Ransomware is no longer a smash-and-grab. Modern ransomware operators stay hidden in a network for days or weeks: they exfiltrate data, disable backups, and only then trigger encryption at the worst possible time (Friday evening, long weekend, payroll run). By the time you see the ransom note, the attacker has already decided how valuable you are. What you do in the next 60 minutes decides whether the damage is hours, days, or months.
The Order Matters
The single most common ransomware mistake is doing things in the wrong order: shutting servers down before forensics, calling the attacker before the insurer, or restoring backups before anyone has confirmed the environment is clean. The sequence below is the order we follow for clients and recommend for anyone else.
Minutes 0 to 10
Contain, do not destroy
Isolate infected systems from the network. Pull network cables, disable switch ports, revoke Wi-Fi access at the wireless controller, or disconnect the VPN gateway. Do not power machines off. Live memory on an encrypting machine sometimes contains the decryption key and almost always contains the attacker's tools.
Block outbound traffic to unknown destinations at the firewall if you can. Encryption is often still in progress on some hosts, and exfiltration may still be running in parallel.
Minutes 10 to 20
Call your cyber insurance carrier first
Before you call a forensics firm, a lawyer, or the police, call the incident hotline on your cyber insurance policy. Nearly every Canadian cyber insurance policy issued since 2023 has a pre-approved panel of breach lawyers and forensics vendors. If you hire someone off-panel, the insurer may refuse to cover that work, and you may lose coverage for the rest of the incident too.
The insurer will typically connect you with breach counsel within an hour. Your breach lawyer then engages forensics under legal privilege. This sequence exists for a reason: it is the single biggest factor in how much of your costs the insurer will cover.
Minutes 20 to 35
Preserve evidence
Collect the ransom note file itself, a photograph of the screen, a list of affected hostnames, and firewall logs from the past 14 days. Disable log rotation if you can. If you run a virtualisation platform (VMware or Hyper-V), snapshot the affected guests; a hypervisor snapshot is often the cleanest way to preserve a dying host without powering it down.
Do not delete the note. Do not rename encrypted files. Keep a running timeline with timestamps, who did what, and when. Your breach counsel and insurer will need this timeline.
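The timeline and hashing discipline described above is easy to get wrong under pressure, so here is a small evidence-bundle helper as an added example (it is not Hexafusion's tooling or any forensics vendor's). It assumes the responder runs it from a clean workstation onto which the ransom note has already been copied; the actor name, hostname and switch-port reference in the demo are constructed placeholders. Each artefact is copied with its original timestamp, hashed with SHA-256, and logged to an append-only timeline, and `verify()` re-hashes everything so you can show breach counsel the bundle has not changed since collection.

```python
"""Evidence-preservation helper for the first hour of a ransomware incident.
Added example, not Hexafusion's tooling; paths and names are placeholders."""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large log exports do not load into memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def utc_now() -> str:
    """Timestamps in UTC avoid confusion when logs from several time zones meet."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class EvidenceBundle:
    """A directory holding copied artefacts, a hash manifest and a timeline."""

    def __init__(self, root):
        self.root = Path(root)
        self.artefacts = self.root / "artefacts"
        self.artefacts.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        self.timeline = self.root / "timeline.jsonl"

    def add_artefact(self, source, actor: str, note: str = "") -> dict:
        """Copy a file in, record its hash, and log the collection."""
        source = Path(source)
        dest = self.artefacts / source.name
        shutil.copy2(source, dest)  # copy2 preserves the original mtime
        entry = {
            "file": dest.name,
            "original_path": str(source),
            "sha256": sha256_file(dest),
            "size": dest.stat().st_size,
            "collected_at": utc_now(),
            "collected_by": actor,
        }
        manifest = self._read_manifest()
        manifest.append(entry)
        self.manifest.write_text(json.dumps(manifest, indent=2))
        self.log(actor, f"collected {source} sha256={entry['sha256'][:12]}... {note}".strip())
        return entry

    def log(self, actor: str, action: str) -> dict:
        """Append one timestamped line; append-only keeps the order honest."""
        line = {"at": utc_now(), "who": actor, "what": action}
        with self.timeline.open("a") as f:
            f.write(json.dumps(line) + "\n")
        return line

    def verify(self) -> list:
        """Re-hash every artefact; returns the names whose hash no longer matches."""
        return [e["file"] for e in self._read_manifest()
                if sha256_file(self.artefacts / e["file"]) != e["sha256"]]

    def _read_manifest(self) -> list:
        if self.manifest.exists():
            return json.loads(self.manifest.read_text())
        return []


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    note = work / "README_TO_RESTORE.txt"  # constructed sample ransom note
    note.write_text("Your files are encrypted. Contact us.\n")
    bundle = EvidenceBundle(work / "evidence")
    # constructed timeline entries; hostname and port are placeholders
    bundle.log("responder-1", "isolated HOST-07 by disabling its switch port")
    bundle.add_artefact(note, "responder-1", "ransom note from HOST-07")
    print("artefacts with changed hashes:", bundle.verify())
```

Keep the bundle on media the attacker cannot reach (an offline disk or a clean cloud bucket), and hand the manifest and timeline to breach counsel together; the hashes are what let a forensics firm confirm they are working on the same artefacts you collected.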
Minutes 35 to 50
Identify the strain and check for leaks
The file extension on encrypted files and the ransom note text usually identify the family (LockBit, Akira, BlackCat/ALPHV successors, Play, 8Base). ID Ransomware and the No More Ransom project both maintain free identification tools. Strain identification drives what your response actually looks like: some strains have free decryption tools available, and many groups steal your data first, then threaten to publish it even if you pay the ransom ("double extortion").
Check the group's leak site (via breach counsel, not from a compromised machine) to see whether your organisation is already listed. If your organisation is listed, you likely have a legal duty to report the breach.
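Before you can submit anything to ID Ransomware or No More Ransom you need the appended extension and a clean copy of the note. The following triage script is an added example, not Hexafusion's code nor either project's tooling. It assumes you point it at a read-only mount or snapshot of an affected share, never the live host; it deliberately does not map extensions to families (the identification services do that), it only tallies suffixes to surface the dominant unfamiliar one and finds candidate note files, deduplicated by hash because the same note is usually dropped into every folder. The keyword list and the "common extension" set are constructed heuristics.

```python
"""Triage an encrypted share: which suffix was appended and where the notes are.
Added example, not Hexafusion's or ID Ransomware's code; heuristics are constructed."""
import hashlib
import re
from collections import Counter
from pathlib import Path

# Words that commonly appear in ransom-note filenames (constructed heuristic).
NOTE_NAME_RE = re.compile(r"(readme|restore|recover|decrypt|how_to|ransom)", re.I)
# Routine extensions we do not want reported as "the encrypted suffix".
COMMON_EXT = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".log", ".exe", ".dll"}


def extension_histogram(root) -> Counter:
    """Count the final suffix of every file under root."""
    return Counter(p.suffix.lower() for p in Path(root).rglob("*") if p.is_file())


def suspected_encrypted_suffix(hist: Counter):
    """Most frequent suffix that is not a routine extension, as (suffix, count)."""
    for suffix, count in hist.most_common():
        if suffix and suffix not in COMMON_EXT:
            return suffix, count
    return None


def find_ransom_notes(root, max_bytes: int = 64 * 1024) -> list:
    """Small files whose name matches the note keywords, deduplicated by SHA-256."""
    seen, notes = set(), []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        if not NOTE_NAME_RE.search(p.stem):
            continue
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        if digest in seen:
            continue  # identical copy dropped in another directory
        seen.add(digest)
        notes.append({"path": str(p), "sha256": digest})
    return notes


def triage(root) -> dict:
    """Summary to hand to breach counsel and to submit for strain identification."""
    hist = extension_histogram(root)
    return {
        "total_files": sum(hist.values()),
        "suspected_suffix": suspected_encrypted_suffix(hist),
        "notes": find_ransom_notes(root),
    }


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())  # constructed sample share
    for i in range(5):
        (root / f"invoice{i}.xlsx.locked").write_bytes(b"\x00" * 32)
    (root / "README_TO_RESTORE.txt").write_text("Your files are encrypted.\n")
    (root / "sub").mkdir()
    (root / "sub" / "README_TO_RESTORE.txt").write_text("Your files are encrypted.\n")
    print(triage(root))
```

Run it against the snapshot rather than the original volume so that file access times on the evidence are not touched, and submit one of the deduplicated notes plus a single encrypted sample to the identification service; the hash in the output lets you later confirm the note you submitted is the one in your evidence bundle.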
Minutes 50 to 60
Decide what to notify, not whether to pay
Paying the ransom is not a 60-minute decision. It is a legal, insurance, and business decision that comes after forensic scoping and goes through your breach lawyer. In the first hour, focus on notifications that are time-bound: the Office of the Privacy Commissioner of Canada if personal information is involved, the BC Information and Privacy Commissioner if PIPA applies, the Canadian Anti-Fraud Centre, and your sector regulator if one applies.
The Canadian Centre for Cyber Security also accepts voluntary reports at cyber.gc.ca and will share indicators back.
What Not to Do in the First 60 Minutes
- Do not contact the attacker. Breach counsel does this, under privilege, if a decision is made to negotiate.
- Do not restore backups yet. If the attacker still has access, a restored system will be re-encrypted within hours.
- Do not wipe and rebuild "just one" machine. That machine is often the one that has the answers.
- Do not post on social media or reassure customers with details you do not yet know. Public statements come after breach counsel has confirmed scope.
Backups: The Only Thing That Matters Later
Whether you recover in days or months is decided by whether your backups are offline (or immutable), whether they were tested recently, and whether the attacker had time to touch them. Almost every catastrophic ransomware recovery we have seen traces back to backups that were technically present but either online, writable by the attacker's compromised credentials, or untested. If you want to understand the difference between malware and ransomware in more detail, see our malware vs ransomware guide.
Reporting Obligations at a Glance
For BC businesses, the main thresholds to know:
- PIPEDA (federally regulated or commercial activity across borders): breach of security safeguards involving personal information must be reported to the federal Privacy Commissioner if there is a real risk of significant harm, and records kept for 24 months. See our PIPEDA 72-hour playbook.
- BC PIPA: notify affected individuals if a reasonable person would consider significant harm likely.
- Sector-specific: healthcare, financial services, and regulated professions often have separate and faster obligations.
- Contractual: many enterprise and government customer agreements require 24 or 48-hour notification regardless of the statutory threshold.
The Day After Hour One
Hour one gets you out of triage. Hours two through twenty-four are forensic scoping, data exfiltration assessment, breach counsel strategy, and communication planning. Day two onward is rebuild, restore, and rotate every credential and certificate that touched the environment. None of that is possible if hour one was spent on the wrong things.
Rebuilding After Ransomware in Vancouver?
Hexafusion supports Vancouver and Lower Mainland businesses during and after ransomware events. We work alongside your insurance-appointed forensics firm to rebuild environments cleanly, rotate credentials, and implement the controls that stop recurrence. Request a quote and we will scope the work.