Modern ransomware does two things: encrypts files and exfiltrates data. Paying the ransom is not a quick fix — modern groups often leak the data anyway, and payment to a sanctioned entity is a strict-liability criminal offence under UK law. Get legal advice before paying anything.
First 30 minutes — contain
- Isolate the affected systems from the network. Do not power off.
- Disconnect shared drives and backup targets.
- Tell staff: stop using IT.
First hour — call
- Your IT supplier.
- Your cyber insurer. Most policies require notification within hours.
- The incident-response retainer, if you have one.
- NCSC if it's a serious incident.
First few hours — document
- Photograph the ransom note and encrypted file extensions.
- Record who noticed what, when.
- Identify the scope.
First 24 hours — decide
- Identify clean, recent backups.
- Get legal advice on data exfiltration, ICO notification, and any ransom decision — UK sanctions law makes payment to a sanctioned entity a criminal offence.
- Draft — do not send — customer and staff communications.
- If personal data was accessed: notify the ICO within 72 hours.
Common mistakes
- Restoring over the still-compromised network.
- Paying without legal advice.
- Not notifying the insurer in time — voids cover.
- Ignoring exfiltration risk.