Incident Response · 10 July 2025 · 8 min read

Hit by Ransomware? Here's Exactly What to Do in the First 24 Hours

A step-by-step emergency guide for Australian small businesses dealing with a ransomware attack — what to do, what to avoid, and how to recover.


Discovering ransomware on your systems is one of the most stressful things that can happen to a small business. Files are suddenly inaccessible. A ransom note is on your screen. You don't know how bad it is or what to do next.

The decisions you make in the next few hours matter enormously. This guide walks you through exactly what to do — step by step.

Step 1: Isolate Immediately

Your first priority is to stop the ransomware from spreading to other devices on your network. Do this now, before anything else:

  • Disconnect affected devices from the network — unplug the Ethernet cable or turn off Wi-Fi
  • Do NOT shut the device down — some forensic evidence and recovery options are preserved in memory; turning off can destroy them
  • Disconnect any external drives or USB devices attached to the infected machine
  • Alert other staff immediately — tell them not to open unusual emails, not to use shared drives, and to report anything strange on their own devices

If you have network-attached storage (NAS) or a file server, disconnect it from the network as well. Ransomware frequently targets shared drives and can encrypt them quickly.

Step 2: Assess the Scope

Once you've contained the immediate spread, try to understand what you're dealing with:

  • Which devices appear to be affected?
  • What data was stored on those devices or accessible from them?
  • Does the ransom note identify the ransomware variant? (Take a photo of it — you'll need this information later)
  • When did you first notice the problem, and has anything unusual happened in the past few days?

Don't try to access or "fix" affected files yourself. You could overwrite evidence or make recovery harder.

Step 3: Do Not Pay the Ransom

It's understandable that paying feels like the fastest way out. But there are strong reasons not to:

  • Payment doesn't guarantee recovery — many businesses pay and receive nothing, or receive broken decryption tools
  • It marks you as a target — attackers share lists of paying victims, and you may be hit again
  • It may be illegal — some ransomware groups are subject to international sanctions, and paying them could expose you to legal liability
  • It funds further attacks — every payment funds the criminal operations targeting other Australian businesses

Exhaust every other option before considering payment, and consult a legal professional if you're under pressure to pay.

Step 4: Contact Your Insurer

If you have cyber insurance, contact your insurer as soon as possible — ideally within hours of discovering the attack. Most cyber insurance policies have specific notification requirements, and delaying contact can affect your claim. Your insurer may also have an incident response panel they can connect you with immediately.

If you don't have cyber insurance, this is a painful reminder of why it matters. Add it to your recovery to-do list.

Step 5: Report to the ACSC and ReportCyber

Australian businesses are encouraged — and in some cases required — to report ransomware attacks. Report the incident at cyber.gov.au/report (ReportCyber). The Australian Cyber Security Centre (ACSC) uses these reports to track threat actors and can provide guidance.

If the attack has resulted in a data breach involving personal information, you may also have mandatory notification obligations under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme. Check whether customer or employee data was on the affected systems, and seek legal advice if you're unsure about your obligations.

Step 6: Engage a Professional Incident Response Provider

Unless you have in-house IT expertise, you need professional help. An incident response specialist can:

  • Identify the ransomware variant and check for a public decryption tool (check nomoreransom.org)
  • Determine the attack vector — how the criminals got in
  • Assess the full scope of the infection
  • Guide your recovery process safely
  • Preserve evidence if law enforcement involvement is needed

Your insurer, IT provider, or the ACSC can help you find an accredited specialist.

Step 7: Restore from Clean Backups

If you have recent, clean backups, this is your fastest path to recovery. But before you restore, take these precautions:

  • Verify the backups are clean — ransomware can sit dormant before activating, and your backups may include infected files. A specialist can help you check.
  • Restore to a clean environment — don't restore onto systems that are still compromised
  • Close the entry point first — restoring before fixing the vulnerability that allowed the attack means you could be hit again immediately

If you don't have usable backups, this is where recovery becomes much harder. Cloud-based tools like Microsoft 365 often have version history and backup features — check whether your data is recoverable through those.
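A small triage script for the "verify the backups are clean" check in Step 7, added here as an example (it is not part of the original guide): it walks a backup copy that has been restored to an isolated location and flags ransom-note file names, appended encryption extensions, and text files whose bytes are near-random, which is what encrypted content looks like. The note names, extensions and sample files are constructed placeholders for this example, not real indicators; an incident response specialist would substitute the variant-specific values identified in Step 6.

```python
import math
import os
import tempfile
from pathlib import Path

# Placeholder indicators (assumptions for this example, not a real IoC feed);
# replace with the variant-specific names identified in Step 6.
NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}
SUSPECT_SUFFIXES = {".locked", ".encrypted"}
TEXT_SUFFIXES = {".txt", ".csv"}
ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted data sits near 8.0, text well below


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_backup(root: str, sample_bytes: int = 4096) -> list[tuple[str, str]]:
    """Walk a backup tree; return (relative_path, reason) for each suspect file."""
    findings = []
    base = Path(root)
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        rel = str(path.relative_to(base))
        if path.name.lower() in NOTE_NAMES:
            findings.append((rel, "ransom note name"))
        elif path.suffix.lower() in SUSPECT_SUFFIXES:
            findings.append((rel, "appended encryption extension"))
        elif path.suffix.lower() in TEXT_SUFFIXES:
            # A text file whose body is near-random has almost certainly been encrypted.
            ent = shannon_entropy(path.read_bytes()[:sample_bytes])
            if ent > ENTROPY_THRESHOLD:
                findings.append((rel, f"entropy {ent:.2f} too high for text"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed backup tree: one clean file and three that should be flagged."""
    root = tempfile.mkdtemp()
    (Path(root) / "invoices.csv").write_text("id,amount\n1,250.00\n2,99.50\n")
    (Path(root) / "README_TO_DECRYPT.txt").write_text("your files are encrypted")
    (Path(root) / "quote.docx.locked").write_bytes(os.urandom(4096))
    (Path(root) / "notes.txt").write_bytes(os.urandom(4096))  # text name, random body
    return scan_backup(root)
```

Any finding means the backup set needs a specialist's review before a single file is copied back into production; a clean result is only evidence of absence for these three checks, not proof the set is safe.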

Step 8: Identify and Close the Entry Point

Before you bring systems back online, you need to understand how the attackers got in. Common entry points include:

  • A phishing email that an employee clicked
  • Weak or reused passwords on a remote access tool (like Remote Desktop Protocol)
  • Unpatched software with a known vulnerability
  • A compromised supplier or third-party tool

Closing the entry point is essential. Reconnecting to the network without doing this is like changing the locks after a break-in but leaving the window open.

After the Immediate Crisis: What Comes Next

Once you've stabilised, there's important follow-up work:

  • Notify affected parties — if customer or employee data was exposed, you likely have legal and ethical obligations to inform them
  • Review your security posture — what controls would have prevented or limited this attack?
  • Improve your backup strategy — if this attack exposed gaps, fix them now
  • Train your staff — if the attack started with a phishing email, security awareness training is your best investment
  • Document the incident — for insurance purposes, legal obligations, and your own future reference

Recovering from ransomware is hard and expensive. But businesses that have clean backups, respond quickly, and get professional help can and do recover. The worst outcomes typically happen when businesses delay action, attempt to negotiate without professional guidance, or restore without first closing the vulnerability that let the attackers in.


Frequently asked questions

Should I pay the ransom if my business is hit?

In almost every case, the advice from Australian authorities and security experts is not to pay. Paying doesn't guarantee you'll get your data back — many businesses pay and receive nothing, or receive decryption tools that only partially work. It also marks you as a willing payer, which can make you a target for follow-up attacks. In some cases, paying may be illegal if the ransomware group is subject to international sanctions. Exhaust every other option first, including restoring from backups and engaging a professional incident response provider.

Can I remove ransomware without paying?

Sometimes — it depends on the ransomware variant and whether a decryption tool is publicly available. The website nomoreransom.org, run by Europol and international law enforcement, maintains a library of free decryption tools for many known ransomware strains. An incident response specialist can also assess whether recovery is possible without payment. However, if you have clean backups, restoring from them is usually faster and more reliable than attempting to decrypt compromised systems.

How long does it take to recover from a ransomware attack?

Recovery time varies enormously depending on how widespread the infection is, whether you have clean backups, and how quickly you engage professional help. Small businesses with good backups and limited infrastructure can sometimes recover within days. Those without backups, or with complex environments, can face weeks or months of disruption. This is why preparation — particularly maintaining tested, offline backups — makes such a significant difference to recovery time and cost.

Tags: ransomware, incident response, cyber attack, australia, ACSC, recovery