Ransomware is no longer a smash-and-grab. Modern affiliate groups live inside networks for days or weeks before detonation, exfiltrate data, disable backups, and then trigger encryption at the worst possible time (Friday evening, long weekend, payroll run). By the time you see the ransom note, the attacker has already decided how valuable you are. What you do in the next 60 minutes decides whether the damage is hours, days, or months.

If you are a managed client: call Hexafusion on (604) 332-1500 now. Professional and Enterprise clients have 24/7 response with retained forensics partners and pre-approved insurance panels. Everyone else gets business-hours triage with after-hours best-effort callback, and the steps below are still valid while you wait.

The Order Matters

The single most common ransomware mistake is doing things in the wrong order: shutting servers down before forensics, calling the attacker before the insurer, or restoring backups before anyone has confirmed the environment is clean. The sequence below is the order we follow for clients and recommend for anyone else.

Minutes 0 to 10

Contain, do not destroy

Isolate infected systems from the network. Pull network cables, disable switch ports, revoke Wi-Fi access at the controller, or disconnect the VPN gateway. Do not power machines off. Live memory on an encrypting host sometimes contains the key material and almost always contains the attacker's tooling.

Block outbound traffic to unknown destinations at the firewall if you can. Encryption is often still in progress on some hosts, and exfiltration may still be running in parallel.

Minutes 10 to 20

Call your cyber insurance carrier first

Before you call a forensics firm, a lawyer, or the police, call the incident hotline on your cyber insurance policy. Nearly every Canadian cyber policy issued since 2023 has a pre-approved panel of breach counsel and forensics vendors. If you hire someone off-panel, the insurer may refuse to cover that work, and you may lose coverage for the rest of the incident too.

The insurer will typically connect you with breach counsel within an hour. Breach counsel then engages forensics under privilege. This sequence exists for a reason and is the single biggest lever on how much of your costs get recovered.

Minutes 20 to 35

Preserve evidence

Collect the ransom note file itself, a photograph of the screen, a list of hostnames affected, and firewall logs from the past 14 days. Disable log rotation if you can. Take a snapshot of your hypervisor if you run one; VMware and Hyper-V snapshots are often the cleanest way to preserve a dying host without powering it down.

Do not delete the note. Do not rename encrypted files. Keep a running timeline with timestamps, who did what, and when. Your breach counsel and insurer will need this timeline.

Minutes 35 to 50

Identify the strain and check for leaks

The file extension on encrypted files and the ransom note text usually identify the family (LockBit, Akira, BlackCat/ALPHV successors, Play, 8Base). ID Ransomware and the No More Ransom project both maintain free identification tools. Strain identification drives what your response actually looks like. Some families have free decryptors. Many practice "double extortion" where stolen data is also leaked publicly.
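As an added illustration (not Hexafusion's tooling or the response procedure itself), the read-only Python script below supports this step and the evidence-preservation step before it: it walks a copy or read-only mount of an affected share, tallies the extension appended after ordinary document extensions (the "invoice.pdf.lockbit" pattern), flags identically named small text files dropped across many folders as ransom-note candidates, and hashes them into a timestamped record for the incident timeline. The sample share, the fictional ".lockbit" extension, and the `KNOWN` baseline are constructed for the demo and are not real indicators.

```python
import hashlib, json, os, socket, tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone
from pathlib import Path

KNOWN = {".docx", ".xlsx", ".pdf", ".pptx", ".jpg", ".png", ".txt", ".csv", ".zip", ".db"}  # illustrative baseline
NOTE_EXTS, NOTE_MAX_BYTES, MIN_NOTE_DIRS = {".txt", ".html", ".hta"}, 64 * 1024, 3

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: nothing is renamed, written or deleted
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root):
    """Walk root read-only and return a timestamped evidence record for the incident timeline."""
    appended = Counter()        # extension appended after a known document extension
    seen_in = defaultdict(set)  # small text filename -> directories it appears in
    for dirpath, _, files in os.walk(root):
        for name in files:
            parts = name.lower().rsplit(".", 2)  # "invoice.pdf.lockbit" -> invoice, pdf, lockbit
            if len(parts) == 3 and "." + parts[1] in KNOWN and "." + parts[2] not in KNOWN:
                appended["." + parts[2]] += 1
            try:
                small = os.path.getsize(os.path.join(dirpath, name)) <= NOTE_MAX_BYTES
            except OSError:
                continue
            if small and os.path.splitext(name)[1].lower() in NOTE_EXTS:
                seen_in[name].add(dirpath)
    notes = [{"name": n, "dir_count": len(d), "sha256": sha256_file(os.path.join(min(d), n))}
             for n, d in seen_in.items() if len(d) >= MIN_NOTE_DIRS]
    return {"collected_at": datetime.now(timezone.utc).isoformat(), "host": socket.gethostname(),
            "root": root, "appended_extensions": appended.most_common(5),
            "ransom_note_candidates": sorted(notes, key=lambda n: -n["dir_count"])}

def demo():
    """Constructed sample share (not real data): three folders hit by a fictional '.lockbit' extension."""
    base = tempfile.mkdtemp()
    for d in ("finance", "hr", "sales", "it"):
        Path(base, d).mkdir()
    for d, f in (("finance", "q3.xlsx.lockbit"), ("finance", "budget.pdf.lockbit"), ("hr", "staff.docx.lockbit"),
                 ("sales", "deck.pptx.lockbit"), ("it", "runbook.docx"), ("it", "readme.txt")):
        Path(base, d, f).write_bytes(b"\x00" * 32)
    for d in ("finance", "hr", "sales"):  # the same note dropped into every encrypted folder
        Path(base, d, "RESTORE-FILES.txt").write_text("Your files are encrypted.\n")
    return triage(base)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a read-only mount or forensic copy, never the live encrypting host, and paste the JSON into the timeline so the note hash and extension tally are recorded before anyone touches the files.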

Check the group's leak site (via breach counsel, not from a compromised machine) to see whether your organisation is already listed. This changes whether you have a data breach reporting obligation.

Minutes 50 to 60

Decide what to notify, not whether to pay

Paying the ransom is not a 60-minute decision. It is a legal, insurance, and business decision that follows forensic scoping and runs through breach counsel. In the first hour, focus on notifications that are time-bound: the Office of the Privacy Commissioner of Canada if personal information is involved, the BC Information and Privacy Commissioner if PIPA applies, the Canadian Anti-Fraud Centre, and your sector regulator if one applies.

The Canadian Centre for Cyber Security also accepts voluntary reports at cyber.gc.ca and will share indicators back.

What Not to Do in the First 60 Minutes

  • Do not contact the attacker. Breach counsel does this, under privilege, if a decision is made to negotiate.
  • Do not restore backups yet. If the attacker still has access, a restored system will be re-encrypted within hours.
  • Do not wipe and rebuild "just one" machine. That machine is often the one that has the answers.
  • Do not post on social media or reassure customers with details you do not yet know. Public statements come after breach counsel has confirmed scope.

Backups: The Only Thing That Matters Later

Whether you recover in days or months is decided by whether your backups are offline (or immutable), whether they were tested recently, and whether the attacker had time to touch them. Almost every catastrophic ransomware recovery we have seen traces back to backups that were technically present but either online, writable by the attacker's compromised credentials, or untested. If you want to understand the difference between malware and ransomware in more detail, see our malware vs ransomware guide.

Reporting Obligations at a Glance

For BC businesses, the main thresholds to know:

  • PIPEDA (federally regulated or commercial activity across borders): breach of security safeguards involving personal information must be reported to the Privacy Commissioner if there is a real risk of significant harm, and records kept for 24 months. See our PIPEDA 72-hour playbook.
  • BC PIPA: notification to affected individuals where a reasonable person would consider significant harm likely.
  • Sector-specific: healthcare, financial services, and regulated professions often have separate and faster obligations.
  • Contractual: many enterprise and government customer agreements require 24 or 48-hour notification regardless of the statutory threshold.

One practical note on insurance vendors. Your policy likely lists specific forensics vendors and may exclude the IT provider you already work with. That is not a slight against your IT team. It exists so the forensics work is independent of the team that runs the environment. A good IT provider will cooperate with the insurer's vendor rather than compete with them.

The Day After Hour One

Hour one gets you out of triage. Hours two through twenty-four are forensic scoping, data exfiltration assessment, breach counsel strategy, and communication planning. Day two onward is rebuild, restore, and rotate every credential and certificate that touched the environment. None of that is possible if hour one was spent on the wrong things.

Rebuilding After Ransomware in Vancouver?

Hexafusion supports Vancouver and Lower Mainland businesses during and after ransomware events. We work alongside your insurance-appointed forensics firm to rebuild environments cleanly, rotate credentials, and implement the controls that stop recurrence. Request a quote and we will scope the work.
