Ransomware Response Playbook for PE-Backed Companies
Critical ransomware incident response framework for portfolio companies. Real timelines, escalation protocols, and decision trees that actually work under pressure.
Ransomware Hits During Due Diligence. Here's What Happens Next.
You're 6 weeks into integration. Revenue visibility is solid. Then your CFO gets an email: "We have your files. $500K or they're public." Your board meeting is in 72 hours.
This isn't theoretical. It's happening to portfolio companies right now. And the response matters more than you think—to your SLAs, your buyer's next acquisition, and your valuation.
Why Standard Incident Response Plans Fail at PE-Backed Companies
Your legacy IT consultant will tell you to follow CISA guidelines. Those guidelines assume you have time. You don't. Your operating partner needs decision-ready intelligence in 4 hours. Your lender needs a damage assessment by EOD. Your insurance broker needs containment proof by morning.
Standard playbooks also don't account for deal context: active integrations, separated systems, third-party dependencies, and board pressure. They assume you're a mature enterprise with dedicated IR resources. You're not.
The 72-Hour Ransomware Response Framework
Hour 0-2: Detection & Isolation (The Golden Window)
The moment you detect active encryption or extortion communication, you execute the isolation protocol—not to fix it yourself, but to create clean decision-making room.
- Isolate affected systems at the network layer (not by powering them off; a shutdown destroys the volatile memory you need for forensics). Identify scope: single server, department, or full environment.
- Preserve evidence immediately. Capture network logs, memory, and endpoint timelines before they cycle or get overwritten.
- Stop all backup jobs for encrypted systems. If a scheduled backup runs now, it copies encrypted files into your backup set and can age out your last clean restore points, so you've infected your recovery infrastructure. That's a $2M problem.
- Brief your operating partner and CFO in parallel. Give them a 15-minute situation update, not a 45-page assessment. "We're isolated. Systems are frozen. We can make recovery calls by Hour 4."
Hour 2-4: Forensics & Decision Points
While your team handles isolation, your forensics partner answers the critical questions:
- How long has the attacker been in the system?
- What data was exfiltrated? (This determines notification requirements and legal exposure.)
- Do we have clean backups available for recovery?
- Can we restore faster than paying, or is downtime the bigger risk?
Your operating partner needs this in a decision matrix, not a narrative report. Two columns: "Restore from backup by X" vs. "Pay ransom, get decryption by Y." That's it.
Hour 4-24: Containment & Recovery Execution
Once forensics is clear, you execute one path:
Path A: Clean Recovery (Recommended when forensics shows limited dwell time and clean backups exist) - Rebuild systems from verified clean snapshots. Typically 12-48 hours for small to mid-sized environments. No ransom. No negotiation. Full transparency to your insurance broker and counsel.
Path B: Ransom Negotiation (Only if downtime cost exceeds ransom + recovery costs) - Your insurance broker handles negotiation (they've seen the pricing leverage points). You pay via escrow arrangement. Average negotiation drops initial demand by 40-60%. Restoration typically takes 24-48 hours post-payment.
Path C: Hybrid (Most common in integrated environments) - Restore critical revenue-facing systems immediately from backup. Pay targeted ransom for specific encrypted data if recovery time is higher than acceptable downtime window.
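The two-column decision matrix from Hour 2-4, with the Path A and Path B eligibility rules above applied to it, as an added worked example that is not from the original article; the `Incident` fields, dollar figures and hour estimates are constructed assumptions a forensics partner would replace with real numbers.

```python
from dataclasses import dataclass

@dataclass
class Incident:
    # constructed inputs the forensics partner would supply by Hour 4
    downtime_cost_per_hour: float   # revenue and SLA exposure per hour offline
    restore_hours: float            # estimate to rebuild from verified clean snapshots
    clean_backups: bool             # forensics confirmed backups predate the intrusion
    limited_dwell: bool             # dwell time short enough that backups are trusted
    ransom_demand: float            # initial extortion demand
    negotiated_discount: float      # broker negotiation; the article cites 40-60% off
    decrypt_hours: float            # restoration after payment; the article cites 24-48h
    recovery_costs: float           # forensics, rebuild labour and counsel on either path
    approval_threshold: float       # ransom amount pre-approved in the signed decision matrix

def restore_option(i: Incident) -> dict:
    """Path A column: cost and eligibility of rebuilding from clean backups."""
    downtime = i.downtime_cost_per_hour * i.restore_hours
    return {
        "path": "Restore from backup",
        "hours": i.restore_hours,
        "cost": downtime + i.recovery_costs,
        "eligible": i.clean_backups and i.limited_dwell,
        "needs_board": False,
    }

def pay_option(i: Incident) -> dict:
    """Path B column: pay only if restore downtime exceeds ransom + recovery costs."""
    ransom = i.ransom_demand * (1 - i.negotiated_discount)
    restore_downtime = i.downtime_cost_per_hour * i.restore_hours
    return {
        "path": "Pay ransom, get decryption",
        "hours": i.decrypt_hours,
        "cost": ransom + i.recovery_costs + i.downtime_cost_per_hour * i.decrypt_hours,
        "eligible": restore_downtime > ransom + i.recovery_costs,
        "needs_board": ransom > i.approval_threshold,  # above pre-approved limit: escalate
    }

def decision_matrix(i: Incident) -> list:
    """The two columns the operating partner sees: restore by X vs. pay and decrypt by Y."""
    return [restore_option(i), pay_option(i)]

def recommend(i: Incident) -> str:
    a, b = decision_matrix(i)
    if a["eligible"]:
        return a["path"]  # recommended whenever dwell time is limited and backups are clean
    if b["eligible"]:
        return b["path"] + (" (board approval required)" if b["needs_board"] else "")
    return "Hybrid: restore revenue-facing systems from backup, escalate the rest to the board"
```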
Hour 24-72: Notification, Disclosure & Lessons Learned
If data was exfiltrated, you're legally required to notify affected parties—customers, employees, regulators—within your state's timeline (typically 30-60 days). Your outside counsel owns the notification language, but your IT team owns the damage scope documentation.
Brief your insurance broker within 24 hours of detection. Delays can void coverage. Your broker will require: timeline of detection, scope of encryption, data exfiltration confirmation, and your recovery plan. This isn't a conversation—it's a filing requirement.
The Integration Advantage: Why Post-Acquisition Companies Are Targets
Attackers specifically target companies in M&A transition. Why? Because security ownership is blurry. The legacy MSP is getting fired. The new MSP is still spinning up. Network segmentation is loose. Credentials are still unified across the old and new systems. It's a 90-day window of reduced security visibility.
That's why ransomware response planning needs to start in your 30-day IT handoff plan. Before integration accelerates. Before you're in the moment.
What You Should Have Ready Before an Incident
- A ransomware response decision matrix signed off by your operating partner and board. It clarifies ransom approval thresholds ($50K vs. $500K decisions aren't made during an incident).
- Verified clean backups tested monthly. If you can't restore a test system in 2 hours, your backup strategy isn't operational.
- Cyber insurance with incident response coverage. The insurance broker's IR team (typically Mandiant, Tanium, or CrowdStrike) becomes your forensics partner. Don't start searching for an IR firm mid-incident; your insurer already funds the best available.
- Segregated critical systems. Revenue-facing infrastructure should be on separate networks from general office infrastructure. Segmentation buys you recovery time.
- Clear escalation protocol. Who calls the board? When? What's the communication template?
Your First Move: Audit Your Readiness
You don't need a 90-page security assessment. You need a 30-minute honest conversation: Do you have clean, tested backups? Is your cyber insurance current and verified? Does your team know the isolation protocol? Can you execute recovery in 24 hours or less?
If the answer to any of those is "no," that's your Q2 project. Not because ransomware is inevitable—it's not. But because when it happens, your response determines whether it's a 12-hour problem or a 6-month deal complication.
Portfolio companies don't have time for slow incident response. Your operating partner's next board meeting depends on it.
Want to talk about your IT?
We start every engagement with a free assessment. No pitch, just an honest look at your environment.