Ransomware Recovery for Australian SMBs: A 72-Hour Playbook
The first three days of a ransomware incident decide the outcome. A field-tested hour-by-hour playbook for Australian businesses.
The first 72 hours of a ransomware incident determine whether you're rebuilding for a week or going out of business. This is the hour-by-hour playbook we run when an Australian SMB calls us at 2am.
Hour 0–1: Contain
- Disconnect — physically unplug network cables and disable Wi-Fi on every machine showing encryption activity. Speed beats elegance.
- Isolate the network at the firewall — block all outbound traffic except to your IR responder's IPs.
- Do not shut down infected machines if avoidable — RAM contains forensic evidence and possibly decryption keys.
- Notify your cyber insurer immediately. Their panel of IR firms is usually mandatory for the policy to pay out.
Hour 1–6: Assess
- Identify the ransomware strain (the ransom note usually tells you)
- Map the blast radius — which servers, which file shares, which cloud tenants
- Check Microsoft 365 audit logs for exfiltration — modern ransomware almost always steals data first
- Preserve evidence — image at least one infected machine before reformatting anything
Hour 6–24: Decide
Don't pay. The ACSC's official position is to never pay, and in 2024–25 several Australian businesses paid and got no decryption key or stolen data was leaked anyway. Restore from backups instead — assuming you have them.
Hour 24–48: Restore
- Build a clean network segment with new Wi-Fi SSID and new firewall rules
- Rebuild domain controllers from clean ISOs — never restore AD from a potentially compromised backup
- Restore file data to the clean segment, scan with two different EDR engines before moving to production
- Rotate every password, every API key, every certificate. Assume all credentials are compromised.
Hour 48–72: Notify
- OAIC notification if personal information was accessed and serious harm is likely (72 hours from awareness)
- Customers — get legal advice on wording before sending
- Staff — what to say to journalists and customers if asked
- ACSC ReportCyber for intelligence sharing
What separates 1-week recoveries from 6-week ones
Tested backups (you ran a restore drill in the last 90 days), documented network diagrams (the responder doesn't have to guess), and a single executive empowered to make decisions at 3am. Without all three, every hour stretches.
