Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Incident response

Ransomware just hit. First 24 hours

Don't pay yet. Don't reboot. Don't restore over a still-infected system.

Modern ransomware does two things: encrypts files and exfiltrates data. Paying the ransom is not a quick fix — modern groups often leak the data anyway, and payment to a sanctioned entity is a strict-liability criminal offence under UK law. Get legal advice before paying anything.

First 30 minutes — contain

  • Isolate the affected systems from the network. Do not power off.
  • Disconnect shared drives and backup targets.
  • Tell staff: stop using IT.

First hour — call

  • Your IT supplier.
  • Your cyber insurer. Most policies require notification within hours.
  • The incident-response retainer, if you have one.
  • NCSC if it's a serious incident.

First few hours — document

  • Photograph the ransom note and encrypted file extensions.
  • Record who noticed what, when.
  • Identify the scope.

First 24 hours — decide

  • Identify clean, recent backups.
  • Get legal advice on data exfiltration, ICO notification, and any ransom decision — UK sanctions law makes payment to a sanctioned entity a criminal offence.
  • Draft — do not send — customer and staff communications.
  • If personal data was accessed: notify the ICO within 72 hours.

Common mistakes

  • Restoring over the still-compromised network.
  • Paying without legal advice.
  • Not notifying the insurer in time — voids cover.
  • Ignoring exfiltration risk.