Cybersecurity for Startups · Operations & Response

Ransomware response for a startup: what to do in the first hours

In short

If your startup has been hit by ransomware, act in order: isolate the affected machines from the network without shutting them down (to preserve memory and forensic evidence), activate your incident-response team, identify the variant and entry vector, restore from verified and clean backups, and assess your obligation to notify the ANPD and data subjects under the LGPD. Don't pay the ransom: there's no guarantee of recovery and payment funds new attacks.

Decripte is a cybersecurity company serving businesses from 1 to 100,000+ employees — from MVPs to scale-ups. A full platform and services, starting with the free Threat Management plan.

Key takeaways

  • Isolation is the priority, but shutting the machine down destroys volatile evidence in RAM; disconnect from the network without powering off.
  • Paying the ransom doesn't guarantee the decryption key, violates CISA #StopRansomware guidance, and keeps you on the criminals' radar.
  • The LGPD requires notifying the ANPD and data subjects when there's relevant risk to the data; ransomware at a fintech almost always qualifies.
  • Restore only from tested and isolated backups, after confirming the entry vector has been eliminated, so you don't re-encrypt everything.
  • The first 60 minutes define the size of the loss: having a plan and a response contact ready changes the outcome.

Containment: isolate without destroying the evidence

The reflex of anyone who discovers ransomware is to shut everything down. It's a mistake. The NIST SP 800-61 (Computer Security Incident Handling Guide) treats containment as a deliberate phase, and an abrupt shutdown wipes out volatile evidence that lives only in memory: encryption keys the malware still holds in RAM, active processes, network connections to the command-and-control server, and indicators of compromise that guide the entire subsequent investigation.

The correct action is network isolation: unplug the ethernet cable, disable Wi-Fi, and remove the host from shared segments, keeping the machine powered on. In cloud or virtualized environments, this is equivalent to applying security group rules that block all traffic, or pulling the instance out of the subnet, without terminating the VM. The goal is to cut off lateral propagation and communication with the attacker without losing the system's state.

In parallel, contain the credentials. Modern ransomware moves laterally using accounts with elevated privileges, so revoke active sessions, force the rotation of administrative and service account passwords, and disable compromised integration access. Document each action with a timestamp: this timeline will be central to the investigation and to the regulatory notification later.

Activating incident response and why speed decides the loss

Ransomware isn't a one-off event, it's an operation in progress. By the time files start being encrypted, the attacker has usually been inside the environment for days or weeks, mapping assets and, in many cases, exfiltrating data before triggering the encryption — so-called double extortion. That's why the response has to begin while the operation is still active, not after the damage has set in.

The NIST SP 800-61 cycle organizes this response into preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. At a lean startup, there's rarely a dedicated team on call to execute this under pressure at three in the morning. This is where an incident-response partner changes the game: Decripte offers Incident Response in under 1 hour and a SOC that monitors, contains, and investigates while your team keeps the product running. The sooner you activate it, the smaller the window for encryption and data leakage. Start with our free plan and have the emergency channel mapped before you need it.

Before eradicating, identify what happened: which ransomware variant, what the entry vector was (phishing, leaked credential, exposed VPN or RDP service, unpatched vulnerability), and what data was accessed. Without this analysis, recovery becomes trial and error, and there's a real risk of restoring the environment with the same entry door still open.

Start with visibility

See for free what has already leaked and where your startup is exposed.

Decripte's free Threat Management plan maps vulnerabilities, monitors threats and shows leaked credentials — no credit card and no security team required.

Start free now

Why not to pay the ransom

The pressure to pay is enormous when the product is down and customers are demanding answers. Even so, CISA's consolidated guidance in the #StopRansomware campaign is not to pay, and for concrete reasons, not moral ones. Paying doesn't guarantee decryption: the keys handed over are frequently faulty, slow, or partial, and some of the victims who pay don't recover all their data. You'd be buying a promise from a criminal.

Paying also signals to the group that your startup is a payer, which increases the chance of a second attack, funds the criminal operation and the development of new variants, and in double-extortion cases doesn't prevent the leak: many groups publish or resell the data even after receiving payment. Before considering anything, consult the No More Ransom project (nomoreransom.org), which maintains a repository of free decryption tools; for several variants a public key is already available.

There's also the legal and compliance component. Depending on the group responsible for the attack, payment may run into international sanctions, and the act of paying does not extinguish your obligations under the LGPD nor reduce your liability toward data subjects and partners. The decision to pay should always be the last resort, made with legal and incident-response counsel, never a heat-of-the-moment reaction.

Restoring from backup safely

Restoring seems like the simple part, but it's where many startups recreate the disaster. The golden rule: never restore into an environment that still contains the entry vector. If the breach that allowed the attack remains open, the ransomware re-encrypts the freshly restored data, sometimes within hours. Eradication comes before recovery, in the NIST 800-61 sequence.

Use only backups you know to be clean and intact. Backups connected to the network at the time of the attack may have been encrypted or tampered with as well, which is why immutable or offline copies matter. Before promoting any restoration to production, validate the data in an isolated environment, confirm the absence of malware artifacts, and verify file integrity. Restore in a phased manner, prioritizing the systems critical to the fintech's operation, and closely monitor each service coming back online for signs of reinfection.

Notification: LGPD, ANPD, and customers

Ransomware that affects personal data is a security incident under the LGPD. Article 48 requires the controller to notify the ANPD and the affected data subjects when the incident may cause relevant risk or harm, and the Authority advises that this communication be made within a reasonable timeframe, using short deadlines from the moment the incident is known as a reference. For a fintech, which handles financial data, most ransomware cases qualify as relevant risk.

The communication must be substantive: the nature of the affected data, the data subjects involved, the technical measures adopted to protect the data, the risks, and the mitigation measures. This is why the documentation produced during containment and analysis is so valuable, it feeds the notification. Beyond the ANPD, assess sector-specific obligations: regulated fintechs may have additional duties toward the Central Bank, plus contractual notification clauses with partners and B2B customers.

Communicating with customers is also trust management. Be transparent about what happened, what was affected, and what you're doing, without speculating before you have the facts. Silence and contradictory information erode the relationship more than the incident itself. Have a single person responsible for communication to avoid mixed messages.

Preventing the next attack

Every incident closes with the lessons-learned phase of NIST 800-61: what failed, what worked, and what changes from now on. The entry vector identified during the response points directly to the priority fix, whether closing an exposed RDP service, patching a pending vulnerability, or eliminating reused credentials.

The measures that most reduce the attack surface at startups are well known and accessible: multi-factor authentication on all administrative and remote access, the principle of least privilege on accounts, network segmentation to limit lateral movement, disciplined patch management, and continuous detection via EDR and SOC monitoring. CISA #StopRansomware brings together practical hardening guides for each of these points.

Prevention, however, isn't a one-time project, it's a continuous capability. Detection that identifies the compromise during the reconnaissance phase, before encryption, is what turns a disaster into an alert. Mapping the incident-response channel and having active monitoring before the crisis is the highest-return investment a founder can make in security.

Practical checklist

  1. 1

    1. Isolate without shutting down

    Disconnect the affected machines from the network (cable, Wi-Fi, cloud rules) while keeping them powered on, to cut propagation without destroying the volatile evidence in memory.

  2. 2

    2. Activate incident response

    Immediately call your team or response partner. Decripte responds in under 1 hour, and the SOC begins containment and investigation while your team keeps the product running.

  3. 3

    3. Contain credentials and access

    Revoke active sessions, rotate administrative and service account passwords, and disable compromised integrations to stop lateral movement.

  4. 4

    4. Analyze the variant and entry vector

    Identify which ransomware hit the environment, how it got in, and what data was accessed or exfiltrated, documenting everything with timestamps.

  5. 5

    5. Eradicate and restore from a clean backup

    Close the entry vector first; then restore from immutable, validated backups in an isolated environment, in a phased and monitored manner.

  6. 6

    6. Notify the ANPD and data subjects

    Assess the risk to personal data and notify the ANPD and the data subjects under Article 48 of the LGPD, plus sector-specific and contractual obligations.

  7. 7

    7. Review and prevent

    Conduct the post-incident analysis, fix the root cause, and implement MFA, least privilege, segmentation, patches, and continuous detection.

Frequently asked questions

Should I shut down the computers when I detect ransomware?

No. Shutting down destroys volatile evidence in RAM, such as encryption keys and active processes. Disconnect from the network to contain propagation, but keep the machines powered on until the response team collects the forensic evidence.

Does paying the ransom solve the problem?

There's no guarantee. The keys handed over may be faulty or partial, payment marks you as a payer and attracts new attacks, funds the crime, and in double extortion doesn't prevent the leak. CISA #StopRansomware recommends not paying. First consult No More Ransom, which offers free decryptors for several variants.

Am I required to notify the ANPD if my startup suffered ransomware?

If the incident affected personal data and may cause relevant risk or harm to data subjects, yes, under Article 48 of the LGPD. At fintechs, which handle financial data, most cases qualify. The communication must be made within a reasonable timeframe and describe the affected data, the risks, and the measures adopted.

Can I restore from backup right after the attack?

Don't restore before eliminating the entry vector, or the ransomware will re-encrypt the restored data. Use immutable or offline backups, validate integrity in an isolated environment, and restore in a phased manner, prioritizing critical systems and monitoring each service.

How much time do I have to react to ransomware?

The first minutes are decisive, because encryption and exfiltration continue while the attack is active. The faster the containment, the smaller the damage. That's why Decripte offers Incident Response in under 1 hour, reducing the damage window.

How do I find out how the ransomware got in?

Forensic analysis examines logs, processes, network connections, and artifacts left by the malware to reconstruct the entry vector, which is usually phishing, a leaked credential, an exposed RDP or VPN service, or an unpatched vulnerability. Identifying the root cause is what prevents reinfection.

Is my startup too small to be a ransomware target?

Growing startups and fintechs are attractive targets precisely because they have valuable data and, often, defenses still under construction. Much of the attack activity is opportunistic and automated, targeting any environment with exposed gaps, regardless of the company's size.

What does Decripte do in a ransomware scenario?

Decripte acts with Incident Response in under 1 hour and a SOC that contains the attack, investigates the entry vector, supports safe restoration, and guides the notification to the ANPD. You can start with the free plan and leave the emergency channel mapped before the crisis.

Security for startups and fintechs

From the first round to enterprise: Decripte grows with you.

A full platform and services: threat management, 24x7 SOC, incident response, pentest and compliance (LGPD, ISO, BACEN). Start free and see what has already leaked from your business.