60 Minutes to Containment: Your Ransomware Emergency Playbook
Imagine this: you walk into your office, coffee in hand, and see a red screen on your monitor. It says your files are encrypted. A countdown timer is ticking. Your heart races. Panic sets in. But you don’t have to panic. You have sixty minutes to contain the damage. This playbook is your lifeline. It’s written in plain English, step by step, for anyone who might face this nightmare. Let’s get to work.
The Golden Hour: Why 60 Minutes Matters
Ransomware spreads fast. In the first hour, it can move from one computer to your entire network. It can encrypt file servers, backup drives, and even cloud storage. Every second you waste gives the attacker more control. But if you act quickly and methodically, you can stop the spread. You can protect your data. You can keep your business running. This is your emergency playbook. Follow it minute by minute.
Minute 0 to 2: Breathe and Identify the Infection
Stop what you’re doing. Take a deep breath. Now, look at the screen. Do you see a ransom note? Is there a message demanding Bitcoin? Or did a strange file appear with a new extension like .encrypted or .lock? Quickly check if other computers in your office are showing the same symptoms. Ask your colleagues over Slack, Teams, or by shouting across the room. If more than one machine is affected, you have a rapidly spreading outbreak. The next step is critical.
Step 1: Unplug the Network Cable
Immediately pull the ethernet cable out of the infected computer. If you are on Wi-Fi, disable the wireless adapter. Do not shut down the computer yet. Leaving it on preserves evidence and may let you see if the encryption is still active. But cutting the network connection stops the ransomware from talking to its command-and-control server. It also stops it from spreading to other machines. This is your first line of defense.
Step 2: Disconnect Other Devices
Now, go to every computer, server, and device you can reach. Disconnect them from the network, too. If you have a networked printer, unplug it. If you have a NAS (network attached storage), pull its cable. The goal is to isolate the entire network. This might sound extreme, but it’s better to lose network access for a few minutes than to lose all your data. Remember: containment is your priority.
Minute 3 to 10: Assess the Damage and Stop the Spread
Now that you have disconnected everything, you can breathe a little easier. But the threat is still there. You need to understand how far the ransomware has spread. Start by walking through your office. Check every computer screen. Look for ransom notes, strange pop-ups, or files that won’t open. Don’t forget remote workers – call them immediately. Tell them to disconnect from the corporate network and not to turn off their computers. Write down which machines are infected.
Step 3: Shut Down the Switch or Router
If you have a network switch that connects all your computers, turn it off. Or unplug your main router. This ensures no device can talk to any other device until you are ready. Think of it as pulling the fire alarm. Yes, it stops work. But it also stops the fire from spreading. Your boss will understand. Everyone will understand once they know the alternative.
Step 4: Check Your Backups
This is the moment you find out if your backup strategy was solid. Go to your backup system. Look for offline backups – tapes, external drives that were not connected to the network, or immutable cloud backups. Do not connect them yet! First, verify that the backup data is safe. If your backups were connected to the network, they might also be encrypted. Look at logs. Check if any backup jobs ran after the infection started. If you have offline backups, you are in a good position. If not, don’t panic – you will still have options.
Minute 11 to 20: Communicate and Document
You now need to inform key people. Do not announce to the whole company yet – that can cause chaos. Instead, call your IT manager, security officer, or the person who handles data protection. If you are that person, call your CEO. Tell them clearly: “We have a ransomware incident. We have contained the network. We are investigating the scope.” Keep it brief and factual.
Step 5: Start a Log
Open a notepad (or use paper) and write down the time you discovered the infection. Note every action you take. This log is important for insurance claims, law enforcement, and understanding what happened. Write down:
- Time the infection was first noticed
- Which computers showed symptoms
- Name of the ransomware if you can identify it
- Any ransom note messages (take a photo with your phone)
- Steps you took to contain
Step 6: Take Screenshots
Take photos of the ransom note and any error messages. Use your phone. These images will help security experts identify the ransomware variant. Don’t click on any links in the note. Don’t pay yet. The note is a trap. Right now, you are gathering intelligence, not negotiating.
Minute 21 to 30: Isolate Infected Machines for Forensics
Now you need to decide what to do with the infected machines. Do not turn them off. Instead, label them with a sticky note: “INFECTED – DO NOT TOUCH.” If possible, move them to a separate room or at least put them away from other computers. The reason you keep them on is that security analysts may need to extract memory data to understand how the attack happened. If you turn them off, you lose that evidence.
Step 7: Document the Network Architecture
Draw a simple map of your network. Mark which devices are infected, which are clean, and which are unknown. This helps you plan the recovery. For example, if your file server is infected but your email server is clean, you can keep email running on a separate network segment later. But for now, everything is disconnected. Just map it on paper.
Minute 31 to 40: Plan for Recovery
You have contained the immediate threat. Now you can start planning the next steps. Recovery will take hours or days, but you need a strategy. There are two paths: restore from backups or use decryption tools. Most ransomware today cannot be decrypted easily. So, focus on backups.
Step 8: Identify Clean Backups
If you have offline backups, great. If not, look for backups on a separate network that was not connected to the infected systems. Check the dates. The newest clean backup is your best bet. If the backup is from before the infection, you can restore everything up to that point. If the infection happened weeks ago, you might lose weeks of work – but that is better than losing everything. Write down the location of the clean backups. Do not connect them yet. You need to ensure the network is clean first.
Step 9: Contact Your Incident Response Team
If you have a cyber insurance policy, call your insurance company’s incident response hotline. They often provide free access to ransomware negotiators and forensics experts. If you don’t have insurance, find a local cybersecurity firm that does incident response. Many offer emergency services. They can help you determine if the ransomware is still active in your environment and guide the recovery. Do this now, while you wait for the next step.
Minute 41 to 50: Secure Clean Systems and Prepare Rebuild
While waiting for experts, you can start preparing clean systems. Do not connect them to the network yet. Instead, take a clean computer and boot it from a USB drive that does not have any network access. Use it to research the ransomware variant. Look up the ransom note text online. There are websites like ID Ransomware that can identify the strain and tell you if a free decryption tool exists. But be careful – only use trusted sources. Do not download anything from suspicious sites.
Step 10: Create a Restore Plan
Write down the order in which you will restore systems. Usually, you start with the most critical business systems: email, customer database, accounting software. Then you restore file servers. Last, you restore user workstations. This plan will save time later. For each system, note the backup location and the steps to restore. If you have a disaster recovery plan, dig it out now. This is exactly what it is for.
Minute 51 to 60: Prepare for Next Phase and Stay Calm
The first hour is almost over. You have done the hardest part: containment. Now, you need to prepare for the long recovery ahead. But first, take a moment to update your CEO or key stakeholders. Tell them: “We have contained the ransomware. It affected X machines. We are working on recovery. No decision has been made about paying. We are contacting incident response experts.” Keep them informed, but do not overload them with technical details.
Step 11: Do Not Pay the Ransom – Yet
You might be tempted to pay to get your data back quickly. But paying does not guarantee you will get your data. Studies show that only about half of victims who pay actually get their files decrypted. Also, paying funds criminal networks. And once you pay, you become a target again. Only consider payment as a last resort after you have exhausted all other options, including backups and decryption tools. Your incident response team will advise you.
Step 12: Set Up a Communication Channel
Create a separate chat channel or email group for the incident response team. Do not use the main company email – that might still be compromised. Use a personal email or a different messaging app. This keeps your recovery plans confidential. Also, prepare a simple statement for employees. Tell them not to touch any computers until further notice. Reassure them that you are handling the situation. Panic spreads faster than ransomware. Keep your team calm and informed.
After the First Hour: What Comes Next
You have survived the first 60 minutes. But the fight isn’t over. Now you need to:
- Analyze the attack: How did the ransomware get in? Was it phishing? A weak RDP password? A vulnerability? Understanding the root cause prevents a repeat.
- Rebuild systems: Wipe infected computers completely and reinstall the operating system. Never restore from a backup that might have infected files. Only restore data from proven clean backups.
- Change all passwords: The attacker may have stolen passwords. Change every password – for user accounts, admin accounts, email, cloud services. Use strong, unique passwords.
- Enable multi-factor authentication: This is your best defense against future attacks. If you didn’t have it before, now is the time to turn it on.
- Update and patch: Install all security updates. Older systems are easier to infect.
- Train your team: Conduct a tabletop exercise. Go through this playbook again. Make sure everyone knows what to do if it happens next month.
Final Words: You Can Handle This
Ransomware is scary, but it does not have to be the end of your business. With a clear head and a plan, you can contain the damage within one hour. The steps are simple: disconnect, isolate, assess, communicate, plan. You did not cause this attack. But you can stop it from ruining everything. Save this playbook. Print it out. Put it on your wall. Then, when the red screen appears, you will know exactly what to do. Stay calm. Act fast. You’ve got this.
Note: This playbook is a guide for emergency response. Always consult with professional cybersecurity experts for your specific situation.
Sign in to join the conversation.
Sign In