Ransomware incidents have hit Canadian businesses of every size, from municipalities to dental offices. The technical response matters—but the first decisions made in the first few hours matter more.
What ransomware actually does (briefly)
Modern ransomware follows a pattern:
- Initial access — through a phishing email, exposed RDP port, or compromised credentials
- Lateral movement — the attacker moves through the network, escalating privileges and identifying valuable data
- Data exfiltration — sensitive data is copied out before encryption begins (for double-extortion leverage)
- Encryption — files are encrypted; ransom note appears
- Extortion — payment demanded to decrypt files and/or suppress publication of stolen data
The encryption event is what most businesses notice—but the attacker may have been in the environment for days or weeks before triggering it.
Hour 1: Contain before you investigate
Isolate affected systems immediately. Disconnect from the network—physically unplug Ethernet cables, disable Wi-Fi, remove from Active Directory if possible. Do not simply shut down machines (some ransomware variants are programmed to encrypt more aggressively on shutdown, and volatile memory can contain decryption artifacts useful for forensics).
Do not pay the ransom yet. Payment doesn't guarantee decryption, doesn't prevent publication of stolen data, and may trigger additional demands. Pause and assess first.
Activate your incident response plan. If you have one—now is the time. If you don't, document everything you're doing in writing from this point forward.
Contact your cyber insurance carrier. If you have cyber insurance, notify them immediately. Most policies require prompt notification and may direct you to approved incident response firms.
Hours 2–6: Assess the scope
With affected systems isolated, understand what you're dealing with:
- Which systems are encrypted? Which are not affected?
- What data was on the affected systems?
- Do you have clean backups? When were they last tested?
- Is the attacker still active in the environment?
The last question is critical. If the attacker still has access, restoring from backup and reconnecting to the network just gives them a second opportunity. The environment needs to be confirmed clean before restoration begins.
Engage a professional incident response firm if you don't have the internal capacity to investigate. They have forensic tooling and experience that materially affects outcomes.
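A quick first-pass inventory of one isolated host, to help answer the first question above, as an added example that is not part of the original post: it flags likely-encrypted files by byte entropy and locates candidate ransom notes. The entropy threshold, the marker words and the constructed sample files are assumptions; compressed formats (zip-based Office documents, images, archives) also score high, so every hit still needs a human look.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed thresholds, not from the original post. Encrypted (or compressed) data
# sits near 8 bits/byte of Shannon entropy; ransom notes are small text files
# that typically mention decryption or payment.
ENTROPY_THRESHOLD = 7.5
NOTE_MARKERS = ("decrypt", "ransom", "bitcoin")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_tree(root):
    """Walk a directory; return (likely_encrypted, ransom_notes) as sorted path lists."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        head = path.read_bytes()[:65536]          # sample only the first 64 KiB
        if path.suffix.lower() == ".txt" and len(head) < 4096:
            text = head.decode("utf-8", errors="ignore").lower()
            if any(marker in text for marker in NOTE_MARKERS):
                notes.append(str(path))
                continue
        # Very small files give unreliable entropy, so skip them.
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(str(path))
    return sorted(encrypted), sorted(notes)


def build_sample_tree():
    """Constructed sample: a plaintext file, a random-byte 'encrypted' copy, a note."""
    root = tempfile.mkdtemp(prefix="triage_")
    (Path(root) / "quarterly.csv").write_bytes(b"region,revenue,cost\nON,120,80\n" * 100)
    (Path(root) / "quarterly.csv.locked").write_bytes(os.urandom(4096))
    (Path(root) / "README_RESTORE.txt").write_text(
        "Your files are encrypted. Contact us to decrypt them.")
    return root


if __name__ == "__main__":
    likely_encrypted, ransom_notes = triage_tree(build_sample_tree())
    print("likely encrypted:", likely_encrypted)
    print("ransom notes:", ransom_notes)
```

Run it read-only against the data volumes of an isolated machine, and record the counts and paths in the incident timeline rather than acting on them alone.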
Hours 6–24: Communication and legal obligations
Notify leadership. This is a business continuity event, not just an IT problem. Executives need to be involved in decisions about communication, legal obligations, and recovery priorities.
Assess notification obligations. Under PIPEDA, a data breach involving personal information must be reported to the Office of the Privacy Commissioner of Canada and affected individuals if it creates a "real risk of significant harm." Provincial laws (particularly Quebec Law 25) have additional requirements. Get legal counsel involved early.
Document the incident timeline. Who noticed what, when? What actions were taken? This documentation supports insurance claims, regulatory notifications, and post-incident review.
The recovery decision
If you have clean, tested backups from before the intrusion:
- Rebuild affected systems from known-good images (don't restore to compromised hardware without reimaging)
- Restore data from backup
- Verify the environment is clean before reconnecting to production networks
- Reset all credentials—every account, not just the ones you know were compromised
If backups are inadequate or also encrypted, you're weighing paying the ransom against rebuilding from scratch. This is a business decision involving legal counsel, your insurer, and executive leadership—not just IT.
Prevention: what actually works
- Offline or immutable backups that ransomware can't reach (cloud backup with versioning; tape; air-gapped storage)
- MFA on everything, particularly RDP, VPN, and email
- Patching: most ransomware exploits vulnerabilities that have patches available
- Network segmentation to limit lateral movement
- Email filtering to catch phishing at the entry point
The businesses that recover fastest from ransomware are the ones that had good backups and had tested them. Everything else is secondary.
MicroPro provides security assessments, backup infrastructure design, and incident response preparation for Canadian businesses. Contact us to discuss your current exposure.