
The First 72 Hours After a Ransomware Attack (What To Do Step-By-Step)

Hour 0-4: Isolate, Contain, Protect the Evidence

Your goal in the first few hours is simple: stop the bleeding without destroying critical forensic data.

1. Disconnect infected systems

Unplug network cables, disable Wi-Fi, and isolate compromised servers or workstations.
Do not power off, wipe or reimage anything yet. Your future recovery, insurance claim, and legal protection may depend on preserved evidence.

2. Disable remote access

Immediately shut down:

  • VPN connections
  • RDP access
  • Remote management tools
  • Admin accounts that may have been compromised

Speed matters here. Attackers often linger and spread laterally.

3. Notify your internal leadership

Executives, office managers, compliance officers, and your IT partner must know fast.
In healthcare and financial institutions, this includes privacy/security officers and compliance administrators.

Security-first note

At Johnson BTS, our first move is always triage: isolate the threat, identify what's impacted, and confirm whether compliance-regulated data is at risk.

Hour 4-12: Assess the Impact and Start Documentation

Once the immediate threat is contained, shift into structured incident response.

4. Identify the ransomware strain

This helps determine:

  • Whether decryptors exist
  • What the attacker typically steals
  • Whether you're dealing with double-extortion (encryption + data theft)

5. Document everything

Create a timeline:

  • When the issue was discovered
  • Systems affected
  • Screenshots of ransom notes
  • Encryption indicators
  • Any suspicious activity

This documentation matters during:

  • Insurance claims
  • FTC, HIPAA, PCI, or SEC compliance reporting
  • Legal review
  • Law enforcement involvement

6. Secure your backups

Before you touch anything, verify whether backups are:

  • Intact
  • Unencrypted
  • Offsite or immutable

Do not restore yet—first determine if the threat is fully contained.
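A way to check a backup tree for the encryption indicators mentioned above before trusting it for restoration. This is an added example, not Johnson BTS tooling; the extension list, ransom-note names and the 7.5 bits/byte entropy threshold are illustrative assumptions, and the sample tree is constructed in a temp directory.

```python
"""Scan a backup tree for ransomware encryption indicators before trusting it for restoration."""
import math
import os
import tempfile
from collections import Counter

# Assumed indicator lists for illustration; a real review uses the identified strain's known markers.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.html"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to the 8.0 maximum

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy; plain documents score low, ciphertext scores near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str) -> dict:
    """Walk the tree and group files by the indicator that fired (a file can appear in several)."""
    findings = {"ransom_note": [], "suspect_extension": [], "high_entropy": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                findings["ransom_note"].append(path)
            if os.path.splitext(lower)[1] in SUSPECT_EXTENSIONS:
                findings["suspect_extension"].append(path)
            with open(path, "rb") as fh:
                head = fh.read(65536)  # sample the first 64 KiB only
            if len(head) >= 1024 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                findings["high_entropy"].append(path)
    return findings

def backup_looks_clean(findings: dict) -> bool:
    return not any(findings.values())

def build_sample_backup() -> str:
    """Construct a throwaway tree: a plain CSV, a random-byte stand-in for ciphertext, a ransom note."""
    root = tempfile.mkdtemp(prefix="backup_sample_")
    with open(os.path.join(root, "invoices.csv"), "w") as fh:
        fh.write("id,amount\n" * 500)
    with open(os.path.join(root, "invoices.csv.locked"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    return root
```

Run `scan_tree` against a mounted backup snapshot; any non-empty finding list means that snapshot needs review before it is used.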

Hour 12-24: Notification Decisions

Many Middle Tennessee SMBs don't realize that breach notification deadlines may start ticking in under 24 hours, depending on the industry.

7. Determine whether sensitive data was accessed

Regulated businesses must evaluate potential exposure of:

If evidence suggests exfiltration, you must prepare for breach notification steps.

8. Contact law enforcement

For ransomware, this typically includes:

  • FBI Cyber Division
  • Tennessee Bureau of Investigation (when critical infrastructure is impacted)

Law enforcement does NOT fix the issue, but this step is important for documentation and insurance.

9. Contact your cyber insurance carrier (if applicable)

Most policies require:

  • Immediate notification
  • Verified forensic investigation
  • Vendor approval before restoration

Failure to follow their process can void coverage.

Hour 24-48: Begin Secure Restoration

When containment is confirmed and compliance steps are underway, focus on getting back to business.

10. Wipe and rebuild infected systems

Never trust previously encrypted or compromised devices.
Fresh builds only.

11. Restore from verified clean backups

Key questions before restoring:

  • When was your last clean snapshot?
  • Are cloud backups immutable?
  • Are Microsoft 365/Google Workspace files backed up separately?
    (Most businesses still don't realize they are not.)

12. Increase monitoring

For 48 hours after the attack, implement:

  • 24/7 endpoint monitoring
  • Temporary network isolation zones
  • Zero-trust access restrictions
  • Strict MFA enforcement

You're watching for lingering backdoors or dormant malware.
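Detection logic for the lingering-backdoor watch described above, run over constructed sample records. This is an added example, not part of the original article; the event IDs are real Windows Security/System IDs, but the one-line record format, the internal-range definition and the sample entries are assumptions made for the example.

```python
"""Flag persistence and re-entry indicators in Windows event records after a ransomware incident."""
import ipaddress
import re

# Real Windows Security/System event IDs, each with what it means for post-incident review.
WATCHED_EVENTS = {
    4720: "new local user account created",
    4732: "member added to a local security group",
    4698: "scheduled task created",
    7045: "new service installed",
    4624: "successful logon",
}
# Simplified notion of 'internal' (RFC 1918 plus loopback); an assumption made for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+(?P<detail>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def is_external(ip: str) -> bool:
    """True for a parseable address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def analyze(lines) -> list:
    """Return (timestamp, event_id, reason, detail) tuples; 4624 only fires for RDP from outside."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("id")) not in WATCHED_EVENTS:
            continue
        eid, detail = int(m.group("id")), m.group("detail")
        fields = dict(KV_RE.findall(detail))
        if eid == 4624:  # logons are routine; LogonType 10 (RDP) from a public address is not
            if fields.get("LogonType") == "10" and is_external(fields.get("SourceIP", "")):
                alerts.append((m.group("ts"), eid, "RDP logon from external address", detail))
            continue
        alerts.append((m.group("ts"), eid, WATCHED_EVENTS[eid], detail))
    return alerts

# Constructed sample records in a simplified "timestamp EventID=n key=value ..." form, not real log output.
SAMPLE_LOG = [
    "2024-06-01T02:13:05Z EventID=4720 TargetUser=svc_backup2 Subject=Administrator",
    "2024-06-01T02:13:40Z EventID=4732 Group=Administrators Member=svc_backup2",
    "2024-06-01T02:15:12Z EventID=4698 TaskName=SyncUpdate Command=C:\\ProgramData\\sync.exe",
    "2024-06-01T02:20:00Z EventID=4624 LogonType=10 TargetUser=svc_backup2 SourceIP=203.0.113.45",
    "2024-06-01T09:00:00Z EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=192.168.1.50",
]
```

In the sample, a new account is created, added to Administrators, given a scheduled task and then used for RDP from outside within minutes; that sequence is exactly what the 48-hour watch is meant to surface.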

Hour 48-72: Hardening and Compliance Follow-Through

Once operations resume, it's time to close the gaps that made the attack possible.

13. Patch systems and update credentials

Reset:

  • All passwords
  • Local admin accounts
  • Service accounts
  • Privileged credentials

Patch everything, including OS, apps, specialty systems, servers, and firmware.

14. Conduct a post-incident forensic review

This determines:

  • Attack vector
  • Dwell time
  • Data accessed
  • How to prevent repeat incidents

Many Middle Tennessee SMBs skip this. It's a mistake.
Ransomware actors nearly always return to companies that haven't fixed their weaknesses.

15. File required compliance notifications

Depending on your industry, you may have required timelines:

  • HIPAA: 60 days (for breaches affecting <500 individuals)
  • FTC Safeguards Rule: Notice for unauthorized access impacting customer data
  • PCI: Rapid notification to acquiring bank and card brands
  • SEC: Material cybersecurity events require public reporting

Your documentation from the first 24 hours is essential here.

Common Mistakes We Still See in Middle Tennessee SMBs

Even established businesses accidentally complicate recovery by doing the following:

"We powered everything off."

This destroys forensic evidence and makes insurance claims harder.

"We restored from infected backups."

If the malware was dormant for weeks, the restored system becomes reinfected instantly.

"We didn't call anyone because we didn't want to sound the alarms."

Compliance fines for delayed reporting can be far worse than the attack itself.

"We assumed Microsoft 365 files were backed up."

They are not—unless you have third-party backup.

"We tried to pay the ransom quietly."

This is not always legal, and it often doesn't work.

The Johnson BTS Simple 3-Step Plan to Protect Your SMB

  1. Schedule a 15-minute discovery call
  2. Get a free security and network assessment
  3. Receive a tailored ransomware readiness and recovery plan

You don't have to panic when something goes wrong, and you don't have to navigate a ransomware incident alone.

You can stop worrying about data loss, downtime, and compliance fallout, and instead operate with security, confidence, and reliable support behind you.

Click Here or give us a call at 615-989-0000 to Book a FREE 15-Minute Discovery Call