The First 72 Hours of a Ransomware Attack: An SME Response Plan

Ransomware incident response and crisis management concept — Xen Bilişim Data Security

The moment the ransom note appears on screen, two separate 72-hour clocks start ticking at once. One is the attacker’s pressure clock: “pay by this time or the price goes up and we leak your data.” The other is your legal clock. If the incident involves a personal data breach, you have 72 hours from the moment you become aware of it to notify KVKK — Türkiye’s data protection authority. Those first three days largely decide whether this becomes a permanent disaster or a manageable outage.

We have covered the prevention side elsewhere. This piece is about what happens after the bad thing has already happened.

The first hour: isolation, not panic

The reflexive first mistake is almost always the same — powering off the affected machine. Don’t. Shutting it down can destroy forensic evidence that lives only in memory, such as the encryption key and traces of the attack.

Instead, cut the device off the network. Pull the cable, kill the Wi-Fi, but leave the power on. The goal is to stop the ransomware from spreading laterally to other servers and shares within seconds. At the same time:

  • Suspend shared network folders and any syncing cloud directories
  • Terminate active VPN and remote desktop sessions
  • Isolate the backup system from the network — it is almost certainly the attacker’s next target

At this stage you still have no answer to “how much data is gone,” and you don’t need one. The only job of the first hour is to stop the spread.

Who do you notify, and when?

Just as important as the technical response is telling the right people in the right window. For an SME in Türkiye the notification map looks like this:

  • Senior management / owner: immediately (first hour). They hold decision authority, and communications should come from them.
  • KVKK (data authority): on a personal data breach, within 72 hours. The Board defines “shortest time” as 72 hours.
  • Affected individuals: as soon as reasonably possible. Leaked customer, employee and supplier data concerns them too.
  • USOM / sector CERT: as soon as possible. National response coordination and threat intelligence.
  • Cyber insurer: within the policy window (often 24–72 hours). Late notice can reduce your cover.

KVKK’s 72-hour threshold rests on a 2019 Board decision, and the clock starts from the moment you become aware of the breach — not from when the attack occurred. (USOM is Türkiye’s national cyber incident response center; KVKK is the equivalent of a national data protection authority.) A 25 December 2025 Board decision also reorganized how long breach notices stay published on the authority’s website; if you document that you notified affected individuals, the publication period can be shortened. In other words, taking the notification process seriously serves both legal compliance and reputation management.

Failing to notify, or notifying late, can cost far more than the ransom itself. KVKK administrative fines rise noticeably for delayed or missing breach notifications.
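To make the two-clock idea concrete, here is an added Python example (not from the original post) that anchors every notice deadline to the moment of awareness rather than the time of the attack. The 48-hour insurer window and all timestamps are constructed assumptions; the 1-hour and 72-hour windows come from the map above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Windows from the article's notification map: management in the first hour,
# KVKK within 72 hours of becoming aware of a personal data breach. The insurer
# window is policy-specific, so the caller passes it in.
MANAGEMENT_WINDOW = timedelta(hours=1)
KVKK_WINDOW = timedelta(hours=72)

@dataclass(frozen=True)
class Deadline:
    party: str
    due: datetime
    notified_at: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        # open / overdue while pending, done / late once the notice went out
        if self.notified_at is not None:
            return "done" if self.notified_at <= self.due else "late"
        return "overdue" if now > self.due else "open"

def build_clock(aware_at: datetime, personal_data_breach: bool,
                insurer_window_hours: Optional[int] = None,
                notified: Optional[Dict[str, datetime]] = None) -> Dict[str, Deadline]:
    # Every deadline is anchored to the moment of awareness, not to the
    # (usually earlier) time the attack actually started.
    notified = notified or {}
    clock = {"management": Deadline("management", aware_at + MANAGEMENT_WINDOW,
                                    notified.get("management"))}
    if personal_data_breach:  # only a personal data breach triggers the KVKK duty
        clock["kvkk"] = Deadline("kvkk", aware_at + KVKK_WINDOW, notified.get("kvkk"))
    if insurer_window_hours is not None:
        clock["insurer"] = Deadline("insurer", aware_at + timedelta(hours=insurer_window_hours),
                                    notified.get("insurer"))
    return clock

def report(clock: Dict[str, Deadline], now: datetime) -> Dict[str, str]:
    return {party: d.status(now) for party, d in clock.items()}

# Constructed sample: encryption ran overnight (02:40 UTC), the ransom note was
# seen at 08:15 UTC, management was briefed 20 minutes later, and the (assumed)
# insurance policy allows 48 hours. Only the 08:15 awareness time drives the clock.
AWARE_AT = datetime(2025, 3, 10, 8, 15, tzinfo=timezone.utc)
SAMPLE_CLOCK = build_clock(AWARE_AT, personal_data_breach=True, insurer_window_hours=48,
                           notified={"management": AWARE_AT + timedelta(minutes=20)})

def sample_report(hours_since_aware: float) -> Dict[str, str]:
    # status of each notice a given number of hours after the ransom note was seen
    return report(SAMPLE_CLOCK, AWARE_AT + timedelta(hours=hours_since_aware))
```

Running sample_report(50) shows the insurer notice already overdue while the KVKK clock is still open, which is exactly the gap that costs cover when only the 72-hour figure is tracked.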

Should you pay the ransom?

Short answer: no, at least not as a first reaction. A few hard truths:

  • A significant share of those who pay never recover all their data; the decryptor is often incomplete or buggy.
  • Paying marks you as a “paying victim.” The odds of the same group — or another — coming back within months go up.
  • If data was exfiltrated, payment does not guarantee deletion. All you hold is a criminal’s word.
  • Some threat actors appear on sanctions lists, in which case payment creates a separate legal risk.

Paying is not an IT decision; it is a business decision made jointly by legal and senior management. And don’t make it before you know whether you can restore from a clean backup.

Recovery: a clean backup is everything

This is where the bill for your pre-attack preparation comes due. If you have an immutable or offline backup, the game changes entirely — you leave the negotiating table and move to your restore plan. That is why incident response is really won not on the day of the attack, but months earlier when the backup architecture is built. We detailed that architecture in our immutable backup guide.

Keep the order right during recovery: clean, freshly rebuilt systems first, data second. If you restore a backup onto a still-compromised environment, re-encryption through an open backdoor is only a matter of time.

After the crisis: close the same door

When systems come back up, the job isn’t done. Returning to production without finding and closing the path the attacker used is an invitation for a second wave. Typical entry points are exposed RDP ports, unpatched servers and stolen passwords. So the minimum post-incident list:

  1. Reset all administrator and service account passwords
  2. Enforce MFA on every internet-facing account
  3. Close missing security patches — our patch management guide systematizes this
  4. Segment the network so the next incident’s spread stays contained
  5. Write the lesson learned into a documented response plan

Frequently Asked Questions

If we pay, are we guaranteed to get our data back? No, there is no guarantee. Some who pay never receive a decryptor, and some who do can’t fully recover their data. Payment can be the start of a new risk rather than a solution.

Do I have to report every ransomware attack to KVKK? The duty depends on whether the incident is a personal data breach. If personal data was encrypted, exfiltrated or rendered inaccessible, a breach exists and the 72-hour notification applies. If only operational systems were hit, it’s assessed differently — clarify the distinction with a specialist.

Does cyber insurance cover the ransom payment? It depends on the policy. Some cover ransom and negotiation costs, others only recovery and legal process. But nearly all require the incident to be reported within a set window; late notice can reduce your cover.

Being ready for a ransomware scenario is possible through decisions made today, not on the day of the attack. Let’s review your current backup, identity and response setup together and build an incident response plan tailored to your business. Get in touch — so that what you do in the first 72 hours is written down in a tested plan.
