In February 2024, Change Healthcare — the largest medical claims processor in the United States — was hit by the ALPHV/BlackCat ransomware group. The attack disrupted billing systems for hospitals and pharmacies nationwide for weeks. UnitedHealth Group later confirmed the breach affected approximately 100 million individuals. If you think your organization is too small or too obscure to face something similar, I need you to reconsider. Knowing how to respond to a cyberattack is the difference between a contained incident and a catastrophic business failure.
This post is a practical, step-by-step breakdown of what your team should actually do when a cyberattack hits. Not theory. Not a compliance checklist you shove in a drawer. Real actions, in the right order, based on what I've seen work in live incident response scenarios.
The First 15 Minutes Decide Everything
Most organizations lose the battle in the first fifteen minutes. Someone notices something weird — a flood of encrypted files, a suspicious login from another country, an employee reporting they clicked a phishing link — and nobody knows who to call or what to do.
The single most damaging response I've seen is doing nothing while waiting for someone else to make a decision. The second most damaging response is panicking and pulling the plug on everything, destroying forensic evidence in the process.
Your first move: activate your incident response plan. If you don't have one, you're already behind. CISA's Incident and Vulnerability Response Playbooks are an excellent framework to build from.
Step 1: Contain the Threat — Don't Eradicate It Yet
Your instinct will be to delete the malware, wipe the machine, and move on. Resist that urge. Containment comes first; eradication comes later.
Isolate Affected Systems
Disconnect compromised machines from the network. Don't power them off — isolate them. Powering off a machine can destroy volatile memory that holds critical forensic data like active network connections, running processes, and encryption keys.
- Disable the network port or pull the Ethernet cable.
- Remove the device from Wi-Fi.
- If it's a cloud workload, revoke its network access via security groups or firewall rules.
- Disable compromised user accounts immediately, but preserve logs.
Preserve Evidence from the Start
Everything is evidence. Email headers, system logs, firewall logs, screenshots of ransom notes — document and preserve all of it. If you ever need law enforcement involvement or cyber insurance to pay out, your claim lives or dies on this evidence.
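One way to make the "preserve everything" step concrete, as an added example that is not part of the original post: a small Python evidence manifest that records a SHA-256, size, collector and collection time for every file in an evidence folder, and a verifier that proves later (to an insurer, counsel or law enforcement) that nothing was altered since collection. The folder layout, the collector name and the sample ransom note and firewall line are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream the file so large logs and memory dumps don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record path, size and SHA-256 of every evidence file, plus who collected it and when."""
    root = Path(evidence_dir)
    files = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            files.append({"path": str(p.relative_to(root)), "size": p.stat().st_size,
                          "sha256": sha256_file(p)})
    manifest = {"collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "files": files}
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(evidence_dir, manifest):
    """Return a list of discrepancies; an empty list means the evidence is intact."""
    root = Path(evidence_dir)
    problems = []
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems

def demo():
    """Constructed sample evidence (a ransom note and one firewall line), then one file truncated."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ransom_note.txt").write_text("YOUR FILES ARE ENCRYPTED (constructed sample)\n")
        Path(d, "firewall.log").write_text("2024-02-21T03:12:09Z DENY 10.0.0.5 -> 203.0.113.7:445\n")
        manifest = build_manifest(d, collector="ir-lead (placeholder name)")
        intact = verify_manifest(d, manifest)
        Path(d, "firewall.log").write_text("")   # simulate accidental truncation after collection
        tampered = verify_manifest(d, manifest)
    return len(manifest["files"]), intact, tampered
```

Keep the manifest (and ideally a signed or off-host copy of it) with the evidence; re-running the verifier before handing the material over is what turns "we kept the logs" into a defensible chain of custody.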
Step 2: Assess the Scope of the Breach
Once you've contained the immediate threat, you need to understand what the threat actor actually accessed. This is where most small and mid-size businesses struggle because they lack centralized logging.
Ask these questions immediately:
- Which systems were affected?
- Was any data exfiltrated, or was it just encrypted (ransomware)?
- Were credentials stolen? If so, which accounts?
- How did the attacker get in — phishing, credential theft, an unpatched vulnerability?
- Is the attacker still inside the network?
The Verizon 2024 Data Breach Investigations Report found that stolen credentials and phishing remain the top two initial access vectors in confirmed data breaches. If you don't know the entry point, start there.
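To answer "Were credentials stolen, and which accounts?" from authentication logs, here is an added Python example (not code from the original post) that scans login events for two indicators of credential theft: a success from a country never before seen for that user, and a success that closely follows a burst of failures. The events, users and countries are constructed samples; a real baseline of "known" countries should come from a pre-incident window, which this example assumes is the first success on record.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, source country, result). Not real log data.
SAMPLE_EVENTS = [
    ("2024-02-20T08:01:00", "alice", "US", "success"),
    ("2024-02-20T08:05:00", "bob", "US", "success"),
    ("2024-02-21T02:10:00", "bob", "RU", "fail"),
    ("2024-02-21T02:10:20", "bob", "RU", "fail"),
    ("2024-02-21T02:10:40", "bob", "RU", "fail"),
    ("2024-02-21T02:11:00", "bob", "RU", "success"),
    ("2024-02-21T09:00:00", "alice", "US", "success"),
    ("2024-02-21T22:30:00", "carol", "US", "success"),
    ("2024-02-21T22:31:00", "carol", "BR", "success"),
]

def find_suspect_accounts(events, fail_threshold=3, window=timedelta(minutes=10)):
    """Flag accounts whose access pattern suggests stolen or guessed credentials:
    a success from a country not previously seen for that user, or a success that
    follows at least `fail_threshold` failures within `window` (brute force / spraying).
    Returns {user: [finding, ...]} so the scoping team gets a list of accounts to reset."""
    seen_countries = defaultdict(set)     # baseline: countries each user has logged in from
    recent_failures = defaultdict(list)   # timestamps of failures still inside the window
    findings = defaultdict(list)
    for ts, user, country, result in sorted(events):   # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if result == "fail":
            recent_failures[user] = [f for f in recent_failures[user] if t - f <= window] + [t]
            continue
        if seen_countries[user] and country not in seen_countries[user]:
            findings[user].append(f"new country {country} at {ts}")
        fails = [f for f in recent_failures[user] if t - f <= window]
        if len(fails) >= fail_threshold:
            findings[user].append(f"success after {len(fails)} failures at {ts}")
        recent_failures[user] = []
        seen_countries[user].add(country)
    return dict(findings)
```

The output is a starting list for the credential-reset step later in the post, not proof of compromise; every flagged account still needs a human to confirm whether the login was legitimate travel or an attacker.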
What Is an Incident Response Plan?
An incident response plan is a documented, pre-approved set of procedures that tells your team exactly how to respond to a cyberattack. It names specific people, defines their roles, establishes communication protocols, and outlines technical steps for containment, eradication, and recovery. NIST's SP 800-61 Rev. 2, Computer Security Incident Handling Guide, defines four core phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Every organization — regardless of size — needs one before an incident occurs.
Step 3: Notify the Right People in the Right Order
Communication during a cyberattack is almost as critical as the technical response. Get it wrong and you'll face regulatory fines, lawsuits, and shattered customer trust on top of the original damage.
Internal Notification
- Executive leadership — They need to know within the first hour. No sugarcoating.
- Legal counsel — Breach notification laws vary by state and industry. Your legal team triggers that clock.
- IT and security teams — All hands on deck. Cancel PTO if you have to.
- HR — Especially if employee data was compromised or if an insider threat is suspected.
External Notification
- Law enforcement — Report to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. For ransomware, also report to CISA.
- Cyber insurance carrier — Most policies require notification within 24-72 hours. Miss that window and your claim may be denied.
- Affected customers and partners — Follow your legal team's guidance on timing and wording.
- Regulatory bodies — HIPAA, PCI DSS, state attorney general offices, GDPR authorities — know your obligations before an incident happens.
Step 4: Eradicate the Threat and Harden Your Defenses
Only after containment and scoping should you move to eradication. This is where you remove the malware, close the vulnerability the attacker exploited, and reset compromised credentials.
Credential Resets and Multi-Factor Authentication
If the attacker used credential theft to gain access, reset every potentially compromised password. And if you aren't already enforcing multi-factor authentication across your organization, this is the moment that changes. MFA alone blocks over 99% of automated credential attacks according to Microsoft's own research.
Patch the Entry Point
Whether it was an unpatched VPN appliance, a misconfigured cloud bucket, or a successful social engineering attack against an employee, close the door the attacker walked through. Then check for other doors just like it.
Step 5: Recover Operations Methodically
Rushing recovery is how organizations get hit twice. I've personally seen a company restore from backups that were already compromised — the ransomware had been dormant in their environment for six weeks before detonating.
- Verify backup integrity before restoring anything.
- Rebuild compromised systems from known-good images.
- Monitor restored systems intensely for at least 30 days.
- Implement a zero trust approach: verify every user and device before granting access, even during recovery.
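The "restored from backups that were already compromised" failure above comes down to two checks that are easy to script: reject any backup taken after the earliest evidence of intrusion (plus a margin for dwell-time uncertainty), and reject any backup whose contents no longer match the hash recorded when it was taken. This added Python example, which is not code from the original post, implements both over a constructed backup catalogue; the dates, labels, contents and the assumed earliest-compromise date are placeholders.

```python
import hashlib
from datetime import datetime, timedelta

def _rec(taken_at, label, content, corrupt=False):
    """Build one constructed catalogue entry: hash recorded at backup time, optionally damaged media."""
    digest = hashlib.sha256(content).hexdigest()
    if corrupt:
        content = content + b"<garbage>"   # simulate altered or damaged backup media
    return {"taken_at": taken_at, "label": label, "content": content, "sha256": digest}

# Constructed weekly backups; weekly-02 is deliberately corrupt. Not real data.
SAMPLE_BACKUPS = [
    _rec("2024-01-05", "weekly-01", b"db snapshot jan 5"),
    _rec("2024-01-12", "weekly-02", b"db snapshot jan 12", corrupt=True),
    _rec("2024-01-19", "weekly-03", b"db snapshot jan 19"),
    _rec("2024-02-16", "weekly-07", b"db snapshot feb 16"),
    _rec("2024-02-23", "weekly-08", b"db snapshot feb 23"),
]

def choose_restore_point(backups, earliest_compromise, safety_margin=timedelta(days=0)):
    """Return (label_or_None, rejected): the newest backup that predates the earliest evidence
    of intrusion minus `safety_margin`, and whose content still matches its recorded SHA-256.
    `rejected` lists (label, reason) for every newer backup that was skipped."""
    cutoff = earliest_compromise - safety_margin
    rejected = []
    for b in sorted(backups, key=lambda b: b["taken_at"], reverse=True):
        if datetime.fromisoformat(b["taken_at"]) >= cutoff:
            rejected.append((b["label"], "taken after possible compromise"))
        elif hashlib.sha256(b["content"]).hexdigest() != b["sha256"]:
            rejected.append((b["label"], "integrity check failed"))
        else:
            return b["label"], rejected   # newest backup that passes both checks
    return None, rejected

def demo():
    """Assumed scenario: forensics put the first intrusion evidence at 2024-01-22 (constructed date);
    a one-week margin covers the chance the attacker was present before the first artifact."""
    return choose_restore_point(SAMPLE_BACKUPS, datetime(2024, 1, 22), timedelta(days=7))
```

If the function returns None, the honest answer is that no backup is safe to restore and the system must be rebuilt from a known-good image instead, which is the second bullet above.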
Step 6: Run a Brutally Honest Post-Incident Review
This is where most organizations fail. The crisis passes, everyone is exhausted, and leadership wants to "move forward." That's exactly how you guarantee the next attack succeeds the same way.
Within two weeks, conduct a formal post-incident review:
- What was the root cause?
- How long did it take to detect?
- Did the incident response plan work? Where did it break down?
- Were employees able to recognize and report the initial threat?
- What specific investments would have prevented or reduced the impact?
Document everything. Update your incident response plan based on real findings, not assumptions.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. But here's the number that should keep you up at night: organizations with an incident response team and a tested plan saved an average of $2.66 million per breach compared to those without.
That gap isn't about fancy tools. It's about preparation, training, and muscle memory. Your employees are your first line of detection — especially against phishing and social engineering, which remain the starting point for the majority of attacks.
That's why investing in cybersecurity awareness training for your entire workforce is non-negotiable. When employees can recognize a suspicious email, report it quickly, and avoid clicking malicious links, your detection time drops dramatically.
And for organizations that want to go further, running regular phishing simulation exercises transforms security awareness from a once-a-year checkbox into an ongoing, measurable defense. Phishing simulations build the reflexes your team needs when a real threat actor comes knocking.
Build Your Response Capability Before You Need It
Knowing how to respond to a cyberattack isn't something you figure out during the attack. It's something you rehearse, document, and drill. Every single major breach I've studied — from Change Healthcare to the MOVEit exploitation campaign — reinforced the same lesson: organizations that prepared recovered faster and lost less.
Start with a written incident response plan. Train your team on it quarterly. Run tabletop exercises that simulate realistic scenarios. Invest in security awareness training that covers social engineering, credential theft, and ransomware tactics. Then test your employees with phishing simulations to measure real-world readiness.
The threat actors aren't waiting. Neither should you.