
// NOTE · MAY 13, 2026

The first hour of a ransomware incident — a small-business playbook


// Draft

This article is in progress. The opening section below is the published portion; the remaining sections are outlined to give you a sense of what's coming.

At 9:15 on a Tuesday morning your front-desk staff calls you and says the EHR is “acting weird” and there's a strange message on the screen. By 9:18, you've looked at it and you know. Files have new extensions. There's a text file on the desktop with a payment address. The screensaver has been replaced with a ransom note. This is the moment most small-business incident response plans fail — not because they're bad, but because they were written for a 9:00 AM Monday-morning drill and not for a real one.

The first hour is where most of the damage either compounds or gets contained. Decisions you make in the first hour determine how long the rest of the recovery takes, whether you have to notify regulators and patients, and whether your backups are still intact when you go to use them. This playbook is written for the person who is going to have to make those decisions, with no SOC, no incident retainer, and probably the wrong people at the practice that morning.

Two things to know before we start. First: nothing in here is legal or insurance advice. If you have cyber insurance, the very first call after the immediate containment is to them, because your policy may require specific steps. Second: the steps below assume you have not yet engaged the attackers. Do not engage the attackers without guidance — every interaction is leverage they use against you, and ransomware negotiation is a specialty skill.

What this article covers

  1. Minute 0–5: stop the bleed

    Unplug the network cable from every affected machine and turn off its Wi-Fi. Do not power the machines off: memory contents (running processes, network connections and sometimes the encryption keys themselves) are forensically useful and a shutdown destroys them. The one exception is a machine you cannot isolate from the network by any other means while encryption is visibly still running; powering it down is then the lesser evil. If you can physically reach the switch, unplug the uplink for the affected segment. The goal is to stop lateral movement; you have a short window before the malware finishes spreading to every machine it can reach.

  2. Minute 5–15: identify scope without making it worse

    From a known-clean device (your phone on cellular data, not the office Wi-Fi, is fine), find out whether other systems are showing the same behavior: walk the floor and look at screens rather than logging into machines. Do NOT log into a potentially-infected machine with a domain admin account to investigate; the attacker is harvesting credentials from memory on those machines, and you would be handing over the keys to everything else. Document what you see with photos or screenshots from your phone, including the ransom note and the extension on the encrypted files. List affected systems by name and by what data they hold.

  3. Minute 15–30: notifications and decisions

    Call your cyber insurer if you have one; the policy may require you to use their panel of responders and counsel, and they may direct the response from here. Call your IT provider and your security consultant. If ePHI or NPI is potentially affected, the regulatory clock starts at discovery, which is now: write down the time. Inform leadership; in a small business this is probably the owner, who is probably you. Do not yet notify patients or clients, and do not pay anything.

  4. Minute 30–45: containment and credential rotation

    From a clean device, reset the passwords of every admin account and of any account you have seen in the attacker's hands, service accounts included. Revoke active sessions in Microsoft 365 / Google Workspace, because a password reset alone does not invalidate a session token the attacker already holds. Disable any account showing unusual activity. Pull a list of who logged in where in the last 48 hours (domain controller security logs, the cloud sign-in log, your RMM) and look for anomalies: sign-ins from addresses outside your office and VPN, sign-ins outside business hours, accounts nobody created on purpose, and one admin account touching many machines within a few minutes. Confirm that your backup systems are isolated from the infected network; if the backup store was reachable from an infected machine, assume the attacker reached it too.

  5. Minute 45–60: validate backups, plan the restore

    Find your most recent backup that predates the infection. "Predates" means before the attacker's first activity in your logs, not before the ransom note appeared: encryption is usually the last step, and a backup taken during the attacker's dwell time can carry their tooling and persistence back into the restored environment. Verify that the backup is reachable from a clean device and that its contents are not themselves encrypted; open a few files that matter rather than trusting the timestamp, because a backup store reachable from the infected network is often encrypted in place. Do NOT restore yet. First decide what you are restoring to; you cannot restore onto compromised infrastructure. This is the moment you find out whether your backup strategy was real. Most small businesses find out the hard way that it wasn't.

  6. What NOT to do (the expensive mistakes)

    Don't power off infected machines (unless powering one off is the only way left to isolate it). Don't pay the ransom before exhausting other options and consulting insurance and counsel. Don't restore onto the same infrastructure that got compromised. Don't tell patients or clients anything before you understand the scope. Don't talk to the attackers without a negotiator. Don't post about it on social media. Don't blame staff in the first hour; focus on containment.

  7. The 24-hour window after

    Engage forensics if the scope is unclear or regulatory notification is likely. Determine whether ePHI/NPI was accessed or exfiltrated, not just encrypted; exfiltration is the bigger compliance trigger, and under HIPAA the encryption of ePHI by ransomware is presumed to be a breach unless you can document a low probability that the data was compromised. Begin the regulatory clock formally if applicable. Plan communications: staff first, then clients/patients, then the public if needed. Document everything; the post-incident review is what prevents a second incident.

  8. How to prepare before this happens

    Print this playbook and put it somewhere offline. Test a restore from your backups to a clean machine quarterly, and time it. Keep your insurer's and consultant's contact details written down on paper. Make sure at least two people at the business know where the network kill switches are. Run a 30-minute tabletop exercise once a year. The goal is that when 9:15 Tuesday happens, the first response is muscle memory, not improvisation.
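The "who logged in where in the last 48 hours" review in step 04 is the one place in the first hour where a few lines of code beat eyeballing a log export. The script below is an added example, not part of the playbook or any tool the article describes. The sign-in records, hostnames, accounts, addresses and baselines are all constructed for illustration; in practice you export the records from the domain controller (Security Event 4624), the Microsoft 365 / Google Workspace sign-in log or your RMM and feed them in the same shape. It flags the four anomalies step 04 names and turns them into the list of accounts to disable first.

```python
"""Triage the last 48 hours of sign-ins (playbook step 04). Added example; constructed data.

Record shape: (timestamp, account, host, source_ip, logon_type). logon_type follows
Windows Security Event 4624: 2 = console, 3 = network (admin shares), 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: a practice with one exposed RDP port and a helpdesk admin who
# left cached credentials on the front-desk PC. Every name and address is illustrative.
SAMPLE_LOGINS = [
    ("2026-05-12 08:02", "j.ortiz",     "FRONTDESK-1", "10.0.0.21",     2),
    ("2026-05-12 08:10", "dr.patel",    "EXAM-2",      "10.0.0.34",     2),
    ("2026-05-12 14:30", "it-helpdesk", "FRONTDESK-1", "10.0.0.5",      10),  # admin RDP session; creds now cached there
    ("2026-05-12 23:41", "j.ortiz",     "FRONTDESK-1", "185.220.101.4", 10),  # RDP from the internet, off hours
    ("2026-05-12 23:52", "it-helpdesk", "EHR-SRV",     "10.0.0.21",     3),   # admin account now used FROM the front desk
    ("2026-05-13 00:03", "it-helpdesk", "FILE-SRV",    "10.0.0.21",     3),
    ("2026-05-13 00:06", "it-helpdesk", "BACKUP-NAS",  "10.0.0.21",     3),   # backup store reached before encryption
    ("2026-05-13 00:15", "support1",    "BACKUP-NAS",  "10.0.0.21",     3),   # account nobody created on purpose
    ("2026-05-13 08:05", "dr.patel",    "EXAM-2",      "10.0.0.34",     2),
]

# Baselines you should already have on paper (assumed values).
KNOWN_ACCOUNTS = {"j.ortiz", "dr.patel", "it-helpdesk", "administrator"}
ADMIN_ACCOUNTS = {"it-helpdesk", "administrator"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # office LAN; add your VPN pool
BUSINESS_HOURS = (7, 19)                               # 07:00-19:00 local
DISCOVERY_TIME = datetime(2026, 5, 13, 9, 15)          # the 9:15 Tuesday call


def triage(records, now, window_hours=48, fanout_threshold=3):
    """Return (findings, hosts_by_account) for sign-ins inside the lookback window."""
    cutoff = now - timedelta(hours=window_hours)
    hosts_by_account = defaultdict(set)
    findings = {"external_source": [], "off_hours": [], "unknown_account": [], "admin_fanout": []}
    for ts_str, account, host, ip, logon_type in records:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        if ts < cutoff:
            continue
        hosts_by_account[account].add(host)
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS):
            findings["external_source"].append((ts_str, account, host, ip, logon_type))
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings["off_hours"].append((ts_str, account, host))
        if account not in KNOWN_ACCOUNTS:
            findings["unknown_account"].append((ts_str, account, host))
    # One admin account touching many hosts inside the window is the lateral-movement signature.
    for account, hosts in hosts_by_account.items():
        if account in ADMIN_ACCOUNTS and len(hosts) >= fanout_threshold:
            findings["admin_fanout"].append((account, sorted(hosts)))
    return findings, {a: sorted(h) for a, h in hosts_by_account.items()}


def accounts_to_disable(findings):
    """Accounts to disable and rotate first: came from outside, unknown, or fanned out across hosts."""
    out = {f[1] for f in findings["external_source"]}
    out |= {f[1] for f in findings["unknown_account"]}
    out |= {account for account, _ in findings["admin_fanout"]}
    return out


def triage_sample():
    """Run the triage over the constructed records as of the discovery time."""
    return triage(SAMPLE_LOGINS, DISCOVERY_TIME)


if __name__ == "__main__":
    findings, where = triage_sample()
    for kind, items in findings.items():
        for item in items:
            print(f"{kind:16} {item}")
    print("disable first:", sorted(accounts_to_disable(findings)))
    print("hosts touched:", where)
```

Run as-is it reports the internet-sourced RDP sign-in, five off-hours sign-ins, the unknown `support1` account and `it-helpdesk` fanning out to four hosts, and puts `it-helpdesk`, `j.ortiz` and `support1` at the top of the disable list. The `BACKUP-NAS` rows are also the answer to the last sentence of step 04: the backup store was reached from the infected front-desk PC, so it cannot be assumed clean.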
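Step 05 says to pick the newest backup that predates the infection and to verify its contents rather than its timestamp. The script below is an added example of that check, not part of the playbook or of any backup product. The backup sets, file samples and the "first attacker activity" time are constructed; in practice you would mount each backup read-only from a clean device and read the first kilobyte of a handful of files that matter (the EHR database dump, the shared drive, the mail export). It rejects a set that was taken after the attacker's first activity, a set whose store cannot be reached, and a set whose files carry the ransom extension, fail a file-header check, or have ciphertext-level entropy where plain text is expected.

```python
"""Choose a usable restore point (playbook step 05). Added example; constructed data."""
import math
import os
from collections import Counter
from datetime import datetime

# Earliest suspicious sign-in from your log triage, not the time the note appeared (assumed value).
FIRST_ATTACKER_ACTIVITY = datetime(2026, 5, 12, 23, 41)
OBSERVED_EXT = ".locked"   # whatever extension you saw on the encrypted files (illustrative)

# Expected leading bytes for common types; a mismatch means the file was rewritten in place.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".png": b"\x89PNG"}
TEXT_TYPES = {".csv", ".txt", ".sql", ".log", ".xml"}
TEXT_ENTROPY_LIMIT = 6.0   # bits per byte; plain text sits around 4-5, ciphertext near 8

# Constructed file samples.
CLEAN_CSV = b"patient_id,last_name,dob\n1001,Ortiz,1980-02-14\n1002,Patel,1975-09-30\n"
CLEAN_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
CIPHERTEXT = bytes(range(256)) * 4   # stand-in for encrypted content: every byte value equally likely

# Constructed backup sets: label, when taken, whether reachable from a clean device, sampled files.
BACKUPS = [
    {"label": "nas-nightly-2026-05-13", "taken": "2026-05-13 02:00", "reachable": True,
     "files": {"ehr/patients.csv.locked": CIPHERTEXT, "shared/schedule.pdf.locked": CIPHERTEXT}},
    {"label": "nas-nightly-2026-05-12", "taken": "2026-05-12 02:00", "reachable": True,
     # Taken before the intrusion, but the NAS was reachable from the infected network and the
     # files were encrypted in place without being renamed: the timestamp alone would mislead you.
     "files": {"ehr/patients.csv": CIPHERTEXT, "shared/schedule.pdf": CIPHERTEXT}},
    {"label": "offsite-weekly-2026-05-10", "taken": "2026-05-10 03:00", "reachable": True,
     "files": {"ehr/patients.csv": CLEAN_CSV, "shared/schedule.pdf": CLEAN_PDF}},
]


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_problem(path, data):
    """Return a reason string if this sampled file looks encrypted, else None."""
    lower = path.lower()
    if lower.endswith(OBSERVED_EXT):
        return f"{path}: carries the ransom extension"
    ext = os.path.splitext(lower)[1]
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return f"{path}: header does not match {ext} (rewritten in place?)"
    if ext in TEXT_TYPES and shannon_entropy(data) > TEXT_ENTROPY_LIMIT:
        return f"{path}: entropy {shannon_entropy(data):.2f} bits/byte is too high for text"
    return None


def choose_restore_point(backups, first_activity):
    """Return (label of the newest usable set or None, list of (label, reason) rejections)."""
    rejections = []
    for b in sorted(backups, key=lambda b: b["taken"], reverse=True):   # newest first
        taken = datetime.strptime(b["taken"], "%Y-%m-%d %H:%M")
        if taken >= first_activity:
            rejections.append((b["label"], "taken after the first attacker activity; may carry their tooling"))
            continue
        if not b["reachable"]:
            rejections.append((b["label"], "store not reachable from a clean device"))
            continue
        problems = [p for p in (file_problem(path, data) for path, data in b["files"].items()) if p]
        if problems:
            rejections.append((b["label"], "; ".join(problems)))
            continue
        return b["label"], rejections
    return None, rejections


if __name__ == "__main__":
    label, rejections = choose_restore_point(BACKUPS, FIRST_ATTACKER_ACTIVITY)
    for rejected, reason in rejections:
        print(f"rejected {rejected}: {reason}")
    print("restore from:", label)
```

On the constructed data both NAS sets are rejected, the first for its timestamp and the second because its contents fail the header and entropy checks despite the clean-looking date, and the offsite weekly from three days earlier is the restore point. That three-day gap is the number you carry into the restore plan. The entropy check is deliberately limited to plain-text types: compressed formats such as .docx and .png are near 8 bits per byte even when healthy, which is why those are checked by header instead.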
