You walk into the office in the morning and every screen shows a red banner: "All your files are encrypted. Pay 0.5 BTC or they will be deleted." Panic is unavoidable. But the order in which you act makes the difference.
⚠️ Important: This is a general guide. For serious incidents, always engage a professional incident response team.
First hour — Isolation
1. Disconnect affected machines from the network
Ransomware spreads through network shares. Turn off Wi-Fi, unplug Ethernet cables. Cloud sync agents (OneDrive, Drive) will push encrypted files to the cloud — pause sync immediately.
2. Isolate the server (if any)
If there is a local server, pull the cable but do not power it off. Powering off destroys RAM contents and forensic evidence.
3. Protect backup repositories
If a USB or NAS is connected, physically disconnect it. PratikYedek cloud backups acquire an immutable lock (3-second delay) the moment an incident is detected; even so, change the admin password right away.
Hours 2-4 — Detection and assessment
4. Which variant?
The encrypted file extension (e.g. .locked, .encrypted, .veracrypt) identifies the variant. Upload two sample files to ID Ransomware to identify it. Some variants have free decryptors (No More Ransom Project).
5. Is there data exfiltration?
Modern ransomware does not just encrypt — it copies data first and extorts with it. Dark-web monitoring tools or analysis of outbound traffic to the attacker's C2 server reveal exfiltration. If data was exfiltrated, the breach notice under KVKK § 12/5 (KVKK is Turkey's GDPR equivalent) is triggered.
6. Classify affected data types
- Is there personal data? (KVKK § 3)
- Is there sensitive personal data? (§ 6: health, criminal records, biometrics)
- Financial records? (Turkish Tax Procedure Law — VUK)
- Contracts or KEP (registered e-mail) records?
This classification determines reporting obligations.
Hours 4-8 — Notice and legal
7. KVKK breach notice — the 72-hour rule
KVKK Board decision no. 2019/10 (24 Jan 2019):
"In the event of a data breach, the data controller must notify the Authority within 72 hours at the latest."
The online form is at https://kvkk.gov.tr/Icerik/4191/Veri-ihlal-bildirimi. Missing details may be added later, but the form must be opened within 72 hours; otherwise you are in breach of the notification rule.
8. Informing affected individuals
For serious risk (sensitive data leakage, financial data, etc.) direct notification to the data subjects is mandatory. Prefer e-mail + website notice + (when necessary) KEP registered e-mail.
9. Sector regulators
- Healthcare: Ministry of Health, within 24 hours
- Finance: BDDK + MASAK
- Telecom/ISP: BTK
- E-commerce: Ministry of Trade (ETBİS)
10. Criminal complaint
File a complaint with the Cybercrime Bureau at the Public Prosecutor's office. Attach the incident report, screenshots, and technical analysis.
Hours 8-24 — Recovery
11. Restore strategy
Never pay the ransom. The numbers:
- 20% of those who pay never recover their data
- Payers face a 2x higher risk of being re-targeted within 12 months
- The KVKK Authority can treat ransom payment as "lack of adequate measures" and impose additional fines
The right path: restore from a clean backup.
Restore order
- Prepare clean hardware (keep the old machines for forensics)
- Install the operating system and updates
- Recover with PratikYedek using the master password — pick the most recent clean snapshot (typically 24-48 hours before the incident)
- Verify: spot-check 10 random files
- Bring services back online
Which snapshot is clean?
Ransomware usually has a dwell time (silent phase) — 21 days on average. Therefore:
- ✅ Keep 30 daily snapshots
- ✅ Validate snapshots with antivirus scanning
- ✅ Enable suspicious file-change alerts (PratikYedek Phase 5 feature)
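An added example (not PratikYedek's own code) of the snapshot choice described above: it walks daily snapshots back from the incident, treats a burst of modified files or unfamiliar extensions as the encryption run, discards anything on or after the earliest antivirus hit, and checks whether retention reaches past the average dwell time. The Snapshot fields, the 300-files-per-day baseline and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Snapshot:
    day: date
    changed_files: int    # files modified since the previous daily snapshot
    new_ext_ratio: float  # share of changed files carrying a never-seen extension
    av_clean: bool        # antivirus scan of the snapshot contents found nothing


def is_suspicious(snap, baseline_changed, burst_factor=5, ratio_limit=0.05):
    """In backup metadata an encryption run shows up as a burst of modified
    files and a flood of unfamiliar extensions (.locked, .encrypted, ...)."""
    burst = snap.changed_files > burst_factor * max(baseline_changed, 1)
    return burst or snap.new_ext_ratio > ratio_limit or not snap.av_clean


def pick_clean_snapshot(snapshots, incident_day, baseline_changed):
    """Most recent snapshot that is not suspicious and predates the earliest
    antivirus hit: once the scanner has seen malware in a snapshot, later
    snapshots that scanned clean may just be misses, so they are not trusted."""
    hits = [s.day for s in snapshots if s.day < incident_day and not s.av_clean]
    cutoff = min(hits) if hits else incident_day
    for snap in sorted(snapshots, key=lambda s: s.day, reverse=True):
        if snap.day < cutoff and not is_suspicious(snap, baseline_changed):
            return snap
    return None  # no trustworthy restore point in the retained window


def retention_covers_dwell(snapshots, incident_day, dwell_days=21):
    """True when the oldest kept snapshot predates the average dwell time,
    i.e. at least one restore point probably predates the intrusion itself."""
    oldest = min(s.day for s in snapshots)
    return oldest <= incident_day - timedelta(days=dwell_days)


# Constructed sample: about 300 files change on a normal day.
INCIDENT_DAY = date(2024, 3, 15)
SAMPLE = [
    Snapshot(date(2024, 3, 10), 280, 0.00, True),
    Snapshot(date(2024, 3, 11), 310, 0.01, True),
    Snapshot(date(2024, 3, 12), 295, 0.00, False),   # dormant dropper caught by scan
    Snapshot(date(2024, 3, 13), 320, 0.00, True),    # scanner missed it, still dormant
    Snapshot(date(2024, 3, 14), 48000, 0.92, True),  # encryption run: mass renames
]

if __name__ == "__main__":
    best = pick_clean_snapshot(SAMPLE, INCIDENT_DAY, baseline_changed=300)
    print("restore from:", best.day)  # 2024-03-11
    print("retention covers dwell time:", retention_covers_dwell(SAMPLE, INCIDENT_DAY))  # False
```

Without the antivirus hit on the 12th the same data would select the 13th, a snapshot that still carries the dormant dropper, which is why the page insists on scanning snapshots rather than trusting change counts alone.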
12. Restart checklist
- All passwords rotated (admin + user + service accounts)
- MFA (2FA) made mandatory
- EDR/XDR (Endpoint Detection & Response) deployed
- All software updated to the latest version
- Open RDP ports closed (most common entry vector)
- E-mail gateway phishing filter hardened
- Employee phishing training scheduled
Following days — Learn
- Write up the incident report: what, when, how, how long, what was lost
- Send follow-up information to the KVKK Authority (post-72h details)
- Review processor DPAs — was any sub-processor involved in the leak?
- Insurance: if you have cyber insurance, open a claim
How PratikYedek supports incident response
- ✅ Immutable snapshots — even admins cannot delete them (KVKK-aligned retention lock)
- ✅ Automatic incident timeline (audit log)
- ✅ Antivirus snapshot scanning (Phase 5)
- ✅ 24/7 incident response hotline on enterprise plans
Join Early Access — Think of it as ransomware insurance. The cheapest item until you need it.
