The ransomware events that we have seen go least badly are the ones where the affected organisation had a plan, knew who to call, and made calm decisions in the first 24 hours. The events that go worst start with people deleting evidence, restoring straight over compromised systems, or paying a ransom before doing any of the work that would have made paying unnecessary. This is a practical playbook.
Hour 0 to Hour 1: contain and preserve
Disconnect, do not power off. Powering off a compromised host destroys volatile evidence (memory, network connections, running processes) and breaks the forensic timeline you will need later. Disconnect it from the network instead — pull the cable, disable the switch port, or use your EDR's network-isolation function.
Isolate the blast radius. Segment compromised systems away from clean ones. If you have any reason to believe a domain controller is compromised, treat the entire identity tier as suspect until proven otherwise.
Preserve logs immediately. Pull endpoint logs, EDR telemetry, firewall logs, and email security logs to an offline location before they roll over. The cost of preserving and not needing them is trivial; the cost of needing and not having them is large.
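As an added example of the "preserve logs" step (this is not tooling from the original post), the following PowerShell script exports the Windows event log channels that an investigation most often needs, captures the volatile state a power-off would lose, and writes a SHA-256 manifest so each copy can later be shown to be unaltered. The evidence share path, the channel list and the output layout are assumptions; run it from an elevated session on the suspect host before anyone reboots it.

```powershell
# Added example: evidence preservation on a suspect Windows host.
# Assumptions: an offline (ideally write-once) evidence share exists at $EvidenceRoot,
# and the session is elevated. Channel names are standard Windows channels; ones that
# do not exist on this host (e.g. no Sysmon) are recorded as missing, not fatal.
param(
    [string]$EvidenceRoot = '\\evidence-host\ir$',   # assumed offline evidence share
    [string[]]$Channels = @(
        'Security', 'System', 'Application',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-Sysmon/Operational',
        'Microsoft-Windows-TaskScheduler/Operational',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    )
)

$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$dest  = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Volatile state first: these are exactly the things a shutdown would destroy.
Get-NetTCPConnection |
    Export-Csv (Join-Path $dest 'tcp-connections.csv') -NoTypeInformation
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, UserName, StartTime |
    Export-Csv (Join-Path $dest 'processes.csv') -NoTypeInformation
Get-ScheduledTask |
    Select-Object TaskName, TaskPath, State, Author |
    Export-Csv (Join-Path $dest 'scheduled-tasks.csv') -NoTypeInformation
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName, StartName |
    Export-Csv (Join-Path $dest 'services.csv') -NoTypeInformation

# Event log channels, exported with the built-in wevtutil so the .evtx keeps its
# original structure (timestamps, record ids) rather than a lossy text dump.
foreach ($ch in $Channels) {
    $file = Join-Path $dest (($ch -replace '[\\/]', '_') + '.evtx')
    & wevtutil.exe epl $ch $file 2>$null
    if (-not (Test-Path $file)) {
        Add-Content (Join-Path $dest 'missing-channels.txt') $ch
    }
}

# Integrity manifest: one SHA-256 per collected file, plus a hash of the manifest
# itself that goes into the case notes so a later tamper is detectable.
$manifest = Get-ChildItem -Path $dest -File |
    Where-Object Name -ne 'manifest.csv' |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            File      = $_.Name
            SizeBytes = $_.Length
            SHA256    = $h.Hash
            Collected = $stamp
            Host      = $env:COMPUTERNAME
        }
    }
$manifest | Export-Csv (Join-Path $dest 'manifest.csv') -NoTypeInformation
$manifestHash = (Get-FileHash (Join-Path $dest 'manifest.csv') -Algorithm SHA256).Hash
Set-Content (Join-Path $dest 'manifest.sha256') $manifestHash

Write-Host "Collected $($manifest.Count) files to $dest"
Write-Host "Manifest SHA-256 (record this in the case notes): $manifestHash"
```

Keep the manifest hash somewhere the attacker cannot reach (the case notes, a ticket, a printed page), not only on the evidence share: the hashes prove integrity only if the reference copy is independent of the thing it protects. The same pattern extends to EDR, firewall and mail-gateway exports: copy, hash, record the hash out of band.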
Hour 1 to Hour 24: notify and engage
Activate your response retainer. Now is the moment for which you signed an incident-response retainer. If you don’t have one, this is the most expensive day to start shopping.
Notify ASD. The Australian Signals Directorate, through the Australian Cyber Security Centre (ACSC), operates ReportCyber and provides incident triage support. Reporting early is in your interest and may be mandatory depending on the nature of your business.
Notify your insurer. Cyber insurance policies typically require notification within a defined window and dictate which forensic providers, lawyers, and negotiators you may engage. Acting outside the policy can void cover.
Stand up a small, named decision team. Executive sponsor, technical lead, communications lead, legal contact. Decisions get made in this group, not by Slack consensus.
Day 1 to Day 7: investigate and recover
Establish patient zero. Determine the initial access vector before recovery. Restoring without knowing how the adversary got in invites them to walk back through the same door.
Recover from clean backups, not from production. If your backups have any path of network reachability from the compromised environment, treat them as suspect until verified.
Reset what needs resetting. All privileged credentials. Service accounts. KRBTGT (twice, if Active Directory was in scope). Cloud platform admin tokens. API keys baked into application code. Make a list and work it.
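To make "make a list and work it" concrete for the Active Directory part of that list, here is an added PowerShell example (not the post's own procedure) that builds the reset worklist for privileged and service accounts, and wraps the KRBTGT reset in the check that matters most: the second reset must not happen until every domain controller has replicated the first. Resetting twice back to back invalidates tickets that still-legitimate services are holding and can take the domain down. The group names, the output folder and the decision to use a 64-byte random password are assumptions; the script needs the ActiveDirectory module (RSAT) and Domain Admin rights.

```powershell
# Added example: AD credential-reset worklist and a replication-aware KRBTGT reset.
# Assumptions: ActiveDirectory module available, Domain Admin rights, $OutDir writable.
Import-Module ActiveDirectory

$OutDir = 'C:\IR\reset-worklist'   # assumed working folder for the response team
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Privileged accounts: recursive membership of the high-value groups.
#    Nested groups are expanded so indirect admins are not missed.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators'
$privileged = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object @{n='Group'; e={ $g }}, SamAccountName, DistinguishedName
}
$privileged | Sort-Object SamAccountName -Unique |
    Export-Csv (Join-Path $OutDir 'privileged-users.csv') -NoTypeInformation

# 2. Service accounts: every user with an SPN holds a Kerberos key that must be
#    rotated, and each one has a service somewhere that must be updated afterwards.
Get-ADUser -Filter { ServicePrincipalName -like '*' } `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }} |
    Export-Csv (Join-Path $OutDir 'service-accounts.csv') -NoTypeInformation

# 3. KRBTGT. msDS-KeyVersionNumber increments on each reset, and reading it from
#    every DC shows whether the last reset has fully replicated.
function Get-KrbtgtKvnoPerDC {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties 'msDS-KeyVersionNumber'
        [pscustomobject]@{ DC = $dc.HostName; Kvno = $u.'msDS-KeyVersionNumber' }
    }
}

function Invoke-KrbtgtReset {
    $before = Get-KrbtgtKvnoPerDC
    if (($before.Kvno | Sort-Object -Unique).Count -ne 1) {
        $before | Format-Table -AutoSize | Out-String | Write-Warning
        throw 'KRBTGT key version differs across DCs: the previous reset has not replicated. Do not reset again yet.'
    }
    # The password value is never used again, so 64 random bytes is all that is needed.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
    # Push replication of all partitions from every DC so convergence is quick.
    & repadmin.exe /syncall /APed | Out-Null
    Start-Sleep -Seconds 30
    Get-KrbtgtKvnoPerDC
}

# First reset: run now. Second reset: run the same command only after
# Get-KrbtgtKvnoPerDC shows one key version everywhere, and preferably after
# the maximum ticket lifetime (10 hours by default) so in-flight sessions expire cleanly.
Invoke-KrbtgtReset | Format-Table -AutoSize
```

Work the two CSVs as the list the post describes: each privileged account is reset and its sessions revoked, and each service account row is paired with the service that will need its new password before that reset is done. Cloud admin tokens and embedded API keys are outside AD and need their own rows on the same list.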
Notifiable Data Breaches. If personal information has been accessed or disclosed without authorisation and is likely to result in serious harm, the Notifiable Data Breaches scheme requires notification to affected individuals and the OAIC. Get legal advice on the specific facts.
Week 2 onward: lessons and hardening
The post-incident period is the one that decides whether the next event is harder or identical. Hold a structured post-incident review. Capture root cause — the actual organisational and technical conditions that allowed it — not just the proximate technical fault.
Common findings we see, in order of frequency:
- Compromised credentials without MFA on the entry point.
- Unpatched internet-facing system or management interface.
- Phishing-delivered malware to a user with excessive privilege.
- Backup compromised because it was reachable from production.
- Lack of EDR or only signature-based AV.
Should you pay?
This is a decision for your executive, your legal advisors, and your insurer — not for a blog post. Two observations:
- Australian government policy strongly discourages payment, and there is active discussion about reporting obligations and potential restrictions on facilitating payments.
- Payment does not guarantee recovery, does not guarantee deletion of stolen data, and creates a record of you as a payer.
The most useful insurance against ever needing to make this decision is a tested, isolated, immutable backup — combined with the Essential Eight controls in place beforehand.
What to do this week, before anything happens
- Confirm you have working, recently-tested, offline-protected backups of production.
- Confirm you know who you would call: insurer, IR retainer, legal counsel, and the ASD ReportCyber number.
- Print your contact tree. If your email is encrypted by ransomware, you cannot email people.
- Run a tabletop exercise with the executive in the next quarter.
If you would like help building a response capability before you need it, we can help — either as your IR retainer or by working with your existing one.