It is Monday morning. Your team arrives to find file servers encrypted, a ransom note on every screen, and critical business applications offline. The phone starts ringing. Customers cannot access their data. Your accounting system is locked. Backups may or may not be intact -- nobody is sure yet.
This is not hypothetical. Approximately 2 in 5 ransomware attacks in Q4 2024 targeted companies with 101 to 1,000 employees, and another 30% hit companies with 11 to 100. Recovery costs averaged $1.53 million in 2025, excluding any ransom payment, and average downtime is 24 days. The often-repeated figure that 60% of small businesses close within six months of a significant cyber attack has never been traced to a reliable source, but the survival risk for a company that cannot get its data back is real enough.
What you do in the first 48 hours determines whether your company recovers or becomes a statistic. Here is the playbook.
Hour 0-2: Stop the Bleeding
The first two hours are about containment, not investigation. Every minute you spend diagnosing the problem while infected systems remain connected is a minute the ransomware has to spread further. Speed matters more than precision here.
Immediate actions:
- Disconnect infected systems from the network. If your EDR platform has a host-isolation feature, use it first; it is faster than walking the building. Otherwise shut the affected switch ports or VLANs at the firewall, then pull ethernet cables and disable Wi-Fi adapters on individual hosts. If you cannot identify which systems are infected, disconnect everything and bring systems back selectively. Aggressive containment beats half-measures that let the ransomware propagate.
- Do NOT power off infected machines if you can isolate them. Volatile memory contains forensic evidence -- for some variants the encryption keys, plus running processes and network connections -- that disappears when you shut down. Disconnect from the network but leave systems running. The one exception, and CISA's guidance says the same: if you genuinely cannot disconnect a machine and it is still encrypting, powering it off is better than letting it finish and spread.
- Preserve the ransom note and a few encrypted samples. Photograph the note, screenshot it, and copy the note file plus two or three encrypted files (with the unencrypted original of the same file if any backup still has one) to removable media; hash everything you collect. Record the file extension appended to encrypted files. This information identifies the ransomware variant, which determines whether a free decryptor exists and informs your response strategy.
- Switch to out-of-band communication. If the attacker is in your environment, they may be reading your email and Slack messages. Move incident coordination to personal cell phones, a new Signal group, or a completely separate communication channel the attacker cannot access.
- Assess your backups immediately. Are they accessible? Are they encrypted? When was the last successful backup? Are they stored offline or in immutable cloud storage? Were the backup server, backup credentials and cloud backup console reachable from the compromised domain? Attackers routinely delete or encrypt backups before deploying ransomware, so do not assume they are intact until you have checked. The answers to these questions determine your recovery path.
Hour 2-6: Mobilize and Assess
With containment underway, assemble your response team and start building a clear picture of the damage.
Activate your response team:
- Internal: IT lead, executive decision-maker (CEO/COO), legal counsel, and communications lead. If you have a CISO, they run the response. If not, your most senior technical person takes point.
- External (call now, not later): your cyber insurance carrier (if you have one -- many policies require you to notify them before engaging outside help and to use their panel of pre-approved IR firms), an incident response firm, and outside counsel experienced in data breach law. Where possible, engage the IR firm through counsel so the investigation's findings are covered by privilege.
- Law enforcement: File a report with the FBI via IC3 (ic3.gov) and contact CISA at report@cisa.gov or (888) 282-0870. Do not skip this step: it creates a legal record, it may connect you to existing intelligence about the threat actor (law enforcement has in some cases obtained decryption keys for specific families), and CISA's StopRansomware program publishes free guidance and response checklists.
Determine the scope:
- Which systems are encrypted vs. which are clean?
- What data was potentially accessed or exfiltrated? (Most ransomware crews now steal data before encrypting it and threaten to publish it, so assume data theft until the investigation rules it out.)
- What is the ransomware variant? Tools like ID Ransomware (id-ransomware.malwarehunterteam.com) can identify it from the ransom note or an encrypted file sample.
- Check nomoreransom.org for free decryptors. This project, backed by Europol and major security vendors, maintains decryptors for hundreds of ransomware variants.
- How did the attacker get in? The most common entry points for SMBs are compromised credentials (30% of attacks) and exploited vulnerabilities (29%).
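The evidence-preservation step in the first two hours (record the extension, keep the note, hash what you collect) and the scoping question of which shares are actually encrypted can be answered with one read-only triage pass. The script below is an added example written for this article, not code from any vendor or IR firm: it walks a tree, samples the first 4 KiB of each file for Shannon entropy (ciphertext sits near 8 bits per byte, office documents and text far lower), tallies the extension on the high-entropy files, finds likely ransom notes by filename, and writes a SHA-256 manifest outside the affected tree. The note-filename keywords and the sample share it builds in a temporary directory are assumptions for the demo; feed it the real share root and the real note name in practice, and remember that zip, jpeg and pdf content is also high entropy, which is why the extension tally is the more reliable signal.

```python
"""Read-only triage of a share suspected to be ransomware-encrypted.

Tallies the extension used on encrypted files, flags high-entropy files as
probably encrypted, finds likely ransom notes by filename, and records a
SHA-256 manifest so the collected evidence can later be shown to be unaltered.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed keyword list for ransom-note filenames; extend it with the name of
# the note you actually found on screen.
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to", "howto")
ENCRYPTED_ENTROPY = 7.5   # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is sampled for entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_note(path: Path, entropy: float) -> bool:
    """A ransom note is readable text (low entropy) with a telltale filename."""
    name = path.name.lower()
    return entropy < 6.0 and any(k in name for k in NOTE_KEYWORDS)


def triage(root: Path) -> dict:
    """Walk root without writing into it and summarise what was found."""
    ext_counts: Counter = Counter()
    encrypted, notes, manifest = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            with p.open("rb") as f:
                head = f.read(SAMPLE_BYTES)
            ent = shannon_entropy(head)
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p),
                             "size": p.stat().st_size,
                             "entropy": round(ent, 2)}
            if looks_like_note(p, ent):
                notes.append(rel)
            elif ent >= ENCRYPTED_ENTROPY:
                # Caveat: zip, jpeg and pdf payloads are also high entropy, so
                # the extension tally below is the stronger signal.
                encrypted.append(rel)
                ext_counts[p.suffix.lower() or "<none>"] += 1
    dominant = ext_counts.most_common(1)[0][0] if ext_counts else None
    return {"root": str(root),
            "dominant_extension": dominant,
            "probably_encrypted": sorted(encrypted),
            "ransom_notes": sorted(notes),
            "manifest": manifest}


def write_report(summary: dict, out: Path) -> str:
    """Write the report outside the affected tree; return its own SHA-256."""
    out.write_text(json.dumps(summary, indent=2, sort_keys=True))
    return sha256_file(out)


def build_sample_tree(root: Path) -> None:
    """Constructed sample: three 'encrypted' files, one note, two clean docs."""
    (root / "finance").mkdir(parents=True)
    for i in range(3):
        (root / "finance" / f"ledger{i}.xlsx.locked").write_bytes(os.urandom(8192))
    (root / "finance" / "HOW_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Contact us to buy the decryptor.\n")
    (root / "memo.txt").write_text("Quarterly planning notes.\n" * 50)
    (root / "policy.md").write_text("# Acceptable use\nBe kind to the network.\n" * 20)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "fileshare"
        build_sample_tree(share)
        result = triage(share)
        print("extension:", result["dominant_extension"],
              "encrypted:", len(result["probably_encrypted"]),
              "notes:", result["ransom_notes"])
        print("report sha256:", write_report(result, Path(tmp) / "triage.json"))
```

Run it against a mounted, read-only copy of each affected share (one host at a time) and keep the report and its hash with the rest of the evidence; the dominant extension and the note filename are exactly what ID Ransomware and nomoreransom.org ask for.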
Hour 6-24: Make the Critical Decisions
By now you should have a clearer picture of what is encrypted, whether backups are viable, and what ransomware variant you are dealing with. This is where the hard decisions happen.
Decision 1: Can you recover from backups?
If your backups are intact, offline, and recent, this is your recovery path. Do not restore directly onto compromised infrastructure. Stand up a clean network segment, verify backup integrity, and restore critical systems first. Prioritize in this order: (1) authentication and identity systems, (2) communication tools, (3) revenue-generating applications, (4) everything else. For identity systems in particular, restore from a backup taken before the earliest confirmed attacker activity; a newer one brings back the attacker's accounts, group memberships and persistence along with your data, and every credential still has to be reset after the restore.
Critical: before restoring, ensure you have identified and closed the initial access vector. Restoring from backup onto a still-compromised environment just gives the attacker another chance.
Decision 2: Should you pay the ransom?
This is a business decision, not a technical one, and it should involve your legal counsel and executive leadership. The facts to weigh:
- The median ransom payment in 2024 was $115,000. But payment does not guarantee full data recovery -- decryptors provided by attackers frequently fail or corrupt data.
- An estimated 97% of organizations that had data encrypted in 2025 were able to recover it through some combination of backups, free decryptors, or payment.
- If the attacker exfiltrated sensitive data (customer PII, financial records, health information), paying the ransom does not prevent them from publishing or selling it later.
- The FBI discourages payment because it funds criminal operations and incentivizes future attacks, while acknowledging that each organization must evaluate its own situation. Separately, the U.S. Treasury's OFAC has warned that paying a sanctioned group or a facilitator acting for one can itself be a sanctions violation, which is one more reason counsel and your insurer must be involved before any payment is made.
Decision 3: Who needs to be notified?
Data breach notification laws vary by state, country and industry. If personal data was potentially compromised, you likely have legal notification obligations, some on short clocks: 72 hours to the supervisory authority under GDPR, four business days for a material incident under the SEC's rules for public companies, and 30 to 60 days under many U.S. state laws and HIPAA. Your legal counsel should advise, but do not wait until the investigation is complete to start tracking these deadlines. Document everything meticulously from the first hour.
Hour 24-48: Recover and Harden
With decisions made, the focus shifts to restoring operations and eliminating the attacker's access.
Recovery steps:
- Rebuild from known-good images. Do not attempt to "clean" infected systems. Wipe them and rebuild from verified clean images and backups.
- Reset every credential. All passwords -- domain admin, service accounts, user accounts, application passwords, API keys -- and, in an Active Directory environment, the krbtgt account (reset it twice, allowing replication to complete in between, or forged Kerberos tickets remain valid). Do the resets from a clean admin workstation after the attacker's access has been cut, not before; otherwise they simply harvest the new ones. The attacker had access to your credential store. Assume every credential is compromised.
- Patch the entry point. Whether it was a vulnerable VPN appliance, an unpatched Exchange server, or compromised RDP credentials, close the door the attacker walked through before you restore operations.
- Segment your restored environment. Bring systems back in phases on isolated network segments. Monitor each restored system for signs of persistent access or reinfection before connecting it to the broader network.
- Monitor aggressively. Attackers frequently maintain backdoors and persistence mechanisms beyond the initial ransomware. The weeks following a ransomware event are a high-risk period for reinfection. If you do not have 24/7 monitoring capability, engage a managed detection and response (MDR) provider.
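Monitoring a restored environment for reinfection is concrete enough to show as detection logic. The block below is an added example written for this article, not a rule set from any EDR or SIEM product: it matches Windows-style events (4688 process creation, 7045 new service, 4732 member added to a local group) against the well-known precursor commands that ransomware runs minutes before encryption (shadow-copy deletion, backup catalog deletion, disabling boot recovery) and against two common persistence routes, then lists the hosts that should be re-isolated. The single-line `ts host=... id=... user=... msg="..."` format and the seven sample events are constructed for the demo; in a real deployment you would feed it the same fields parsed from your log forwarder.

```python
"""Detection rules for ransomware precursors and post-recovery persistence,
run over constructed Windows-style process-creation and account events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    event_ids: tuple        # Windows event IDs the rule applies to
    pattern: re.Pattern     # matched against the event message


# 4688 = process creation, 7045 = new service installed, 4732 = member added
# to a security-enabled local group. The command-line patterns are the
# well-known shadow-copy / backup / boot-recovery tampering that typically
# precedes encryption, plus two common persistence routes.
RULES = (
    Rule("shadow-copy-deletion", "critical", (4688,), re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete", re.I)),
    Rule("backup-catalog-deletion", "critical", (4688,), re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    Rule("boot-recovery-disabled", "critical", (4688,), re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("persistence-scheduled-task", "high", (4688,), re.compile(
        r"schtasks(\.exe)?\s+/create", re.I)),
    Rule("persistence-new-service", "high", (7045,), re.compile(r".*")),
    Rule("new-local-admin", "high", (4732,), re.compile(r"administrators", re.I)),
)

# Constructed line format for this example (not a real Windows export).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+id=(?P<id>\d+)\s+user=(?P<user>\S+)\s+msg="(?P<msg>[^"]*)"$')


def parse(line: str):
    """Return an event dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    return ev


def evaluate(lines):
    """Return one alert per (event, rule) match, in log order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for rule in RULES:
            if ev["id"] in rule.event_ids and rule.pattern.search(ev["msg"]):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "rule": rule.name, "severity": rule.severity,
                               "msg": ev["msg"]})
    return alerts


def hosts_to_isolate(alerts):
    """Hosts with any critical hit: re-isolate them before they finish encrypting."""
    return sorted({a["host"] for a in alerts if a["severity"] == "critical"})


# Constructed sample events: a backup service account tampering with recovery
# on FS01, persistence being planted on DC01, and two benign lines on WS07.
SAMPLE_LOG = r"""
2025-03-03T02:14:07Z host=FS01 id=4688 user=CORP\svc_backup msg="C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"
2025-03-03T02:14:09Z host=FS01 id=4688 user=CORP\svc_backup msg="bcdedit.exe /set {default} recoveryenabled no"
2025-03-03T02:14:10Z host=FS01 id=4688 user=CORP\svc_backup msg="wbadmin.exe delete catalog -quiet"
2025-03-03T02:20:31Z host=DC01 id=7045 user=SYSTEM msg="A service was installed: WinUpdateSvc, C:\Users\Public\svc.exe"
2025-03-03T02:21:02Z host=DC01 id=4732 user=CORP\jdoe msg="CORP\support was added to group Administrators"
2025-03-03T08:00:00Z host=WS07 id=4688 user=CORP\alice msg="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n report.docx"
2025-03-03T08:05:12Z host=WS07 id=4688 user=CORP\alice msg="schtasks.exe /query /tn Backup"
""".strip().splitlines()


if __name__ == "__main__":
    alerts = evaluate(SAMPLE_LOG)
    for a in alerts:
        print(f'{a["ts"]} {a["severity"]:8} {a["host"]:5} {a["rule"]:28} {a["user"]}')
    print("isolate:", hosts_to_isolate(alerts))
```

The three critical hits on FS01 arrive within three seconds of each other, which is the typical shape of the minute before encryption starts; a rule that fires on that burst, rather than on any single command, is the one worth wiring to automatic isolation. Note that `schtasks /query` and WINWORD produce no alert: the rules key on the tampering verbs, not on the binaries.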
What You Should Have in Place Before This Happens
The difference between a 3-day recovery and a 3-month crisis comes down to preparation. Here is the minimum you need:
- Tested backups with offline or immutable copies. Follow the 3-2-1 pattern (three copies, two media types, one offline or immutable) with weekly fulls and daily incrementals, stored where a domain admin account cannot delete them: separate backup credentials, MFA on the backup console, and object lock or an equivalent immutability setting on cloud copies. Test restoration quarterly, including a full restore of at least one critical system -- backups that have never been tested are not backups.
- A written incident response plan. Not a 200-page document nobody reads. A concise playbook with contact lists, decision trees, and step-by-step procedures for the first 48 hours. NIST SP 800-61 provides the framework; the CISA Ransomware Guide provides the specifics.
- Cyber insurance. A policy that covers incident response costs, forensic investigation, legal fees, notification costs, and business interruption. Read the policy carefully -- many require specific security controls (MFA, EDR, backups) as conditions of coverage.
- Network segmentation. If ransomware can reach every system from a single compromised endpoint, your blast radius is your entire company. Segmentation limits the damage.
- Phishing-resistant MFA on everything. 30% of ransomware attacks on SMBs begin with compromised credentials. MFA is not optional. Phishing-resistant MFA (FIDO2, passkeys) is the current standard.
- Endpoint detection and response (EDR). Traditional antivirus does not stop modern ransomware. EDR provides behavioral detection, automated containment, and forensic data that is critical during incident response.
- Tabletop exercises. Run a ransomware simulation at least twice a year. Walk through the scenario described in this article with your actual team. Identify the gaps before an attacker does.
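Two earlier points, "verify backup integrity" before restoring and "backups that have never been tested are not backups", come down to the same mechanism: a manifest written at backup time that a restore can be checked against. The block below is an added example written for this article, not code from any backup product: at backup time it hashes every file and seals the manifest with an HMAC whose key is assumed to live somewhere the backup host cannot reach (offline, a KMS, a password manager), so a manifest edited on a compromised backup server is detectable; at restore time it checks the seal, refuses a backup dated after the earliest known attacker activity (the identity-system caveat above), and diffs the restored tree for missing, extra and modified files. The sample source tree, the damaged restore it simulates, the key and the timestamps are constructed for the demo.

```python
"""Tamper-evident backup manifest plus restore verification.

At backup time: hash every file and seal the manifest with an HMAC whose key
is kept where the backup host cannot reach it. At restore time: check the seal,
check that the backup predates the earliest known attacker activity, and diff
the restored tree against the manifest.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, taken_at: int) -> dict:
    """taken_at is the Unix time the backup job started."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = Path(dirpath) / n
            files[p.relative_to(root).as_posix()] = {
                "sha256": file_sha256(p), "size": p.stat().st_size}
    return {"taken_at": taken_at, "files": files}


def _canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest: dict, key: bytes) -> dict:
    """Key must live offline / in a KMS, not on the backup server (assumed here)."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_seal(sealed: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def compare(manifest: dict, restored: Path) -> dict:
    """Diff a restored tree against what the manifest says was backed up."""
    expected, actual = manifest["files"], build_manifest(restored, 0)["files"]
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "modified": sorted(k for k in expected.keys() & actual.keys()
                           if expected[k]["sha256"] != actual[k]["sha256"]),
    }


def restore_is_safe(sealed: dict, key: bytes, restored: Path, earliest_compromise: int):
    """Return (ok, reasons). Any reason means: do not bring this restore online."""
    reasons = []
    if not verify_seal(sealed, key):
        return False, ["manifest HMAC does not verify; treat the backup set as tampered"]
    m = sealed["manifest"]
    if m["taken_at"] >= earliest_compromise:
        reasons.append("backup postdates earliest known compromise; "
                       "it may carry the attacker's accounts and persistence")
    for kind, items in compare(m, restored).items():
        if items:
            reasons.append(f"{len(items)} {kind} file(s), e.g. {items[0]}")
    return not reasons, reasons


def build_sample_source(root: Path) -> None:
    """Constructed sample data standing in for a file share."""
    (root / "hr").mkdir(parents=True)
    (root / "hr" / "payroll.csv").write_text("id,name,amount\n1,alice,100\n")
    (root / "contracts.docx").write_bytes(b"PK\x03\x04" + os.urandom(512))


def simulate_damaged_restore(src: Path, dst: Path) -> None:
    """Copy src to dst, then modify one file, drop one, and add an encrypted one."""
    shutil.copytree(src, dst)
    (dst / "hr" / "payroll.csv").write_text("id,name,amount\n1,alice,999\n")
    (dst / "contracts.docx").unlink()
    (dst / "contracts.docx.locked").write_bytes(os.urandom(512))


if __name__ == "__main__":
    KEY = b"offline-manifest-key-example"   # assumed: real key lives outside the domain
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / n for n in ("src", "good", "bad"))
        build_sample_source(src)
        sealed = seal(build_manifest(src, taken_at=1_740_000_000), KEY)
        shutil.copytree(src, good)
        simulate_damaged_restore(src, bad)
        print("clean restore:", restore_is_safe(sealed, KEY, good, 1_740_003_600))
        print("damaged restore:", restore_is_safe(sealed, KEY, bad, 1_740_003_600))
        print("backup after compromise:", restore_is_safe(sealed, KEY, good, 1_739_000_000))
```

The quarterly restore test is then a one-line check rather than a judgement call: restore to an isolated segment, run `restore_is_safe`, and file the output. The HMAC is what makes the manifest useful after an incident; an unsigned hash list sitting next to the backups is the first thing an attacker with backup-server access would rewrite.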
The Bottom Line
Ransomware attacks on SMBs jumped 34% in 2025. The attackers are getting faster -- in the fastest cases, the window between initial access and encryption is less than two hours. Your disaster recovery plan from five years ago was not designed for an adversary who exfiltrates your data, destroys your backups, and encrypts everything in the middle of the night.
The organizations that survive are the ones that prepared before the attack, contained it in the first hours, and recovered with discipline. Everything in this playbook is something you can build today -- before your Monday morning looks like the one described at the top of this article.
Need help building your ransomware response plan?
We help small and mid-size companies build incident response playbooks, test recovery procedures, and harden infrastructure against ransomware. Book a session with our team.