Ransomware Response Plan: What to Do First
What Should Your Ransomware Response Plan Actually Look Like?
A practical guide for business leaders who want to be ready before it happens
Here is a question most business owners cannot answer.
If ransomware hit your network at 9 a.m. tomorrow, what would happen in the first 15 minutes? Who would make the call to disconnect systems? Who would contact your IT partner? Would anyone know what not to do?
If the answer is mostly silence, you are not alone. But silence in a ransomware attack costs money, fast. This guide walks you through what a real response plan looks like, who builds it, and what it needs to include.
First, Why Does This Plan Matter?
Ransomware attacks have doubled in frequency over the past three years. They no longer target just large companies. Businesses with 20 to 500 employees are now the most common targets because they tend to have valuable data and fewer defenses.
The average ransom demand for a small to mid-sized business is over $200,000. But the ransom is only part of the cost. Downtime, lost productivity, legal fees, customer notification costs, and reputational damage often add up to far more.
Here is the part that changes everything: businesses with a documented response plan recover in hours. Businesses without one recover in days or weeks, if they recover at all.
The plan is not about being pessimistic. It is about being ready.
What Is a Ransomware Response Plan?
A ransomware response plan is a written document that tells your team exactly what to do, in what order, and who is responsible for each step, the moment a ransomware attack is detected.
It is not a technical document written for IT staff. It is a business document written for everyone. Your office manager, your operations lead, and your CEO all need to be able to pick it up and know what to do.
What It Is Not
A ransomware response plan is not the same as a cybersecurity policy. Your cybersecurity policy covers how you prevent attacks. Your response plan covers what you do when prevention fails.
You need both. But if you only have one, start with the response plan. Prevention is important. But recovery is survival.
How Long Should the Plan Be?
This surprises most people: your ransomware response plan should be short. Aim for 2 to 4 pages.
A 40-page document will not get read. It will not be practiced. And it will definitely not be used effectively at 9 a.m. on a Tuesday when everyone is panicking.
The goal is a plan that any employee could open, read in five minutes, and start following. Clear steps. Plain language. No jargon.
You can have a longer technical runbook for your IT team or managed IT provider. But the primary plan your business relies on should be short, clear, and actionable.
Who Should Build It?
Your ransomware response plan should be built by a small team, not one person. Here is who should be in the room:
- Business owner or CEO
- Operations or office manager
- Finance lead (handles ransom decisions)
- Your managed IT provider or IT staff
- Legal counsel (even one call is worth it)
- Cyber insurance carrier (if you have one)
- HR lead (if employee data is at risk)
- A department head who knows workflows
Your managed IT provider is especially important here. They will likely be the ones executing the technical response. They need to know the plan before an attack happens, not during it.
If you do not have a managed IT partner and your internal IT team is one or two people, consider bringing in an outside cybersecurity consultant for a single session to help build the plan. The cost is small compared to the risk.
What Should the Plan Include?
A solid ransomware response plan covers six areas. Here is what each one needs to say:
1. Detection and First Response (The First 15 Minutes)
This is the most important section. When someone suspects ransomware, what happens immediately?
- Who do they call first? (Name a specific person, not just a job title)
- Is there a number to call if it is after hours?
- What systems should be disconnected right away? (Network cables, Wi-Fi, shared drives)
- What should employees NOT do? (Do not pay the ransom independently, do not try to decrypt files yourself, do not turn off servers without IT guidance)
Speed matters here, but so does discipline. The wrong move in the first 15 minutes can make recovery harder.
2. Escalation and Notification
Who needs to know, and in what order?
- Your managed IT provider or internal IT team
- Your cyber insurance carrier (most policies require notification within 24 to 72 hours)
- Legal counsel
- Executive leadership
- Customers or partners if their data may be affected
- Law enforcement (the FBI has a cybercrime unit and does not charge for assistance)
3. Assessment
Before any recovery begins, you need to know the scope of the attack.
- Which systems are affected?
- Has the attacker been removed from the network, or are they still active?
- What data was encrypted? What data may have been stolen?
- Is the backup environment clean, or was it also compromised?
This step is done by your IT team or provider, but leadership needs to understand the answers before decisions are made about recovery.
4. Decision Point: Pay or Recover?
This is the section most plans avoid. It should not be avoided.
Your plan should include a clear decision framework for whether to pay the ransom. That decision depends on several factors:
- Do you have clean backups that can be restored quickly?
- What does your cyber insurance policy cover?
- Is the encrypted data truly irreplaceable, or can you operate without it?
- What is the reputation risk if you pay versus if you lose the data?
Important
Paying a ransom does not guarantee your data comes back. In many cases, attackers take the payment and disappear, or provide decryption keys that only partially work. The FBI recommends against paying. Having clean backups is the only reliable alternative to this decision.
5. Recovery
Once the attacker is removed and the scope is understood, recovery begins. Your plan should document:
- Which systems get restored first, in order of business priority
- Where your backups are located and who has access to them
- Your target Recovery Time Objective for each critical system
- Who is responsible for verifying that restored systems are clean before they go back online
- How employees will be notified when systems are safe to use again
6. Post-Incident Review
After recovery, do not just move on. Schedule a post-incident review within two weeks.
- How did the attacker get in? (Phishing email, weak password, unpatched software?)
- What slowed down the response?
- What worked well?
- What needs to change in your defenses or your plan?
The post-incident review is how a ransomware attack becomes a learning experience rather than just a loss.
Who Should Have Access to the Plan?
More people than you think. Here is the rule: anyone who has a role in the plan needs a copy of the plan.
Who gets a copy:
- CEO / Owner
- Office or operations manager
- Department heads
- Managed IT provider
- Finance lead
Where it should be stored:
- A printed copy in the office
- A printed copy at home or accessible offline
- Saved in a location outside your main network
- Shared with your cyber insurance carrier
- Accessible on personal devices (not just company devices that may be encrypted)
That last point is critical. If your plan lives only on your company server and your company server gets encrypted, your plan is gone. Keep at least one printed copy in a physical location. Keep a digital copy in personal cloud storage or email.
How Often Should You Update It?
Review your ransomware response plan at minimum once a year. Also update it whenever any of the following change:
- You switch managed IT providers or add new IT staff
- You change cyber insurance carriers or update your policy
- You adopt new software, cloud tools, or data storage systems
- Your organization grows significantly or restructures
- You or your team complete ransomware training
The One Thing That Makes the Plan Real
Writing a ransomware response plan is not enough. You have to practice it.
Once a year, run a tabletop exercise. Sit your key people down, walk through a simulated ransomware scenario, and see what happens. You will find gaps you did not know existed. You will find out who freezes and who leads. You will find out whether your backups are actually tested or just assumed to be working.
A plan on paper is a start. A plan your team has practiced is a defense.
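The Recovery section above (restore order, backup location and owner, an RTO per critical system, a named verifier) and the tabletop point about backups being tested rather than assumed can be turned into a small readiness check that your IT team or provider keeps beside the technical runbook. The following Python script is an added example, not part of this article or any Novatech tooling; every system, RTO, restore time, date and the 90-day test-age limit is a constructed sample value, and it assumes systems are restored one at a time in priority order.

```python
# Added example: a recovery-readiness check for the "Recovery" section of a
# ransomware response plan. All systems, times and dates below are constructed
# sample data, not figures from the article.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class CriticalSystem:
    name: str
    priority: int                      # 1 = restore first
    rto_hours: float                   # target Recovery Time Objective
    restore_hours: float               # estimated time to restore from backup
    backup_location: str               # where the backups live
    backup_owner: str                  # who has access to the backups
    verifier: str                      # who confirms the restored system is clean
    last_restore_test: Optional[date]  # None = backup has never been test-restored


# Constructed sample inventory for a small business (assumed values).
SAMPLE_SYSTEMS = [
    CriticalSystem("Email and identity", 1, 4, 3, "offsite vault", "IT provider",
                   "IT provider", date(2025, 4, 15)),
    CriticalSystem("Line-of-business app", 2, 8, 6, "cloud backup", "IT provider",
                   "Operations manager", date(2025, 5, 20)),
    CriticalSystem("File server", 3, 24, 8, "offline NAS", "Office manager",
                   "IT provider", None),
    CriticalSystem("Accounting", 4, 48, 4, "cloud backup", "Finance lead",
                   "Finance lead", date(2024, 12, 1)),
]
AS_OF = date(2025, 6, 1)  # constructed "today" so the example is reproducible


def restore_schedule(systems: List[CriticalSystem]) -> List[Tuple[str, float, bool]]:
    """Restore in priority order, one system at a time (assumption: a single
    team works serially), and report each system's projected finish hour and
    whether that finish is inside its RTO."""
    schedule = []
    elapsed = 0.0
    for s in sorted(systems, key=lambda s: s.priority):
        elapsed += s.restore_hours
        schedule.append((s.name, elapsed, elapsed <= s.rto_hours))
    return schedule


def readiness_gaps(systems: List[CriticalSystem], today: date,
                   max_test_age_days: int = 90) -> List[str]:
    """List the reasons the recovery section is not yet credible: missing
    owners, untested or stale backups, and RTOs the schedule cannot meet."""
    gaps = []
    for s in systems:
        if not s.backup_owner:
            gaps.append(f"{s.name}: nobody is named as having access to the backups")
        if not s.verifier:
            gaps.append(f"{s.name}: nobody is named to verify the restore is clean")
        if s.last_restore_test is None:
            gaps.append(f"{s.name}: backup has never been test-restored")
        else:
            age = (today - s.last_restore_test).days
            if age > max_test_age_days:
                gaps.append(f"{s.name}: last restore test is {age} days old "
                            f"(limit {max_test_age_days})")
    for name, finish, ok in restore_schedule(systems):
        if not ok:
            gaps.append(f"{name}: projected restore finishes at hour {finish:g}, "
                        f"past its RTO")
    return gaps


def check_sample_plan() -> List[str]:
    """Run the check against the constructed sample inventory."""
    return readiness_gaps(SAMPLE_SYSTEMS, AS_OF)


if __name__ == "__main__":
    for name, finish, ok in restore_schedule(SAMPLE_SYSTEMS):
        print(f"{name:22s} restored by hour {finish:>5g}  {'OK' if ok else 'MISSES RTO'}")
    print()
    for gap in check_sample_plan():
        print("GAP:", gap)
```

With the sample data, the line-of-business application misses its 8-hour RTO because email and identity must be restored first, the file server's backup has never been test-restored, and the accounting backup's last test is older than the 90-day limit. Those are exactly the findings a tabletop exercise tends to surface; keeping them in a checkable form means they are found before the incident rather than during it.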
Start Here If You Have Nothing
If you do not have a ransomware response plan today, here is your immediate next step: set a meeting with your managed IT provider and ask them one question.
“If ransomware hit us tomorrow, what would you need from us in the first hour?”
Their answer will tell you a lot about your current readiness. And it will start the conversation that leads to a real plan.
About Novatech
Novatech is a managed office technology provider serving businesses across the Southeast and beyond. We manage IT infrastructure, cybersecurity, cloud solutions, copiers, printers, and document software, all under one roof. When something goes wrong, you make one call.
To learn more or schedule a complimentary technology assessment, visit novatech.net or call your local Novatech office.