Ransomware: The 60-Minute Response Plan for SMBs (Do This When Minutes Matter)
When a ransom note appears, the clock is unforgiving. This first-hour playbook prioritizes containment, minimal viable communications, and safe recovery—plus an in-page, copy-and-use runbook and a quick tabletop invite.
First, what not to do
Don’t power everything off blindly (you can corrupt evidence).
Don’t negotiate or pay from personal accounts.
Don’t share technical details on insecure channels.
Minute-by-minute: the first 60 minutes
Minutes 0–10 — Identify & triage
- Scope: single user vs. domain? Any servers?
- Snapshot affected systems where applicable and preserve logs before they roll over.
- Spin up a crisis channel (core team: IT lead, exec, legal).
Minutes 10–30 — Contain
- Isolate affected endpoints/segments (unplug LAN/Wi-Fi/VPN).
- Block/rotate compromised and privileged credentials.
- Disable the scheduled tasks, shares and GPOs the malware is using to spread.
Minutes 30–60 — Initial eradication & prepare to recover
- EDR: kill the malicious processes and block the known IOCs (hashes, URLs, C2 addresses).
- Backups: validate the most recent clean restore point.
- Draft a restore order (critical systems first).
- Record everything: timestamps, actions, artifacts.
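The two backup steps above (validate a clean restore point, then draft a restore order with critical systems first) can be drafted mechanically from an asset list and a backup catalogue. This is an added example, not the article's own runbook; the inventory, criticality tiers, snapshot timestamps and compromise time are constructed, and a system with no verified snapshot older than the dwell-time margin is marked for rebuild rather than restore:

```python
# Added example, not the article's code: inventory, tiers and timestamps are constructed.
from datetime import datetime, timedelta
from graphlib import TopologicalSorter
# Hypothetical SMB inventory: system -> (criticality tier, 1 = most critical; dependencies)
INVENTORY = {
    "dc01":       (1, []),
    "backup-srv": (1, []),
    "db01":       (2, ["dc01"]),
    "fileshare":  (2, ["dc01"]),
    "erp-app":    (3, ["dc01", "db01"]),
    "intranet":   (3, ["fileshare"]),
}

# Constructed backup catalogue: system -> [(snapshot time, integrity-verified?)]
RESTORE_POINTS = {
    "dc01":       [(datetime(2024, 5, 1, 1), True), (datetime(2024, 5, 2, 1), True),
                   (datetime(2024, 5, 3, 1), True)],
    "backup-srv": [(datetime(2024, 5, 2, 1), True)],
    "db01":       [(datetime(2024, 5, 1, 1), True), (datetime(2024, 5, 2, 1), False)],
    "fileshare":  [(datetime(2024, 5, 2, 1), True)],
    "erp-app":    [(datetime(2024, 5, 3, 1), True)],   # only a snapshot inside the dwell margin
    "intranet":   [],                                   # no backup at all
}
COMPROMISE_TIME = datetime(2024, 5, 3, 2, 15)  # earliest confirmed attacker activity (constructed)

def clean_restore_point(points, compromise_time, margin=timedelta(hours=24)):
    """Newest verified snapshot older than (compromise time - dwell margin); None means rebuild."""
    cutoff = compromise_time - margin
    return max((ts for ts, verified in points if verified and ts < cutoff), default=None)

def restore_order(inventory):
    """Dependencies first; among ready systems, the most critical tier first (CycleError on loops)."""
    sorter = TopologicalSorter({name: deps for name, (_, deps) in inventory.items()})
    sorter.prepare()
    ready, order = set(), []
    while sorter.is_active():
        ready.update(sorter.get_ready())          # newly unblocked systems
        nxt = min(ready, key=lambda n: (inventory[n][0], n))
        ready.remove(nxt)
        order.append(nxt)
        sorter.done(nxt)
    return order

def restore_plan(inventory, restore_points, compromise_time):
    """Rows in restore order: (system, 'restore' | 'rebuild', snapshot used or None)."""
    plan = []
    for name in restore_order(inventory):
        point = clean_restore_point(restore_points.get(name, []), compromise_time)
        plan.append((name, "restore" if point else "rebuild", point))
    return plan
```

Widen the margin when the dwell time is unknown; the earliest confirmed attacker activity is rarely the real initial access.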
In-Page Playbook: 1-Hour Ransomware Plan
| Step | Owner | Tool/Proof | Status |
|---|---|---|---|
| Isolate affected endpoints/segments | NOC/Helpdesk | Switch/AP/VPN | |
| Reset privileged credentials | IAM | AD/Azure AD/PAM | |
| Block IOCs in EDR/Firewall | SecOps | EDR/NGFW | |
| Validate clean backups | Infra | Backup console | |
| Critical restore order | IT Lead | Runbook | |
| Preserve evidence & logs | SecOps | SIEM/EDR | |
Use this operational table in your runbook. Print this table; keep a hard copy in your IR binder.
Minimum viable communications
- Internal: “We’re containing an incident. IT is restoring services. Next update at HH:MM.”
- Customers/partners: share verified facts only; coordinate wording with legal and the insurer.
- Insurer: notify before making critical decisions.
Restore safely (and prevent repeat attacks)
- Prefer rebuild over restore if integrity is uncertain.
- Rotate keys/secrets after restoration.
- Patch the initial vector (VPN appliance, ESX, Outlook, etc.).
- Harden: MFA everywhere, 100% EDR coverage, isolated backups, network segmentation.
Want to rehearse this plan with your team? Book a free 30-minute tabletop to validate gaps and timings.
