Ransomware Recovery Checklist for Small Businesses

Hour-by-hour ransomware response and recovery checklist for NY/NJ SMBs. What to do in the first 60 minutes, the first 24 hours, and the first week.

Sage Solutions 8 min read

If you are reading this because something is happening right now: stop reading. Call your MSP. If you don’t have one, call us at (646) 886-7604. Then come back and read.

If you are reading this for planning purposes — that is the right time. Here is the checklist we run when a managed client gets hit, scaled to what a typical SMB without enterprise tooling can actually execute.

First 60 minutes — contain the blast radius

  1. Disconnect, don’t power off. Disconnect affected machines from the network — pull ethernet cables, disable Wi-Fi, and unplug any docking station that carries a wired connection. Do not power off if you can help it: forensic evidence (running processes, network connections, and for some strains the key material a decryptor needs) lives in memory and is gone the moment the machine reboots.
  2. Isolate the segment. If your network is segmented, isolate the affected segment at the switch or firewall. If it is not segmented, prepare to isolate the whole site.
  3. Stop file synchronization. Pause OneDrive, Google Drive, Dropbox, and any other sync clients on every machine. A sync client will faithfully upload the encrypted version of every file it watches, and if it runs long enough to exhaust the service’s version history, it overwrites the clean cloud copies too. Pause the client; do not sign out or unlink it, since that can discard the local state you will want later.
  4. Notify leadership. A short text or call: “We are responding to a likely ransomware incident. Will know more within the hour.” Do not put detail in writing yet.
  5. Open the incident log. Note the time. Every action from now forward gets a timestamp and the name of who did it. This will matter for your insurance carrier and any law enforcement involvement.
  6. Do not engage the attackers. Ransom notes often contain a chat URL or email. Do not click. Do not respond. Anything you say can change the negotiation later if your insurer decides one is needed.

Hours 1–4 — assessment

  1. Identify patient zero if possible. Which machine was first? When did it happen? An EDR product (CrowdStrike, SentinelOne, Defender for Endpoint, Huntress) makes this trivial; without one it is investigative work.
  2. Identify the strain. The ransom note and the extension added to encrypted files usually identify the actor. Cross-reference at No More Ransom, which can identify the family from an uploaded note and an encrypted sample — for some strains, free decryptors exist.
  3. Verify your backups. Specifically: are they reachable, are they recent, and are they intact? Do not trust a green job status: mount the most recent backup and test-restore a handful of files you can compare against a known-good copy. An attacker who fully owned your domain may have deleted or encrypted backups, or may have been inside long enough that recent backups already contain the intrusion. This is why immutable backup architecture matters.
  4. Notify your cyber insurance carrier. Most policies require notification within 24–72 hours. They will assign a breach coach, often a law firm, who manages everything else from here.
  5. Notify counsel. If you do not have a relationship with breach counsel, your cyber carrier will assign one.
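The three backup questions above (reachable, recent, intact) can be scripted so that a stressed operator gets a yes/no answer rather than a job status screen. The script below is an added example, not Sage Solutions’ tooling and not part of the original checklist. It assumes the backup target is a directory tree with a JSON manifest that records each file’s relative path and SHA-256 hash plus the job’s completion time (that manifest format, the 24-hour RPO, and the sample file names are all assumptions made for this example); the sample backup sets it builds are constructed data, including one that simulates in-place encryption and one with a deleted file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

MANIFEST = "manifest.json"  # assumed manifest name; adjust to your backup product


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large backup files never land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_backup(backup_dir, max_age_hours=24, now=None):
    """Answer reachable / recent / intact for one backup set.

    Returns a dict with a boolean per question, a list of findings, and a
    verdict of 'usable', 'stale' (intact but older than the RPO) or 'unusable'.
    """
    now = now or datetime.now(timezone.utc)
    result = {"reachable": False, "recent": False, "intact": False, "findings": []}
    manifest_path = os.path.join(backup_dir, MANIFEST)

    # Reachable: the target and its manifest must exist. An attacker who owned
    # the domain may have deleted the share or the manifest outright.
    if not os.path.isfile(manifest_path):
        result["findings"].append(f"manifest missing at {manifest_path}")
        result["verdict"] = "unusable"
        return result
    result["reachable"] = True
    with open(manifest_path) as f:
        manifest = json.load(f)

    # Recent: compare the job's completion time with the RPO.
    completed = datetime.fromisoformat(manifest["completed_at"])
    age_hours = round((now - completed).total_seconds() / 3600, 1)
    result["age_hours"] = age_hours
    if age_hours <= max_age_hours:
        result["recent"] = True
    else:
        result["findings"].append(f"last backup is {age_hours}h old, RPO is {max_age_hours}h")

    # Intact: every listed file must exist and hash to the manifest value.
    # A file encrypted in place keeps its name (and often its size) but fails here.
    bad = 0
    for entry in manifest["files"]:
        path = os.path.join(backup_dir, entry["path"])
        if not os.path.isfile(path):
            result["findings"].append(f"missing: {entry['path']}")
            bad += 1
        elif sha256_of(path) != entry["sha256"]:
            result["findings"].append(f"hash mismatch: {entry['path']}")
            bad += 1
    result["intact"] = bad == 0

    if result["intact"] and result["recent"]:
        result["verdict"] = "usable"
    elif result["intact"]:
        result["verdict"] = "stale"
    else:
        result["verdict"] = "unusable"
    return result


def build_sample_backup(root, completed_at, tamper=None):
    """Write a tiny constructed backup set (three files plus a manifest).

    tamper: None, 'encrypt' (overwrite one file with random bytes of the same
    length, keeping its name) or 'delete' (remove one file).
    """
    files = {  # constructed sample data, not real customer files
        "finance/ledger-2024.csv": b"date,amount\n2024-01-02,1200\n",
        "hr/roster.txt": b"alice,bob,carol\n",
        "crm/export.json": b'{"accounts": 3}\n',
    }
    entries = []
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        entries.append({"path": rel, "size": len(data), "sha256": sha256_of(full)})
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump({"completed_at": completed_at.isoformat(), "files": entries}, f)
    victim = os.path.join(root, "finance/ledger-2024.csv")
    if tamper == "encrypt":
        with open(victim, "r+b") as f:  # simulate in-place encryption
            original = f.read()
            f.seek(0)
            f.write(os.urandom(len(original)))
    elif tamper == "delete":
        os.remove(victim)


def demo():
    """Run the check against clean, stale, encrypted and deleted sample sets."""
    now = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    scenarios = {
        "clean": (now - timedelta(hours=6), None),
        "stale": (now - timedelta(days=9), None),
        "encrypted": (now - timedelta(hours=6), "encrypt"),
        "deleted": (now - timedelta(hours=6), "delete"),
    }
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (completed, tamper) in scenarios.items():
            root = os.path.join(tmp, name)
            os.makedirs(root)
            build_sample_backup(root, completed, tamper)
            out[name] = check_backup(root, max_age_hours=24, now=now)
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} {r['verdict']:9s} {'; '.join(r['findings']) or 'ok'}")
```

Run it against each backup copy you have (local appliance, off-site, cloud) and keep the oldest intact copy that predates the intrusion as your fallback; a backup that is recent but fails the hash check is worse than a stale one that passes, because it was written after the attacker was already inside.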

Hours 4–24 — decision

  1. Decision: restore from backup, decrypt, or pay.
    • Restore from backup is almost always the right answer if backups are intact. RTO depends on backup architecture — typical SMB with proper BCDR is 4–24 hours.
    • Decrypt if a free or commercial decryptor exists for the strain.
    • Pay is a last resort, controversial, and your carrier and counsel must be involved. A purchased decryptor is often slow or incomplete, payment does not undo the exfiltration of data already stolen, and paying a sanctioned actor can itself be unlawful (an OFAC question counsel will raise before any payment). Sage Solutions does not pay ransoms.
  2. Notify regulators if required. The NY SHIELD Act requires notification “in the most expedient time possible and without unreasonable delay” if NY residents’ private information was exposed, and since the December 2024 amendment that means no later than 30 days after discovery. HIPAA, PCI, and other frameworks have their own rules. Counsel handles the timing and content.
  3. Notify affected parties if required. Customers, employees, business partners. Counsel handles wording.
  4. Begin restoration in an isolated environment. Do not restore to your production network until you understand how the attacker got in. Otherwise you will be re-encrypted.

Days 1–7 — recovery and root-cause

  1. Rebuild, don’t restore, where possible. Wipe affected endpoints and rebuild from a clean image. Restore data only, not full systems.
  2. Reset every password. Domain admin first. All service accounts. All user accounts. Force MFA re-enrollment. If the attacker held domain admin, also reset the krbtgt account password twice, waiting for replication between the two resets, so that any Kerberos tickets they forged stop working.
  3. Rotate API keys, certificates, and secrets. Anything the attacker could have exfiltrated is compromised.
  4. Identify the entry vector. Phishing? Unpatched VPN appliance? Compromised RDP? Until you know, you cannot guarantee the next attack does not start the same way.
  5. Patch the vector. Whatever it was — close it.
  6. Scan for persistence. Attackers leave backdoors: new local admin accounts, scheduled tasks, services, startup entries, and remote-access tools they installed. Sweep every rebuilt and surviving system with modern EDR (Microsoft Defender for Endpoint, Huntress, or similar), and if the scope is unclear, bring in a dedicated incident response firm.

Weeks 1–4 — post-incident

  1. Forensics report. What happened, what was exfiltrated, what was encrypted, root cause. Required for insurance, often required for regulators, and useful for your board.
  2. Lessons-learned review. A blameless review with leadership and IT. What worked, what did not, what changes.
  3. Insurance claim. Document everything. Submit the claim.
  4. Hardening. Whatever the gap was — close it permanently. This usually means EDR, MFA everywhere, immutable backup, and phishing training if those were not in place.

What you should already have in place

If you do not have these, fix that before the attack happens — not after:

  • Endpoint Detection and Response (EDR) on every workstation and server — part of any serious cybersecurity stack
  • Multi-factor authentication (MFA) on every business-critical system
  • Immutable, off-site backup that an attacker who fully owns your network cannot delete
  • Cyber insurance with reputable carrier and a known incident response retainer
  • Documented incident response runbook with names, phone numbers, and decision authority
  • Phishing simulation program — phishing is the entry vector in roughly 70% of SMB ransomware incidents
  • Regular patch management — many attacks exploit vulnerabilities patched months ago

A note on prevention

Ransomware is a business operations problem disguised as an IT problem. The technical controls above are necessary but not sufficient. The real protection is layered: people who can spot a phishing email, processes that limit blast radius, and architecture that survives a worst-case incident.

How Sage Solutions helps

Ransomware resilience requires three things working together: cybersecurity controls that stop the attack, backup and disaster recovery that survives when they don’t, and managed IT that keeps both current. We deploy this stack as part of our Secure tier for managed clients across NY/NJ.

If you want to know whether your current setup would survive, book a free 30-minute risk review.

Download the printable checklist

We turned this article into a printable PDF with checkboxes, an incident information form, preventive controls audit, and a critical contacts table. Print it and keep it in your server room or IT binder.

Download Ransomware Recovery Checklist (PDF)
