Threat Intelligence & Incident Response
A practical first-24-hours ransomware checklist for small businesses: isolate systems, preserve evidence, call the right parties, and avoid the panic moves that make recovery worse.
If you are in the middle of a ransomware scare, the first 24 hours are mostly about not making the situation worse.
My short answer is this: in the first 24 hours after a small business ransomware scare, isolate affected systems, preserve evidence, call your cyber insurance carrier, and do not start restoring anything until you know what was hit and whether the attacker still has a path back in.
That sequence is not theory. It lines up with CISA's ransomware response checklist, which starts with determining impact and immediately isolating affected systems. CISA also notes that if you cannot disconnect devices individually, powering them down may be necessary to stop spread.
Source: Ransomware Response Checklist | CISA
The FBI's public guidance also tells victims to report ransomware to the FBI through ic3.gov or a local field office. And the 2025 IC3 annual report shows ransomware remains a material business problem, with more than 3,600 complaints and over $32 million in reported losses in 2025 alone, while the FBI notes that reported losses understate the real business impact because downtime and remediation costs are often excluded.
Sources: Ransomware | FBI, 2025 IC3 Annual Report | FBI
If you need the compressed version, do this in order:
That is the first-day operating model.
| Situation | Bad instinct | Better move |
|---|---|---|
| One laptop shows a ransom note | Reboot it to see if the message clears | Disconnect it from the network and preserve the note |
| Multiple machines look affected | Keep the office online while you investigate | Isolate the impacted subnet or take the switch segment down |
| MSP or IT person wants to start cleanup | Let them delete tools and reinstall immediately | Preserve logs, screenshots, and sample images first |
| Leadership asks about paying | Start discussing bitcoin before scope is known | Call carrier, counsel, and responders first |
| Backups exist | Start restoring right away | First verify the intrusion path is understood and backups are clean |
Small businesses lose time by treating every symptom as a separate problem. Most of the time it is one incident with one root access problem and several visible consequences.
This is one reason I push businesses toward managed detection and response instead of relying on antivirus and hope. The earlier you catch loader activity, suspicious PowerShell, remote admin abuse, or ransomware canary trips, the more likely you are dealing with a contained event instead of a full office outage.
This is where small teams often get the order wrong.
CISA's guidance is straightforward: determine what systems were impacted and isolate them immediately. If several systems or subnets appear affected, taking the network offline at the switch level may be more realistic than trying to unplug devices one by one.
Source: I've Been Hit By Ransomware! | CISA
My view is even simpler: if you are unsure whether spread is still happening, bias toward isolation early and inconvenience second. A noisy half-day caused by intentional containment is better than an extra twelve encrypted machines because nobody wanted to interrupt operations.
What isolation usually means in practice:
What it does not mean:
That last point matters. A ransomware event may include mailbox access, malicious forwarding rules, stolen credentials, and cloud persistence. The first day should include a tenant review on Microsoft 365 or Google Workspace, not just workstation triage. This is the exact gap managed ITDR is meant to close.
I understand why small teams want to clean first. The note is on screen, users are calling, and everyone wants to "fix it."
But if you wipe evidence too early, you make three things harder:
CISA's checklist explicitly includes taking system images and memory captures of sample affected devices where feasible. That is not enterprise-only advice. Even in a small environment, preserving a sample workstation, the server that first showed signs, suspicious emails, and key logs can materially improve the investigation.
Source: Ransomware Response Checklist | CISA
Preserve these if you can:
Small businesses do not need perfect forensic maturity on day one. They do need enough preserved context that the people helping them are not reconstructing the incident blind.
One of the most expensive first-day mistakes is calling the cyber insurance carrier too late.
If you have cyber insurance, the policy may require you to use the carrier's incident response panel, breach counsel, negotiator, or forensics firm. Starting expensive response work before reading that path can create coverage friction at exactly the wrong moment.
This is not a sales point. It is an operational one. If you carry the policy, use it the way the policy expects. That is also why I keep pointing businesses back to cyber insurance readiness: the policy is not just a purchasing decision, it is part of the response playbook.
You should also remember that ransom payment is not just a business decision. Treasury's OFAC ransomware advisory warns that facilitating a payment to a sanctioned actor can create sanctions risk, and it specifically encourages prompt law-enforcement reporting and cooperation as mitigating factors.
Source: Ransomware Advisory | OFAC
My opinion here is blunt: if leadership starts talking about paying before the carrier, counsel, and responders are on the call, the company is operating from fear rather than process.
The core group is usually:
Everyone else should get status updates, not a decision seat. Small incidents get messy when twenty people are forwarding screenshots, restarting devices, and asking users to try logins again.
This is also the point where you decide how to communicate with staff. Keep it plain:
"We are investigating a potential ransomware incident. Leave affected devices disconnected. Do not reboot systems. Do not click suspicious messages. Wait for direct instructions before reconnecting to company resources."
Simple instructions beat detailed speculation.
The first visible damage is rarely the full story.
In the first 24 hours, you should be asking:
CISA's #StopRansomware material makes an important point that many small businesses miss: ransomware may be the last step in a broader compromise, and earlier attacker activity can include credential theft, persistence, and data theft.
Source: #StopRansomware Guide | CISA
That is why "we restored the files" is not the same as "the incident is over." Treat the first day as an access problem, not just a file problem.
This is probably my strongest opinion in the piece.
Restoring from backup feels productive, but it is often premature in the first day. If the same admin account is still compromised, the same remote access path is still open, or the same malicious tooling is still present in the tenant, you can rebuild straight back into the attacker's hands.
The better rule is:
restore only after you have a defensible view of scope, an understood access path or at least a containment plan around it, and confidence that the backup source is clean enough to trust.
That does not mean waiting forever. It means avoiding fake progress.
Businesses that have already pressure-tested backups, identity response, and detection coverage have a much easier day here. If you are not sure whether your environment is built for that kind of response, start from the business page or the briefing form after the incident is stabilized.
The first 24 hours after a ransomware scare are not about heroics. They are about control.
Contain first. Preserve evidence second. Use the insurance path if you have one. Treat identity and cloud scope as part of the event. Do not mistake early restoration for real recovery. And do not let the ransom note set the agenda before you understand the incident.
For small businesses, that discipline is more important than having a massive in-house team. Most SMBs do not need a war room. They need a response sequence that works when everyone is stressed.
If you already know your business lacks 24/7 detection, tested backups, identity monitoring, or a real first-day playbook, fix that before the scare becomes an incident. The related pieces on MDR vs EDR vs MSSP vs SOC as a service and tax-season ransomware for accounting firms are good follow-ons if you want the operational version of that conversation.
First decide whether encryption or attacker activity is still live, then isolate affected devices or network segments. The first priority is stopping spread, not resetting passwords at random or reading the ransom note line by line.
Usually no, unless isolation is not possible any other way. CISA's guidance prioritizes immediate isolation because leaving systems powered can preserve memory and other evidence that helps responders understand what happened.
Call your cyber insurance carrier, internal leadership, your IT or security owner, and any outside incident response or legal contact the policy requires. Report the incident to the FBI through ic3.gov or a local field office as part of the first-day workflow.
No. Paying early is usually panic, not strategy. Payment may not restore operations, may not stop data leakage, and can create sanctions risk depending on the actor involved. That decision belongs with counsel, the carrier, and responders.
Preserve the ransom note, screenshots, sample affected systems, identity and network logs, suspicious emails, and a timeline of observations and decisions. Those details shape both the investigation and the insurance claim.
Only after you understand scope well enough to avoid restoring into the same compromise. Backups are part of recovery, not a substitute for containment and investigation.
No. The same intrusion can involve compromised email, cloud identity, malicious forwarding rules, stolen credentials, and data exfiltration. If you only look at the laptop with the ransom note, you may miss the bigger access problem.
Last updated
May 21, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Figure out whether systems are actively being encrypted, then isolate affected devices and, if needed, take the impacted network segment offline. The first priority is containment, not email cleanup or debating the ransom note.
Usually no, unless you cannot disconnect them from the network. CISA's guidance prioritizes immediate isolation first because powered-on systems may preserve memory and other evidence that helps scope the incident.
Call your cyber insurance carrier, internal leadership, your IT/security response owner, and if needed your outside incident response or legal contacts. Report the event to the FBI through IC3 or your local field office as part of the first-day response.
No. Paying early is a panic move. It does not guarantee a working decryptor, it may not stop data leakage, and OFAC guidance makes sanctions screening part of the decision. That decision belongs with counsel, the carrier, and incident responders on the call.
Preserve ransom notes, screenshots, system images, memory captures where feasible, firewall and EDR logs, suspicious emails, and a written timeline of who saw what and when. Those details shape both containment and insurance handling.
Only after you have a defensible view of scope and confidence that the attacker no longer has the same access path. Restoring too early can put the attacker right back into a freshly recovered environment.
Related reading
How BEC and wire-fraud unfold in CPA firms — refund redirect, payroll wire interception, vendor payment scams — and the controls that catch the chain before the wire leaves.
Read articleWhy ransomware operators target accounting firms during tax season, the attack chains that work, the recovery timelines firms cannot afford, and the controls that break the chain.
Read articleHow BEC and wire fraud actually unfold in a dental practice — the supplier-impersonation pattern, the inbox-rule trick, the controls that catch it, and what to do in the first 4 hours.
Read article