You're working normally. Then an alert pops up — or worse, you wake up to find every file on your server locked, a ransom note on every desktop, and a countdown ticking. Ransomware has arrived.
For most small and medium businesses, this is their worst-case scenario made real. But here's what most SMBs don't know: the decisions you make in the first 60 minutes determine whether this becomes a $10,000 problem or a $250,000 disaster. A well-executed first hour response can cut recovery time from weeks to days and dramatically reduce the leverage attackers have over you.
This guide walks you through exactly what to do in the critical first hour of a ransomware incident.
First: Stop and Think Before You Act
Do not:
- Pay the ransom (yet — more on this below)
- Restart your computer or server
- Try to "quick fix" by turning off the machine and turning it back on
- Connect backup drives to the infected network
Your goal in the first 60 minutes is containment and intelligence gathering, not recovery.
The First 5 Minutes: Confirm the Incident
Is this actually ransomware?
Look for:
- Files with new extensions appended (.crypto, .locked, .encrypted, .xyz, or random 4-character extensions)
- A ransom note file (often named README.txt, HOW_TO_DECRYPT.txt, or similar)
- Inability to open files you could open 10 minutes ago
- Pop-ups or desktop backgrounds changed to ransom messages
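An added triage script (not part of the original guide) that walks a folder and counts the indicators listed above; the extension list, ransom-note name pattern and the sample folder tree are assumptions constructed for the demo.

```python
"""Triage helper for the 'Confirm the Incident' step: walk a folder tree and count the
indicators listed above (ransomware extensions, random suffixes, ransom notes, a burst of recent changes)."""
import os
import re
import tempfile
import time

# Extensions named in the guide (assumed starter list; extend for your environment).
KNOWN_RANSOM_EXTENSIONS = {".crypto", ".locked", ".encrypted", ".xyz"}
# Ransom-note names such as README.txt or HOW_TO_DECRYPT.txt (assumed pattern).
RANSOM_NOTE_PATTERN = re.compile(r"^(readme|how_to_decrypt|decrypt|restore).*\.(txt|html|hta)$", re.I)
# "report.docx.ab3d": original extension still visible before a random 4-char suffix.
DOUBLE_EXT_PATTERN = re.compile(r"\.[a-z0-9]{2,5}\.[a-z0-9]{4}$", re.I)

def scan_tree(root, recent_minutes=60):
    """Return indicator hits found under root, grouped by indicator type."""
    findings = {"known_ext": [], "double_ext": [], "ransom_notes": [], "recent": 0}
    cutoff = time.time() - recent_minutes * 60
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if os.path.getmtime(path) >= cutoff:  # many files touched at once = encryption burst
                findings["recent"] += 1
            if RANSOM_NOTE_PATTERN.match(lower):
                findings["ransom_notes"].append(path)
            elif os.path.splitext(lower)[1] in KNOWN_RANSOM_EXTENSIONS:
                findings["known_ext"].append(path)
            elif DOUBLE_EXT_PATTERN.search(lower):
                findings["double_ext"].append(path)
    return findings

def triage_verdict(findings, min_hits=5):
    """Combine indicators: a single README.txt by itself is not evidence."""
    hits = len(findings["known_ext"]) + len(findings["double_ext"])
    if findings["ransom_notes"] and hits >= min_hits:
        return "likely ransomware"
    if findings["ransom_notes"] or hits >= min_hits:
        return "suspicious"
    return "no indicators"

def build_sample_tree():
    """Constructed sample data: a small 'infected' share in a temp directory."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    for rel in ["invoices/q1.xlsx.locked", "invoices/q2.xlsx.locked", "hr/policy.docx.crypto",
                "hr/photo.jpg.ab3d", "hr/notes.txt.k9qz", "invoices/HOW_TO_DECRYPT.txt", "ok/plan.txt"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

Point `scan_tree` at a user profile or a copy of a mapped share from a machine that is already disconnected; the per-indicator counts also feed the "how many machines" scope question later in this guide.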
Check your backup status immediately:
- Can you access your last backup?
- When was the last backup completed?
- Is the backup disconnected from the infected network?
If you have a clean, recent backup offline or in the cloud, you may not need to negotiate with attackers at all.
Minutes 5–15: Isolate and Contain
Disconnect affected machines from the network:
- Unplug Ethernet cables from infected machines
- Turn off Wi-Fi on laptops
- Disable network share access
Why this matters: Ransomware spreads. It finds other machines on your network and encrypts them too. Every minute you stay connected, it may be spreading.
Identify the scope:
- How many machines are affected? (Check one, then quickly scan others)
- Has it reached servers or just workstations?
- Is your backup infrastructure accessible or is it also showing symptoms?
Document what you're seeing — take photos of ransom notes, note exact times, save any error messages. You'll need this for your incident response log and potentially for law enforcement/cyber insurance.
Minutes 15–30: Notify Your Response Team
Who needs to know right now:
- Your IT person or managed services provider (MSP) — if you have one
- Your CEO or business owner — they need to know before it's too late
- Your cyber insurance provider — most policies require notification within 24-72 hours to be valid; faster is always better
What to say:
"We've identified a ransomware incident affecting [scope]. We've disconnected affected machines from the network. This is under active response. I'll update you within 30 minutes with more detail."
What NOT to say publicly yet:
- Don't post on social media about the incident
- Don't notify clients until you've assessed the scope
- Don't send internal mass emails that might tip off the attacker
Minutes 30–45: Assess Your Backup and Decide on Law Enforcement
Check your recovery options:
- Do you have a clean backup from before the infection? ✓ → Recovery is possible without paying
- Do you have shadow copies or previous file versions? ✓ → Partial recovery may be possible
- Is your backup also encrypted? → You'll need to assess the ransom option
Contact law enforcement:
- FBI Internet Crime Complaint Center (IC3): ic3.gov
- Your local FBI field office
- Your state's cybersecurity office (many states have dedicated units)
Why report? You may get decryption keys or intelligence that helps your recovery. You're also building the case against these attackers for the next SMB they target.
Contact your attorney: Ransomware incidents may trigger data breach notification laws (even if no data was exfiltrated, many states require notification if systems were compromised). Your attorney can advise on notification obligations within the required timeframes.
Minutes 45–60: Evaluate the Ransom Carefully
Understand what you're dealing with:
- Most ransom demands are negotiable — initial demands are often 3-5x what they expect to receive
- If you decide to pay, never pay via gift cards or cryptocurrency without guidance from a professional
- Getting decryption keys doesn't mean your systems are secure — you still need a full security review
If you decide to pay (after consulting with IT and/or a ransomware recovery specialist):
- Document everything
- Understand that payment does not guarantee decryption or that attackers won't return
- Consider whether you have cyber insurance that might cover part of the cost
Key decision: Do you have cyber insurance?
- Many policies cover ransomware payments and recovery costs
- Most require you to notify them before paying
- Many provide access to ransomware recovery specialists who can often negotiate on your behalf or find a recovery path that bypasses the attackers' decryptor
After the First Hour: What Comes Next
Once you've contained the spread and assessed your situation, you need:
Forensic analysis: Find out how they got in. Was it a phishing email? An unpatched system? A compromised remote desktop (RDP)? If you don't know the entry point, they or another attacker may return.
System rebuild: Don't just decrypt and move on. Start fresh on clean systems. Ransomware often leaves persistence mechanisms — even a "clean" decrypt may be compromised.
Post-incident review: What failed? Was training missing? Were patches delayed? Use this incident to improve your defenses before the next one.
How to Avoid This Scenario Altogether
The best ransomware response is the one you never have to execute. Here's what actually prevents SMB ransomware:
Multi-layer backups (the 3-2-1 rule):
- 3 copies of your data
- On 2 different media types
- With 1 stored offsite or in immutable cloud storage
Endpoint detection and response (EDR): Basic antivirus isn't enough. EDR tools can detect and stop ransomware behavior before files are encrypted.
Regular patch management: Many ransomware attacks start with unpatched systems. Keep your operating systems and software updated.
Multi-factor authentication: If attackers get credentials, MFA can stop them from using them to spread across your network.
Security awareness training: Most ransomware starts with a phishing email. A trained team that doesn't click malicious links stops the most common entry point.
One Step Better Than Hoping for the Best
If you're running a small or medium business without a dedicated IT security team, you need a partnership that fills that gap — someone who thinks about the scenarios in this guide before they happen.
SecurEveryone's ransomware tabletop exercise puts your leadership team through a realistic ransomware scenario in a zero-stakes environment. You practice the decisions in this guide — containment, communication, negotiation — so when it's real, your team isn't learning on the job.
Book a Business-tier ransomware tabletop session →
This 2-hour engagement includes your full leadership team and produces a written incident response plan tailored to your organization.