Blog, Apr 02, 2025, 4 min read

Ransomware Incident Response for Small Security Teams

A practical incident response guide for organizations without dedicated SOCs or 24/7 coverage.

By 3SN Team
#ransomware #incident-response #disaster-recovery #small-teams #business-continuity

When ransomware hits without a SOC

Most ransomware incident response guides assume you have a security operations center, dedicated incident responders, and 24/7 coverage. Most organizations have none of these. When an employee opens a spreadsheet and suddenly files start encrypting, a team of three IT generalists faces a crisis that would strain a Fortune 500 security department.

This guide is for that reality. It focuses on what small teams can actually do in the critical first hours, the decisions that cannot wait, and the preparations that make survival possible.

The first 60 minutes: stop the bleeding

Ransomware spreads fast. Your first priority is containment, not diagnosis.

Isolate infected systems immediately. Pull the network cable or disable WiFi on every machine showing symptoms; if you can shut the switch port, shut it. Prefer cutting the network to cutting the power: shutting a machine down destroys what is in memory (running processes, live connections, and occasionally the key material that makes decryption possible), which a forensic analyst may later need. Do not wait to confirm the infection. A false alarm costs minutes. A slow response costs the company.

Disconnect shared resources. Take file shares offline, disable VPN access, and pause any backup job that connects to compromised systems, so encrypted files do not get copied over the last good versions. Attackers routinely delete or encrypt every backup they can reach before and during the encryption run.

Preserve evidence. Capture screenshots of ransom notes before closing windows, and keep a copy of the note file itself plus two or three encrypted files (with their unencrypted originals, if copies exist elsewhere): they identify the family and are what a decryptor needs. Note the time of discovery, the user who reported it, the machine it started on, and any suspicious emails or files. Do not wipe or reimage anything until the response team agrees it has what it needs. This information becomes critical for recovery, insurance claims and regulatory reporting.

Notify your response team. Even if that team is just your IT lead and CEO, get everyone on a call, ideally on a channel that does not depend on the affected network or its email (personal phones, a consumer chat app), since attackers frequently read the victim's mailboxes. Ransomware decisions (pay or not, restore or rebuild) require leadership input and should not be made unilaterally.

The next four hours: assess and communicate

Once the immediate spread is contained, shift to assessment and communication.

Determine the scope. Which systems are encrypted, and which was hit first? Which backups are intact, and were they reachable from a compromised system? Has data been exfiltrated? Most groups now steal data days before they encrypt, so check firewall, proxy and cloud-storage logs for unusually large outbound transfers to unfamiliar destinations in the days before detection, and look for archiving or sync tools (7-Zip, WinRAR, rclone) on servers where they do not belong.
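The outbound-volume check above, as an added example that is not code from the original post or from 3SN: it reads a minimal CSV export of firewall or proxy logs (the column layout, the sample records and the thresholds are constructed for the demonstration), compares each host's daily outbound total with that host's own median, and lists the destinations that appear only on the flagged day.

```python
"""Spot the outbound-volume spike that often precedes ransomware encryption.

Added example for this guide, not code from the original post or from 3SN.
It assumes a minimal export of firewall or proxy logs with the columns
date,src_ip,dst_ip,dst_port,bytes_out; the column order, the sample records
below and the thresholds are constructed for the demonstration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one week of outbound traffic for two workstations.
# 10.0.1.15 pushes ~9 GB to a never-before-seen address on 2025-03-30.
SAMPLE_LOG = """\
date,src_ip,dst_ip,dst_port,bytes_out
2025-03-24,10.0.1.15,198.51.100.10,443,4200000
2025-03-25,10.0.1.15,198.51.100.10,443,3900000
2025-03-26,10.0.1.15,198.51.100.10,443,4500000
2025-03-27,10.0.1.15,198.51.100.10,443,4100000
2025-03-28,10.0.1.15,198.51.100.10,443,3800000
2025-03-29,10.0.1.15,198.51.100.10,443,4300000
2025-03-30,10.0.1.15,198.51.100.10,443,4000000
2025-03-30,10.0.1.15,203.0.113.77,443,9000000000
2025-03-24,10.0.1.22,198.51.100.20,443,3100000
2025-03-25,10.0.1.22,198.51.100.20,443,2900000
2025-03-26,10.0.1.22,198.51.100.20,443,3300000
2025-03-27,10.0.1.22,198.51.100.20,443,3000000
2025-03-28,10.0.1.22,198.51.100.20,443,2800000
2025-03-29,10.0.1.22,198.51.100.20,443,3200000
2025-03-30,10.0.1.22,198.51.100.20,443,3100000
"""


def parse_log(text):
    """Parse the CSV export into (date, src, dst, port, bytes_out) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        if not line.strip():
            continue
        date, src, dst, port, nbytes = line.split(",")
        rows.append((date, src, dst, int(port), int(nbytes)))
    return rows


def find_exfil_candidates(rows, factor=10.0, min_bytes=500_000_000):
    """Return per-host days whose outbound volume dwarfs that host's median.

    A day is flagged when its total is at least `factor` times the host's
    median daily volume and also above `min_bytes`, so a host with a large
    normal baseline is not flagged for ordinary variation. Destinations seen
    only on the flagged day are listed: a new external endpoint receiving
    gigabytes is the classic staging-server pattern.
    """
    daily = defaultdict(lambda: defaultdict(int))   # host -> date -> bytes
    dests = defaultdict(lambda: defaultdict(set))   # host -> date -> {dst}
    for date, src, dst, _port, nbytes in rows:
        daily[src][date] += nbytes
        dests[src][date].add(dst)

    findings = []
    for host, days in daily.items():
        if len(days) < 3:
            continue  # too little history for a meaningful baseline
        baseline = median(days.values())
        for date, total in sorted(days.items()):
            if total >= factor * baseline and total >= min_bytes:
                seen_elsewhere = set()
                for other_date, dst_set in dests[host].items():
                    if other_date != date:
                        seen_elsewhere |= dst_set
                findings.append({
                    "host": host,
                    "date": date,
                    "bytes_out": total,
                    "baseline": baseline,
                    "new_destinations": sorted(dests[host][date] - seen_elsewhere),
                })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} on {f['date']}: {f['bytes_out']:,} bytes out "
              f"(baseline {f['baseline']:,}); new destinations: "
              f"{', '.join(f['new_destinations']) or 'none'}")
```

Feed it as many weeks of history as the logs hold rather than one, and run it over server segments first: file servers and domain controllers are where stolen data is usually staged, and a workstation-sized baseline is easy to hide under.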

Identify the variant. The ransom note usually names the ransomware family, and the extension appended to encrypted files is a second clue. Research that specific variant to understand its behavior (does it steal data, does it spread on its own, does it delete shadow copies), whether a free decryptor exists (the No More Ransom project maintains a catalogue), and typical ransom demands.
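A triage pass over a file share, as an added example (not code from the original post or from 3SN) that serves both the scope question above and the variant question: it walks a directory tree, uses the byte entropy of each file's first 4 KiB to separate encrypted files from intact ones, tallies the suffix on the encrypted files (that appended extension is what you look up alongside the note text), and collects ransom-note candidates by name. The note-name patterns, the entropy threshold and the sample tree it builds under a temporary directory are assumptions made for the demonstration.

```python
"""Triage a file share after encryption: which files look encrypted, which
extension the ransomware appended, and where the ransom notes are.

Added example for this guide, not code from the original post or from 3SN.
The note-name patterns, the entropy threshold and the sample tree built by
build_sample_tree() are constructed for the demonstration.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom notes are almost always small text/HTML files with names like these.
NOTE_NAME = re.compile(r"(readme|decrypt|recover|restore|how.?to|help)", re.I)
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
SAMPLE_BYTES = 4096          # sampling the first 4 KiB is enough to judge
ENTROPY_THRESHOLD = 7.5      # bits/byte; ciphertext sits at roughly 7.9-8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root):
    """Walk `root` and classify files by entropy and name (paths relative to root)."""
    root = Path(root)
    encrypted, notes = [], []
    extensions = Counter()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in NOTE_SUFFIXES and NOTE_NAME.search(path.stem):
            notes.append(rel)
            continue
        head = path.read_bytes()[:SAMPLE_BYTES]
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(rel)
            extensions[path.suffix.lower() or "(none)"] += 1
    # Entropy alone cannot tell a JPEG or ZIP from ciphertext; the suffix
    # tally can. One unfamiliar suffix on hundreds of files is the ransomware's
    # signature, while the odd .jpg in the list is a known false positive.
    return {"encrypted": encrypted, "extensions": extensions, "notes": notes}


def build_sample_tree(root):
    """Constructed sample: two encrypted documents, a note, plain text, a JPEG look-alike."""
    rng = random.Random(42)

    def noise():
        return bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))

    root = Path(root)
    (root / "docs").mkdir()
    (root / "photos").mkdir()
    (root / "docs" / "Q1-budget.xlsx.locked").write_bytes(noise())
    (root / "docs" / "contract.docx.locked").write_bytes(noise())
    (root / "docs" / "meeting-notes.txt").write_text("Agenda: backups\n" * 200)
    (root / "docs" / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted.\n")
    (root / "photos" / "team.jpg").write_bytes(noise())  # compressed data looks random too


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = run_demo()
    print("encrypted-looking files:", len(result["encrypted"]))
    print("suffix tally:", result["extensions"].most_common())
    print("ransom notes:", result["notes"])
```

Run it read-only against a share mounted from a clean machine, never from the infected host, and keep the output with the rest of the evidence: the suffix tally and a note path are exactly what an insurer's forensic team asks for first.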

Engage legal and insurance. Your cyber insurance policy likely requires specific notification timelines. Legal counsel can advise on breach notification obligations and privilege protections for your response.

Prepare internal communications. Employees will notice disrupted systems. Have a clear, honest message ready. Avoid speculation. State what happened, what is being done, and when they can expect updates.

The critical decision: to pay or not to pay

There is no universal answer. Each organization must weigh its own situation:

Reasons to consider paying: No viable backups exist, business cannot survive the downtime, or the ransom is small relative to business impact.

Reasons to refuse: Paying guarantees neither decryption nor deletion of stolen data, it funds criminal organizations, it may violate sanctions laws (in the United States, OFAC has warned that paying a sanctioned actor can itself incur penalties), and it marks you as a paying target for future attacks.

Practical reality: Even if you intend to pay, negotiate, preferably through the negotiator your insurer or counsel provides; initial demands are often reduced. Never pay without attempting recovery from backups first. Many organizations have restored from backups after initially believing they were lost. And a purchased decryptor is often slow and unreliable, and it does not evict the attacker, so you still rebuild afterwards.

The recovery checklist

  • Verify backup integrity before beginning any restoration
  • Rebuild compromised systems from known-good images rather than cleaning infected ones; a cleaned host may still carry the attacker's persistence
  • Reset all credentials for affected accounts, especially privileged and service accounts; assume any password the attacker could read is known to them
  • Close the initial access vector (patch the exploited vulnerability, disable the abused VPN or remote-access account) before reconnecting anything, or the attacker walks back in
  • Restore data in priority order (critical systems first)
  • Test restored systems before returning them to production
  • Document the entire incident timeline for post-mortem analysis
  • File required breach notifications within regulatory deadlines
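The first item on the list, verifying a backup before restoring from it, as an added example that is not code from the original post or from 3SN. It records a SHA-256 manifest when the backup is taken, stores that manifest away from the backup itself, and later reports what changed. The manifest format mirrors sha256sum output; the backup tree it builds and the tampering it simulates are constructed for the demonstration.

```python
"""Verify a backup set against a SHA-256 manifest before restoring from it.

Added example for this guide, not code from the original post or from 3SN.
The manifest format (one "<sha256>  <relative path>" line per file, the same
shape as sha256sum output) and the sample backup built by run_demo() are
constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives never load fully into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest, out_path):
    lines = [f"{digest}  {name}\n" for name, digest in sorted(manifest.items())]
    Path(out_path).write_text("".join(lines))


def read_manifest(path):
    manifest = {}
    for line in Path(path).read_text().splitlines():
        digest, name = line.split("  ", 1)
        manifest[name] = digest
    return manifest


def verify_backup(root, manifest):
    """Compare the backup on disk with the manifest recorded when it was taken.

    Anything in 'modified' or 'missing' means this copy has been touched since
    it was written and must not be the one you restore from. 'unexpected'
    catches files dropped into the backup tree afterwards, such as a ransom
    note or a second-stage loader waiting to be restored along with the data.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def is_restorable(report):
    return not any(report.values())


def run_demo():
    """Constructed scenario: take a backup, then tamper with it as an intruder would."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as vault:
        root = Path(backup)
        (root / "docs").mkdir()
        (root / "docs" / "ledger.csv").write_text("2025-03-01,invoice,1200\n")
        (root / "docs" / "contract.pdf").write_bytes(b"%PDF-1.7 constructed sample")
        (root / "config.yaml").write_text("retention_days: 30\n")

        # The manifest lives in a separate, write-once location (the "vault"):
        # a manifest stored beside the backup can be rewritten along with it.
        manifest_path = Path(vault) / "backup.sha256"
        write_manifest(build_manifest(root), manifest_path)
        clean = verify_backup(root, read_manifest(manifest_path))

        # Simulate an operator with reach into the backup: encrypt one file,
        # delete another, and drop a ransom note into the tree.
        (root / "docs" / "ledger.csv").write_bytes(b"\x8f\x12encrypted\x00garbage")
        (root / "docs" / "contract.pdf").unlink()
        (root / "RECOVER_FILES.txt").write_text("Your files are encrypted.\n")
        tampered = verify_backup(root, read_manifest(manifest_path))
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label, "restorable" if is_restorable(report) else "DO NOT RESTORE", report)
```

The check is only as trustworthy as the manifest's storage: write it to the same offline or immutable location as the backup copy it describes, not to the file server the backup job runs from, and run the verification from a clean host rather than the one being rebuilt.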

Preparing before it happens

The best incident response is preparation. Small teams should prioritize:

Offline backups: Ransomware operators hunt for connected backups. Maintain offline or immutable copies that cannot be modified or deleted from production systems or with production credentials, and test a full restore regularly; an untested backup is a hope, not a plan.

Network segmentation: If your finance system and public website share a flat network, ransomware can pivot everywhere. Basic segmentation limits blast radius.

Response contacts: Have phone numbers ready for your cyber insurer, legal counsel, forensic consultants, and key vendors. Do not wait for a crisis to find them.

Tabletop exercises: Run through a ransomware scenario once per quarter. Identify gaps in your response plan while you have time to fix them.

For organizations evaluating security platforms that can help detect ransomware behaviors early, Pitch Black provides perimeter logging and enforcement capabilities designed for lean security teams.


Disclaimer: This post is for educational and informational purposes only and does not constitute legal, compliance, or professional security advice.