HD Tech - SecurITy Delivered

Ransomware Recovery: What to Do in the First 72 Hours

By Tom Hermstad · HD Tech

What should you do immediately after a ransomware attack?

Ransomware hits your business and the clock starts immediately. Disconnect infected systems first — containment comes before recovery. Preserve forensic evidence, notify your incident response team, and restore only from clean, verified backups once you've closed the entry point. For Orange County SMBs, the early hours of ransomware response determine whether you recover quickly or face a prolonged outage.


TL;DR — First Hours: What Actually Matters

  • Isolate immediately. Unplug infected machines from the network the moment you suspect ransomware. Do not power them down yet — you'll destroy forensic evidence.
  • Lock down credentials. Rotate every password and enforce multi-factor authentication before any system comes back online. Attackers frequently steal credentials before they deploy ransomware.
  • Verify your backups before you trust them. Assume backups are compromised until proven otherwise — especially if they lived on the same network as infected systems.
  • Report promptly. Notify the FBI's IC3, your cyber insurance carrier, and legal counsel. Regulatory notification deadlines are strict depending on your industry.
  • Patch the entry point before restoring. Rebuilding on the same vulnerability is how businesses get hit twice.

It's 6 a.m. Monday. Your plant manager calls — screens across the shop floor are locked, files are encrypted, and there's a ransom note demanding a significant sum in Bitcoin. Production stops. Your team is standing around. And you have no idea how far it's spread.

That's not a hypothetical. That's a Tuesday for someone in Orange County right now.

The first hours will determine whether your business recovers clean or limps forward with a compromised environment — and most of those decisions need to happen before you've had your second cup of coffee. The real cost of a ransomware attack in Orange County goes well beyond the ransom demand itself — lost production, regulatory exposure, and permanent reputational damage pile on fast. Don't let recovery chaos double the damage.

Here's exactly what to do.


Stop the Bleeding First

The moment you suspect ransomware, your only job is containment. Not paying the ransom. Not calling your insurance company. Not emailing your team. Containment first.

Step 1: Isolate infected machines immediately.

Pull the network cable. Disable Wi-Fi. If you can't reach the machine physically, have someone on-site do it now. Every moment a ransomware payload runs on a connected machine is another opportunity to spread to file servers, backups, and cloud-synced drives. CISA's guidance is direct: disconnect affected machines from the network and disable compromised accounts as quickly as possible.

Step 2: Do not power down — yet.

This is where most businesses make their first critical mistake. Turning off or reimaging infected machines too quickly destroys forensic evidence — the logs and artifacts your IT team (or law enforcement) needs to identify how the attacker got in. Recovery experts consistently warn against wiping systems before the entry point is understood, because without that knowledge, you risk reinfection the moment systems come back online.

Step 3: Document everything.

Take photos of ransom notes on screens. Screenshot any error messages. Write down what users noticed and when. This documentation matters for your cyber insurance claim, any law enforcement report, and your forensic investigation. Gaps in the timeline cost you.

Step 4: Stand up your incident response team.

This means your IT provider, legal counsel, cyber insurance carrier, and (depending on your industry) a compliance officer. If you're in healthcare, manufacturing with government contracts, or financial services, a ransomware event likely triggers regulatory notification requirements. Get your legal team on the phone now — not after you've started recovery.


Assess, Contain, and Communicate

Once the bleeding stops, you need to understand the scope before you touch anything else.

Step 5: Identify what's affected.

Work with your IT team to map every system that made network contact with the infected machine in the hours before isolation. Check file servers, backup systems, and any cloud-synced storage. If your backups live on a network share that the ransomware could reach, those backups may be compromised too.

Step 6: Notify the right people.

Report the incident to the FBI's Internet Crime Complaint Center (IC3.gov). This is not optional — it creates an official record, may connect you to active investigations involving the same threat actor, and is often required by your cyber insurance policy. Your insurer needs notification as well — check your specific policy for the required notification window, as timelines vary by carrier.

If your business handles protected health information, customer financial data, or defense contract data, your legal team needs to assess breach notification obligations immediately. The timelines are strict and the penalties for missing them are significant.

Step 7: Lock down credentials.

Rotating credentials and enforcing multi-factor authentication (MFA) — where every login requires a second form of verification beyond a password — is non-negotiable before any systems come back online. Credential theft is a common precursor to ransomware deployment. Restored systems with the same passwords are compromised systems.

Step 8: Communicate clearly with your team.

Your employees don't need a technical briefing. They need clear instructions: what they can and cannot use, who to contact with questions, and what the timeline looks like. Silence breeds rumors. Give people a simple, factual update and a point of contact.


Controlled Recovery

This is where most businesses rush — and where most reinfections happen. Recovery is a controlled process, not a race.

Step 9: Identify your clean backup.

Not all backups are created equal. Recovery from ransomware requires a clean, tested, verified backup — preferably immutable (meaning it cannot be altered or deleted, even by an administrator) and stored offline or in a separate environment the ransomware couldn't reach. If you don't know whether your backups are clean, assume they aren't until you've verified. This is exactly why ransomware protection strategies built around immutable, tested backups exist — because a backup you haven't tested is a backup you can't trust.

Step 10: Patch the entry point before restoring.

According to Mimecast research, unpatched systems account for 34% of ransomware entry points. If you restore systems without patching the vulnerability the attacker exploited, you're rebuilding on a broken foundation. Work with your IT team to identify the entry vector — phishing, unpatched software, exposed remote desktop protocol — and close it before any system goes live.

Step 11: Restore in stages, monitor aggressively.

Bring systems back one segment at a time. Start with the most critical business functions. Monitor every restored system for anomalous activity before expanding access. Attackers frequently leave backdoors or persistence mechanisms behind — post-restoration monitoring isn't optional, it's the difference between recovery and round two.

Step 12: Don't pay the ransom without expert guidance.

Paying does not guarantee recovery. You still need to clean the environment, patch the entry point, validate your data, and re-secure credentials — whether you pay or not. And paying may expose you to sanctions risk if the threat actor is on a government watchlist. Talk to legal counsel and your incident response team before making any payment decision.
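Step 9's rule, assume backups are compromised until verified, as a concrete check. This is an added example, not HD Tech's code or any backup product's tooling: it compares a backup set against a SHA-256 manifest recorded off-network before the incident and reports missing, altered and unexpected files, plus anything whose byte entropy looks like ciphertext rather than documents. Every path, file content and the manifest itself are constructed.

```python
import hashlib
import math
from collections import Counter

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, office files and text far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

# Constructed sample data (not from the original post): what the backup held when it was last
# verified. In practice the manifest comes from the backup catalogue, kept where ransomware can't reach.
ORIGINAL = {
    "finance/ledger.csv": b"date,account,amount\n2025-03-01,1010,1250.00\n" * 20,
    "hr/handbook.txt": b"Employee handbook, revision 7. Section 1: Hours of work.\n" * 20,
    "ops/runbook.txt": b"Step 1: call the on-call engineer.\n" * 20,
}
MANIFEST = {path: sha256(data) for path, data in ORIGINAL.items()}  # recorded pre-incident

# Constructed view of the same backup volume after an attack reached it.
CURRENT = {
    "finance/ledger.csv": ORIGINAL["finance/ledger.csv"],                    # untouched
    "hr/handbook.txt.locked": bytes((i * 131 + 7) % 256 for i in range(1024)),  # stand-in for ciphertext
    "README_TO_RESTORE.txt": b"Your files are encrypted. Pay in Bitcoin.\n",  # ransom note
    # ops/runbook.txt is gone entirely
}

def verify_backup(manifest, current, entropy_threshold=7.5):
    """Compare a backup set against its pre-incident manifest. 'trusted' is True only when every
    manifest entry is intact and nothing unexpected has appeared on the volume."""
    f = {"intact": [], "modified": [], "missing": [], "unexpected": [], "encrypted_looking": []}
    for path, digest in manifest.items():
        if path not in current:
            f["missing"].append(path)
        elif sha256(current[path]) == digest:
            f["intact"].append(path)
        else:
            f["modified"].append(path)
    for path, data in current.items():
        if path not in manifest:
            f["unexpected"].append(path)
        if shannon_entropy(data) >= entropy_threshold:
            f["encrypted_looking"].append(path)
    f["trusted"] = not (f["missing"] or f["modified"] or f["unexpected"])
    return f
```

A backup that fails this check is a restore source only after someone explains every finding; the entropy flag is a heuristic and will also fire on legitimately compressed or encrypted archives, so treat it as a prompt to look, not a verdict.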


What This Experience Should Teach You

Every business that survives ransomware walks away with the same lesson: preparation is always cheaper than recovery. The businesses that recover quickly are the ones with tested backups, documented response plans, and a trusted IT partner already in the room.

The businesses that take far longer — or don't recover at all — are the ones who assumed it wouldn't happen to them.

It's not if. It's when.

Understand the real cost of IT downtime in 2026 — and make sure your business can survive it.


Frequently Asked Questions

Disconnect every affected machine from the network right away — unplug the Ethernet cable or disable Wi-Fi if needed. Do not power the machines down before your IT team or a forensics professional has a chance to preserve evidence. Document what you're seeing, stand up your incident response team (IT provider, legal, insurance carrier), and report the incident to the FBI's IC3. Speed of containment directly determines how far the attack spreads.

Not without expert guidance. Paying the ransom does not guarantee your data comes back intact, and it does not clean your environment — you still need to identify the entry point, patch it, validate backups, and rotate all credentials. In some cases, paying may also create legal exposure if the threat actor is subject to U.S. sanctions. Consult legal counsel and your incident response team before making any payment decision.

Assume they're compromised until proven otherwise. Ransomware frequently targets backup systems — especially backups stored on the same network as production systems. Safe backups are immutable (cannot be altered or deleted), stored offline or in a separate environment, and tested regularly before an attack occurs. If you haven't tested your backups recently, you don't know what you're restoring from.

It depends entirely on preparation. Businesses with tested, clean backups and a documented incident response plan tend to restore critical operations far more quickly than those without. Businesses lacking those safeguards can face extended downtime — and some never fully recover. The recovery timeline is almost always determined before the attack happens, not during it.

Yes, in most cases. The FBI's Internet Crime Complaint Center (IC3.gov) accepts ransomware reports and may connect your incident to active investigations. Many cyber insurance policies also require timely notification. Depending on your industry — healthcare, financial services, defense contracting — you may have additional legal obligations to notify regulators or affected parties. Get your legal counsel involved promptly.


If your business is facing a ransomware event right now, or if you want to know exactly how prepared you are before one hits, HD Tech is ready. We work with Orange County SMBs every day to build the backup, recovery, and monitoring infrastructure that makes the difference between a fast recovery and a business-ending event. Book your free Cyber Preparation Assessment — and find out where you actually stand.


Tom Hermstad

President & CMO, HD Tech

Tom Hermstad has led HD Tech since 1995, building one of Southern California's most trusted managed IT and cybersecurity firms. He specializes in helping Orange County businesses eliminate IT headaches and stay ahead of evolving cyber threats — in plain English.
