For small and mid-size businesses, ransomware damage is decided in the first six hours.
This operational playbook explains what to do, what not to do, and how to recover without chaos.

Ransomware attacks are no longer targeting only giant enterprises. Small and mid-size companies are now preferred targets because attackers expect weaker controls and slower response.
In most cases, business damage is determined in the first six hours—not in the first six days.
If you run an SME, this is the practical response sequence.
Hour 0 to 1: Contain, do not debate
- Disconnect infected machines from the network immediately.
- Disable shared drives and remote desktop access.
- Pause VPN access for non-essential users.
- Do not reboot infected systems unless your responder asks you to.
Common mistake: teams waste 40 minutes arguing whether the alert is real. Assume real, isolate first.
Hour 1 to 2: Activate command structure
Nominate one incident lead and one communication owner.
- Incident lead: technical decisions.
- Communication owner: staff updates, customer holding statement, legal coordination.
Without this split, companies create panic internally and contradictory messages externally.
Hour 2 to 3: Preserve evidence
- Capture endpoint logs.
- Record ransom note text/screenshots.
- Save firewall and identity provider logs.
- Mark the timeline of first suspicious activity.
Evidence matters for insurance, legal reporting, and understanding initial access route.
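The evidence step above is easier to defend later if every artefact is hashed and time-stamped at the moment of collection. The following script is an added example, not part of the original playbook: it builds a chain-of-custody manifest (SHA-256, size, source host, collector, UTC collection time) for a set of artefacts, re-verifies them later to prove nothing was altered, and pulls the earliest matching timestamp out of a log excerpt to anchor the "first suspicious activity" point on the timeline. The artefacts, host names, and log lines are constructed sample data; the collect_file helper is what you would use to read real files from disk.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artefacts standing in for what responders collect in
# hours 2-3: an endpoint log excerpt, the ransom note text, and a firewall
# log excerpt. Keys are "<source-host>/<artefact-name>".
SAMPLE_ARTEFACTS = {
    "ws-017/endpoint.log": (
        b"2024-05-02T03:12:41Z ws-017 process_start parent=outlook.exe child=powershell.exe\n"
        b"2024-05-02T03:13:05Z ws-017 file_rename count=1842 ext=.locked\n"
    ),
    "ws-017/README_RESTORE.txt": b"Your files are encrypted. (constructed placeholder note)\n",
    "fw-edge/firewall.log": (
        b"2024-05-02T02:58:10Z allow src=10.0.5.17 dst=203.0.113.9 dport=443\n"
    ),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_entry(name: str, data: bytes, source_host: str, collector: str) -> dict:
    """One manifest entry: what was collected, from where, by whom, when, and its hash."""
    return {
        "artefact": name,
        "source_host": source_host,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
    }


def build_manifest(artefacts: dict, collector: str) -> list:
    """Chain-of-custody manifest for name -> bytes artefacts, sorted by name.
    The source host is the first path component of the artefact name."""
    return [
        make_entry(name, data, name.split("/", 1)[0], collector)
        for name, data in sorted(artefacts.items())
    ]


def verify_manifest(manifest: list, artefacts: dict) -> list:
    """Names of artefacts whose current content no longer matches the hash
    recorded at collection time; an empty list means the evidence is intact."""
    changed = []
    for entry in manifest:
        current = artefacts.get(entry["artefact"])
        if current is None or sha256_hex(current) != entry["sha256"]:
            changed.append(entry["artefact"])
    return changed


def collect_file(path: str) -> bytes:
    """Read an artefact from disk; open read-only and never touch the original."""
    with open(path, "rb") as fh:
        return fh.read()


def first_suspicious_timestamp(log_lines, marker: str) -> str:
    """Earliest timestamp of a log line containing marker. Lines are expected to
    start with an ISO-8601 UTC timestamp, so string order equals time order."""
    stamps = sorted(line.split(" ", 1)[0] for line in log_lines if marker in line)
    return stamps[0] if stamps else ""


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTEFACTS, collector="incident-lead")
    print(json.dumps(manifest, indent=2))
    print("changed since collection:", verify_manifest(manifest, SAMPLE_ARTEFACTS))
    lines = SAMPLE_ARTEFACTS["ws-017/endpoint.log"].decode().splitlines()
    print("first suspicious activity:", first_suspicious_timestamp(lines, "powershell.exe"))
```

Store the manifest (and a copy of the artefacts) on media the attacker cannot reach, and re-run verify_manifest before handing evidence to insurers, counsel, or an external responder.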
Hour 3 to 4: Assess blast radius
Classify systems into three buckets:
A) Confirmed encrypted
B) Potentially exposed
C) Clean and isolated
Only when this map is ready should restoration start. Restoring too early can reintroduce malware.
Hour 4 to 5: Restore critical operations in priority order
Use pre-agreed business criticality, not technical convenience:
1. Billing/collections
2. Customer support systems
3. Core production systems
4. Internal collaboration tools
Restore from offline or immutable backup snapshots only.
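The two steps above (bucket the estate, then restore in business order from clean snapshots) can be written down as a small decision procedure so the restore order is not argued over at hour four. The script below is an added example, not the article's own tooling: it classifies a constructed host inventory into buckets A, B and C, then produces a restore list for bucket-A hosts sorted by the playbook's criticality order, accepting only immutable or offline snapshots taken before the first-suspicious-activity cutoff, and listing why each remaining host is blocked. Host names, segments, snapshot ids and the cutoff time are all constructed sample data.

```python
from dataclasses import dataclass

BUCKET_ENCRYPTED = "A"   # confirmed encrypted
BUCKET_EXPOSED = "B"     # potentially exposed: alert, or shares a segment with an A host
BUCKET_CLEAN = "C"       # clean and isolated

# Pre-agreed business criticality from the playbook; lower restores first.
CRITICALITY = {"billing": 1, "customer_support": 2, "production": 3, "collaboration": 4}


@dataclass
class Host:
    name: str
    service: str                 # business function the host serves
    segment: str                 # network segment / VLAN
    ransom_note: bool = False    # responder confirmed ransom note or encrypted files
    edr_alert: bool = False      # unconfirmed endpoint-protection alert
    isolated: bool = False       # network isolation already applied


@dataclass
class Backup:
    host: str
    snapshot_id: str
    immutable: bool              # object-lock/WORM or offline copy
    taken_at: str                # ISO-8601 UTC


# Constructed inventory: three confirmed-encrypted hosts, one unisolated server
# beside them, one isolated client, one client with an unconfirmed alert.
HOSTS = [
    Host("fin-01", "billing", "servers", ransom_note=True),
    Host("app-01", "production", "servers", ransom_note=True),
    Host("help-01", "customer_support", "servers"),
    Host("ws-017", "collaboration", "clients", ransom_note=True),
    Host("ws-042", "collaboration", "clients", isolated=True),
    Host("ws-088", "collaboration", "clients", edr_alert=True, isolated=True),
]
BACKUPS = [
    Backup("fin-01", "snap-fin-0501", immutable=True, taken_at="2024-05-01T23:00:00Z"),
    Backup("fin-01", "snap-fin-0502", immutable=True, taken_at="2024-05-02T04:00:00Z"),  # after cutoff
    Backup("app-01", "snap-app-0501", immutable=False, taken_at="2024-05-01T23:00:00Z"),  # mutable
    Backup("ws-017", "snap-ws17-0430", immutable=True, taken_at="2024-04-30T23:00:00Z"),
]
CUTOFF = "2024-05-02T02:58:10Z"  # first suspicious activity from the evidence timeline


def classify(hosts):
    """Map host name -> bucket. A if encryption is confirmed; B if it carries an
    unconfirmed alert or sits unisolated in a segment with an A host; else C."""
    confirmed = {h.name for h in hosts if h.ransom_note}
    hot_segments = {h.segment for h in hosts if h.name in confirmed}
    buckets = {}
    for h in hosts:
        if h.name in confirmed:
            buckets[h.name] = BUCKET_ENCRYPTED
        elif h.edr_alert or (h.segment in hot_segments and not h.isolated):
            buckets[h.name] = BUCKET_EXPOSED
        else:
            buckets[h.name] = BUCKET_CLEAN
    return buckets


def restore_plan(hosts, backups, buckets, cutoff):
    """(plan, blocked): plan is the ordered list of (host, service, snapshot) for
    bucket-A hosts using the newest immutable snapshot taken before cutoff;
    blocked lists (host, reason) for hosts that must not be restored yet."""
    usable = {}
    for b in backups:
        if b.immutable and b.taken_at < cutoff:
            if b.host not in usable or b.taken_at > usable[b.host].taken_at:
                usable[b.host] = b
    plan, blocked = [], []
    for h in sorted(hosts, key=lambda x: (CRITICALITY.get(x.service, 99), x.name)):
        bucket = buckets[h.name]
        if bucket == BUCKET_EXPOSED:
            blocked.append((h.name, "bucket B: investigate before restore"))
        elif bucket == BUCKET_ENCRYPTED:
            snap = usable.get(h.name)
            if snap is None:
                blocked.append((h.name, "no immutable or offline snapshot taken before the cutoff"))
            else:
                plan.append((h.name, h.service, snap.snapshot_id))
    return plan, blocked


if __name__ == "__main__":
    buckets = classify(HOSTS)
    plan, blocked = restore_plan(HOSTS, BACKUPS, buckets, CUTOFF)
    print("buckets:", buckets)
    print("restore order:", plan)
    print("blocked:", blocked)
```

Note the two refusals built in: a snapshot that is mutable, or that was taken after the cutoff, is never offered even when it is the newest one available, which is exactly the "restoring too early can reintroduce malware" failure the playbook warns about.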
Hour 5 to 6: Regulatory and stakeholder communication
Prepare a factual update:
- What happened
- What is affected
- What remains operational
- Next update time
Avoid speculation. Credibility is preserved by clarity and cadence.
Three controls SMEs should implement this month
1) Immutable backups with restore drills every 30 days.
2) MFA on email, VPN, and admin consoles.
3) Patch SLA for internet-facing systems under 7 days.
Final word
Ransomware is not only a technology incident. It is a business continuity event. Companies that pre-assign roles, rehearse containment, and test backup restoration usually recover faster, cheaper, and with far less reputational fallout.
Preparedness is cheaper than panic.