You arrive at the office on a Tuesday morning. Screens are showing a ransom note. Files won't open. Someone calls in from home — their VPN-connected laptop is the same. This is ransomware, and the next 24 hours will determine how bad it gets.
Most Irish SMEs have no written plan for this moment. What follows is the practical playbook.
The First 60 Minutes
Isolate, Don't Shut Down
Your immediate instinct may be to power everything off. Resist it. Shutting down machines destroys volatile memory — RAM that may contain encryption keys, process traces, or attacker artefacts that your incident response team can recover. Instead, disconnect affected systems from the network. Pull the ethernet cable, disable Wi-Fi, take the switch offline if you need to. Kill network connectivity, not power.
Isolate everything you can confirm is affected, and start physically separating anything that looks clean.
Preserve the Evidence You Have
Before you do anything else, take photographs of every ransom note screen you can see. Write down — on paper — which systems appear affected, the times staff first noticed something wrong, and any unusual events from the preceding 24–48 hours. This is your incident log.
If you have IT support, have them pull firewall and authentication logs immediately and copy them off-network. Log files on compromised systems get overwritten. Get them now.
Don't Pay Yet
The ransom note will create urgency. That is by design. Do not pay until you have spoken to your insurer and an incident response professional. Payment does not guarantee decryption. It funds further attacks. And in some cases, paying a sanctioned group creates legal liability.
Call Your Cyber Insurer
If you have a cyber insurance policy, call the incident response number on the policy document now — in the first hour. Most policies have 24/7 lines. Your insurer will typically activate an IR firm on your behalf, and that firm's cost will be covered under the policy. Acting before you call your insurer, or making decisions that affect the claim, can complicate coverage.
Hours 2–6
Notify NCSC Ireland
The National Cyber Security Centre (NCSC) operates Ireland's national incident response capability. Ransomware affecting an Irish business is exactly the kind of incident they want to know about. Report at www.ncsc.gov.ie or by calling their 24/7 line. They offer practical guidance and, in some cases, direct technical assistance.
If your business is in scope for NIS2, you have formal notification obligations with defined timelines.
Engage Incident Response Support
If your insurer has not already activated an IR firm, engage one. An IR team will conduct forensic triage, identify the ransomware variant, check whether decryption tools are publicly available (many are — check www.nomoreransom.org), and begin scoping the attack.
Assess Backup Integrity
This is the question your survival depends on: are your backups intact and recoverable?
Sophisticated ransomware attacks target backup systems first. Before you rely on your backups for recovery, confirm:
- Are the backups themselves encrypted?
- Are they genuinely offline or immutable, or were they accessible from the compromised network?
- When was the last verified restore test?
Do not assume your backups are clean. Test before you commit to a recovery path.
Determine Scope
Work with your IR team to establish what was accessed, not just what was encrypted. Many ransomware groups exfiltrate data before encrypting it — double extortion. Whether data was exfiltrated changes your GDPR obligations significantly.
Hours 6–24
Legal Obligations: The 72-Hour Clock
Under GDPR, if personal data has been compromised, you have 72 hours from becoming aware to notify the Data Protection Commission (DPC) if the breach is likely to result in a risk to individuals.
If your business is in NIS2 scope, you have an additional notification pathway: an early warning to the NCSC within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours.
Document your timeline meticulously. Regulators understand that investigations take time. What they do not accept is organisations that knew and delayed.
Board Decision on Payment
By now your IR team will have assessed whether decryption without payment is feasible. The board or senior leadership decision on payment needs to be made with legal counsel present and with full awareness of the sanctions landscape. If payment is being considered, your IR firm will handle negotiation — do not engage attackers directly.
Communications Holding Statement
Issue a brief internal communication to staff confirming the incident is being managed and instructing them not to discuss it externally or on social media. Have a short external holding statement ready: acknowledge a cyber incident is being investigated, confirm you are working with specialists, and commit to keeping stakeholders informed. Silence creates speculation.
Common Irish SME Mistakes
Wiping machines immediately. It destroys evidence, prevents forensic analysis, and may violate your legal obligations to preserve data for investigation.
Not preserving logs. Logs tell you how the attacker got in, how long they were present, and what they accessed. This information disappears within hours on unmanaged systems.
Paying without IR advice. Some ransomware groups do not provide working decryptors even after payment. Some are under sanctions. An IR professional will advise on both the technical and legal dimensions before you transfer funds.
Failing to notify the regulator. A DPC investigation after a breach that was not reported is significantly worse than one following a reported breach handled transparently.
What Good Preparation Looks Like
The businesses that handle ransomware well are the ones that prepared before the attack:
- A written incident response plan with named roles
- Tested, verified, offline backups
- Cyber insurance with an IR activation clause
- A pre-agreed relationship with an IR firm or MSSP
- Staff awareness of how to report suspicious activity immediately
- Known contacts for NCSC and the DPC
None of this is expensive. A one-day engagement to build an incident response playbook costs a fraction of the average ransom demand in Ireland — which now regularly exceeds €50,000 for SMEs.
If you want to work through what your business's response capability looks like before an attack, get in touch.
James McGee, CISA, CISSP, CISM, is the founder of Pragmatic Security. He has supported Irish businesses through cybersecurity incidents and regulatory engagements.