
When the countdown starts, every minute counts. Here's exactly what to do. 🚨

Ransomware recovery plan for small business

It's 8:47am on a Monday. You unlock the office, flip on the lights, and sit down at your desk. The screen is already on — but it isn't showing your desktop. It's showing a red countdown timer, a Bitcoin wallet address, and a message that tells you every file on your network has been encrypted. Your server. Your shared drives. Your backups. The clock is ticking. You have 72 hours.

This is not a hypothetical. It happens to small and medium businesses every week. What you do in the next 30 minutes determines whether you recover in days or months.

The first 30 minutes — isolation and containment

Your immediate priority is to stop the ransomware spreading further. Most modern ransomware moves laterally across a network within minutes. Every device still connected is a potential next victim.

Take these steps immediately, in this order:

  1. Disconnect affected machines from the network — unplug Ethernet cables and disable Wi-Fi. Do not simply shut the devices down — some ransomware variants trigger a full encryption wipe on shutdown.
  2. Isolate your server and NAS devices — if they are not already encrypted, physically disconnecting them may preserve your data.
  3. Disable VPN and remote access — revoke active sessions immediately to prevent attackers from maintaining persistence.
  4. Do not delete anything — do not attempt to clean infected machines yourself. Forensic evidence is critical for insurance claims, law enforcement, and recovery.

Take photos of every affected screen before you do anything else. The ransom note, the wallet address, the timer — all of it is evidence.

Who to call and when

Once containment is underway, make these calls in parallel — not sequentially:

  • 📞 Your cyber insurance provider — call them first. Your policy likely has a dedicated incident response line with a 24/7 number. They control the coverage, they often have pre-approved recovery vendors, and everything you do outside their process may affect your claim.
  • 🖥️ Your IT provider or MSP — if you have one, they need to be on-site or remote immediately. If you don't, this is the moment you find out what that gap costs.
  • ⚖️ Your legal team — ransomware attacks frequently involve data exfiltration before encryption. Depending on your industry and jurisdiction, you may have mandatory breach notification obligations under GDPR, HIPAA, or state-level laws. Time limits apply.
  • 🚔 Law enforcement — in the US, report to the FBI's Internet Crime Complaint Center (IC3). In the UK, report to Action Fraud and the NCSC. Law enforcement rarely recovers your data, but reporting creates a record and supports wider intelligence on active threat actors.

Do not contact the attacker until you have spoken to your insurer and legal team. Anything you say in a ransom negotiation can affect coverage and liability.

Assessing the damage — what was encrypted, what was exfiltrated

Once your environment is isolated, the focus shifts from containment to understanding scope. This is where a qualified incident response partner becomes critical.

The questions that need answers:

  • Which systems and data stores were encrypted, and which are intact?
  • Were backups affected — including cloud backups and offsite copies?
  • Is there evidence of data exfiltration before encryption? Many ransomware groups now operate double extortion: they steal your data first, then encrypt it, threatening to publish unless paid.
  • What was the initial infection vector — phishing email, exposed RDP port, compromised credentials, vulnerable software?

The last question matters for recovery. If the attack vector is still open, restoring from backup puts you straight back in the same position.

The decision nobody wants to make — to pay or not to pay

There is no universal answer to whether a business should pay a ransom. Here is what actually frames the decision:

  • Do you have clean, restorable backups? If yes, payment is rarely necessary. If no, or if backups were also encrypted, the calculation changes.
  • What is the cost of downtime versus the ransom demand? For some businesses, three weeks of recovery outweighs a five-figure ransom. That is a commercial decision, not a moral failing.
  • Who is the threat actor? Paying certain sanctioned groups — including some ransomware operators on OFAC lists — may itself be illegal. Your insurer and legal team must confirm this before any payment is made.
  • Will payment actually work? Reputable ransomware groups (and there is a dark irony in that phrase) generally do provide decryption keys — they have a business model to maintain. But decryption is slow, incomplete, and does not address exfiltrated data.

If you do pay, do so only through proper channels with documented legal and insurance oversight.

Recovery, reimage, and hardening so it never happens again

Once the immediate crisis is resolved, recovery follows a clear sequence:

  1. Reimage affected machines from scratch — do not attempt to clean and reuse compromised systems. A full OS reinstall from known-good media is the only reliable path.
  2. Restore data from the cleanest available backup — verify backup integrity before restoring to production. Confirm the infection predates the backup snapshot you are using.
  3. Reset all credentials — assume every password on the network is compromised. Rotate all accounts, enforce MFA across the board, and audit privileged access.
  4. Patch the infection vector — close whatever door let the attacker in. This means patching exposed services, disabling unused protocols, reviewing email filtering rules, and auditing firewall configurations.
  5. Conduct a post-incident review — document the attack timeline, the response, what worked, and what failed. Update your incident response plan accordingly.
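As an added example (not the page's or Andi-Tech's own tooling), here are the pre-restore checks behind step 2 in Python: it confirms the snapshot was taken before the first indicator of compromise, verifies each file against the SHA-256 manifest the backup job recorded, flags files that already look encrypted, and lists files the backup job never recorded, such as a dropped ransom note. The ransom-note names, the `.locked` extension, the manifest and the timestamps are all constructed for this example.

```python
import hashlib
import math
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Constructed indicators for this example; real ones come from the investigation.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.html"}
ENCRYPTED_EXT = ".locked"  # hypothetical extension, not a specific family's

def shannon_entropy(data: bytes) -> float:  # bits per byte; ciphertext sits near 8.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_snapshot(root, manifest, snapshot_time, first_ioc_time, entropy_limit=7.5):
    """Pre-restore checks on one snapshot; empty result = passed. manifest maps
    relative path -> SHA-256 hex recorded by the backup job when it ran."""
    findings = []
    # 1. A snapshot taken after the first indicator of compromise may already hold the attacker's changes.
    if snapshot_time >= first_ioc_time:
        findings.append("snapshot postdates first indicator of compromise")
    for rel, expected in manifest.items():
        path = Path(root, rel)
        if not path.is_file():
            findings.append(f"missing: {rel}")
            continue
        data = path.read_bytes()
        # 2. Integrity: catches a snapshot encrypted in place after it was written.
        if hashlib.sha256(data).hexdigest() != expected:
            findings.append(f"hash mismatch: {rel}")
        # 3. Already encrypted when the backup ran: renamed extension or ciphertext-like entropy (archives can trip this).
        if rel.endswith(ENCRYPTED_EXT) or shannon_entropy(data) > entropy_limit:
            findings.append(f"encrypted-looking: {rel}")
    # 4. Files the backup job never recorded, e.g. a dropped ransom note.
    for path in Path(root).rglob("*"):
        rel = str(path.relative_to(root))
        if path.is_file() and rel not in manifest:
            kind = "ransom note" if path.name.lower() in RANSOM_NOTE_NAMES else "unexpected file"
            findings.append(f"{kind}: {rel}")
    return findings

def demo() -> list:
    # Constructed snapshot: one intact document plus a dropped ransom note.
    root = tempfile.mkdtemp()
    doc = b"Q3 invoice summary: 14 invoices, 2 overdue.\n" * 20
    Path(root, "invoice.txt").write_bytes(doc)
    Path(root, "README.txt").write_bytes(b"Your files are encrypted. Contact us.\n")
    # Backup ran at 02:00 UTC; the ransom note was first seen at 08:47 UTC.
    return check_snapshot(root, {"invoice.txt": hashlib.sha256(doc).hexdigest()},
                          datetime(2024, 3, 4, 2, 0, tzinfo=timezone.utc),
                          datetime(2024, 3, 4, 8, 47, tzinfo=timezone.utc))
```

The entropy check is a heuristic: compressed archives and images score high too, so treat those findings as items to review by hand rather than automatic failures.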

The businesses that recover fastest are invariably those that had a tested incident response plan, offline backups, and an IT partner who already knew their environment. Engaging Andi-Tech's cybersecurity solutions before an attack — not during one — is the difference between a bad week and a business-ending event.

🚨 Don't wait for a ransom demand to find out if you're prepared.
Andi-Tech provides ransomware readiness assessments, incident response planning, backup hardening, and emergency support for SMBs — so if the worst happens, you have a plan and a team already in place.

Contact us at info@andi-tech.com — let's build your recovery plan before you ever need it.