Checklist Ransomware Response

What to do in the first hours of a ransomware attack. Operational checklist for the IT team and management. Printable as PDF.

Fill in the form to access the checklist. You will also receive it by email in PDF format.

Immediate actions for the first 2 hours
Separate checklist for IT / Management / Legal
Printable — optimised A4 format
24/7 emergency number included

By submitting you accept our Privacy Policy.

24/7 EMERGENCY

+39 04221490378

If the attack is ongoing, call immediately. Response within 2 hours.

This checklist is divided by role. In the first hours, the absolute priority is containment — not recovery. Do not format systems, do not reboot servers, do not disconnect everything indiscriminately before collecting evidence.

PHASE 1 — First 30 minutes (IT Team)
Immediately alert the IT manager / CISO / management
DO NOT reboot infected systems — preserve evidence in RAM
Isolate infected systems from the network (disconnect the network cable or disable the NIC)
DO NOT disconnect suspicious but NOT yet encrypted systems — they may be used for analysis
Photograph / screenshot any visible ransom messages
Identify the ransomware name (if visible in the message)
Immediately change passwords for admin and service accounts
Revoke active VPN and RDP sessions
Call AptGetDefence: +39 04221490378
PHASE 2 — Within 2 hours (Management + Legal)
Activate the internal crisis unit (if it exists) or the emergency management team
Assess operational impact: which services are down? Who is affected?
DO NOT communicate the incident publicly before assessing the situation
Contact the cyber insurer (if applicable) to activate the policy
Notify the company's legal counsel to assess notification obligations
Verify whether the incident is 'significant' under NIS2 (if applicable)
Start documenting everything: timestamps, actions, decisions taken
PHASE 3 — Within 24 hours (Post-containment)
Forensic acquisition of compromised systems (with DFIR team)
Identification of the entry vector
Verify the integrity of backups (DO NOT connect backups to the infected network)
Early warning notification to CSIRT-IT (if NIS2 entity — within 24h)
Notification to the Data Protection Authority (if personal data involved — within 72h)
Evaluate available public decryptors (no payment first)
Internal communication to employees (what they can / cannot do)
PRE-INCIDENT CHECKLIST — Preparation
24/7 emergency number saved in the contacts of ALL IT managers and executives
Offline backup tested and verifiable within the last 30 days
Incident Response Plan printed and available offline (not only on the server)
Emergency contact list (legal, insurer, CSIRT, DFIR team) kept up to date
MFA active on all remote access and admin accounts
EDR active and up to date on all endpoints