Valydex™ by iFeelTech
Implementation Guide

Ransomware First 30 Minutes Playbook (2026)

Critical containment and communication decisions for SMB incident response

Practical crisis checklist for the first 30 minutes of a ransomware incident, including containment, reporting, evidence handling, and controlled recovery setup.

Last updated: February 26, 2026
12 minute read

Quick Overview

  • Primary use case: Execute high-quality ransomware response decisions in the first 30 minutes to reduce spread and preserve recovery options
  • Audience: SMB owners, operations leads, IT/security responders, and incident decision-makers
  • Intent type: Crisis response guide
  • Primary sources reviewed: CISA ransomware guidance, NIST CSF 2.0, FBI IC3 reporting channel

Key Takeaway

In ransomware events, early decisions determine downstream damage. Focus on containment, evidence preservation, and coordinated communications before attempting cleanup or restoration.

  1. Contain immediately: Isolate impacted systems and stop potential spread across shared storage, remote sessions, and synced services.
  2. Activate response leadership: Notify internal decision-makers, legal support, and incident responders using pre-defined emergency channels.
  3. Preserve evidence: Capture incident artifacts and timeline detail before making changes that could erase forensic context.
  4. Prepare controlled recovery: Move into staged eradication and restoration only after scope is understood and backups are validated.

Systematic, well-informed action can significantly influence the scope of impact and your organization's recovery timeline. This guide provides a step-by-step crisis response checklist for business owners and employees who discover a ransomware attack. For comprehensive incident response planning beyond the first 30 minutes, see our complete incident response plan guide.

Preparation matters: Prompt response helps limit impact and preserve recovery options. Consider printing this guide and keeping it accessible—during an incident, having procedures readily available proves valuable.

Understanding Ransomware Warning Signs

Immediate indicators of a ransomware attack:

  • Files suddenly become inaccessible or show unusual extensions
  • Desktop wallpaper changes to a ransom message
  • Pop-up windows demanding payment appear
  • Systems running extremely slowly or freezing
  • Network drives or shared folders become unavailable
  • Antivirus software alerts about suspicious activity

Note: If you observe any of these indicators, treat the situation as a potential ransomware incident and initiate response procedures.

Warning Signs & Rapid Actions

Treat any of these indicators as a potential ransomware incident and act immediately.

Mass file extensions
  • Interpretation: Likely active encryption stage
  • Immediate action: Isolate impacted hosts from the network completely and sever all shared-storage access immediately.

Ransom note pop-up
  • Interpretation: Attacker objective communicated; compromise is broad
  • Immediate action: Photograph evidence (do not delete the note) and activate your incident command structure. First responder actions begin.

Unusual admin activity
  • Interpretation: Possible lateral movement and pre-encryption prep
  • Immediate action: Contain privileged sessions, force sign-outs, and lock down high-risk administrator accounts immediately.

The Critical First 30 Minutes: Your Response Timeline

How to Contain Ransomware in the First 5 Minutes

Immediately disconnect affected devices from the network and Wi-Fi to stop the ransomware from spreading to shared drives.

1. Stay Calm and Document Everything (1 minute)

  • Take photos of ransom messages with your phone
  • Note the exact time you discovered the attack
  • Screenshot any error messages or suspicious activity
  • Do not restart computers or delete files yet

2. Isolate Infected Systems Immediately (2-3 minutes)

Modern EDR Tools First

If your organization uses endpoint detection and response (EDR) tools like Microsoft Defender, CrowdStrike, or SentinelOne, use the console's Host Containment or Network Isolation feature first. This allows the EDR agent to continue reporting to the central dashboard while blocking lateral movement—more effective than physical unplugging alone.

Physical disconnection (if no EDR available):

  • Unplug network cables from affected computers
  • Disconnect Wi-Fi on laptops and mobile devices
  • Turn off Bluetooth connections
  • Physically disconnect from any VPN connections

Technical note: Avoid shutting down computers when possible—this preserves forensic evidence. If network isolation isn't feasible, consider powering down as an alternative containment method.

3. Prevent Spread to Other Systems (1-2 minutes)

  • Identify other computers on your network
  • Immediately disconnect any shared storage devices
  • Alert other employees to avoid accessing shared drives
  • Check if cloud storage sync is still active and pause if necessary

4. Cloud & SaaS Isolation (for Microsoft 365/Google Workspace environments)

If your organization uses cloud productivity suites, take these additional isolation steps:

  • Revoke active sessions: In Microsoft Entra ID/Azure AD (Admin Center > Users > select user > Revoke sessions) or Google Admin Console (Security > Session management)
  • Pause file sync: Stop OneDrive, SharePoint, or Google Drive sync immediately to prevent encrypted local files from overwriting clean cloud copies
  • Disable email forwarding: Check Exchange Online or Gmail for unauthorized auto-forwarding rules that attackers use for persistence
  • Review OAuth grants: Verify no unauthorized third-party apps have been granted access to your cloud environment

Note: Cloud isolation must happen alongside physical network disconnection. Attackers often maintain persistence through cloud services even after on-premise systems are isolated.
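As an added example (not part of the original guide), the PowerShell below carries out the identity-side pieces of step 4 and the "Unusual admin activity" action from the warning-signs section against a Microsoft 365 tenant: it disables and signs out suspected accounts, then lists mailbox forwarding, forwarding inbox rules, and delegated OAuth grants for review. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the responder's own admin account is not among the suspects, and that the $SuspectUsers list is a constructed placeholder.

```powershell
# Added example, not from the original guide. Identity-side containment and
# persistence review for a Microsoft 365 tenant in the first 30 minutes.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules are installed,
# and the operator's own admin account (and a break-glass account) is NOT listed
# in $SuspectUsers, otherwise the containment loop locks the responder out too.
$SuspectUsers = @('jane.doe@example.com', 'it-admin2@example.com')   # constructed placeholders

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Contain privileged sessions: block new sign-ins, then revoke refresh tokens so
#    sessions already open stop working instead of surviving until token expiry.
foreach ($upn in $SuspectUsers) {
    Update-MgUser -UserId $upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host "$(Get-Date -Format o)  disabled + revoked sessions: $upn"   # timeline evidence
}

# 2. Forwarding configured directly on the mailbox (not as a rule), tenant-wide.
Write-Host "`n== Mailboxes with forwarding configured =="
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward or redirect mail for the suspected accounts. Attacker-created
#    rules often carry innocuous names, so filter on behaviour rather than on the rule name.
Write-Host "`n== Forwarding/redirect inbox rules on suspected mailboxes =="
foreach ($upn in $SuspectUsers) {
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) } |
        Select-Object @{ n = 'Mailbox'; e = { $upn } }, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
        Format-Table -AutoSize
}

# 4. OAuth grants: every delegated permission grant in the tenant, resolved to the app
#    that holds it, so unfamiliar apps or over-broad scopes (e.g. Mail.ReadWrite) stand out.
Write-Host "`n== Delegated OAuth permission grants =="
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        App         = $app.DisplayName
        ConsentType = $_.ConsentType      # 'AllPrincipals' = admin consent for the whole tenant
        Scope       = $_.Scope
    }
} | Sort-Object App | Format-Table -AutoSize
```

Run it from a clean, isolated admin workstation; steps 2 to 4 only read, while step 1 changes account state, so keep the output with the rest of the incident evidence.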

Who to Contact During a Ransomware Attack

Alert your internal IT lead immediately, followed by your cyber insurance provider and the FBI Internet Crime Complaint Center (IC3).

5. Alert Your Response Team (2-3 minutes)

Use out-of-band communication

Do not use company email, Slack, or Microsoft Teams to coordinate your response. Attackers often monitor compromised systems to track your response. Use personal cell phones, Signal, WhatsApp, or other communication methods outside your normal business systems.

Internal notifications (in order of priority):

  1. IT support person or company
  2. Business owner/manager
  3. Other key employees who need to know
  4. Anyone with administrative access to critical systems

Message template: "We have a confirmed ransomware attack. Stop using all computers and network resources immediately. Do not attempt to access shared files."

6. Contact Law Enforcement (3-5 minutes)

FBI Internet Crime Complaint Center (IC3):

  • Website: ic3.gov
  • Phone: Contact your local FBI field office
  • What to report: Time of discovery, affected systems, any ransom demands

Local law enforcement: Some departments have cybercrime units that can provide immediate assistance.

7. Notify Your Cyber Insurance Provider (3-5 minutes)

  • Call the claims hotline immediately (not email)
  • Report the incident as a potential claim
  • Ask about approved incident response vendors
  • Document your conversation with claim numbers

Critical: Do not hire a third-party incident response firm before speaking to your cyber insurance provider. Many policies are voided if you engage an unapproved vendor before notifying your carrier. Always ask for the carrier's approved vendor list first.

No cyber insurance? Contact a cybersecurity incident response firm immediately. Many offer 24/7 emergency services.

Minutes 15-25: Assessment and Protection

8. Assess the Scope of Impact (3-5 minutes)

Quick inventory checklist:

  • How many computers are affected?
  • Are servers or network storage impacted?
  • Is email still functioning normally?
  • Are customer databases accessible?
  • Can you access your backup systems?

Document everything: Create a written list of affected and unaffected systems.

9. Secure Your Backup Systems (2-3 minutes)

  • Check if backups are still accessible and unaffected
  • Immediately disconnect backup drives from the network
  • Verify cloud backups haven't been encrypted
  • Do not attempt to restore from backups yet

Note: If you don't have verified backups in place, review our business backup solutions guide to implement a proper backup strategy after recovery.

10. Protect Unaffected Systems (2-3 minutes)

  • Update antivirus definitions on clean computers
  • Run full system scans on unaffected devices
  • Change administrator passwords on clean systems
  • Enable additional monitoring if available

How to Maintain Business Continuity During an Attack

Establish alternative communication methods and assign response roles to keep critical operations running while systems are offline.

11. Implement Emergency Communication Plan (3-5 minutes)

Customer communications:

  • Prepare a brief, honest statement about service disruptions
  • Avoid mentioning "ransomware" or "cyberattack" in public communications initially
  • Set up alternative communication methods (personal phones, external email)

Employee coordination:

  • Establish a communication method outside your normal systems
  • Assign specific roles for ongoing response
  • Determine if remote work is possible using personal devices

30-Minute Command Matrix

Crisis response actions mapped by time window and owner.

Time window (min) | Phase | Owner | Expected outcome
0-5 | Containment | First Responder + IT Lead | Network isolation initiated and evidence capture started
5-15 | Escalation | Incident Lead + Leadership | Response command activated, law-enforcement & insurance contacts initiated
15-25 | Assessment | IT / Security Lead | Scope snapshot documented, backup integrity check in progress
25-30 | Continuity | Operations / Comms Lead | Business continuity message and work-arounds communicated internally

What Actions Should You Avoid During a Ransomware Attack?

Never pay the ransom immediately, restart infected computers, or attempt to remove the malware yourself.

Never Do These During the First 30 Minutes:

Avoid these actions during initial response:

  • Do not restart devices - Rebooting can trigger secondary encryption payloads and destroy volatile forensic evidence in RAM that investigators need to trace the attack
  • Do not delete ransom notes - Investigators need the specific decryption IDs, attacker contact details, and ransom note metadata for recovery and law enforcement purposes
  • Do not restore backups immediately - If the network is not properly sanitized, your clean backups will instantly become encrypted, eliminating your recovery path
  • Do not pay ransom immediately - Payment doesn't guarantee data recovery, may encourage future targeting, and requires legal compliance verification (see OFAC requirements below)
  • Do not attempt malware removal yourself - This can compromise forensic evidence and complicate professional investigation
  • Do not communicate directly with attackers - Professional negotiators understand appropriate interaction protocols and legal constraints

Emergency Contact Template

Prepare this information in advance and keep it printed and accessible:

Primary Contacts

  • IT Support: ________________________________
  • Cyber Insurance: ____________________________
  • FBI Local Office: ____________________________
  • Company Legal Counsel: _______________________

Business Continuity Contacts

  • Key Customers: ______________________________
  • Critical Vendors: ____________________________
  • Alternative Communication: ____________________
  • Backup Communication Method: ___________________

Internal Response Team

  • Decision Maker: ______________________________
  • IT Coordinator: ______________________________
  • Communications Lead: _________________________
  • Documentation Lead: ___________________________

Print this before incidents

Do not rely solely on digital contact lists. During ransomware events, normal collaboration systems may be unavailable when you need escalation paths most.

After the First 30 Minutes: Next Steps

Once you've completed the critical first 30 minutes, your focus shifts to systematic recovery:

Immediate Next Actions (Next 2-6 hours):

  1. Engage professional incident response - Cybersecurity experts, legal counsel (see our complete recovery checklist for detailed guidance)
  2. Comprehensive system assessment - Full scope of compromise
  3. Evidence preservation - Forensic imaging of affected systems
  4. Stakeholder communications - Detailed plans for customers, vendors, employees

Short-term Recovery (Next 24-72 hours):

  1. Malware eradication - Professional removal and system cleaning
  2. System rebuilding - Clean installation from known good sources
  3. Data recovery planning - Backup assessment and restoration strategy
  4. Security hardening - Implement endpoint protection and review your complete ransomware protection strategy

Reporting and escalation matrix (first 24 hours)

Stakeholder | When to notify | What to provide
Leadership / board delegate | Within first hour | Scope snapshot, business impact, next decision window
Insurance carrier | As soon as containment starts | Claim initiation details, impacted systems, response actions taken
Legal counsel | Within first few hours | Potential notification obligations and evidence-preservation requirements
Customers/partners (if service impact exists) | After initial impact validation | Factual service-status update and expected next communication time

Prevention: Building Your Defense Before an Attack

Essential preparations every business should complete:

Technical Preparations:

Core security tools to consider:

Organizational Preparations:

Recovery Timeline Expectations

Typical recovery timeframes for small businesses:

  • System assessment: 1-3 days
  • Malware removal: 2-5 days
  • System rebuilding: 3-7 days
  • Data restoration: 1-14 days (varies based on backup quality and scope)
  • Full operational recovery: 1-4 weeks
  • Security enhancement: 2-8 weeks

Factors affecting recovery time:

  • Quality and recency of backups
  • Scope of system compromise
  • Availability of professional assistance
  • Complexity of business operations

Note: Recovery timing depends heavily on preparation quality. Verified backups, clear ownership, and tested runbooks usually reduce disruption.

Ransom Payment Decision Framework

Law enforcement and cybersecurity experts generally advise against paying ransoms. Payment does not guarantee clean recovery and may create legal, operational, and repeat-targeting risks. Business leaders still need a structured decision framework when:

  • No viable backups exist for critical business data
  • Business operations cannot continue without encrypted systems
  • Regulatory requirements mandate data recovery
  • Professional negotiators believe payment may be necessary

OFAC Compliance Warning

Under U.S. Treasury regulations, paying ransoms to sanctioned entities or individuals is illegal and can result in civil penalties. Professional incident response firms and legal counsel can verify OFAC compliance before any payment consideration.

If considering payment:

  • Consult with legal counsel immediately
  • Engage professional ransomware negotiators
  • Assume recovery may still require full rebuild and hardening even if payment occurs
  • Document all decisions for insurance and legal purposes

Measuring Your Response Effectiveness

Key performance indicators for ransomware response:

  • Detection to isolation time: Under 10 minutes
  • Professional engagement time: Under 2 hours
  • Stakeholder notification time: Under 4 hours
  • Business continuity activation: Under 24 hours

Post-incident review questions:

  • How quickly did we detect the attack?
  • Were communication procedures effective?
  • Did our backup systems perform as expected?
  • What security improvements are needed?

Key principle: Effective ransomware response focuses on systematic damage limitation rather than perfect execution. Following established procedures provides the foundation for efficient recovery and reduced business impact.
