Ransomware Incident Response Playbook — What a Florida Small Business Should Do in the First 60 Minutes, 24 Hours, and Week
May 12, 2026 · 8 min read · Steve Condit — Founder, Simply IT

The first 60 minutes of a ransomware incident are the difference between a manageable recovery and a six-figure disaster. We have walked Florida small businesses through both. The pattern is consistent: bad outcomes start with the wrong person making decisions in the first hour — touching infected systems, wiping evidence, paying a ransom before notifying the insurer, missing the FBI window. This post is the hour-by-hour playbook we hand to clients during onboarding so the response is decided in advance, not improvised at 11 p.m. on a Sunday.

200+ days: average attacker dwell time before detonation
30 days: Florida FIPA breach notification window
72 hours: cyber-insurance carrier notification window
$1.85M: average total cost of an SMB ransomware incident

The First 60 Minutes — Triage

The first hour is about stopping spread, preserving evidence, and starting the notification chain. Not solving the problem. The actions in this hour are deliberately limited.

1. Disconnect — do not power off. Unplug the affected machine from the network (Ethernet AND WiFi). Do NOT shut it down. Live memory holds forensic evidence and decryption keys that disappear on shutdown. If you cannot identify the affected machine, disconnect the local network from the internet at the firewall.
2. Stop touching files. Do not open files to verify the encryption. Every file access overwrites timestamps and corrupts the forensic timeline. Do not run anti-virus scans (they alter file metadata). Do not delete the ransom note.
3. Call your IT provider and your cyber insurer simultaneously. Most cyber-insurance policies require notification within 72 hours, and many require it BEFORE you authorize forensic work, public statements, or ransom communications. Get them on the phone in the first hour.
4. Document the timestamp and visible indicators. Write down the exact time the ransom note was discovered, who discovered it, what they did next, and any visible file extensions or ransom-note text. This becomes the chronology investigators will need.
5. Isolate the backup systems immediately. Disconnect any directly attached backup drives. Put cloud-backup admin consoles into read-only mode if possible. The attacker may already have credentials — the backups are the next target.
6. Pause all outbound email and file-share access. If the malware is exfiltrating data, every minute is more data lost. Pause Microsoft 365 / Google Workspace external sharing at the tenant level if you have admin access.
// Warning
Do NOT contact the threat actor in the first hour. Do NOT initiate a ransom payment. Most cyber-insurance policies make ransom payment your insurer's decision, not yours — and unauthorized payment can void coverage entirely. The threat-actor portal will still be there after the insurer's breach coach is on the call.
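Steps 2 and 4 pull in opposite directions: nobody should open files to "check" the encryption, yet the chronology needs the observed extension and a sense of when the encryption ran. The script below, added here as an illustration and not code from the original post or from Simply IT, reconciles the two by inventorying a directory tree with metadata only. It uses os.lstat(), which reads the inode and never opens the file, so access times and contents stay exactly as the attacker left them; it counts files per extension and reports the earliest and latest modification time among files carrying the observed extension, which bounds the window in which the encryption actually ran. The ".locked" extension, the ransom-note file name and the sample tree are constructed for the demo.

```python
"""Read-only triage inventory for a suspected ransomware hit (added example)."""
import os
import stat
import tempfile
from collections import Counter
from datetime import datetime, timezone


def inventory(root, encrypted_ext):
    """Count files per extension under root and bound the encryption window.

    Only os.lstat() is used per file: no open(), so file atimes and contents
    are untouched (listing a directory may still update the directory's own
    atime on some filesystems, an acceptable trade-off for triage).
    """
    by_ext = Counter()
    first = last = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            ext = os.path.splitext(name)[1].lower()
            by_ext[ext] += 1
            if ext == encrypted_ext:
                first = st.st_mtime if first is None else min(first, st.st_mtime)
                last = st.st_mtime if last is None else max(last, st.st_mtime)
    window = None
    if first is not None:
        window = (datetime.fromtimestamp(first, timezone.utc),
                  datetime.fromtimestamp(last, timezone.utc))
    return {"by_ext": dict(by_ext),
            "encrypted_count": by_ext[encrypted_ext],
            "window": window}


def encryption_window_seconds(report):
    """Span between first and last encrypted-file mtime in seconds, or None."""
    if report["window"] is None:
        return None
    start, end = report["window"]
    return (end - start).total_seconds()


def build_sample_tree():
    """Constructed directory tree standing in for an affected file share."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    base = 1_700_000_000  # constructed epoch seconds; encryption ran over 90 s
    layout = {
        "finance/q1.xlsx.locked": base + 10,
        "finance/q2.xlsx.locked": base + 45,
        "hr/handbook.docx.locked": base + 100,
        "hr/README_TO_RESTORE.txt": base + 101,  # constructed ransom-note name
        "it/setup.log": base - 86400,  # untouched file from the day before
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("demo\n")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    report = inventory(build_sample_tree(), ".locked")
    print("files by extension:", report["by_ext"])
    print("encrypted files:", report["encrypted_count"])
    start, end = report["window"]
    print(f"encryption ran between {start.isoformat()} and {end.isoformat()}"
          f" ({encryption_window_seconds(report):.0f} s)")
```

Run it against a copy of the share listing, or from a clean analysis host with the affected volume mounted read-only; the mtime window it prints is the kind of bounded fact ("encryption ran between 22:41 and 22:43") that belongs in the step-4 chronology next to the discovery time.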

The First 24 Hours — Containment and Assessment

By the end of the first 24 hours the insurer's breach coach, the forensic firm, and your IT provider should be coordinating on the same incident channel. The objectives in this window are full scope assessment, regulatory notification preparation, and a documented response plan.

- Forensic firm engaged and granted read-only access to affected systems (the insurer typically pays under the policy)
- Full inventory of affected systems documented: workstations, servers, cloud tenants, mobile devices, backups
- Initial determination: encryption only, or exfiltration confirmed? Exfiltration changes the regulatory and notification obligations significantly
- Microsoft 365 / Google Workspace audit logs preserved (logs roll off in 30 days by default — pull them now)
- Password resets initiated for every potentially compromised account, starting with admin accounts and finance / payroll users
- If exfiltration is confirmed: legal counsel begins drafting the Florida FIPA (F.S. 501.171) notification timeline (30 days from breach DISCOVERY)
- Internal communication plan: what employees are told, who can speak to media, who handles client inquiries
- Critical-business-function workaround plan: how do payroll, billing, and patient/customer service operate while systems are offline?

The First Week — Recovery, Notification, and Hardening

The first week is the recovery phase. The forensic firm clears systems for rebuild as evidence collection completes. Backups get restored to clean infrastructure (not the original infected systems). Notifications get sent. The hardening that should have been in place pre-incident gets deployed before users come back online.

Days 2-3, forensic clearing: the forensic firm completes initial scope. Systems are cleared for either rebuild or quarantined preservation per the insurer's legal direction.
Days 3-5, clean rebuild: rebuild OR restore from clean backup. New hardware where required. Domain controllers replaced if compromised. New service-account credentials.
Days 4-7, notification preparation: legal counsel finalizes the FIPA, HIPAA Breach Notification Rule (if applicable), state AG, and FBI IC3 notifications. Counsel reviews any required customer / patient notification language.
Days 5-7, hardened restore: MFA enforced on every account before the restore goes live. EDR redeployed. Conditional access policies tightened. Network segmentation reviewed. Backup strategy verified against the failure that allowed encryption.
Day 7+, user-by-user controlled return: users return to systems individually with new credentials and a security-training refresher. Phishing simulation campaign within 30 days to verify the training stuck.

Florida & Federal Reporting Timelines You Cannot Miss

Cyber-insurance carrier: within 72 hours (most policies). Many policies require notification BEFORE forensic work or ransom communications. Late notification is the most common cause of coverage denial.
FBI IC3 (Internet Crime Complaint Center): as soon as practical. ic3.gov — required for any ransomware incident regardless of payment decision. FBI Tampa Field Office is the regional point of contact for North Central Florida.
Florida FIPA (F.S. 501.171): within 30 days of discovery. Required when 500+ Florida residents' PII is breached. Notification to affected individuals AND the Florida Attorney General. Earlier notification if reasonably possible.
HIPAA Breach Notification Rule: within 60 days of discovery. For HIPAA-covered entities only. To affected individuals, HHS OCR, and prominent media outlets if 500+ individuals are affected in a state.
FTC Safeguards Rule (16 CFR 314.4(j)): within 30 days. For firms covered by the Safeguards Rule: notification to the FTC if 500+ customers are affected. New as of May 2024.
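The deadlines above all hang off one fact, the discovery timestamp from step 4, and a handful of yes/no answers that the 24-hour assessment produces. The tracker below is an added example, not code from the original post or from Simply IT; it turns those inputs into the obligations that apply and their due dates using the windows stated above (insurer 72 hours, FIPA 30 days, HIPAA 60 days, FTC 30 days). Every clock is counted from discovery; the FTC line above gives no start point, so counting it from discovery is an assumption here. FBI IC3 has no fixed window and is listed as "as soon as practical". The triggering conditions follow the wording above (FIPA on confirmed exfiltration plus 500+ Florida residents, HIPAA media notice at 500+ in a state, Safeguards at 500+ customers); counsel makes the real determination. The Incident fields and the sample incident are constructed for the demo.

```python
"""Notification-deadline tracker for a ransomware incident (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INSURER = "Cyber-insurance carrier"
IC3 = "FBI IC3"
FIPA = "Florida FIPA (F.S. 501.171)"
HIPAA = "HIPAA Breach Notification Rule"
FTC = "FTC Safeguards Rule (16 CFR 314.4(j))"


@dataclass
class Incident:
    """Facts the tracker needs; field names are this example's own."""
    discovered_at: datetime          # from the step-4 chronology, timezone-aware
    exfiltration_confirmed: bool     # from the 24-hour assessment
    florida_residents_affected: int  # PII/PHI records tied to Florida residents
    hipaa_covered_entity: bool
    ftc_safeguards_covered: bool
    customers_affected: int          # for the Safeguards Rule threshold


def notification_deadlines(inc):
    """Return {obligation: (due datetime or None, note)} for what applies."""
    d = inc.discovered_at
    out = {
        INSURER: (d + timedelta(hours=72),
                  "many policies: notify BEFORE forensic work or ransom contact"),
        IC3: (None, "as soon as practical, regardless of payment decision"),
    }
    # The post ties FIPA drafting to confirmed exfiltration and a 500-resident threshold.
    if inc.exfiltration_confirmed and inc.florida_residents_affected >= 500:
        out[FIPA] = (d + timedelta(days=30),
                     "affected individuals AND the Florida Attorney General")
    # HIPAA clock for covered entities; media notice is added at 500+ in one state
    # (single-state simplification: Florida residents stand in for "in a state").
    if inc.hipaa_covered_entity:
        targets = "affected individuals and HHS OCR"
        if inc.florida_residents_affected >= 500:
            targets += ", plus prominent media outlets"
        out[HIPAA] = (d + timedelta(days=60), targets)
    if inc.ftc_safeguards_covered and inc.customers_affected >= 500:
        out[FTC] = (d + timedelta(days=30), "notification to the FTC")
    return out


def status_at(deadlines, now):
    """Classify each obligation at 'now': asap, overdue, due-soon (<24h) or open."""
    result = {}
    for name, (due, _note) in deadlines.items():
        if due is None:
            result[name] = "asap"
        elif now >= due:
            result[name] = "overdue"
        elif due - now <= timedelta(hours=24):
            result[name] = "due-soon"
        else:
            result[name] = "open"
    return result


def status_hours_after_discovery(inc, hours):
    """Convenience wrapper: status of every obligation N hours after discovery."""
    return status_at(notification_deadlines(inc),
                     inc.discovered_at + timedelta(hours=hours))


def sample_incident():
    """Constructed incident: note found at 11 p.m. on a Sunday, as in the post's opening."""
    return Incident(
        discovered_at=datetime(2026, 5, 10, 23, 0, tzinfo=timezone.utc),
        exfiltration_confirmed=True,
        florida_residents_affected=1200,
        hipaa_covered_entity=True,
        ftc_safeguards_covered=False,
        customers_affected=1200,
    )


if __name__ == "__main__":
    inc = sample_incident()
    for name, (due, note) in notification_deadlines(inc).items():
        print(f"{name}: {'ASAP' if due is None else due.isoformat()}  ({note})")
    print("status at +60h:", status_hours_after_discovery(inc, 60))
```

The point of the "due-soon" state is the insurer clock: at 60 hours after discovery the carrier deadline is inside its last day while the FIPA and HIPAA clocks are still wide open, which is exactly the ordering the post warns about (late carrier notification is the most common cause of coverage denial).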

The Don't-Do List

The five most common mistakes we see Florida SMBs make in the first 24 hours:

- Powering off the affected machine (destroys forensic evidence in volatile memory)
- Running anti-virus scans on encrypted systems (alters file metadata, breaks the forensic chain)
- Paying the ransom before talking to the insurer (voids most cyber-insurance policies)
- Wiping and reinstalling without forensic clearance (destroys evidence the insurer requires)
- Notifying customers before legal counsel reviews the notification language (creates additional legal exposure)
"The clients who recover cleanly all have one thing in common: their incident response plan was a printed document the office manager could pull out of a drawer at 11 p.m. on Sunday — not a Google Doc on a server that may already be encrypted."
Steve Condit, Simply IT

How Simply IT Supports Florida Small Businesses Pre-Incident

Every Simply IT managed client gets a written incident response plan customized to their business — with named decision-makers, contact numbers for the insurer's breach coach, a printed copy in the office, and an annual tabletop exercise to make sure the plan still matches the team. Our managed-IT platform deploys EDR, immutable cloud backups, MFA enforcement, and 24/7 monitoring — the controls that turn the encryption attempt into a contained incident instead of a full encryption event. We do not promise zero incidents — we promise the controls and the documented response chain that make the next ransomware attempt survivable.

// Key Takeaway
The first 60 minutes of a ransomware incident decide most of what happens next. Build the response plan now, while nothing is on fire. Print it. Practice it once a year. The clients we walk through this playbook in advance — before any incident — recover cleanly in days, not months.
// Written By
STEVE CONDIT
Founder & Owner, Simply IT · US Marine Veteran · 30+ Years IT Experience

Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.
