☎ 1700-81-8170 [email protected] Mon–Fri 9:00–18:00 Seri Kembangan HQ · Nationwide delivery
Book a Consultation
CIDB G3 Registered Contractor (B04 · CE21) MOF Registered Supplier Authorised Technology Partners Nationwide Project Delivery
Cybersecurity

Ransomware: the 48 hours that decide everything

What actually happens after the ransom note appears — and the five preparations that change the ending.

By Ryzen ESolutions Engineering · 09 July 2026

By the time the wallpaper changes and the note appears, the interesting part of the attack is over — the intruder has usually been inside for days. What decides whether this is a bad week or an existential event is entirely about what you prepared earlier. Here is how the first 48 hours actually run.

Hour zero: isolate, don't investigate

The first instinct — poking around infected machines to "see what happened" — spreads damage. The correct first moves are isolation: pull the site's uplinks if needed, cut the backup server's network first (it is the crown jewel target), and preserve one infected machine untouched for later analysis. This requires knowing in advance who has authority to disconnect the business. Write that name down today.

Hours 1–12: establish what you still have

Everything now depends on one question: do you have a clean, reachable, restorable copy? If your off-site copy is immutable and your restore drills gave you real timings, you are negotiating with the attacker from a position of contempt. If your backups were on a mapped drive, they are encrypted too, and the 48 hours look very different.

Hours 12–48: rebuild in the right order

Identity first (domain controllers, password resets), then core services, then endpoints — onto clean networks, from verified images. Restoring user files first onto a still-compromised network is how businesses get encrypted twice in one week. A written restoration order, agreed when nobody was panicking, is worth more than any single security product.

The five preparations

One: an off-site copy the attacker cannot reach. Two: restore drills with timings. Three: an isolation decision-maker named in advance. Four: privilege reduction so one stolen password cannot own everything. Five: a one-page runbook printed — because the wiki will be encrypted with everything else. None of these five are expensive; all of them are cheaper than one payout. Our ransomware defence page covers how we build them.

Talk this through with an engineer

Free, technical, and specific to your site — that's the consultation.

Book a Consultation