When ransomware hits, here are the nine steps your team needs to execute immediately: isolate affected systems, activate your incident response team, preserve forensic evidence, assess the blast radius, notify legal and your insurer, evaluate the ransom decision with counsel, restore from validated clean backups, conduct a post-incident review, and patch the entry vector.
This playbook walks through each step in detail with timing, ownership, and the mistakes that turn a contained event into a business crisis.
If you do not have this process documented before an attack happens, you will improvise it under pressure. That is where the real damage is done.
Here Is the Situation You Might Be In
It is 6:47 on a Tuesday morning. Your IT manager gets an alert — dozens of workstations are showing the same error. By the time she opens her laptop, the ransom note is already on screen. Files across three servers are encrypted. The backup server is throwing errors. No one knows how far it has spread.
In the next four hours, your team will make decisions that determine whether this is a two-day disruption or a six-week shutdown — whether you pay $400,000 and get nothing back, or restore operations from a clean backup; whether you comply with GDPR's 72-hour notification window, or face a regulatory investigation on top of everything else.
Ransomware is not just a technical incident. It is a simultaneous operational, legal, financial, and reputational crisis — and it unfolds in real time. Organisations that navigate it well have one thing in common: they had a plan before the attack happened.
What Makes Ransomware Different from Other Cyber Incidents?
Most cybersecurity incidents affect one layer of your business. Ransomware hits three at once.
Operational shutdown: Systems are encrypted and unavailable. Depending on what is hit, this can mean your entire workforce cannot work, customer-facing services are down, and order fulfilment, billing, and communications all stop.
Data exfiltration: Modern ransomware groups do not just encrypt your data. They exfiltrate it first and threaten to publish it if you do not pay — a tactic called double extortion. This means paying the ransom does not guarantee your data stays private.
Regulatory exposure: If the encrypted data includes personal data, health records, or payment information, you have breach notification obligations across GDPR, HIPAA, PCI DSS, and sector regulators, with timelines that begin the moment you become aware of the incident.
According to IBM's Cost of a Data Breach Report 2025, the average global cost of a ransomware attack is $5.13 million, and the average downtime is 24 days.
For organisations without a tested incident response plan, both figures are significantly higher. That is the context for the playbook below.
Before the Attack: What You Need in Place
The steps in the next section only work if the foundations exist before an attack. A brief readiness checklist:
- A documented Incident Response Plan with defined roles — who declares an incident, who leads the response, who handles legal and communications
- A named external cyber incident response retainer with pre-agreed activation terms and SLAs
- Offline, tested backups that are isolated from your primary network and verified to actually restore
- A current asset inventory so you know what exists, what matters, and what is connected to what
- Network segmentation to limit lateral movement once an attacker is inside
If any of these are missing, the steps below still apply — but your response will be slower, costlier, and more dependent on decisions being made under pressure.
Digisecuritas' Incident Readiness Checklist helps organisations build and test these foundations before an attack — including tabletop exercises that stress-test your plan under realistic conditions.
The Ransomware Incident Response Playbook: Step by Step
Step 1: Detect and Confirm (0 to 15 Minutes)
Do not act on assumption. Before triggering a full incident response, confirm that what you are seeing is actually ransomware — not a storage failure, a system update gone wrong, or a false alert from your endpoint agent.
Check your EDR and SIEM for correlated alerts. Look for mass file encryption activity, unusual process execution, or lateral movement indicators. Identify which systems are affected and, if possible, the initial point of compromise — without touching the infected systems.
This matters because the actions you take in the next 30 minutes are difficult to reverse. Confirm before you escalate.
Step 2: Activate Your Incident Response Team (15 to 30 Minutes)
This is not a job for your IT team alone. Ransomware response requires an incident command structure with clear ownership across technical, legal, and communications functions.
Who to activate immediately:
- Incident Response Lead — internal CISO or security lead, or your external retainer provider
- Legal Counsel — internal GC or external specialist, because every decision from this point is legally consequential
- Executive Sponsor — someone with authority to make decisions on ransom, business continuity, and communications
- Your external IR retainer provider, if you have one — this is exactly what they exist for
Do not put your IT manager in charge of an incident they were not trained to lead. Do not handle a live ransomware attack with a team that has never run a real response before.
Digisecuritas' Cyber Incident Response Management provides experienced incident commanders who take operational control from the moment of activation — so your team is supported, not overwhelmed.
Step 3: Isolate, Do Not Shut Down (30 to 60 Minutes)
The instinct when ransomware is discovered is to pull the plug. Resist it.
Shutting down infected systems destroys volatile memory — which may contain encryption keys, attacker tooling, and forensic evidence that is essential for both recovery and investigation. In some ransomware variants, a cold shutdown triggers additional payload execution.
Instead, isolate:
- Disconnect infected systems from the network at the switch level, not by powering them off
- Disable affected user accounts and revoke active sessions
- Block the relevant network segments at the firewall
- Identify clean systems and begin segregating them from the affected environment
The goal is to stop lateral movement and further encryption while preserving everything that is needed for forensic investigation and potential recovery.
Step 4: Assess the Blast Radius (Hours 1 to 3)
Before you can make any decision about ransom, recovery, or disclosure, you need to understand the scope of what has happened.
Map the following:
- What is encrypted: Which systems, servers, databases, and file shares are affected
- What has been exfiltrated: Check egress logs, firewall telemetry, and threat intelligence feeds for signs of data leaving the environment before encryption
- What is still clean: Identify systems that are unaffected and need to be protected from further spread
- What is the entry vector: How did the attacker get in — phishing, exposed RDP, vulnerable VPN appliance, compromised credential
This assessment drives every subsequent decision. Do not skip it to move faster on recovery.
Digisecuritas' Detection and Response capability includes threat hunting and forensic log analysis to map attacker activity across your environment — including exfiltration that occurred days or weeks before the encryption event.
Step 5: Preserve Forensic Evidence (Parallel to Steps 3 and 4)
This step runs in parallel — not after containment.
Before any system is wiped, rebuilt, or restored, your IR team should:
- Take forensic disk images of affected systems
- Capture live memory from systems that are still running
- Preserve all available logs: endpoint, firewall, DNS, Active Directory, cloud platform
- Document the chain of custody for all evidence collected
Why this matters beyond the investigation: cyber insurance claims require evidence of what occurred. Legal action against threat actors or negligent third parties requires preserved evidence. Regulatory investigations will ask for logs. Wiping and reinstalling before capturing evidence is one of the most costly mistakes in ransomware response.
Step 6: Notify the Right People (Hours 2 to 6)
Legal has been involved since Step 2. Now it is time to move on external notifications — but in the right order.
Cyber insurer: Notify your insurer as early as possible. Most policies have notification windows that, if missed, can affect coverage. Your insurer may also have preferred IR vendors or legal counsel that affect how you proceed.
Legal counsel: Before any external communication to customers, partners, regulators, or media, legal must review and approve the messaging.
Regulators: Under GDPR, personal data breaches must be reported to the relevant supervisory authority within 72 hours of becoming aware. HIPAA requires notification within 60 days for breaches affecting more than 500 individuals. PCI DSS requires immediate notification to your acquiring bank. Know your obligations before the incident happens.
Law enforcement: Reporting to FBI IC3 or CISA is not mandatory in most jurisdictions, but it is recommended. Law enforcement intelligence on the threat group may assist your response. It also creates a formal record of the incident.
What not to do: Do not post on social media, send customer notifications, or issue press statements before legal has reviewed everything. Premature or inaccurate public statements create additional regulatory and litigation exposure.
Step 7: Evaluate the Ransom Decision
This is one of the most consequential decisions in any ransomware response — and it should never be made by your IT team or made in isolation.
The framework for decision-making:
| Factor | Considerations |
|---|---|
| Backup availability | If clean, tested backups cover the affected systems, paying is rarely rational |
| Decryptor reliability | Many ransomware groups provide working decryptors. Some do not. Research the group. |
| Double extortion | Paying the ransom does not guarantee exfiltrated data will not be published |
| Regulatory risk | Paying groups on OFAC sanctions lists may itself be a regulatory violation |
| Insurance coverage | Your policy may cover ransom payments or may exclude them. Verify first. |
| Business continuity | What is the cost per day of downtime versus the cost of the ransom demand? |
The FBI's official position is that ransom payments should not be made, as they fund criminal organisations and do not guarantee recovery. That guidance is correct in principle. In practice, some organisations face situations where payment is the least-bad option — but that decision must be made by executives with legal and insurance counsel involved, not by your IT manager at 2 AM.
Step 8: Recover and Restore
Recovery is not a single action — it is a phased process that must be validated at each stage.
Verify backups before restoring: Confirm that backup systems were not themselves compromised or encrypted. Many ransomware groups specifically target backup infrastructure in the days before triggering the encryption event.
Build a clean environment: For significant incidents, restore into a clean, isolated environment rather than restoring directly onto potentially compromised infrastructure.
Prioritise by criticality: Restore critical business systems first — not necessarily the systems that are easiest to restore. Define your restoration priority list before the incident.
Validate before reconnecting: No system returns to the production network until it has been confirmed clean. Reconnecting a compromised system too early is how partial recoveries turn into complete reinfections.
Digisecuritas' Incident Response Recovery service manages the technical restoration process — including environment validation, phased reconnection, and confirmation that the threat has been fully eradicated before systems go live.
Step 9: Post-Incident Review
Once the immediate crisis is resolved, the work of actually learning from it begins.
A thorough post-incident review covers:
- Root cause analysis: How did the attacker get in? What vulnerability, misconfiguration, or human error was the initial vector?
- Timeline reconstruction: When did the attacker first enter the environment? What did they do between initial access and encryption? (In many cases, attackers dwell in environments for weeks before triggering ransomware.)
- What worked: Which controls, processes, and teams performed well under pressure?
- What failed: Which gaps in detection, response, or containment made the incident worse than it needed to be?
- Remediation: Patch the entry vector. Fix the gaps. Update the IR plan based on what you learned.
- Regulatory closeout: Submit required notifications to regulators, notify affected individuals where required, and close out your insurance claim.
The post-incident review is not a blame exercise. It is the mechanism by which organisations become genuinely more resilient after an attack — rather than simply recovering to the same vulnerable state they were in before.
The Biggest Ransomware Response Mistakes Organisations Make
Most of the damage done in ransomware incidents is not caused by the attackers. It is caused by the response.
- Paying the ransom without legal and insurance consultation: Ransom payments made to sanctioned groups create regulatory liability. Payments made without insurance consultation may void coverage. This decision requires counsel, always.
- Shutting down systems before capturing forensic evidence: Cold shutdown destroys volatile memory. You may lose encryption keys, attacker tooling, and the only evidence that supports your insurance claim or regulatory notification.
- Notifying customers before legal review: Premature or inaccurate breach notifications create independent liability. Every external communication must be reviewed by legal before it goes out.
- Restoring from backups that were already encrypted: Ransomware groups often compromise backup infrastructure weeks before triggering encryption. Verify backup integrity before restoring — or you will restore the problem.
- Trying to find an IR firm mid-crisis: When you are searching for an incident response provider at 3 AM during a live attack, you are negotiating from the worst possible position. Response times are slower, costs are higher, and the team has no prior familiarity with your environment.
Why a Cyber Incident Response Retainer Changes Everything
The organisations that contain ransomware attacks fastest share one characteristic: they had a relationship with an incident response provider before the attack happened.
A Cyber Incident Response Retainer provides:
- Pre-agreed SLAs: Guaranteed response times, typically measured in hours, not days
- Pre-authorised access: Legal and technical agreements already in place, so your IR team can begin work immediately without contract negotiation mid-crisis
- Environment familiarity: A retainer relationship typically includes pre-incident discovery — your IR provider already knows your environment, your critical systems, and your contacts before the call comes in
- Cost predictability: Retainer fees are predictable and budgetable. Emergency IR engagement fees during a live incident are not.
The cost difference between retainer-based IR and emergency IR is significant. But the more important difference is time — and in ransomware response, time directly determines how many systems get encrypted, how much data gets exfiltrated, and how long your business stays down.
Digisecuritas' Security Monitoring and Incident Response capability combines 24/7 monitoring with rapid incident response — so threats are caught earlier and responded to faster. Speak with our incident response team to understand retainer options for your organisation.
Final Thoughts
Ransomware is not a question of if — it is a question of when, and whether your organisation is ready when it arrives.
The nine steps in this playbook are not complicated. What makes them hard is executing them correctly, in sequence, under pressure, without a pre-built plan and a practised team. Every gap in your readiness — no tested backups, no retainer, no documented IR plan — compounds the cost and the downtime when the ransom note appears.
The organisations that recover in days instead of weeks are not lucky. They prepared.
If your organisation does not have a documented incident response plan, a tested backup strategy, or a retained incident response provider, now is the right time to fix that — before it becomes urgent.
Frequently Asked Questions
Should I pay the ransomware demand?
The FBI advises against paying ransom. Payment funds criminal organisations, does not guarantee file recovery, and does not prevent data publication in double extortion scenarios. That said, every situation is different — the decision must be made by executives with legal counsel and your cyber insurer involved, not unilaterally by IT.
How long does ransomware recovery take?
For organisations with tested, clean backups and an active IR retainer, recovery from a contained ransomware incident can take 24 to 72 hours. For organisations without these foundations, average downtime is 24 days or more. Preparation is the single biggest variable in recovery time.
Does cyber insurance cover ransomware attacks?
Most cyber insurance policies include ransomware coverage, but the specifics vary significantly — ransom payment coverage, business interruption, forensic costs, and notification costs may each have separate sub-limits and conditions. Review your policy before an incident and ensure your insurer is notified early in the response process.
What is the difference between an IR retainer and IR management?
An IR retainer gives you pre-agreed, priority access to an incident response team when an incident occurs — typically including some pre-incident preparation work. IR management is an ongoing service that actively monitors your environment, responds to alerts, and manages the full incident lifecycle. For most organisations, a retainer is the minimum; managed IR provides greater ongoing protection.
Do I need to report a ransomware attack to regulators?
If personal data was encrypted or exfiltrated, yes. GDPR requires notification to the relevant supervisory authority within 72 hours of becoming aware of a breach involving personal data. HIPAA has similar requirements for healthcare organisations. PCI DSS requires immediate notification to your acquiring bank. The specific obligations depend on your industry, geography, and the data involved — which is why legal counsel must be activated immediately in any ransomware response.
External sources
- IBM Cost of a Data Breach Report 2025: ibm.com/reports/data-breach
- FBI IC3 — Internet Crime Complaint Center: ic3.gov
- CISA Ransomware Guidance: cisa.gov/stopransomware
