
During a Ransomware Attack: What Your IT Team Is Actually Doing

A guide for the business owner who needs to understand what is happening behind the scenes.

By Nate Olson, Fractional IT Director & vCIO | N.O. IT Strategy LLC


This is the companion to Briefing No. 12, “Who Pays the Ransom?” That briefing covered industry-standard guidance on responding to a ransomware attack, including the legal gates you have to clear before any payment decision, what your cyber insurance policy actually covers, and the steps you need to take as a leader to protect your business. 

This one explains what your IT team or managed service provider should be doing during those same critical hours, and why the process often feels slower or quieter than you might expect.

The First Call That Has to Happen

You pay for cyber insurance every month. You also have an incident response plan (IRP) that you hoped you would never need. Now your worst fear has been realized: systems are locked out, employees are standing around with nowhere to go, and a ransom demand is sitting on the screen.

This is exactly where your IRP takes effect. Think of it as the insurance policy for your cyber insurance. It tells everyone in your organization who does what, in what order, starting from the moment the attack is confirmed.

The first step in that plan is straightforward. You contact your designated Incident Response Lead and inform them of what is happening. From that point forward, they own the process. The Incident Response Lead contacts your cybersecurity insurance agent or broker, the agent reports the incident to the carrier, and the carrier activates the approved incident response team. Every step that follows flows from that first call.

IT does not contact the insurance company directly unless they are the designated lead. This sequence is intentional. Professional incident response teams are engaged to preserve evidence for your insurance claim, your legal protection, and any law enforcement involvement that follows. Bypassing that sequence by rushing to wipe machines or restore systems before the IR team provides direction can compromise your coverage and eliminate options that would otherwise be available to you.

If your organization has no formal incident response plan, this sequence collapses into improvisation under the worst possible conditions. That is the cost of deferred preparation.

[Statistic callout: the global average cost to recover from a ransomware attack in 2024; figure not preserved in this copy]

One Critical Warning Before Anything Else

There is an operational reality that most business owners are not aware of until they are inside an active incident, and it has direct consequences for how the response is executed.

After the initial compromise, ransomware groups frequently maintain a monitoring presence inside the environment to detect whether their activity has been discovered. If they identify indicators that a response is underway, they may accelerate lateral movement to additional systems or execute the ransomware payload across a broader scope before containment can be established. The window between detection and full deployment can be measured in minutes.

For this reason, your incident response team communicates through out-of-band channels during the initial response phase, meaning direct phone calls rather than company email, internal chat platforms, or any communication infrastructure that runs through the compromised environment. A disorganized response where employees are unplugging machines at random, sending company-wide notifications about the attack, or discussing the situation in monitored channels can cause significantly more damage than the initial intrusion. Coordination and operational security in the first minutes of response are not procedural preferences. They are technical necessities.

[Statistic callout: share of ransomware victims that are SMBs; figure not preserved in this copy]

The Play-by-Play

Detection and Analysis: Before Anything Else

Before IT isolates a single machine, they have to confirm what they are actually dealing with. Ransomware shares behavioral characteristics with other types of malware, and acting on an incorrect assumption early in the response can compromise forensic evidence, trigger premature system shutdowns, and create gaps in your insurance documentation that are difficult to explain later.

IT identifies the specific ransomware strain using the ransom note, encrypted file extensions, and threat intelligence databases such as ID Ransomware. That identification is operationally critical. Different variants use different encryption methods, communicate with different command and control infrastructure, and in some cases have known decryption keys available through the No More Ransom project. A response built around the wrong strain is a response built on a flawed foundation.

Simultaneously, IT is conducting scope analysis. Which systems are confirmed compromised? Which are potentially exposed? Which remain clean and need to stay that way? Critically, IT is reviewing network logs for unusual outbound traffic or data transfers that may have occurred in the hours or days before the attack surfaced. Ransomware groups increasingly operate under a double extortion model, meaning they exfiltrate data before encrypting it. If that activity is present in the logs, the legal and regulatory obligations your organization faces change immediately, and your cyber attorney and insurance carrier need to know before any other decisions are made.
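The exfiltration review described above, as an added example that is not part of the briefing: an offline check over constructed outbound-flow log lines that surfaces a host sending an unusual volume to an external destination in the hours before encryption. The log format, host names, IP addresses, byte threshold and off-hours window are all assumptions made for illustration.

```python
# Added example, not from the briefing: an offline check over constructed
# outbound-flow log lines that looks for the bulk transfer to an external
# destination which often precedes double-extortion encryption. The log
# format, host names, IP addresses and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: timestamp, source host, destination IP, dest port, bytes sent.
SAMPLE_FLOW_LOG = """\
2024-05-01T01:10:00 fileserver01 10.0.0.50 445 120000
2024-05-01T01:12:00 fileserver01 10.0.0.51 445 98000
2024-05-01T02:05:00 fileserver01 203.0.113.77 443 4800000000
2024-05-01T02:07:00 fileserver01 203.0.113.77 443 5100000000
2024-05-01T02:30:00 workstation12 198.51.100.20 443 350000
2024-05-01T09:00:00 workstation12 198.51.100.20 443 410000
2024-05-01T09:15:00 dc01 10.0.0.10 389 52000
"""

# RFC 1918 ranges; traffic to anything else counts as leaving the environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip_text):
    """True when the destination is outside the private address ranges."""
    addr = ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow_log(text):
    """Parse the constructed space-separated format into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return records


def external_bytes_by_host(records):
    """Sum bytes sent by each host to external destinations."""
    totals = defaultdict(int)
    for rec in records:
        if is_external(rec["dst"]):
            totals[rec["host"]] += rec["bytes"]
    return dict(totals)


def flag_exfiltration(records, threshold_bytes=1_000_000_000, off_hours=(0, 6)):
    """Report hosts whose external egress exceeds threshold_bytes.

    Each finding carries the destinations, the first transfer time and how
    many transfers fell in the off-hours window (hour >= start and < end):
    the pattern an IR team wants surfaced before any payment or
    notification decision is made.
    """
    findings = []
    for host, total in external_bytes_by_host(records).items():
        if total < threshold_bytes:
            continue
        ext = [r for r in records if r["host"] == host and is_external(r["dst"])]
        start, end = off_hours
        off = sum(1 for r in ext if start <= r["ts"].hour < end)
        findings.append({
            "host": host,
            "external_bytes": total,
            "destinations": sorted({r["dst"] for r in ext}),
            "first_seen": min(r["ts"] for r in ext).isoformat(),
            "off_hours_transfers": off,
        })
    return sorted(findings, key=lambda f: f["external_bytes"], reverse=True)


if __name__ == "__main__":
    for finding in flag_exfiltration(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(finding)
```

On the sample, fileserver01 is the only host flagged: roughly 9.9 GB to a single external address, both transfers in the early-morning window. A real review would feed flow or proxy exports in the organization's own format and tune the threshold to a per-host baseline, but the output is the same kind of fact that changes the legal picture: a named host, a destination, a volume, and a time.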

This phase moves fast. It is also the phase that determines whether every subsequent decision is made with accurate information or incomplete assumptions.

First 15 Minutes: Confirm, Then Contain

Your Incident Response Lead initiates the notification chain while IT executes the first confirmation steps. These two tracks run in parallel, and neither waits for the other to complete.

IT first verifies that what they are looking at is an active ransomware event and not a partial system failure, a misconfigured tool, or an isolated malware infection with different response requirements. That confirmation, even if it takes only minutes, determines the actions that follow. Responding to the wrong incident type with ransomware-level containment procedures creates its own set of problems.

Once confirmed, IT isolates affected systems by disabling network access. The operational standard is clear: disconnect from the network, but do not power off. Powering down a compromised system destroys volatile evidence, including active memory captures and running process data, that the incident response team requires for forensic analysis, insurance documentation, and any law enforcement referral. Volatile evidence cannot be recovered after the fact. IT works exclusively from clean machines throughout this process and avoids touching compromised hardware outside of the containment actions directed by the IR team.

First 30 Minutes: Protect What Is Still Clean

With initial containment actions underway, IT shifts focus to two parallel objectives: ensuring that clean systems remain isolated from the compromised environment, and confirming that backup infrastructure is unreachable from affected systems.

Backups are a primary target for sophisticated ransomware operators. If backup systems are accessible from the compromised network at the time of the attack, they are at risk. IT verifies backup integrity and network separation immediately. Concurrently, the IR team begins directing evidence preservation activities, including system image captures, memory dumps, and log collection from affected devices. Remediation does not begin until evidence preservation is complete. That is not a procedural delay. It is a legal and financial protection for your organization.
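One way to make the backup-separation check concrete, as an added example and not code from the briefing: walk a firewall rule export (first match wins) and list every path from a confirmed-compromised host to a backup server on a backup-relevant port. The rule format, subnets, host addresses and port numbers are constructed for illustration; a real environment would export its own rule base.

```python
# Added example, not from the briefing: an offline check that walks a
# firewall rule export (first match wins) to confirm that hosts known to be
# compromised cannot reach the backup servers on the ports that matter.
# The rule format, subnets, host addresses and port numbers are assumptions.
from ipaddress import ip_address, ip_network

# Constructed rule list, evaluated top to bottom; "any" matches everything.
SAMPLE_RULES = [
    {"action": "allow", "src": "10.0.20.0/24", "dst": "10.0.99.10/32", "ports": [443]},        # IT subnet to backup console
    {"action": "deny",  "src": "10.0.10.0/24", "dst": "10.0.99.0/24",  "ports": "any"},        # user VLAN blocked from backup net
    {"action": "allow", "src": "10.0.0.0/16",  "dst": "10.0.99.10/32", "ports": [445, 2049]},  # broad SMB/NFS allow (the gap)
    {"action": "deny",  "src": "any",          "dst": "any",           "ports": "any"},        # default deny
]

BACKUP_HOSTS = ["10.0.99.10", "10.0.99.11"]
BACKUP_PORTS = [445, 2049, 9392]              # assumed: SMB, NFS, and a hypothetical backup-agent port
AFFECTED_HOSTS = ["10.0.10.25", "10.0.30.7"]  # constructed: hosts confirmed compromised


def _addr_matches(selector, ip_text):
    """A selector is "any" or a CIDR; check the address against it."""
    return selector == "any" or ip_address(ip_text) in ip_network(selector)


def _port_matches(selector, port):
    """A selector is "any" or a list of ports."""
    return selector == "any" or port in selector


def first_match(rules, src, dst, port):
    """Return the action of the first matching rule, or "deny" when nothing matches."""
    for rule in rules:
        if (_addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst)
                and _port_matches(rule["ports"], port)):
            return rule["action"]
    return "deny"


def check_backup_isolation(rules, affected, backup_hosts, ports):
    """List every (affected host, backup host, port) the rules still allow.

    An empty list is the condition the IR team wants before restoration
    starts; anything returned is a path that has to be closed first.
    """
    open_paths = []
    for src in affected:
        for dst in backup_hosts:
            for port in ports:
                if first_match(rules, src, dst, port) == "allow":
                    open_paths.append((src, dst, port))
    return open_paths


if __name__ == "__main__":
    for path in check_backup_isolation(SAMPLE_RULES, AFFECTED_HOSTS, BACKUP_HOSTS, BACKUP_PORTS):
        print("OPEN: %s -> %s:%d" % path)
```

In the sample, the user VLAN is correctly blocked, but the broad 10.0.0.0/16 allow lets the second compromised host reach the primary backup server over SMB and NFS. That is exactly the kind of rule that looks harmless on a normal day and becomes the path to the backups during an attack, and the check returns it as two concrete paths to close.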

[Statistic callout: share of ransomware incidents in which attackers specifically targeted backups before triggering encryption; figure not preserved in this copy]

First Hour: Scope Assessment and IR Coordination

The first war room meeting convenes on the leadership side. High-level decisions begin to take shape.

On the technical side, IT is working with the incident response firm to build a complete picture of the attack: confirmed entry point, lateral movement path, systems affected, data potentially exfiltrated, and current threat actor presence in the environment. This phase is often quiet from the leadership perspective, and that silence is frequently misread as inaction. The IR team is executing a structured forensic process that requires concentration and accuracy. Interrupting that process for frequent status updates degrades both the speed and the quality of the analysis at the moment when both matter most.

First 8 Hours: Eradication and Prioritized Recovery

Leadership is managing payment decisions and external communications. IT is executing eradication and beginning controlled recovery.

Eradication is a distinct and deliberate phase. It is not enough to restore systems from backup if the “back door” remains open and the attacker still has a foothold in the environment. IT works with the IR team to identify and close the entry point, remove all malicious tooling and persistence mechanisms from the environment, reset credentials across all potentially compromised accounts with priority on administrative access, and validate that the threat has been fully removed before any production systems are brought back online. Recovery then proceeds in priority order, with revenue-critical systems restored first from verified clean backups in an isolated environment before reconnection to the network.
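The credential reset step above, as an added example that is not part of the briefing: scoping which accounts need a reset from constructed authentication events, listing every account that logged on to an affected host inside the suspected compromise window and ordering the list so administrative accounts are handled first. The event format, account names, group membership, affected hosts and window are assumptions.

```python
# Added example, not from the briefing: scoping the credential reset that
# eradication requires, from constructed authentication events. Any account
# that authenticated on an affected host inside the suspected compromise
# window is listed, administrative accounts first. Event format, account
# names, group membership and the window are assumptions.
from datetime import datetime

# Constructed sample: timestamp, event type, account, host.
SAMPLE_AUTH_EVENTS = """\
2024-04-28T22:14:00 logon jsmith workstation12
2024-04-29T03:02:00 logon svc_backup fileserver01
2024-04-29T03:05:00 logon admin.olsen fileserver01
2024-04-29T08:30:00 logon mgarcia workstation07
2024-04-30T11:45:00 logon admin.olsen dc01
2024-05-01T01:55:00 logon svc_backup workstation12
2024-05-01T01:58:00 logon jsmith workstation12
"""

# Assumed privileged group membership; everyone else is a standard user.
ADMIN_GROUPS = {"admin.olsen": "Domain Admins", "svc_backup": "Backup Operators"}
AFFECTED_HOSTS = {"fileserver01", "workstation12"}
# Earliest suspected entry through the moment encryption was observed.
COMPROMISE_WINDOW = (datetime(2024, 4, 29, 0, 0), datetime(2024, 5, 1, 2, 0))
# Lower number resets first; standard users fall through to 2.
PRIORITY = {"Domain Admins": 0, "Backup Operators": 1}


def parse_auth_events(text):
    """Parse the constructed space-separated format; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, host = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "account": account, "host": host})
    return events


def accounts_to_reset(events, affected_hosts, window, admin_groups):
    """Return reset entries ordered by privilege, then by first exposure time.

    An account is in scope when it logged on to an affected host at any
    point inside the window; logons elsewhere or before the window do not
    count, which is why the scope has to be recomputed if the window moves.
    """
    start, end = window
    exposure = {}
    for ev in events:
        if ev["kind"] != "logon" or ev["host"] not in affected_hosts:
            continue
        if not (start <= ev["ts"] <= end):
            continue
        acct = ev["account"]
        entry = exposure.setdefault(acct, {
            "account": acct,
            "group": admin_groups.get(acct, "Users"),
            "hosts": set(),
            "first_seen": ev["ts"],
        })
        entry["hosts"].add(ev["host"])
        entry["first_seen"] = min(entry["first_seen"], ev["ts"])
    ordered = sorted(exposure.values(),
                     key=lambda e: (PRIORITY.get(e["group"], 2), e["first_seen"]))
    for entry in ordered:
        entry["hosts"] = sorted(entry["hosts"])
        entry["first_seen"] = entry["first_seen"].isoformat()
    return ordered


if __name__ == "__main__":
    for entry in accounts_to_reset(parse_auth_events(SAMPLE_AUTH_EVENTS),
                                   AFFECTED_HOSTS, COMPROMISE_WINDOW, ADMIN_GROUPS):
        print(entry)
```

On the sample the domain admin resets first, the backup service account second, and a standard user who touched an affected workstation an hour before encryption third; a user whose only logon was on an unaffected host, or before the window opened, is left out. The design point is that the reset list is derived from evidence rather than guessed, so it can be handed to the IR team and the insurer as documentation of what was done and why.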

Beyond 8 Hours: The Long Road Back

The average ransomware recovery takes 21 to 24 days. A small organization with a limited number of endpoints and verified, tested, immutable backups may restore critical operations within a few days. That timeline extends substantially as the environment scales. With hundreds or thousands of endpoints, servers, and distributed locations, the recovery process involves reimaging every affected machine, validating clean restoration, testing for re-infection before reconnection, and coordinating each stage with the incident response team to ensure the threat has not persisted in any part of the environment.

What business owners often experience as a slow recovery is in most cases a disciplined one. Rushing reconnection before the environment is verified clean is how organizations end up in a second encryption event within days of the first.

[Statistic callout: average time it takes to recover from a ransomware attack; figure not preserved in this copy]

Who Does What

Time Window     | Leadership Side                                                          | IT Side
----------------|--------------------------------------------------------------------------|-----------------------------------------------------------
Detection       | IR Lead notified, notification chain begins                              | Strain identification, scope analysis, exfiltration review
First 15 min    | Insurance activation initiated                                           | Confirm incident type, network isolation, do not power off
First 30 min    | IR team engaged through carrier                                          | Backup verification, evidence preservation
First hour      | War room convenes, high-level decisions                                  | Full scope assessment with IR firm
First 8 hours   | Payment decisions, external communications                               | Eradication, credential reset, prioritized recovery
Ongoing weeks   | Claims management, customer and vendor communications, strategic review  | Full environment restoration, documentation, hardening

After the Smoke Clears: Post-Incident Review

Restoration of systems is not the end of incident response. Under the NIST SP 800-61 framework, post-incident activity is a required phase, not an optional debrief. For organizations that treat it as optional, the data is consistent: they get hit again.

The post-incident review is a structured, documented analysis conducted once operations are stabilized. It is not a blame exercise. It is a professional accountability process that answers the questions that matter most from a risk management perspective. How did the attacker gain initial access? How long did they operate inside the environment before the ransomware was deployed? What detection controls were in place and why did they not surface the intrusion earlier? Where did the response plan hold and where did it fail under real conditions?

Every finding produces a direct remediation action. The vulnerability that served as the entry point gets patched and documented. Backup and recovery procedures that performed well get formalized as organizational standards. Communication failures that created delays during the response get rebuilt into the next version of the incident response plan with defined owners and escalation paths.

Leadership teams should understand that this review is also what your cyber insurer and legal counsel will reference when evaluating your organization’s security posture for future coverage and liability purposes. A documented, executed post-incident review is evidence of an organization that takes its obligations seriously. The absence of one tells a different story.

[Statistic callout: share of claims denied due to security gaps; figure not preserved in this copy]

The Hard Truth

Organizations that navigate ransomware without catastrophic loss share a consistent set of characteristics. They made decisions in advance, under no pressure, with time to think clearly.

Endpoint detection and response tools were deployed and actively monitored before the attack occurred. Backups were immutable, air-gapped, and tested for successful restoration on a regular schedule, not assumed to be functional. Cyber insurance was in place with sublimits reviewed and IR vendor relationships pre-approved by the carrier. An incident response plan existed, had been exercised, and assigned clear authority to specific individuals before any crisis arose.

Without those elements in place, the technical response becomes improvised, the insurance claim becomes complicated, and the pay-or-not decision gets made under conditions specifically designed by the attacker to be as disorienting as possible.

Your IT team can only work with what was built before the attack. Your incident response firm can only optimize an environment that has something to work with. The preparation decisions that feel optional during normal operations are the ones that determine whether your organization survives the worst day it will ever have.

If you are not certain your organization has these pieces in place, that uncertainty is the answer. Most small and midsize businesses do not find out until it is too late. A gap assessment takes less than an hour and costs nothing. The conversation is free. The ransomware attack is not.

Schedule a no-obligation consultation at noitstrategy.com or call 458.262.5571.

Nate Olson is a Fractional IT Director and vCIO serving small and midsize businesses. N.O. IT Strategy LLC provides independent IT leadership with no vendor incentives and no product bias.

This briefing is intended for general informational purposes only and does not constitute legal, insurance, or cybersecurity advice. Incident response requirements, cyber insurance terms, and regulatory obligations vary by organization, industry, and jurisdiction. Consult qualified legal counsel, a licensed insurance professional, and a certified cybersecurity practitioner before making decisions related to ransomware response, ransom payments, or incident response planning. Pricing and service availability are subject to change. N.O. IT Strategy LLC makes no warranties regarding the completeness or accuracy of third-party statistics referenced herein.

info@noitstrategy.com | 458.262.5571 | noitstrategy.com
