Your Systems Are Encrypted Right Now — What to Do in the First 60 Minutes

If your Irish business has just been hit by ransomware, these are the steps to take in the first 60 minutes. A practical checklist from real incident response experience.

If you are reading this because your business has just been hit by ransomware, stop and breathe. The next 60 minutes matter more than the next 60 days. What you do right now will determine whether this is a bad week or a business-ending event.

This guide is for the person in Donegal, Dublin, Galway, or anywhere in Ireland sitting in front of a locked screen, a ransom note, and a rising sense of panic. It is built from real incident response work with Irish businesses — not from theoretical frameworks. Follow these steps in order.

If your business is under attack right now: Book a free emergency call or email [email protected] with "INCIDENT" in the subject line.

Minute 0–5: Contain the Damage

Do not turn off your computers. This is the most common mistake businesses make. Powering down can destroy forensic evidence that investigators need to understand how the attackers got in — and whether they are still in your network.

Instead: disconnect affected machines from the network by unplugging the Ethernet cable or turning off Wi-Fi. If you have a network switch, pull the cables from the back. The goal is to stop the ransomware from spreading to other machines, servers, and backups. Do not log into anything from an affected machine — every password you type may be captured. Take a photo of the ransom note using your phone, capturing any reference numbers, Bitcoin wallet addresses, and countdown timers. Write down the exact time you discovered the attack and the time you disconnected machines — this timeline is critical for insurance claims, regulatory notifications, and law enforcement.

Minute 5–15: Assess the Scope

Before you call anyone, take five minutes to understand what you are dealing with. Walk the office. Count the machines showing ransom notes or locked files. Check whether your file server or email server is affected — server compromise makes recovery significantly more complex. Identify whether your backups are reachable, without attempting to restore yet. If backups are connected to the same network, they may already be encrypted. Check whether your phone system is working — many modern phone systems run on the same network.

Write this down on paper. You will need it for every conversation that follows.

You do not need to be a security expert to manage these first steps. You need to stay calm and follow the sequence.

Minute 15–30: Make the Critical Calls

Call your IT provider or managed service provider and tell them what has happened. Ask them to verify whether the attack has spread to cloud services, hosted servers, or other sites. If they cannot assist with incident response, ask them to say so directly — you need honesty, not reassurance.

Call your insurance broker. If you have cyber insurance, your policy almost certainly has an incident response hotline. Call it now. Many policies provide access to forensic investigators, legal counsel, and crisis communications — but only if you notify them within the timeframe specified in your policy. Delaying this call can void your coverage[^1].

Call An Garda Síochána. Report the incident to your local Garda station and ask for it to be referred to the Garda National Cyber Crime Bureau (GNCCB). The non-emergency number is 01 666 0000. You are not reporting this for paperwork — law enforcement may have intelligence on the specific ransomware group that attacked you[^2].

Report to NCSC Ireland. The National Cyber Security Centre tracks ransomware campaigns targeting Irish organisations and may provide specific guidance for the variant you are dealing with.

Minute 30–45: Protect What Is Not Yet Compromised

Change all passwords from a clean device — a personal phone or a laptop that was not connected to your business network. Start with the most critical accounts: your email administrator account, your bank, your cloud services, and any remote access tools.

Enable Multi-Factor Authentication on everything if you have not already done this. MFA will not undo the damage already done, but it will prevent the attacker from using stolen credentials to return after you recover.

Notify your team. Tell your staff what has happened, be honest and direct, and tell them not to log into any business systems until further notice. If they are working remotely, tell them to disconnect from the VPN immediately.

Minute 45–60: Do Not Pay the Ransom Yet

The ransom note will create urgency — countdown timers, threats to publish your data, escalating demands. This is deliberate psychological pressure designed to make you act before you think.

The facts: only a small percentage of organisations that paid a ransom got all their data back. Paying does not guarantee a working decryption key. Paying funds criminal organisations and marks your business as a known payer, increasing the likelihood of a second attack. Before making any payment decision, wait for your incident responder to identify the ransomware variant — free decryption tools exist for many older variants, available at nomoreransom.org.

If your backups are intact and unencrypted, you may be able to recover without paying anything.

The First 24 Hours: Regulatory Obligations

If personal data has been compromised — and in most ransomware attacks, it has — you have a legal obligation to notify the Data Protection Commission within 72 hours under GDPR. This is not optional. The notification does not need to be complete — you can provide an initial report and supplement it as your investigation progresses[^3].

If your business is in scope for NIS2, you have additional reporting obligations to NCSC Ireland, including an early warning within 24 hours of becoming aware of a significant incident.

The Five Mistakes That Make Ransomware Worse

| Mistake | Why It Hurts |
| --- | --- |
| Turning off machines immediately | Destroys forensic evidence needed to understand the attack |
| Paying the ransom within hours | Removes negotiating leverage and often results in partial recovery |
| Not checking whether backups are compromised | Leads to restoring infected backups, triggering a second encryption |
| Delaying insurance notification | Can void your cyber insurance coverage entirely |
| Not changing passwords from a clean device | Allows the attacker to maintain access during and after recovery |

What Next

  1. If this is happening right now: email [email protected] with "INCIDENT" in the subject line. We will prioritise your case. Our team holds CISA, CISSP, and CISM certifications and has direct experience with ransomware incidents affecting Irish businesses.

  2. If you are reading this before it happens: build your incident response plan now. Know who to call, in what order, and what steps to take. A documented plan, tested at least once, is the difference between a structured response and chaos.

  3. Review your backup architecture. The businesses that recover fastest from ransomware are those with immutable offline backups — copies that ransomware cannot reach, in a location separate from your main network.

Related Reading

[^1]: NCSC Ireland — Advice for Organisations

[^2]: An Garda Síochána — Cyber Crime

[^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.