De4sec Technology

Ransomware Incident Response Guide

A step-by-step guide for the first 72 hours of a ransomware incident — what to do, what not to do, and how to recover.

Prepared by
De4sec Technology
Contact
support@de4sec.technology
Edition
2026 · Updated March
CONFIDENTIAL · FOR CLIENT USE ONLY
Contents
  1. Why the First 30 Minutes Determine Everything
  2. Immediate Actions — First 30 Minutes
  3. Containment — Hours 1 to 4
  4. Assessment โ€” Hours 4 to 24
  5. Recovery โ€” Hours 24 to 72
  6. Post-Incident: Prevent Recurrence
01 Why the First 30 Minutes Determine Everything

Ransomware incidents don't announce themselves. You discover them when files are encrypted, a ransom note appears, or systems become inaccessible. By that point, the attacker has typically been inside your environment for hours or days. The damage is already done.

The first 30 minutes after discovery are critical. The actions you take — or fail to take — in this window determine how contained the damage is and how quickly you recover.

The businesses that recover fastest have a documented incident response plan they practiced before the incident happened. The ones that struggle are making decisions under crisis pressure without a playbook.

02 Immediate Actions — First 30 Minutes

DO these immediately

✓ Disconnect affected devices from the network — unplug Ethernet, disable Wi-Fi. Do not power off unless the device is still actively encrypting and you have no other option
✓ Notify your IT provider or De4sec immediately: support@de4sec.technology | AU: +61 451 500 909 | KE: +254 741 777 681
✓ Preserve logs — do not delete or modify any logs, even suspicious-looking ones. They are forensic evidence
✓ Document everything — take photos of ransom notes, unusual screens, error messages
✓ Notify leadership — incident response is a business decision, not just an IT decision

DO NOT do these

✗ Do not pay the ransom without professional advice — payment does not guarantee decryption
✗ Do not attempt to decrypt files yourself with random tools — this can permanently corrupt data
✗ Do not delete suspicious files — they are evidence
✗ Do not communicate with attackers directly
✗ Do not attempt to 'clean' infected systems yourself before forensic imaging

03 Containment — Hours 1 to 4

Network containment

✓ Identify the blast radius — which systems are affected, which appear unaffected
✓ Isolate affected network segments — if you have VLANs, isolate them now
✓ Check backups immediately — are they intact and accessible? Are they connected to the affected network?
✓ Disable compromised user accounts — not just the one you think was breached, but all accounts that had access to affected systems
✓ Block malicious IPs and domains identified by your IT provider or MDR service

Communication

✓ Internal staff notification — keep messaging factual, avoid panic, tell staff what they can and cannot use
✓ Client notification — prepare a holding statement if operations are disrupted
✓ Cyber insurer notification — call your insurer immediately; incident response support is included in the policy
✓ Legal counsel — if personal data may be involved, legal advice is required for notification obligations

04 Assessment — Hours 4 to 24

Forensic investigation

✓ Identify the initial attack vector — phishing, RDP, unpatched vulnerability?
✓ Determine the scope of lateral movement — how far did the attacker travel?
✓ Identify the encryption timeline — when did encryption start, which backups are clean?
✓ Collect forensic images of affected systems before rebuilding
✓ Determine if data was exfiltrated before encryption — attackers often steal data for double extortion

Backup assessment

✓ Verify backup integrity — are the backups isolated in a recovery environment, or were they connected to encrypted systems?
✓ Identify the clean restore point — what's the most recent backup before compromise?
✓ Calculate data loss — the gap between the last clean backup and the encryption event
✓ Test restore of a non-critical system to validate the backup is functional
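For the encryption-timeline and clean-restore-point items above, an added example (not De4sec's own tooling) that estimates when encryption began from a file-share metadata export, separates backups taken before that point from suspect ones, and reports the data-loss window. The file listing, backup timestamps, the `.locked` extension and the ransom-note filename are constructed placeholders; substitute the values observed in the actual incident.

```python
# Added example, not De4sec's own tooling: estimate the encryption start time
# from a file-share metadata export and select the latest backup taken before it.
from datetime import datetime, timedelta

# Constructed sample data: (path, last-modified time) as exported from a file share.
# The ".locked" extension and the note filename are placeholders; substitute the
# ones observed in the actual incident.
SAMPLE_FILES = [
    ("finance/q1.xlsx", "2026-03-10T09:15:00"),
    ("finance/q1.xlsx.locked", "2026-03-12T02:41:10"),
    ("hr/payroll.docx.locked", "2026-03-12T02:43:55"),
    ("hr/README_TO_RESTORE.txt", "2026-03-12T02:44:02"),
    ("ops/notes.txt", "2026-03-11T17:30:00"),
]
SAMPLE_BACKUPS = ["2026-03-09T23:00:00", "2026-03-11T23:00:00", "2026-03-12T23:00:00"]
ENCRYPTED_EXTS = (".locked",)
NOTE_NAMES = ("README_TO_RESTORE.txt",)


def encryption_start(files, exts=ENCRYPTED_EXTS, notes=NOTE_NAMES):
    """Earliest modification time among encrypted files and ransom notes, or None."""
    hits = [datetime.fromisoformat(ts) for path, ts in files
            if path.endswith(exts) or path.rsplit("/", 1)[-1] in notes]
    return min(hits) if hits else None


def classify_backups(backups, enc_start, margin=timedelta(hours=1)):
    """Split backups into clean (completed before encryption began, with a safety
    margin for clock skew and encryption already in progress) and suspect.
    A 'clean' backup only rules out encrypted content; the attacker's foothold may
    predate it, which is why systems are rebuilt rather than restored."""
    clean, suspect = [], []
    for b in backups:
        t = datetime.fromisoformat(b)
        (clean if t < enc_start - margin else suspect).append(t)
    return clean, suspect


def restore_plan(files, backups):
    """Return (clean restore point, data-loss window) or None if undeterminable."""
    enc = encryption_start(files)
    if enc is None:
        return None
    clean, _ = classify_backups(backups, enc)
    if not clean:
        return None
    point = max(clean)
    return point, enc - point
```

On the sample data the restore point is the 11 March 23:00 backup and the data-loss window is 3 h 41 min; `restore_plan` returns None when no encrypted files are found or no backup predates encryption, so that case is handled rather than guessed.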
05 Recovery — Hours 24 to 72

Rebuild, don't restore infected systems

Do not attempt to clean infected operating systems. Rebuild from scratch or from a known-good image. Ransomware frequently leaves persistent backdoors that survive remediation attempts.

✓ Rebuild systems from clean OS images — not from a backup of the infected system
✓ Restore data from verified clean backups to rebuilt systems
✓ Reset ALL credentials — every user password, every service account, every API key. Attackers frequently capture credentials during dwell time
✓ Apply all outstanding patches before reconnecting to production
✓ Re-enrol devices into Intune/MDM before reconnecting

Priority restoration order

✓ Critical infrastructure: DNS, email, authentication
✓ Core business systems: ERP, practice management, POS
✓ Productivity: file shares, communication tools
✓ Non-critical: analytics, reporting, secondary systems

06 Post-Incident: Prevent Recurrence

Recovery is not complete when systems are back online. The incident exposed gaps. Those gaps must be closed before the next attack — and there will be a next attack.

✓ Deploy EDR if not already present — Microsoft Defender for Endpoint or equivalent
✓ Implement SIEM monitoring — Microsoft Sentinel for proactive threat detection
✓ Review and enforce MFA and Conditional Access policies
✓ Implement network segmentation — limit lateral movement
✓ Conduct security awareness training — the attack likely started with a phishing email
✓ Review and test backup strategy — implement immutable offsite backup
✓ Update and practice the incident response plan

De4sec provides post-incident security uplift engagements covering all of the above. Contact support@de4sec.technology.

// NEXT STEP

Ready to implement this in your environment?

De4sec provides hands-on implementation, not just advice. Book a free discovery call — we assess your current environment against this guide at no cost, no obligation.

Book a Free Discovery Call → or visit de4sec.technology
© 2026 DE4SEC TECHNOLOGY. ALL RIGHTS RESERVED.