BreachBack

What actually happens in the first 6 hours of a ransomware attack.

What follows is a composite, assembled from incidents we have studied and worked, with identifying details changed. The company is fictional. The sequence is not.

Hour 0 — Friday, 4:45 PM

A front-office employee can’t open a shared file. Then a second employee can’t. Someone checks the server and finds a text file where the folder used to be: a ransom note, a contact address, a deadline. The owner is reached at 5:10, in the car.

The first decision arrives in minute one: do you power the machines off? Instinct says yes. The correct answer is to disconnect affected machines from the network and leave them powered on — powering off can destroy forensic evidence and, with some strains, the only remaining path to decryption. In the improvising company, nobody in the building knows that.

Hour 1 — The question with no owner

Who is in charge? The owner, who is driving back? The office manager, who found it? The IT provider, who is on hold with their own answering service? The first hour of an unrehearsed incident goes to deciding who decides. Companies with a written incident response plan skip this hour entirely: the plan names an incident commander and a call order, effective at minute zero.

Hour 2 — Finding out what the backups really are

Someone finally checks the backups. In a large share of ransomware incidents, the attackers found them first — backup shares on the same network get encrypted in the same pass, and cloud backup consoles get emptied with the stolen admin password. This is the hour where “we have backups” gets tested for the first time, under the worst possible conditions. With immutable, object-locked copies, this hour reads differently: the copies are intact by design, and the clock toward restore starts now.
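The "verified intact" step this hour turns on is a mechanical check, not a feeling. The script below is an added illustration (not BreachBack's tooling, and not tied to any particular backup product): it records a SHA-256 per file when the backup is taken and later compares the copy against that manifest, sorting every difference into the three things a ransomware pass leaves behind on a non-immutable share: rewritten contents, deleted files, and a dropped note. The manifest format, the file names and the sample contents are constructed for the demo.

```python
"""Verify a backup copy against a hash manifest written at backup time.

Added illustration (not BreachBack's tooling): the "is the backup really
intact?" check a prepared company runs in hour two. The manifest layout
(relative path -> sha256) and the sample files are assumptions for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large backup sets don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk the backup tree and record one SHA-256 per file (done at backup time)."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(root).as_posix()] = sha256_file(p)
    return entries


def write_manifest(root: Path, manifest: dict) -> None:
    """Store the manifest beside the copy; in practice it lives in the object-locked store too."""
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the copy on disk with the manifest taken at backup time.

    modified: hash differs      (what mass encryption looks like)
    missing:  recorded file gone (deleted or renamed by the attacker)
    extra:    file never backed up (a dropped ransom note)
    """
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "extra": sorted(p for p in current if p not in manifest),
    }
    report["intact"] = not (report["modified"] or report["missing"] or report["extra"])
    return report


def run_demo() -> dict:
    """Constructed scenario: a clean copy, then the same copy after encryption-style tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "payroll.xlsx").write_bytes(b"constructed payroll data")
        (root / "finance" / "ledger.csv").write_bytes(b"constructed ledger data")
        (root / "hr").mkdir()
        (root / "hr" / "staff.docx").write_bytes(b"constructed staff list")

        manifest = build_manifest(root)
        write_manifest(root, manifest)
        clean = verify_backup(root, manifest)

        # Simulate what an encryption pass leaves behind on a non-immutable share.
        (root / "finance" / "payroll.xlsx").write_bytes(b"\x00\xff" * 16)   # contents replaced
        (root / "finance" / "ledger.csv").unlink()                           # file removed
        (root / "README_TO_RESTORE.txt").write_text("constructed ransom note")  # note dropped

        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two points of design matter here. First, the manifest is only as trustworthy as where it is kept: if it sits on the same writable share as the data, whoever holds the stolen admin password can rewrite both, so the manifest (or a signature over it) belongs in the object-locked copy alongside the files. Second, the check is cheap enough to run on a schedule, which is how "verified intact by hour two" becomes a fact already known before the incident rather than a job started during it.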

Hour 3 — The insurance maze

Someone remembers the cyber policy. The questions come faster than the answers. Does the carrier have to be notified before any vendor is hired? Usually yes. Does the policy require approved vendors? Often. Can the wrong move void coverage? It happens. The improvising company spends this hour reading a PDF of its own policy for the first time. A response retainer that was built inside the policy’s rules — carrier notification, approved vendors, evidence preservation — answers all of this in advance.

Hour 4 — Fifty decisions, zero preparation

By now the decisions are stacking up. Do we tell staff tonight or Monday? What do we tell customers, and who says it? Do we answer the attacker? Does anyone negotiate? Would we ever pay, and who has the authority to decide? Are we legally required to report this — to whom, and by when? Do we touch the encrypted machines or preserve them? Can payroll run on Monday?

Every one of those questions is answerable. None of them is answerable quickly, for the first time, at night, under pressure. We count roughly fifty decisions like these in a typical small-business incident. Most breach chaos is not technical — it is fifty decisions nobody prepared to make.

Hours 5–6 — Two very different rooms

At hour six, the improvising company is still in discovery: no confirmed scope, no verified backups, no carrier call, staff texting each other rumors. Industry estimates put average ransomware downtime for unprepared small businesses at around three weeks.

The rehearsed company is somewhere else entirely. An incident commander has owned the situation since the first call. The carrier was notified inside the policy’s window. Immutable backups were verified intact by hour two. The restore is already running, in a priority order that was written months ago and timed in a drill last quarter. The two companies had the same first hour. They will not have the same month.

What a tabletop actually fixes

A tabletop exercise is two hours in a conference room walking your leadership through this exact scenario — Friday, 4:45 PM, payroll encrypted — and pressure-testing every decision before it costs anything. It always finds holes. That is the point. You make the fifty decisions once, on paper, and write down the answers. Then a timed restore drill proves the technical half the same way. After that, the first six hours stop being the story.

Make the fifty decisions before they're real.

The readiness score tells you in 48 hours whether your plan, your backups, and your people would hold up in hour one. Ten minutes of questions, one number, the three fixes that matter most.