Ransomware suspected, first 30 minutes checklist
Ransomware is a race against spread. The first 30 minutes decide whether you lose a few laptops or the whole office. Do not pay. Isolate, preserve evidence, keep a timestamped log of what you do, and call for help. No reboots until evidence is preserved.
Try this first
- Minute 0-5: unplug network cables on suspect endpoints and disable their wifi. Do not power off, do not reboot: memory and running processes are evidence and are lost on restart. Photograph what is on screen (ransom note, changed file extensions, any contact address in the note).
- Minute 5-15: call your IT partner and leadership. Open a channel outside your regular Teams/Slack if those may be compromised (Signal, phone); an attacker with access to your tenant can read your response plan there. Keep the incident off internal channels.
- Minute 15-25: widen isolation. Take more endpoints offline; for suspicious M365/Entra accounts revoke sign-in sessions, disable the account or reset the password, and remove registered MFA methods so the user must re-register; set file shares read-only or unmount them. Export logs (Entra sign-in and audit logs, endpoint event logs, firewall and VPN logs) before any reboot.
- Minute 25-30: prepare notifications. Under the GDPR the 72-hour clock for notifying the supervisory authority (DPA) runs from the moment you become aware of the breach: draft now, send once you know the scope. Call your cyber insurer; many have a retained incident response team, and many policies require that you notify them before engaging outside responders.
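The minute 15-25 containment and evidence steps above, as one added PowerShell example (this is not the page's own script). Sections 1-3 run from an admin workstation that is not itself suspect, against Microsoft 365 via the Microsoft Graph PowerShell module; section 4 runs on the Windows file server. The user principal names, share name, group name and evidence path are assumed placeholders.

```powershell
# Added example: containment and evidence preservation for suspected
# ransomware. Not the page's own script. Sections 1-3 run from an admin
# workstation against the M365 tenant (Install-Module Microsoft.Graph);
# section 4 runs on the file server itself (SmbShare module, built in).
# All names below are assumptions; replace them with your own.

$Suspects = @('finance.user@example.com', 'svc-backup@example.com')   # assumed UPNs
$Evidence = 'D:\evidence\' + (Get-Date -Format 'yyyyMMdd-HHmm')        # assumed path
$Share    = 'Data'                                                     # assumed share
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All',
                        'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

foreach ($upn in $Suspects) {
    # 1. Evidence first: export this user's sign-ins before touching the account.
    #    Entra keeps sign-in logs 7 days (free) or 30 days (P1/P2), so pull them now.
    $safeName = $upn -replace '[@.]', '_'
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All |
        Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
                      @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
                      @{ n = 'Country';   e = { $_.Location.CountryOrRegion } } |
        Export-Csv -Path (Join-Path $Evidence "signins-$safeName.csv") -NoTypeInformation

    # 2. Contain: block sign-in and invalidate refresh tokens. Revoking sessions
    #    kills refresh tokens, but already-issued access tokens can stay valid
    #    for up to an hour unless Continuous Access Evaluation applies, which is
    #    why the account is disabled as well rather than only revoked.
    Update-MgUser -UserId $upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $upn | Out-Null

    # 3. Reset MFA: remove authenticator-app and phone methods so any device the
    #    attacker registered is gone and the user re-enrols when re-enabled.
    Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn | ForEach-Object {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn `
            -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
    }
    Get-MgUserAuthenticationPhoneMethod -UserId $upn | ForEach-Object {
        Remove-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneAuthenticationMethodId $_.Id
    }
    Write-Host "$upn : sign-ins exported, account disabled, sessions revoked, MFA methods removed"
}

# 4. On the file server: downgrade every Allow entry on the share that is not
#    already read-only, then snapshot event logs before anyone reboots the box.
Get-SmbShareAccess -Name $Share |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' } |
    ForEach-Object {
        Revoke-SmbShareAccess -Name $Share -AccountName $_.AccountName -Force
        Grant-SmbShareAccess  -Name $Share -AccountName $_.AccountName -AccessRight Read -Force
    }

foreach ($log in 'Security', 'System', 'Application',
                 'Microsoft-Windows-PowerShell/Operational',
                 'Microsoft-Windows-TaskScheduler/Operational') {
    $out = Join-Path $Evidence (($log -replace '[/ ]', '_') + '.evtx')
    wevtutil epl $log $out          # exports the log as-is; channel stays intact
}

# Hash the exported evidence so its integrity can be shown later.
Get-FileHash -Path (Join-Path $Evidence '*') -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $Evidence 'hashes.csv') -NoTypeInformation
```

Disabling the account is deliberate: session revocation alone leaves a window in which a cached access token still works. Re-enable the account only after the password has been reset and the user has re-registered MFA on a device you trust, and keep the exported CSV and EVTX files off the affected machines.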
When to bring us in
Stop DIY at minute 30. From there a professional belongs at the table for forensics, restore strategy and communications. We have run this playbook many times and keep it calm.
See also
- We have backups but we do not know if they work: a backup that cannot be restored is not a backup. Testing matters as much as taking the backup.
- Suspected ransomware, what to do RIGHT NOW: the first 30 minutes are critical. One wrong move spreads the damage. Read before acting.
- Someone accidentally deleted an important folder: usually fine to recover. The trick: do not save anything new on that drive until you know how.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.