GUIDE · THE OPERATOR’S NOTEBOOK

Ransomware: what to do in the first hour

A message appears on the screen demanding money, files stop opening, and the office goes quiet. What you do in the first hour matters more than everything you do over the following week, and, counterintuitively, the best moves are the calm ones. The list below is written to be read beforehand, not on the day it happens.

The first few minutes: isolate, don’t shut down

The first correct move is to disconnect the affected machine from the network: pull the cable and turn off the Wi-Fi, so the spread stops before it reaches the other workstations and the server. The second correct move is not to power it off. Its memory can still hold traces that help the analysis and sometimes the recovery itself (running processes, network connections, in some cases the encryption keys), and all of that is gone the moment the power goes. Disconnected, but still running.

If you suspect other workstations are affected, isolate their network segment too. Tell people to stop opening attachments or links until the situation is clear, and not to log in to the affected machines with their usual accounts. These attacks usually arrive by email or through remote access with weak or stolen credentials, and the first click is rarely the last one.

What not to do, however tempting

Don’t pay right away. Payment doesn’t guarantee recovery (the decryptor may never arrive, or may not work), it funds the next attack, and in some cases it raises legal questions, because some of these groups are under sanctions. That decision is made coolly, with every option on the table, and if the backup is in order, it usually doesn’t come up at all.

Don’t delete anything and don’t reinstall “to get it working fast.” A rushed reinstall destroys exactly the information needed to find out how the attack got in, and without that answer you risk repeating the same day a month later, with the same doors left open. Keep the ransom note and a few of the encrypted files as well: they identify the ransomware family, and for some families a free decryptor exists.

The phone calls in the first hour

First call: the person or company that manages your IT. With us, critical incidents carry a response time of one hour at most (SLA), written into the contract. The second call depends on severity: the national cyber security authority runs a reporting line (1911 in Romania), free and available around the clock. And if personal data is affected, remember that GDPR requires notifying the supervisory authority within 72 hours of becoming aware of the breach. Your data lawyer or consultant needs to know on the first day, not the third.

What actually decides the day: the backup you had beforehand

The uncomfortable truth is that the day’s outcome was decided months earlier. A company with a verified backup, kept offline or on storage that the credentials used in the office cannot overwrite, loses a few hours and some nerves: it isolates, cleans, and restores. A company without a backup ends up negotiating with criminals. Attackers look for and encrypt or delete any backup they can reach, including network shares and always-mounted external drives, which is exactly why a separate backup, tested with a trial restore, is the only one that counts on the day.
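
The trial restore the paragraph calls for can be scripted, and should be, so it runs on a schedule rather than on the day of the crisis. The script below is an added example written for this guide, not the company’s own tooling: it hashes every file when the backup is made, keeps that manifest beside the archive (in practice, store it with the offline copy), restores the archive into a scratch directory and compares each restored file against the manifest. The second run simulates a backup the attacker reached, with one file overwritten, and shows it failing the check. All paths, file names and contents are constructed for the demonstration.

```python
"""Trial-restore check for a zip backup (added example, not the page's code)."""
import hashlib
import json
import os
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Zip `source` and record {relative_path: sha256} for every file at backup time."""
    manifest = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                zf.write(p, rel)
    # Manifest lives outside the archive; keep it with the offline copy so that
    # rewriting the archive alone cannot make a tampered backup look good.
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def trial_restore(archive: Path) -> dict:
    """Restore into a scratch directory and verify every file against the manifest."""
    manifest = json.loads(archive.with_suffix(".manifest.json").read_text())
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch).resolve()
        with zipfile.ZipFile(archive) as zf:
            for member in zf.namelist():
                # Refuse archive entries that would escape the scratch directory.
                if not str((dest / member).resolve()).startswith(str(dest)):
                    raise ValueError(f"unsafe path in archive: {member}")
            zf.extractall(dest)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_of(restored) != expected:
                mismatched.append(rel)
    return {
        "ok": not missing and not mismatched,
        "restored": len(manifest) - len(missing),
        "missing": missing,
        "mismatched": mismatched,
    }


def demo() -> tuple:
    """Constructed sample: an intact backup passes, a backup altered afterwards fails."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "share"  # hypothetical file share
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet bytes " * 50)
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = work / "backup.zip"
        make_backup(src, archive)
        good = trial_restore(archive)

        # Simulate a backup the attacker could reach: one file replaced by random
        # bytes (standing in for an encrypted file), manifest left untouched.
        tampered = work / "backup_tampered.zip"
        with zipfile.ZipFile(archive) as zin, zipfile.ZipFile(tampered, "w") as zout:
            for member in zin.namelist():
                data = zin.read(member)
                if member == "finance/q1.xlsx":
                    data = os.urandom(len(data))
                zout.writestr(member, data)
        tampered.with_suffix(".manifest.json").write_bytes(
            archive.with_suffix(".manifest.json").read_bytes()
        )
        bad = trial_restore(tampered)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("intact backup", "tampered backup"), demo()):
        print(label, "OK" if result["ok"] else "FAILED", result)
```

The point of the second run is that a backup job reporting “completed successfully” tells you nothing about whether the files inside are still the ones you wrote; only a restore plus a comparison does. Run it against the copy that is normally offline, and treat any mismatch as an incident in its own right.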

If you don’t know for certain which of the two companies you are, that’s easy to find out, and without a crisis. The free audit checks precisely these points (backup, access, updates) and leaves you a written report. It’s the kind of list that’s far cheaper to read beforehand.

THE NEXT STEP

Start with a security audit.

We go through backup, data access, and workstation and network protection, and show you the real risks. Free, with no obligation.