hour 0-1: what NOT to do

The instinct is to act fast. Correct — but most obvious fast actions make it worse. The next 60 minutes are the highest-leverage window, and the most common mistakes happen here.

do not pay the ransom
Not in the first 60 minutes, not without exhausting every other option. The Qilin variant in our incident had decryptors available through third-party security researchers within 72 hours of the attack going public. Paying immediately buys you a promise from criminals, sometimes delivers nothing, and funds the next attack on someone else. Check nomoreransom.org first, always.

do not pull every plug at random
The instinct to physically disconnect every machine is understandable. But if ransomware is still actively spreading across your network and you start pulling cables in random order, you may disconnect your logging infrastructure before it captures which systems were compromised, making forensic analysis much harder. Disconnection is step two, not step one. Identification is step one.

do not email your IT vendor from a potentially compromised machine
If your email runs through Microsoft 365 and your environment is compromised, your email could be monitored by the attacker. Use a personal mobile hotspot and a non-compromised device (a personal phone, a laptop that was off-site) to make your first contact calls. Don’t communicate through the compromised environment.

What to do in the first 15 minutes:

  • Identify one confirmed-compromised machine. Note the hostname or IP and the time you discovered it.
  • Do NOT touch other machines yet. Observe. Look for symptoms spreading (ransom notes on desktop, encrypted file extensions, systems hanging).
  • Call your IT provider from a non-compromised device. If you don’t have one, use a personal cell with a personal hotspot, not the office WiFi.
  • If you have cyber liability insurance, pull up your policy number. You’ll need your insurance carrier’s incident response line within the first hour.

time matters
Ransomware variants like Qilin often have a data exfiltration phase that runs before encryption begins. If you’re watching the attack happen in real time, there’s still a chance to limit exfiltration by cutting network access fast, but only after you’ve noted what’s affected. Those two steps happen back to back, not as separate phases.

hour 1-4: isolate, communicate, document

You've made contact with your IT provider. This phase is containment — stop the spread, preserve evidence, establish clean comms.

Isolation priority:

  • Network segment isolation first: if your switches have VLAN capability, use it to cut infected segments from the broader network at the switch level, not the device level. This is faster and more thorough than unplugging individual machines.
  • After network isolation: disconnect affected machines from power (not a graceful shutdown — pull the plug or hold the power button). This preserves memory state which may contain encryption keys or indicators of the attack chain.
  • Explicitly do NOT reboot compromised machines. Rebooting destroys volatile memory. Memory forensics can extract encryption keys from RAM that have not yet been flushed. PCA was able to use this in the Qilin response.
  • Identify and physically isolate backup storage. If your backup device is network-connected and not air-gapped, disconnect it now. Ransomware specifically targets backup systems to maximize leverage.

Communication setup: Personal cell phones, personal email, personal mobile hotspot. Assume corporate email, Slack, and file shares are compromised until confirmed otherwise.

Documentation starts now: Timestamp every action: who, what, when, which system. Required by insurance, required by law enforcement, essential for forensics. A Google Doc on personal Gmail via personal hotspot is fine.

if you have an off-site backup that was isolated
You are already ahead of most businesses in this situation. Don’t touch the backup yet; treat it as evidence until you’ve confirmed the attack vector is contained. A backup restored into a still-compromised environment will be re-infected. Containment first, recovery second.

hour 4-24: triage what’s encrypted, what’s exfil’d, what’s still safe

Containment is established. Clean communications are running. Now the hard work begins: understanding the actual scope of the damage.

Encryption triage: Identify which file types were targeted. Most ransomware variants have a specific list of extensions they encrypt (Office docs, PDFs, databases, images). Identify which shares and servers are affected and which are not. Build a list of impacted vs. clean systems — this is your recovery priority order.
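An added example (not PCA’s own tooling) of how that encryption triage can be automated over a share: it checks whether each file’s header still matches its extension and counts any appended marker extension, which tells you which file types were hit and how the variant renames them. The file types, the sample share and the “.lockedxyz” marker are constructed for the demo; point `triage_share` at a mounted copy of a real share.

```python
import os
import tempfile
from collections import Counter

# Leading bytes of file types ransomware commonly targets (real magic numbers).
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
         ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def classify(path):
    """'ok', 'encrypted-in-place' (name kept, header gone), 'renamed' (marker
    extension appended to a known type) or 'unknown' for one file."""
    base, ext = os.path.splitext(path)
    with open(path, "rb") as f:
        head = f.read(8)
    if ext.lower() in MAGIC:
        return "ok" if head.startswith(MAGIC[ext.lower()]) else "encrypted-in-place"
    if os.path.splitext(base)[1].lower() in MAGIC:   # e.g. plans.pdf.<marker>
        return "renamed"
    return "unknown"

def triage_share(root):
    """Walk a share read-only; return {relative path: verdict} plus a count of
    appended extensions, which exposes the variant's marker extension."""
    verdicts, appended = {}, Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            verdicts[rel] = classify(path)
            if verdicts[rel] == "renamed":
                appended[os.path.splitext(name)[1].lower()] += 1
    return verdicts, appended

def demo_share():
    """Constructed share in a temp dir: two intact files, two hit by ransomware.
    '.lockedxyz' is a made-up marker extension, not any real variant's."""
    root = tempfile.mkdtemp()
    samples = {"q1-invoices.xlsx": b"PK\x03\x04" + b"\x00" * 60,
               "contract.pdf": b"%PDF-1.7 " + b"x" * 60,
               "payroll.docx": bytes(range(64)),         # overwritten, name unchanged
               "plans.pdf.lockedxyz": bytes(range(64))}  # overwritten and renamed
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    verdicts, appended = triage_share(demo_share())
    print(Counter(verdicts.values()), appended.most_common(1))
```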

In the Qilin incident, we found that the ransomware had specifically targeted the file server and shared drives but had not reached the SQL database server — because the database server was on a separate network segment that had been configured months earlier for performance reasons. That segment isolation, not security-intentional, saved the most critical data.

Exfiltration assessment: This is harder than encryption assessment and is often overlooked. Ransomware-as-a-service operators frequently exfiltrate data before encrypting it, using the stolen data as additional leverage (“pay or we publish your customer records”). Look at firewall logs for unusual outbound traffic volumes in the 24-48 hours before the attack became visible. Large transfers to unknown external IPs in that window are a signal of exfiltration.
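One way to turn that firewall-log check into a repeatable query, as an added example and not PCA’s tooling: it sums outbound bytes per external destination in the 48 hours before discovery and flags anything above a size threshold. The log column layout, the RFC 1918 internal ranges, the discovery time and the 500 MiB threshold are assumptions; map your firewall’s export to the same columns and tune the threshold to your normal traffic.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (assumption: not any vendor's real format). Columns:
# timestamp, source IP, destination IP, bytes sent outbound.
SAMPLE_LOG = """\
2024-03-14T21:05:10 10.0.1.25 10.0.2.10 1048576
2024-03-14T22:14:03 10.0.1.25 203.0.113.77 734003200
2024-03-14T23:01:47 10.0.1.25 203.0.113.77 1207959552
2024-03-15T01:30:00 10.0.1.40 198.51.100.9 52428800
2024-03-15T09:12:00 10.0.1.25 192.0.2.53 2048
2024-03-16T07:45:00 10.0.1.25 203.0.113.77 3145728
"""
DISCOVERED_AT = datetime(2024, 3, 16, 6, 0, 0)   # constructed discovery time

# RFC 1918 ranges; replace with your own internal addressing (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Return (timestamp, src, dst, bytes) tuples from the sample format above."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows

def outbound_by_external_dest(flows, discovered_at, lookback_hours=48):
    """Bytes per external destination in the window before discovery.
    Internal-to-internal flows are lateral movement, not exfil, so they are skipped."""
    window_start = discovered_at - timedelta(hours=lookback_hours)
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if window_start <= ts <= discovered_at and not is_internal(dst):
            totals[dst] += nbytes
    return dict(totals)

def exfil_candidates(flows, discovered_at, threshold_bytes=500 * 1024 ** 2):
    """Destinations that received at least threshold_bytes in the window, largest first."""
    totals = outbound_by_external_dest(flows, discovered_at)
    return sorted(((d, b) for d, b in totals.items() if b >= threshold_bytes),
                  key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for dst, total in exfil_candidates(parse_flows(SAMPLE_LOG), DISCOVERED_AT):
        print(f"{dst}: {total / 1024 ** 2:.0f} MiB outbound in the 48h before discovery")
```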

your MSP should be doing this
If you don’t have access to your firewall logs, because your current IT vendor manages the firewall but hasn’t given you access to historical logs, this is a gap you cannot fix mid-incident. For future events: your logs need to be stored somewhere accessible to you, not only to your vendor. This is a standard requirement, not a premium add-on.

Identify what’s still safe: Confirm which systems never connected to the compromised segment. Confirm backup integrity (checksums if available, visual inspection of file listings if not). Confirm whether cloud services (Microsoft 365 SharePoint, OneDrive) are affected. In the Qilin incident, SharePoint was unaffected because it was cloud-hosted and the attacker had not escalated to M365 admin privileges.

Preserve evidence: Before any restoration or wiping begins, image affected drives. This is a forensic copy of the encrypted state. Your cyber insurance provider and potentially law enforcement will need this. Drive imaging before remediation is standard practice — skip it and you lose your claim documentation.

hour 24-48: legal + insurance + customer notification (Texas law)

By this point your immediate technical crisis is contained. The next 24 hours are dominated by legal, insurance, and notification obligations — which have their own time windows that start running from the moment of discovery, not the moment of containment.

Cyber liability insurance: If you have a cyber liability policy, you should have already made first contact in hour one. If you haven’t, do it now. Most cyber policies have coverage that kicks in only if you’ve followed their incident response protocol — which often includes using their approved forensics vendor, not your MSP’s preferred one. Read the policy before you start remediating. Remediation that happens without insurer approval may void your claim.

Law enforcement: In the US, ransomware is a federal crime. Report it to the FBI’s IC3 (Internet Crime Complaint Center) at ic3.gov. This is not optional. The report helps investigators track variants and, in some cases, has led to decryptors being released when law enforcement has seized attacker infrastructure. The Qilin variant had known decryptors available through a coordinated law enforcement action — a report to IC3 connects you to that intelligence network.

Texas notification law: If you’ve determined that personal information was exfiltrated — customer names, email addresses, Social Security numbers, financial account data — Texas law requires notification. Tex. Bus. & Com. Code § 521.053 requires that affected individuals be notified “as quickly as possible” after discovery of a breach, and that the Texas Attorney General be notified if the breach affects 250 or more Texas residents. The clock starts from the date of discovery, not the date of forensic confirmation. Get legal counsel on the phone in this window — not after you’ve sent a notification that doesn’t meet the statute’s requirements.

scope of “personal information” under Texas law
The statute covers name combined with: Social Security number, driver’s license number, account or payment card numbers in combination with a security code, or health information. If your customer database contains any combination of a name plus one of these, you likely have a notification obligation if any records were exfiltrated.

Customer and vendor communication: If your business has customers, vendors, or partners who may be affected by this incident — either because their data was at risk, or because your system outage affects their operations — communicate early and clearly. A brief, factual statement (“we are responding to a cybersecurity incident, we’ll update you by [date]”) is better than silence. Silence damages trust more than the incident itself in many cases.

the recovery decision tree

By the end of hour 48, you’re moving into recovery. The path depends on what you have available and what was affected.

recovery path

do you have a clean, tested backup from before the infection window?

  YES → verify backup integrity (file checksums, spot-check critical files). rebuild affected systems to a known-clean state, then restore. before restoring: confirm the attack vector that let the ransomware in has been closed. restoring to a vulnerable environment restarts the clock.
    fastest path. typical timeline: 48-72h to full restoration with a good backup.

  NO / UNCERTAIN → check nomoreransom.org for your variant’s decryptor. check whether your cloud sync (SharePoint, OneDrive, Google Drive) has version history you can restore from.
    if a decryptor exists: use it on a copy of the encrypted files (never the originals). estimated timeline: 24-72h additional.
    if no decryptor: evaluate rebuild-from-scratch vs. paying the ransom. engage legal counsel before making the payment decision. note that payment carries no guarantee of decryption.
    worst case: rebuilding without backups and without a decryptor. timeline: 1-4 weeks. cost: significant. this is the situation immutable backups prevent.

is the attack vector closed?

  confirm: the entry point (phishing email, exposed RDP, unpatched vulnerability) has been identified and closed before any system is restored to production. if you restore before closing the entry point, you will be re-infected.
  common entry points for Qilin and similar variants: exposed RDP on non-standard ports, unpatched VPN appliances, compromised credentials from phishing.
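For the “verify backup integrity” step above and the “confirm backup integrity (checksums if available)” step in the hour 4-24 triage, an added example that is not PCA’s code: it compares a backup tree read-only against a sha256sum-style manifest recorded before the incident and reports modified, missing and unexpected files. The manifest format, directory layout and sample contents are constructed assumptions; the manifest only proves anything if it was stored somewhere the attacker could not reach.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <relative path>') into {path: hex}."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(maxsplit=1)
            expected[rel.strip()] = digest.lower()
    return expected

def verify_backup(root, manifest_text):
    """Read-only comparison of a backup tree against its pre-incident manifest.
    Returns sorted lists: (modified, missing, unexpected) relative paths."""
    expected = parse_manifest(manifest_text)
    present = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            present[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_file(path)
    modified = sorted(p for p in expected if p in present and present[p] != expected[p])
    missing = sorted(p for p in expected if p not in present)
    unexpected = sorted(p for p in present if p not in expected)
    return modified, missing, unexpected

def demo():
    """Constructed backup: manifest taken pre-incident, then one file overwritten, one deleted, one stray file added."""
    root = tempfile.mkdtemp()
    originals = {"db/customers.bak": b"customer rows", "docs/contract.pdf": b"%PDF-1.7 ...",
                 "docs/plan.docx": b"PK\x03\x04 plan"}
    for rel, data in originals.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in originals.items())
    with open(os.path.join(root, "docs/plan.docx"), "wb") as f:
        f.write(b"\x93\x1f not the original bytes")       # encrypted in place
    os.remove(os.path.join(root, "db/customers.bak"))     # deleted by the attacker
    with open(os.path.join(root, "README_TO_RESTORE.txt"), "wb") as f:
        f.write(b"constructed ransom-note placeholder")   # never in the manifest
    return verify_backup(root, manifest)
```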
+--[HOUR 0-1]-------+  +--[HOUR 1-4]-------+  +--[HOUR 4-24]------+  +--[HOUR 24-48]-----+
| DO NOT:           |  | ISOLATE           |  | TRIAGE SCOPE      |  | LEGAL + NOTIFY    |
| - pay ransom      |  | - VLAN segment    |  | - map encrypted   |  | - cyber insurance |
| - pull all plugs  |->| - pull power      |->| - check exfil     |->| - FBI IC3 report  |
| - use corp email  |  | - save RAM state  |  | - log each system |  | - TX notification |
|                   |  | - isolate backup  |  | - image drives    |  | - customer comms  |
| IDENTIFY one host |  | CLEAN COMMS only  |  |   before wipe     |  | (Tex. 521.053)    |
+-------------------+  +-------------------+  +-------------------+  +-------------------+
          |                      |                      |                      |
          v                      v                      v                      v
  call your IT         document every         identify clean         check backup
  (personal cell +     action with            systems + cloud        integrity +
  personal hotspot)    timestamps             (M365 may be OK)       nomoreransom.org

six things to do BEFORE you ever get hit

Each item costs less than one hour of ransomware downtime. Most small businesses have none. Implement four out of six and you're in the top 20% for resilience.

  • Immutable backup, physically or logically isolated. A backup that lives on a network share on your office server is not a backup — it’s a second copy that will be encrypted along with the first. You need a backup that cannot be modified or deleted from the network: a cloud backup with object lock (AWS S3 with Glacier Vault Lock, Azure Blob with immutable storage), a tape or external drive that is physically disconnected after backup, or a managed backup service with air-gap capability. This is the single highest-ROI security investment for a small business.
  • MFA on everything with an internet-facing login. Microsoft 365, RDP, VPN, any cloud service your business uses. Qilin’s most common entry vector is compromised credentials. MFA means compromised credentials alone are not enough to gain access. This is free on Microsoft 365 and takes an afternoon to enable. There is no excuse for MFA not being on.
  • Patch everything, including network appliances. Your firewall, your VPN concentrator, your NAS — these are not “set and forget” devices. They have firmware updates that fix critical vulnerabilities. An unpatched SonicWall firewall was the entry point for a significant ransomware campaign in 2021. Check manufacturer advisories monthly. This is part of what a managed IT provider should be doing for you automatically.
  • Segmented network. Put your file servers on a different VLAN from your workstations. Put your backup storage on a third segment. Lateral movement is how ransomware spreads from one compromised machine to your entire environment. Network segmentation slows that spread and may limit the blast radius to a single segment. This is a configuration change, not a purchase.
  • Endpoint detection and response (EDR), not just antivirus. Traditional antivirus is signature-based — it looks for known malware. EDR is behavior-based — it looks for malicious activity patterns regardless of whether the specific malware is known. Qilin variants are regularly updated specifically to evade AV signatures. SentinelOne, CrowdStrike, and Microsoft Defender for Business all have EDR capability. Consumer AV does not.
  • Documented incident response plan. You are reading this guide mid-incident or pre-incident. If pre-incident: print this page and put it somewhere physical that survives the loss of your digital environment. A laminated sheet in the server room. An email to a personal account with the link to this page. The worst time to look up “what do I do in the first hour of ransomware” is during the first hour of ransomware.

if you’ve already done most of these
You’re in a significantly better position than the median small business. A ransomware event, if it happens, will be a bad week rather than a potentially company-ending event. That difference, bad week vs. existential threat, is entirely determined by decisions made before the attack happens.

if you’re mid-incident in houston metro and you need help right now: email information@pcatechnologyinc.com with subject URGENT or book an emergency call.

PCA handled the Qilin response from Friday evening through Monday morning — discovery, forensics, restoration, hardening. this guide is free because too many houston small businesses get hit with no playbook. forward it.