"All our files are locked." "Customer data might have leaked." When that call comes in, do you know exactly what to do?
According to Japan's National Police Agency (NPA), ransomware attacks on small and medium businesses (SMBs) increased 37% year-over-year in 2024. About 49% of affected businesses took over a month to recover, and 50% spent over $70,000 on recovery costs alone. The trend is global — the Verizon DBIR 2025 confirms SMBs worldwide face disproportionate ransomware risk.
This article isn't about prevention — it's about what to do after you've been attacked. We cover three incident types: ransomware, data breaches, and DDoS/unauthorized access, with step-by-step instructions that work even without a dedicated IT team.
Small Businesses Are Prime Targets — The Numbers Don't Lie
"We're too small to be a target" is a dangerous myth.
According to the Verizon DBIR 2025, 88% of SMB breaches involved ransomware — more than double the overall average of 39%. The reason is simple: small businesses invest less in security, making them easy targets.
The top two intrusion methods tell the story (Sophos 2025 survey):
| Rank | Entry Point | Share |
|---|---|---|
| 1st | Exploited vulnerabilities (unpatched software) | 32% |
| 2nd | Compromised credentials (leaked/reused passwords) | 23% |
The second entry point — compromised credentials — is directly caused by password reuse and leaked passwords left unchecked. Running a breach check with NordPass Data Breach Scanner on your company domain can significantly reduce this risk.
The First Hour: What to Do Immediately After an Attack
Your actions in the first 60 minutes determine the scale of damage. Based on NIST SP 800-61 and CISA guidance, here's what to do — even without a dedicated IT team.
1. Disconnect from the network
Unplug the Ethernet cable. Turn off Wi-Fi. Do not power off the machine — you'll lose evidence stored in memory.
# Windows (Administrator Command Prompt)
netsh interface set interface "Wi-Fi" disable
netsh interface set interface "Ethernet" disable
# Mac/Linux
sudo ifconfig en0 down # Wi-Fi
sudo ifconfig en1 down # Wired LAN
2. Preserve evidence
Take screenshots of everything — ransom notes, error messages, suspicious emails. A smartphone photo of the screen counts as evidence.
Document the following:
- Timestamp (when discovered, how it was found)
- Scope (which machines, which systems)
- Actions taken (what was done before and after discovery)
3. Notify key contacts
| Contact | Purpose | Info |
|---|---|---|
| Management | Decision-making (ransom response, etc.) | Internal |
| CISA | Technical guidance | https://www.cisa.gov/report |
| FBI IC3 | Cybercrime reporting | https://www.ic3.gov/ |
| Legal counsel | Regulatory obligations | Your attorney |
| Clients/partners | Prevent secondary damage | After scope is confirmed |
Ransomware Response: Step-by-Step Recovery Without Paying
When your screen shows "Your files have been encrypted. Pay Bitcoin to decrypt" — follow these steps.
What NOT to do
- Don't pay the ransom. According to Veeam's 2025 research, 36% of organizations refused to pay, and 25% recovered their data without paying at all. Payment doesn't guarantee decryption
- Don't restart the infected machine. Decryption keys in memory may be lost
- Don't create backups after infection. The backup destination can become infected too
Step 1: Identify the ransomware
Check the file extension of encrypted files (.locked, .crypt, etc.). Upload a sample to ID Ransomware (https://id-ransomware.malwarehunterteam.com/) to identify the specific variant.
Step 2: Search for decryption tools
Check No More Ransom (https://www.nomoreransom.org/) for free decryption tools. This Europol-backed project covers 200+ ransomware families.
Step 3: Restore from backup
If you have offline backups (not connected to the infected network):
- Clean-install the OS on infected machines
- Restore data from backup
- Change all account passwords
If no backup exists, contact a digital forensics firm. It's expensive, but cheaper than total data loss.
Step 4: Reset all passwords company-wide
Whether or not the intrusion came through compromised credentials, reset all passwords as a precaution. A password manager lets you deploy strong, unique passwords to every employee instantly.
Data Breach Response: Legal Obligations and Notification Steps
Customer PII, employee records, trade secrets — what leaked determines your response.
Notification requirements vary by jurisdiction
| Jurisdiction | Timeline | Authority |
|---|---|---|
| GDPR (EU) | 72 hours | Supervisory Authority |
| Japan | 3-5 days (preliminary), 30 days (full) | Personal Information Protection Commission |
| US (varies by state) | 30-90 days (most states) | State Attorney General |
| Australia | 30 days | OAIC |
Step 1: Determine the scope
- Which databases/files were accessed?
- How many records are affected?
- How long was the breach active? (Check access logs)
Step 2: Stop the bleeding
- Close the breach vector (disable compromised accounts, patch the vulnerability, take the app offline)
- Monitor for leaked data on dark web marketplaces
Step 3: Notify and report
- File the required regulatory report
- Notify affected individuals (email/mail)
- Issue a press release if the scale warrants it
- Inform business partners
Step 4: Prevent recurrence
- Fix the root cause (patch, access control review)
- Reset all company passwords
- Set up continuous monitoring with NordPass Data Breach Scanner on your company domain
DDoS and Unauthorized Access: Containment Playbook
"The website suddenly got slow." "Someone logged in from an unknown IP." These are incidents too.
DDoS attacks
- Check your CDN/WAF: If using Cloudflare, enable "Under Attack Mode"
- Contact your ISP: Request upstream filtering
- Preserve access logs: Record attacker IPs (needed as evidence)
- Report to authorities: DDoS may constitute a criminal offense in your jurisdiction
Unauthorized access
- Disable the compromised account immediately
- Terminate all active sessions
- Identify the entry point from access logs (SSH? Admin panel? API?)
- Close the entry point (close ports, add IP restrictions, enforce MFA)
- Check for lateral movement to other systems
Five Things to Do After the Incident Is Over
The attack has stopped, but your work is just beginning.
1. Write an incident report
Document everything:
- Timeline (detection, response, resolution)
- Scope (affected systems, data, duration)
- Root cause
- Remediation actions taken
- Lessons learned
This report is essential for client communication, insurance claims, and legal proceedings.
2. Fix the root cause
"We strengthened our firewall" isn't enough. If the cause was password reuse, deploy a password manager company-wide. If it was an unpatched server, establish a patch management process.
3. Consider cyber insurance
With 50% of SMB recovery costs exceeding $70,000, cyber insurance is a rational business decision. Many policies cover forensics, legal fees, and notification costs.
4. Train your employees
While the incident is still fresh in everyone's mind, run a company-wide security training session. CISA's free resources for small businesses are an excellent starting point.
5. Update your response plan
Incorporate lessons from this incident into the response plan from the next section. Document specific improvements so you're better prepared next time.
Build Your Incident Response Plan Today (Free Checklist)
According to the Sophos 2025 survey, most small businesses lack a formal incident response plan. Creating one today puts you ahead of the vast majority of businesses.
At minimum, write down the following on a single sheet of paper:
Contact list
| Role | Name | Phone | |
|---|---|---|---|
| Incident lead | |||
| IT support (internal/external) | |||
| Legal counsel | |||
| Cyber insurance provider | |||
| CISA | — | — | https://www.cisa.gov/report |
| FBI IC3 | — | — | https://www.ic3.gov/ |
Immediate response checklist
- Disconnect from network (unplug Ethernet / turn off Wi-Fi)
- Screenshot everything visible on screen
- Notify incident lead
- Initial scope assessment (which machines, which data)
- Preserve evidence (logs, emails, screenshots)
- Decide whether to report to CISA / law enforcement
- If personal data may be involved → prepare breach notification
Prevention checklist
- Regular offline backups (at least weekly)
- Password manager deployed company-wide
- VPN for all remote access
- Automatic OS and software updates enabled
- MFA enabled on all accounts
Password management for SMBs — 14-day free trial
- xChaCha20 encryption with zero-knowledge architecture
- ISO 27001 / SOC 2 Type 2 certified
- Admin console for company-wide management
Wrapping Up
Cyberattacks are not a matter of "if" but "when." SMB incidents continue to rise, with 116 ransomware cases reported to Japan's NPA in the first half of 2025 alone — a record high for any half-year period.
The most critical factor is what you do in the first hour. Network isolation, evidence preservation, and contacting the right people — executing these three steps immediately can reduce damage by orders of magnitude.
Print the checklist from this article and pin it to your office wall. That single sheet of paper might save your business someday.
Related articles: