A step-by-step response guide for small and midsize businesses. Know exactly what to do in the first 60 minutes — before you make a mistake that costs you everything.
Ransomware moves fast. In the first 60 minutes after an attack is discovered, most business owners make at least one critical mistake — shutting down infected machines, paying without exploring options, or restoring from a backup that was also compromised.
This guide gives you the exact sequence of steps that incident responders follow. It won't replace an IT team, but it will keep you from making things worse while you get help.
The businesses that recover fastest are the ones who had a plan before the attack. Print this guide and put it somewhere your team can find it — even if your systems are down.
The guide covers both sides: what to do after an attack hits, and what to put in place before one happens. Most businesses find the prevention checklist is where they identify their biggest gaps.
It's two pages. Designed to be printed and stored somewhere accessible — including somewhere physical, since your systems may not be available when you need it.
Disconnect affected machines without shutting them down — memory may contain forensic evidence attackers don't want you to have.
Identify what's encrypted, whether the attack is still active, and whether data was exfiltrated before encryption began.
Document everything — ransom notes, error messages, timestamps. This is required for insurance claims and FBI reporting.
You cannot safely restore until you know how the attacker got in. Skipping this step leads to reinfection.
Notify legal counsel, your cyber insurer (prompt notification is required), and the FBI's IC3. If client data was exposed, additional notification obligations apply.
Assess backup integrity before restoring anything. Rebuild from clean images. Restore from the most recent verified clean backup.
We got hit with ransomware on a Friday. By the following week, Moore Technology had restored our data, rebuilt our entire Active Directory, and had every machine back online. They figured out how the attackers got in, cleaned everything up, and put real protections in place we never had before.
Managing Partner — Weintraub, Traub, Tracy & Virk, CPA's | Long Island, NY
Each step is a standalone article you can read now or come back to. Together, they cover what to do in the first hour, the first day, and the first week after a ransomware attack.
Step 1: Stop lateral spread before you do anything else. Network disconnect — not power off.
Step 2: Which systems, which data, which users. Map the impact before reacting further.
Step 3: Stop accidentally destroying what your cyber insurer and law enforcement need.
Step 4: How they got in. Phishing, RDP, VPN, or vendor. Close the door before re-opening.
Step 5: Who to call, in what order, on what channels. Out-of-band communication only.
Step 6: NYDFS, HIPAA, SEC notification deadlines. What you must report, when, to whom.
Step 7: The next attack is already being planned. Identity, endpoints, backups, access — closing every gap that made the first attack possible.
If you're dealing with an active incident or want to make sure you're protected before it happens, call us directly. We pick up.
Stamford, CT · White Plains, NY · Westport, CT