your insurance carrier's incident hotline, your attorney. Tell two other senior people where the folder is.
If you've never had a conversation with your IT partner about ransomware response, have one this week. The cost of that conversation is an hour of time. The cost of not having it is everything that wasn't decided before 6:47 AM on the Tuesday it happened.
If you're in the middle of a ransomware incident right now, stop reading and call DC Plus at (270) 215-2626. We respond to active incidents whether you're an existing client or not.
