
What to do in the first hour after a ransomware attack

Discovering ransomware on an office computer is not the time to improvise. This step-by-step timeline tells an office manager exactly what to do — and what not to do — in the first 60 minutes after the ransom note appears.

Elevate Solutions
June 26, 2026 · 5 min read
In the first 60 minutes after discovering ransomware, a small office should isolate the affected machine without shutting it down, photograph all evidence before taking any other action, and call a managed IT or incident response provider before attempting recovery. Whether the event costs one day or one month of operations depends almost entirely on whether clean, tested backups exist and whether a response plan was in place before the attack began.

The ransom note is on the screen. Your stomach drops. Every instinct says do something — restart the computer, call your nephew who's good with tech, maybe just pay and get it over with. All three responses can make the situation significantly worse.

Here is what to do instead, minute by minute.

Minutes 0–5: Stop. Look. Do not touch.

Ransomware encrypts files while it spreads. Every second the infected machine stays connected to your network gives it more shared folders and other machines to reach. Before you pull any plugs, take out your phone and photograph the ransom note on screen. That image is evidence. Note the exact time, the machine involved, and what you were doing when the note appeared.

Do not click "pay now." Do not click anything on the infected machine.

Minutes 5–15: Isolate the infected machine — not the whole office

Disconnect the affected computer from your network immediately:

  • If wired: unplug the ethernet cable from the back of the machine.
  • If wireless: disable Wi-Fi on that machine only, or physically remove it from the room.
  • If a network-attached storage device or shared file server shows encrypted folders, disconnect it the same way.

Do not shut the machine down. Ransomware variants increasingly delete themselves after encrypting files. A powered-on machine may still hold forensic artifacts — active processes, memory contents — that an incident response professional can use. Shutting it down destroys that evidence and can complicate recovery.

Leave the router and internet connection running for every other machine in the office. Your team needs access to Microsoft 365 and cloud systems for the next steps.

Minutes 15–25: Check your Microsoft 365 environment — from a clean device

Open a browser on an unaffected machine and sign in to the Microsoft 365 admin center at admin.microsoft.com. You are looking for two things:

  • Microsoft Defender for Business alerts. M365 Business Premium includes Defender for Business. Check the security dashboard for active threat detections and which endpoints, if any, are flagged beyond the machine you already isolated.
  • OneDrive Files Restore. OneDrive for Business includes a Files Restore feature that lets a user roll back their OneDrive to any point within the past 30 days. If the encrypted files lived in OneDrive, a restore point may already exist. Confirm the option is available. Do not restore yet.

Do not sign in to Microsoft 365 from the infected machine under any circumstances.

Minutes 25–40: Locate your backups — and leave them alone for now

Your recovery outcome hinges on one question: where are your backups, and when were they last tested? Work through this list on paper:

  1. OneDrive version history. Files stored in OneDrive retain version history. Check whether affected files show prior clean versions in the file's version history panel.
  2. Dedicated cloud or managed backup. If your office uses a separate backup service, identify the most recent restore point and the date of the last successful test restore.
  3. External drives. Drives that were physically disconnected at the time of the attack are likely clean. Leave them unplugged until an IT professional confirms the environment is clear.

Write down every restore point you find. Do not start restoring files. Ransomware can persist inside backed-up data, and restoring to an unclean environment reinfects everything you just recovered.

Minutes 40–55: Preserve everything else

While you wait for professional help, document the incident in writing:

  • Which machines were affected and which were not
  • What files or folders appear encrypted — look for unfamiliar file extensions appended to filenames
  • Any unusual emails, links, or attachments anyone in the office opened in the previous 24 to 72 hours
  • Names of employees who used the affected machine recently

This written timeline matters to your IT provider, your insurer, and — depending on the data involved — potentially to regulators. Create it now, while the sequence of events is clear.
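As an added illustration (not part of the original post), here is a small Python script an IT provider could run from a clean machine over an exported directory listing to document which folders show files with an unfamiliar extension appended after a normal document extension. The list of "known" office extensions and the sample paths are constructed for the example.

```python
"""Inventory apparently encrypted files for the written incident timeline."""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Extensions normally found in a small office's documents (assumed list,
# adjust to your own environment).
KNOWN = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv",
         ".jpg", ".png", ".msg", ".zip"}


def appended_extension(name: str):
    """Return the unfamiliar suffix appended to a known document name, or None.

    'Q3-report.xlsx.locked' -> '.locked'; 'handbook.pdf' -> None;
    'archive.tar.gz' -> None (a legitimate double extension is not flagged).
    """
    suffixes = PureWindowsPath(name).suffixes
    if len(suffixes) < 2:
        return None
    original, appended = suffixes[-2].lower(), suffixes[-1].lower()
    if original in KNOWN and appended not in KNOWN:
        return appended
    return None


def summarize(paths):
    """Group suspicious files by appended extension and by parent folder."""
    by_ext = Counter()
    by_folder = defaultdict(int)
    unaffected = []
    for p in paths:
        path = PureWindowsPath(p)
        ext = appended_extension(path.name)
        if ext is None:
            unaffected.append(p)
            continue
        by_ext[ext] += 1
        by_folder[str(path.parent)] += 1
    return {"suspicious_by_extension": dict(by_ext),
            "suspicious_by_folder": dict(by_folder),
            "unaffected": unaffected}


# Constructed sample listing from a mapped file-server drive (not a real incident).
SAMPLE = [
    r"F:\Finance\Q3-report.xlsx.locked",
    r"F:\Finance\invoices-2026.csv.locked",
    r"F:\HR\handbook.pdf",
    r"F:\HR\onboarding.docx.locked",
    r"F:\Shared\team-photo.jpg",
    r"F:\Shared\archive.tar.gz",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

The per-folder counts go straight into the "what files or folders appear encrypted" line of the written record, and the unaffected list is a starting point for the "which machines were not affected" entry.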

Minutes 55–60: Make the calls, in this order

Now you call for help. Sequence matters.

  1. Your managed IT or incident response provider. They contain the damage, assess scope, and direct recovery. This is the first call. If you do not have a provider on retainer, that gap is exactly what ransomware operators count on.
  2. Your cyber insurance carrier. Most policies require prompt notification. Many carriers have a pre-vetted incident response firm they will dispatch — and cover. Have your policy number ready before you dial.
  3. Legal counsel. If your office handles protected health information, financial records, or confidential client data, your attorney determines your notification obligations under HIPAA, applicable state breach laws, or other regulations. Engaging counsel early also helps preserve attorney-client privilege over the investigation itself.
  4. FBI Internet Crime Complaint Center at ic3.gov. Reporting is not mandatory for most small businesses, but it is recommended. The FBI does not charge for the report, and the information aids federal tracking of ransomware groups.

What this hour actually determines

The difference between a ransomware event that costs a small office one day and one that costs a month — or its client relationships — almost always comes down to two things that were true before the attack began: clean, tested backups and a managed response plan.

Microsoft 365 Business Premium gives a small office meaningful tools: Defender for Business for endpoint detection, OneDrive Files Restore for a 30-day rollback window, and device management through Intune. Those tools reduce exposure. They do not replace a dedicated team that knows your environment and can respond in minutes, not hours.

An incident response retainer costs a fraction of what a week of downtime costs. If your office does not have one, the first 60 minutes of a ransomware attack is a costly way to find out.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions