TL;DR: The first 72 hours after a ransomware attack determine whether your business recovers in days or months. Your immediate priorities are containment (disconnect infected systems), notification (cyber insurance, legal counsel, possibly law enforcement), scope assessment (what’s encrypted, what’s exfiltrated), and strategic decisions about payment versus restoration from backups. Recovery doesn’t mean returning to normal—it means restoring operations while addressing the vulnerability that allowed the breach.

Key Points

  • Disconnect infected systems immediately but don't power them off—you need forensic evidence and may need to preserve decryption keys in memory
  • Notify your cyber insurance carrier within hours, not days—most policies have strict reporting windows that affect coverage
  • The pay/don't-pay decision involves legal risk (OFAC sanctions), operational reality (backup viability), and data exposure (exfiltration for double extortion)
  • Recovery happens in phases: critical systems first (email, phones, payroll), then customer-facing operations, then full infrastructure—expect weeks, not days
  • Post-recovery means addressing the root cause—often compromised credentials, unpatched systems, or inadequate network segmentation
  • Texas businesses handling state data must report breaches under Tex. Bus. & Com. Code § 521.053 within 60 days

Hours 0-4: Immediate Containment

The moment you suspect ransomware, your priority is stopping the spread. Disconnect affected systems from the network—unplug Ethernet cables, disable Wi-Fi, but do not power down machines yet. Shutting down can destroy volatile memory that contains encryption keys or forensic evidence your incident response team will need.

Identify a clean machine to coordinate from—ideally a personal device not connected to your business network. You’ll use this to contact your incident response team, insurance carrier, and legal counsel.

What to Document Right Now

Take photos of ransom notes with your phone. Screenshot any error messages. Note the time you first observed symptoms and which systems or users reported issues first. This timeline matters for insurance claims and forensic analysis.

If you have an IT contact or managed service provider, call them immediately. If you don’t have a pre-existing relationship, you need an incident response firm within the hour. Your cyber insurance policy likely includes a list of approved vendors—use them, because insurers often won’t cover costs from non-approved responders.

Hours 4-12: Notifications and Assessment

Your cyber insurance carrier must be notified as soon as possible. Most policies require notification within 24-48 hours, and delays can void coverage. The carrier will typically assign a breach coach (an attorney) and an incident response firm if you haven’t already engaged one.

Your breach coach will advise on legal obligations. If you handle payment card data, HIPAA-covered health information, or personal information of Texas residents, you have notification requirements. For Texas businesses, Tex. Bus. & Com. Code § 521.053 requires notification to affected individuals without unreasonable delay if sensitive personal information was accessed.

Scope Assessment: What You Need to Know

Your incident response team will begin determining what was encrypted, what was accessed, and what was exfiltrated. Modern ransomware is often “double extortion”—attackers encrypt your data and threaten to publish stolen files if you don’t pay. This changes the risk calculation significantly.

Key questions your team will investigate: How did the attacker get in? (Often via compromised credentials, phishing, or unpatched vulnerabilities.) How long were they in your environment before encrypting? (Average dwell time is weeks, sometimes months.) What data did they access? Can you restore from backups without paying?

If backups are encrypted or inaccessible, you face a harder decision about payment. If backups are intact but data was exfiltrated, payment doesn’t eliminate the exposure—your data is already out.

Hours 12-24: The Payment Decision

CISA, the FBI, and the Secret Service all recommend against paying ransoms. Paying funds criminal operations, doesn’t guarantee decryption, and doesn’t prevent attackers from returning or selling your data anyway. But the guidance acknowledges that businesses sometimes face existential threats when critical systems are down and no backup exists.

If you’re considering payment, understand the legal risks. If the ransomware group is on the OFAC Specially Designated Nationals list (like many Russian and North Korean groups), paying them violates U.S. sanctions law. Your breach coach and incident response team can help determine attribution, but it’s often unclear in the first 24 hours.

What Payment Doesn’t Solve

Even if you pay and receive a decryption tool, decryption is slow—often days or weeks for large datasets. The tools are often buggy. And payment doesn’t address the vulnerability that let attackers in. If you don’t remediate the root cause, they’ll be back, or another group will exploit the same weakness.

If you have viable backups, restoration is almost always faster and more reliable than decryption. Your incident response team will help you test backup integrity and plan a phased restoration.

Hours 24-48: Recovery Sequencing

Recovery happens in phases, prioritized by business impact. Your incident response team will rebuild or restore systems in a segmented environment to prevent reinfection.

Phase 1: Critical communications and financial systems. Email, phones, payroll processing. You need to communicate with employees, customers, and vendors, and you need to make payroll.

Phase 2: Customer-facing operations. Point-of-sale systems, order processing, customer service tools. The goal is resuming revenue generation.

Phase 3: Internal operations and full infrastructure. Accounting systems, inventory management, HR platforms, full network restoration.

What “Clean” Means

Before bringing systems back online, your team must confirm the attacker’s access has been eliminated. This typically means resetting all passwords, disabling compromised accounts, patching vulnerabilities, and often rebuilding domain controllers from scratch. Bringing systems online too quickly risks reinfection.

Expect this process to take weeks for full recovery, even with good backups. If you’re restoring terabytes of data over network connections, throughput is a limiting factor.

Hours 48-72: Communications and Continuity

Your customers, vendors, and employees need to know what’s happening. Your breach coach will guide what you can say publicly, but silence creates more problems than transparency. A basic holding statement—“We experienced a cybersecurity incident, we’ve engaged experts, we’re working to restore operations”—is better than radio silence.

If customer data was accessed, you’ll need a more detailed communication plan. Texas law requires you to notify affected individuals and, in some cases, the Attorney General. Your breach coach will help draft notifications that meet legal requirements without creating additional liability.

Business Continuity Workarounds

While systems are down, you need manual workarounds. Paper order forms, phone-based customer service, offline payment processing. Document these processes—they’re your disaster recovery plan in action, and you’ll improve them for next time.

If you’re a critical supplier or service provider, communicate with your customers about delays and expected restoration timelines. Losing customer trust is often more damaging than the direct costs of the incident.

Beyond 72 Hours: What Recovery Actually Means

After 72 hours, you’re likely still in restoration mode, but you should have critical systems back online and a clear timeline for full recovery. Even so, “recovery” doesn’t mean returning to the way things were—it means restoring operations while fixing the problems that allowed the attack.

Your incident response team’s forensic report will identify how attackers got in and what they accessed. Common findings: compromised credentials from phishing or password reuse, unpatched VPN or remote desktop services, inadequate network segmentation allowing lateral movement, or insufficient endpoint detection.

Remediation, Not Just Restoration

Restoring from backup without addressing the root cause means you’ll be back in the same situation within months. Post-incident remediation typically includes: implementing multi-factor authentication across all remote access, patching or replacing vulnerable systems, segmenting networks to limit lateral movement, deploying endpoint detection and response tools, and establishing security awareness training.

For Texas businesses, if the incident exposed weaknesses in how you handle state data, you may need to demonstrate corrective actions to comply with Tex. Gov. Code §§ 2054.5191 and 2054.5193, which establish cybersecurity standards for state contractors and entities handling state data.

Many small businesses discover they need ongoing security monitoring and management—either by hiring in-house expertise or partnering with a managed security provider. The cost of prevention is a fraction of the cost of another incident.

Frequently Asked Questions

Should I pay the ransom if I don't have backups?

CISA and the FBI recommend against paying, but acknowledge businesses sometimes face existential choices. Before paying, verify the ransomware group isn’t on OFAC sanctions lists (paying sanctioned groups violates federal law). Understand that payment doesn’t guarantee working decryption tools, doesn’t prevent data publication if it was exfiltrated, and doesn’t stop attackers from returning. Consult your breach coach and incident response team before making any payment decision.

How long does ransomware recovery actually take?

Critical systems can often be restored in 3-7 days if you have good backups and a competent incident response team. Full recovery—including all systems, data validation, and security remediation—typically takes 4-8 weeks. Decryption after paying ransom is usually slower than backup restoration and often incomplete. The timeline depends on data volume, backup integrity, and how thoroughly you remediate the vulnerabilities that allowed the attack.

Do I need to report a ransomware attack to law enforcement?

Reporting to law enforcement (FBI, Secret Service) is voluntary but recommended. They can provide guidance on attribution, connect you with resources, and sometimes help with decryption if they have keys from prior cases. For Texas businesses, if personal information was accessed, you must notify affected individuals under Tex. Bus. & Com. Code § 521.053. If you handle state data, additional reporting may be required under state contracts.

What happens if customer data was stolen, not just encrypted?

Modern ransomware often involves data exfiltration (“double extortion”). If customer data was stolen, paying ransom doesn’t eliminate the exposure—attackers still have the data and may publish or sell it. You’ll need to notify affected individuals per Texas breach notification law, offer credit monitoring if appropriate, and prepare for potential regulatory scrutiny. Your breach coach will guide the notification process and help assess exposure.

Can I prevent ransomware from happening again?

You can significantly reduce risk but not eliminate it entirely. Post-incident remediation should include: multi-factor authentication on all remote access, regular patching, network segmentation, endpoint detection and response tools, regular backup testing, and security awareness training. Many businesses also implement 24/7 security monitoring through a managed security provider. The key is addressing the specific vulnerabilities that allowed your incident, not just generic security improvements.

How much does ransomware recovery cost if I don't pay the ransom?

Incident response, forensics, legal counsel, and restoration costs typically range from $50,000 to $500,000+ for small businesses, depending on scope and complexity. Cyber insurance covers most of these costs if you have a policy and follow reporting requirements. Indirect costs—lost revenue, customer churn, regulatory fines, reputation damage—often exceed direct response costs. This is why prevention and preparedness investments are worthwhile.

Last reviewed and updated: May 8, 2026