TL;DR
- Ransomware attacks on SMBs increased 62% in 2024 according to the Sophos State of Ransomware 2024 report. The average ransom demand for small businesses exceeded $100,000, and the average total cost of recovery was $1.82 million.
- The first 24 hours are critical: Your actions in the immediate aftermath determine whether the attack stays contained or spreads to backup systems, connected networks, and cloud accounts. Wrong moves in the first hours can make recovery impossible.
- Do NOT wipe systems or pay immediately: Both instincts are common and both are mistakes. Wiping destroys the forensic evidence needed to work out how the attacker got in and to support insurance claims. Paying without proper analysis often leads to incomplete decryption, repeated targeting, or sanctions violations.
- A pre-built playbook eliminates panic-driven decisions: The worst time to figure out your response plan is during the attack itself.
The Moment Everything Stops
It usually starts with a phone call. "The files won't open." "There's a weird message on my screen." "Everything is really slow." Then the realisation hits: encrypted files, ransom notes appearing across systems, business operations grinding to a complete halt.
This is the moment that separates businesses that survi
Sophos' State of Ransomware 2024 report surveyed 5,000 IT/cybersecurity leaders across 14 countries and found that 59% of organisations were hit by ransomware in the past year. For businesses with fewer than 500 employees, the average total cost of recovery was $1.82 million — including downtime, lost business, remediation, and ransom payments. According to the ASD's ACSC Annual Cyber Threat Report 2024-25, ransomware remained the most destructive cybercrime threat to Australian organisations, with the average self-reported financial loss increasing to over $46,000 for businesses and significantly higher for businesses that paid the ransom.
The businesses that recover quickly share one common characteristic: they had a plan before the attack. They knew exactly what to do in the first hour, the first 12 hours, and the first 24 hours. They didn't waste time Googling, arguing, or panicking.
Hour 0-1: Containment (Stop the Bleeding)
The first hour is about preventing the ransomware from spreading further. Every minute of delay means more systems encrypted and more data at risk.
Disconnect — Don't Power Off
Immediately disconnect affected systems from the network: pull the Ethernet cable, disable WiFi, and if your EDR product offers host isolation, use it, since it cuts everything except the EDR's own channel and scales better than walking to each machine. Do NOT power off the systems. Powering off destroys evidence held in memory (RAM) that forensic investigators need, including the running sample and, for some variants, the encryption keys themselves, which analysts have been able to recover from memory dumps. It can also leave files half-written in a state that no decryptor will handle. If the affected system is a virtual machine, suspend it or take a snapshot that includes memory rather than shutting it down.
Isolate the Network
If multiple systems are affected, consider disconnecting your entire network from the internet at the router/firewall level. This cuts the ransomware off from its command-and-control infrastructure and, more importantly for most SMBs, stops file-sync clients (OneDrive, Dropbox, Google Drive) from pushing encrypted copies into your cloud storage. Shut down the VPN and any remote access gateways at the same time, since the attacker's own access usually runs over them. Two caveats: many variants encrypt without needing to reach their C2, so going offline does not stop encryption already under way on hosts you have not isolated, and cutting the internet also cuts your EDR console and any cloud-hosted e-mail or chat, so agree on an out-of-band channel (mobile phones) before you pull the plug.
Identify the Scope
Take 15 minutes to assess: How many systems are encrypted? Which departments are affected? Are servers hit, or just workstations? Is a domain controller or the hypervisor among them? Are backups accessible? This initial scoping determines your response intensity.
Preserve Evidence
Do NOT start "cleaning up" or reimaging systems. Photograph ransom notes on screens and keep the note files themselves. Note the extension appended to encrypted files and the ransom note filename (both help identify the ransomware family), and record the e-mail addresses, wallet addresses or onion URLs in the note. Keep at least one encrypted file together with an unencrypted copy of the same file from e-mail or an old backup if one exists: decryptor tools frequently need such a pair. Document everything you observe with times, systems and symptoms, and hash any file you collect so its integrity can be shown later.
Alert Your Insurance Provider
If you have cyber insurance, notify your insurer immediately. Many policies have short notification windows, sometimes as little as 24-48 hours, and late notice can jeopardise the claim. Your insurer will often provide access to incident response professionals, legal counsel, and negotiation specialists at no additional cost, but usually only through its own panel: engaging a firm of your own choosing first may not be reimbursed, so make the call before you commission outside help.
Hour 1-4: Assessment and Mobilisation
With immediate containment complete, shift to understanding the full scope and mobilising your response.
Identify the Ransomware Variant
The ransom note and encrypted file extensions can help identify which ransomware family you're dealing with. Use free tools like ID Ransomware (id-ransomware.malwarehunterteam.com) to upload a ransom note or encrypted file sample; choose a file whose contents are not sensitive, because the sample leaves your control. Treat a match as a lead rather than a verdict, since note wording and extensions are reused across families. Some variants have known decryptors available for free from nomoreransom.org.
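The scoping, evidence and variant-identification steps above can be driven by one read-only script run from a clean analysis host against a read-only mount of an affected share or an offline disk image. The following is an added example written for this article, not tooling from the original page or its author: it walks a tree, separates ransom-note candidates from encrypted files by checking whether each file's first bytes still match what its extension promises (a .docx that no longer starts with a ZIP header has been overwritten in place), tallies the extension the ransomware appended, hashes any note it finds for the evidence log, and brackets the encryption run by file modification time. The note-filename regex, the extension tables, the sample directory and the made-up ".xyzq" extension are all assumptions constructed for the example.

```python
"""First-hour ransomware triage: scope the encryption and record evidence.

Run from a clean analysis host against a read-only mount or an offline disk
image. The script only reads; it never modifies or moves what it inspects.
"""
import hashlib
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Filename fragments typical of dropped ransom notes (an assumption for the
# example; adjust it to the note actually showing on your screens).
RANSOM_NOTE_RE = re.compile(r"(readme|recover|restore|decrypt|how[_ -]?to)", re.I)

# What a healthy file of each type begins with. A .docx that no longer starts
# with a ZIP header has been overwritten in place with its extension untouched.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
         ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
TEXT_TYPES = {".txt", ".csv", ".log"}   # judged by entropy, not magic bytes
KNOWN = set(MAGIC) | TEXT_TYPES

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path: str) -> str:
    """Hash evidence files so their integrity can be shown to insurers or police."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_encrypted(path: str, ext: str) -> bool:
    """True when the content no longer matches what the extension promises."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    if ext in TEXT_TYPES:
        return shannon_entropy(head) > 7.0
    return True   # extension unknown here: treat it as one the ransomware appended

def triage(root: str) -> dict:
    """Walk the tree; report appended extensions, ransom notes and the encryption window."""
    appended, encrypted, notes = Counter(), [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if RANSOM_NOTE_RE.search(stem) and ext in {".txt", ".html", ".hta", ""}:
                notes.append({"path": path, "sha256": sha256_file(path)})
                continue
            if looks_encrypted(path, ext):
                encrypted.append(path)
                # report.docx.xyzq -> ".xyzq"; report.docx overwritten in place -> "(none)"
                appended["(none)" if ext in KNOWN else ext] += 1
    mtimes = [os.stat(p).st_mtime for p in encrypted]
    # Encryption rewrites each file, so mtimes bracket the run unless the
    # malware restores timestamps afterwards (some families do).
    window = None
    if mtimes:
        window = tuple(datetime.fromtimestamp(t, timezone.utc).isoformat(timespec="seconds")
                       for t in (min(mtimes), max(mtimes)))
    return {"encrypted_count": len(encrypted), "appended_extensions": dict(appended),
            "ransom_notes": notes, "encryption_window": window}

def build_sample_tree() -> str:
    """Constructed sample share for this example, not data from a real incident."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "Finance"))
    files = {
        "Finance/notes.txt": b"Q3 board notes. Revenue up 4%, churn flat.\n" * 20,
        "Finance/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 200,
        "Finance/budget.xlsx.xyzq": os.urandom(4096),   # ".xyzq" is a made-up extension
        "Finance/report.docx.xyzq": os.urandom(4096),
        "Finance/contract.pdf": os.urandom(4096),       # encrypted in place
        "Finance/HOW_TO_RECOVER_FILES.txt": b"Your files are encrypted. Contact ...\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

The appended-extension tally and the note hash are what you feed into ID Ransomware; the encryption window tells you roughly when the run started, which narrows the log search for the initial access. Compressed formats (Office documents, PDFs, images) have high entropy even when healthy, which is why the script checks magic bytes for them and uses entropy only for plain-text types.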
Check Backup Integrity
This is the most critical question in any ransomware response: do you have clean, restorable backups? Check your backup system, but do NOT connect it to the infected network. If backups sit on a network-connected drive, or are reachable with the same domain credentials the attacker now holds, assume they may have been encrypted or deleted too: modern ransomware specifically targets backup systems and routinely deletes Volume Shadow Copies before encrypting. Verify restorability by actually restoring a sample onto an isolated host and checking file hashes against your backup manifest, not by trusting the backup software's green tick.
If you have clean offline or immutable backups, recovery without paying the ransom becomes feasible. If you don't, your options narrow significantly. One caveat even when backups are good: attackers are typically inside the network for days or weeks before they encrypt, so a backup taken during that window can contain their tooling and accounts. Prefer the newest backup that predates the earliest sign of intrusion, and scan whatever you restore before it rejoins the network.
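One way to answer the backup question from an isolated host, as an added example written for this article rather than the page's own tooling: compare the backup set against a SHA-256 manifest recorded when the backup was taken (sha256sum's output format is assumed) and stored somewhere the ransomware could not reach. Files whose hash no longer matches have been rewritten since backup, files present in the manifest but gone from the set have been renamed or deleted, and files present but absent from the manifest are what the attacker dropped. The sample set, its healthy manifest and the simulated damage are constructed for the example; ".xyzq" is a made-up extension.

```python
"""Verify an offline backup set against the hash manifest written when it was taken.

Assumes a manifest in sha256sum output format ("<64 hex>  <relative path>" per
line) generated at backup time and kept where the ransomware could not reach it.
Run on an isolated host; never mount the backup on the infected network.
"""
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    """Streamed SHA-256 so multi-gigabyte backup files are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(1 << 20):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """sha256sum lines -> {relative path: hex digest}; blanks and '#' comments ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum output
    return manifest

def verify_backup(root: str, manifest: dict) -> dict:
    """Classify every file as ok / modified / missing / unexpected against the manifest."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                report["unexpected"].append(rel)   # renamed file or a dropped ransom note
            elif sha256_file(path) == expected:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)     # rewritten since backup: encrypted in place?
    report["missing"] = list(set(manifest) - seen)   # in the manifest, gone from the set
    for bucket in report.values():
        bucket.sort()
    return report

def restorable(report: dict) -> bool:
    """Trust only a set with every manifest entry present and unchanged, and nothing extra."""
    return not (report["modified"] or report["missing"] or report["unexpected"])

def build_healthy_backup() -> tuple:
    """Constructed backup set plus its manifest, as they were the day the backup ran."""
    root = tempfile.mkdtemp(prefix="backup_")
    os.makedirs(os.path.join(root, "Finance"))
    healthy = {
        "Finance/notes.txt": b"Q3 board notes.\n" * 50,
        "Finance/budget.xlsx": b"PK\x03\x04" + b"\x00" * 500,
        "Finance/contract.pdf": b"%PDF-1.7\n" + b"x" * 500,
    }
    lines = []
    for rel, data in healthy.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
    return root, "\n".join(lines) + "\n"

def simulate_ransomware(root: str) -> None:
    """Constructed damage: one file encrypted in place, one renamed, a note dropped."""
    with open(os.path.join(root, "Finance/contract.pdf"), "wb") as f:
        f.write(os.urandom(512))
    os.rename(os.path.join(root, "Finance/budget.xlsx"),
              os.path.join(root, "Finance/budget.xlsx.xyzq"))   # ".xyzq" is made up
    with open(os.path.join(root, "Finance/HOW_TO_RECOVER_FILES.txt"), "wb") as f:
        f.write(b"Your files are encrypted.\n")

if __name__ == "__main__":
    root, manifest_text = build_healthy_backup()
    manifest = parse_manifest(manifest_text)
    print("before attack, restorable:", restorable(verify_backup(root, manifest)))
    simulate_ransomware(root)
    report = verify_backup(root, manifest)
    print("after attack, restorable:", restorable(report))
    print(report)
```

If you do not keep a manifest today, generating one at backup time with sha256sum (or your backup product's own verification report) and storing it with the offline copy is the cheapest improvement on this page. An intact set is still not automatically a clean one: apply the dwell-time caveat above and check the backup date against your earliest sign of intrusion before you restore from it.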
Assemble Your Response Team
Internal: Business owner/executive, IT manager, legal/compliance contact. External: Cyber insurance provider, IT service provider or MSP, legal counsel (your insurer often provides this), law enforcement (ASD's ACSC ReportCyber in Australia, FBI IC3 in the US).
Document Everything
Start a chronological incident log. Every action taken, every decision made, every person contacted, with timestamps and the name of whoever did it. Keep it on something the attacker cannot reach, such as a laptop that is not joined to the domain, or paper if need be. This log is critical for insurance claims, regulatory notifications, and post-incident review.
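A simple way to keep that log trustworthy, as an added example for this article and not code from the original page or its author: each entry carries the SHA-256 of the previous entry, so anyone who later edits, deletes or reorders an entry breaks the chain, and a verifier can point at the first bad sequence number. The case number, hostnames and timestamps in demo_log() are constructed for the example.

```python
"""Tamper-evident incident log for ransomware response.

Each entry is chained to the previous one by SHA-256, so editing, removing or
reordering any entry after the fact breaks verification. Keep a copy off the
incident network; insurers, regulators and the post-incident review all work
from this timeline.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous hash" of the first entry

class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        """Hash the canonical JSON of every field except the hash itself."""
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, at=None) -> dict:
        """Append one event. `at` defaults to now (UTC); pass a datetime when back-filling."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries) + 1,
            "time": (at or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def dump(self) -> str:
        """One JSON object per line, suitable for handing to the insurer or counsel."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def load(cls, text: str):
        log = cls(incident_id="")
        log.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        if log.entries:
            log.incident_id = log.entries[0]["incident"]
        return log

def demo_log() -> IncidentLog:
    """Constructed entries for the example; case number and hostnames are hypothetical."""
    log = IncidentLog("IR-2025-0001")
    t0 = datetime(2025, 3, 4, 22, 10, tzinfo=timezone.utc)
    log.record("J. Ops", "Ransom note reported on FIN-WS-07; host unplugged, left powered on", t0)
    log.record("J. Ops", "Firewall WAN link disabled; VPN gateway shut down", t0.replace(minute=25))
    log.record("Owner", "Cyber insurer notified, claim reference pending", t0.replace(minute=40))
    return log

if __name__ == "__main__":
    log = demo_log()
    print(log.verify())               # (True, None)
    log.entries[1]["action"] = "Nothing happened"
    print(log.verify())               # (False, 2)
```

Run dump() at the end of each shift and send the text to someone outside the incident (counsel, the insurer); a copy held by a third party is what makes the chain convincing, because a person who controls the only copy could rewrite every hash.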
Hour 4-12: Decision Point
This is where the hard decisions happen.
The Payment Question
Should you pay the ransom? This is a business decision, not a technical one, and it's more complex than it appears.
Arguments against paying:
- Payment encourages further attacks and funds criminal organisations
- Sophos found that only 65% of data was recovered on average after payment
- Some ransomware groups demand additional payments after the first
- Payment may violate sanctions regulations (OFAC in the US, DFAT in Australia) if the group is on a sanctioned list
- There's no guarantee the decryption key will work
Arguments for paying:
- Business survival may depend on data recovery
- When no viable backups exist, payment may be the only option
- Insurance may cover ransom payments (check your policy)
The right answer depends on your specific situation: the value of the encrypted data, the availability of backups, the ransom amount, the ransomware variant, and the financial impact of extended downtime.
This decision should never be made in a vacuum. A pre-built incident response plan with decision trees helps you evaluate your options systematically, not emotionally. If payment is on the table, have counsel or your insurer run sanctions screening on the group first, let a professional negotiator handle all contact (they typically obtain a test decryption of a few files before any money moves, and often a lower price), and plan to rebuild anyway: a decryptor recovers files, not a trustworthy network.
Begin Regulatory Assessment
Determine whether notification is required:
- Australia (NDB scheme, Privacy Act): Notify the OAIC and affected individuals as soon as practicable if personal information is involved and a reasonable person would conclude that the breach would likely result in serious harm. Loss of access through encryption can qualify on its own; exfiltration ("double extortion") almost always does
- Australia (Cyber Security Act 2024): Businesses with annual turnover above $3 million must report any ransomware payment to the Australian Government within 72 hours of making it
- GDPR: Notify the supervisory authority within 72 hours of becoming aware of the breach if EU residents' data is involved
- US: Check state-specific notification requirements (timeframes vary from 30-90 days)
Your communication templates should already be drafted (in your IRP). Fill in the specifics and route through legal review.
Hour 12-24: Recovery and Communication
Begin Recovery Operations
If clean backups are available, begin restoring critical systems. Prioritise in this order:
- Domain controllers and authentication systems
- Email and communication platforms
- Line-of-business applications
- User workstations
Before restoring, ensure the attack vector has been identified and closed. Restoring systems into the same vulnerable environment will result in re-infection. If a domain controller was compromised, rebuild it from clean media rather than restoring it, then reset every privileged and service account password and reset the krbtgt account password twice, because the attacker almost certainly harvested credentials long before encryption began. Restore into an isolated network segment, scan, and only then reconnect.
Communicate Transparently
Notify affected parties as required by law and good practice:
- Employees: Inform staff about the situation, what's being done, and what they should/shouldn't do
- Customers: If their data may be affected, transparent early communication builds trust. Delayed disclosure destroys it
- Vendors/Partners: If shared systems or data are involved, notify relevant partners
Plan Post-Incident Actions
Before the adrenaline fades, schedule a post-incident review for 48-72 hours after recovery. Cover: How did the attacker get in? Why weren't existing controls effective? What would we do differently? What investments are needed to prevent recurrence?
The Preparation That Saves Millions
The businesses that navigate ransomware successfully share common preparation elements: they have offline backups tested regularly, an incident response plan that's been rehearsed, cyber insurance with appropriate coverage, and employee training that reduces the likelihood of the initial compromise.
The time to prepare is before the attack, not during it.
Frequently Asked Questions
Should I report the attack to law enforcement?
Yes. In Australia, report to the ASD's ACSC via ReportCyber. In the US, report to the FBI's IC3. In the UK, report to the NCSC and Action Fraud. Law enforcement may have intelligence about the specific threat actor, known decryption keys, or the ability to assist with recovery. Reporting also helps protect other organisations.
Does cyber insurance cover ransomware?
Most cyber insurance policies cover ransomware-related costs including ransom payments, forensic investigation, business interruption, legal expenses, and notification costs. However, coverage depends on your specific policy terms and whether you met the policy's security requirements (like having MFA enabled), and many policies only reimburse response firms from the insurer's own panel. Review your policy before an incident.
How long does recovery take?
Recovery time varies dramatically. Organisations with clean offline backups and a tested IRP can recover critical systems within 24-72 hours. Without backups, recovery can take weeks or months, or may not be possible at all. Sophos reports the average recovery time for SMBs is 2-4 weeks.
Can I decrypt the files without paying?
Sometimes. The No More Ransom project (nomoreransom.org) maintains a collection of free decryption tools for known ransomware variants. Check ID Ransomware to identify your variant, then check No More Ransom for available tools. However, newer ransomware variants rarely have free decryptors available. Keep a copy of the encrypted files even if nothing is available today: keys for some families have been published later, after law-enforcement takedowns or leaks, and a decryptor is useless if the ciphertext has been deleted.
How do I prevent ransomware?
The most effective prevention measures are: employee security awareness training (phishing is the most common entry point), regular offline backups (tested quarterly), endpoint detection and response (EDR), prompt patching of internet-facing systems such as VPN gateways, no RDP exposed directly to the internet, multi-factor authentication (MFA) on all accounts, and network segmentation to limit lateral movement.