In summary
When ransomware strikes, the very first hours determine whether your SME will recover – or not. Attacks against Belgian SMEs are soaring, and the time between intrusion and encryption has collapsed. Yet, most companies have no response plan. In a panic, they make irreversible mistakes. Here's a clear action plan for the first 4 hours, and what to prepare BEFORE.
- Do not pay in haste: payment does not guarantee recovery and marks you as a future target.
- Don't turn off infected machines: isolate them from the network, but keep them running to preserve evidence.
- An immutable and offline backup is your best — sometimes your only — way out.
- In Belgium, an incident can trigger notification obligations (GDPR, and NIS2) with strict deadlines.
- The difference between a small or medium-sized enterprise (SME) that survives and one that goes under almost always boils down to prior preparation.
Why are the first four hours decisive?
Ransomware encrypts your files and demands a ransom to unlock them. But the attack doesn't begin when the ransom message appears: at that point, the attackers are often already on your system, and the encryption is either in progress or completed.
What has changed is the speed. Where attackers used to remain in a network for weeks, they now operate in a matter of hours. Automation and AI have industrialised attacks. By the time you discover the incident, the clock is already ticking fast.
In this critical window, every decision matters. The right ones limit the damage. The wrong ones – often dictated by panic – can destroy evidence, worsen the spread, or cost you a fortune unnecessarily.
Hour 1: isolate, do not switch off
Your first instinct should be to contain the spread. Ransomware attempts to spread laterally: shared servers, connected backups, other workstations.
To do immediately
- Disconnect the affected machines from the network (cable unplugged, Wi-Fi turned off). Isolate them physically.
- Disconnect unreached backups and shared storage to protect them.
- Block remote access (VPN, RDP) that could be used as a propagation route.
Do not switch off the machines
This may seem counter-intuitive, but powering off removes valuable RAM information needed to understand the attack and sometimes for recovery. Isolate, but leave it on.
Hour 2: assess the scale and alert
Once the spread is under control, we must To understand what is being touched What posts, what servers, what data, and most importantly – are your backups intact?
Now is the time to activate your alert chain: management, your IT provider or security team, and your cyber insurer (many policies require you to inform them very early, otherwise cover may be invalid).
In Belgium, you can report the incident to the CCB via CERT.be. For entities subject to NIS2, this notification is subject to strict deadlines. Even outside of NIS2, if personal data is concerned, GDPR requires notification of the Data Protection Authority within 72 hours.
Hour 3: Preserve Evidence and Document
Too many companies, in a rush, erase or reinstall everything to «get back up and running quickly.» This is a mistake. Preserving evidence is essential for investigations, insurance, and potential legal proceedings.
- Document everything: time of discovery, symptoms, ransom message (screenshot), systems affected.
- Keep the isolated machines as they are, without cleaning them.
- Note each action taken and at what time. This timeline will be invaluable.
This rigour, difficult to maintain under stress, is part of what a pre-prepared response plan makes much simpler.
Hour 4: Decide on recovery (without panicking and paying)
Here comes the question that haunts every leader: Is there a charge?
The position of the authorities, including the CCB, is clear: Paying is strongly discouraged. First, there's no guarantee the attackers will return your data. Second, paying marks you as a «profitable» target and exposes you to further attacks. Finally, paying finances the criminal ecosystem.
The real way out is yours Backups. If you have a healthy, immutable, and disconnected backup, you can restore your environment to a point prior to the attack. A small or medium-sized enterprise (SME) with a Disaster Recovery Plan (DRP) and tested backups can be restored in a few hours or days. A small business with nothing can take weeks – or never recover.
What to prepare BEFORE
The best crisis management is the kind you don't have to improvise. The fundamentals to put in place now:
Rule 3-2-1
Three copies of the data, on two media, one of which is off-site and disconnected.
How GVISION protects and supports you
At GVISION, we help Brussels and Belgian SMEs prepare on two fronts: prevention and reaction. For prevention, we deploy immutable and tested backups, EDR/XDR protection, MFA, and awareness training. In the event of a crisis, we support incident response and restoration via a disaster recovery plan (DRP) designed for your environment.
Our approach is that of a close-knit partner who knows your infrastructure before the crisis strikes – because in those four crucial hours, it’s not the time to be getting acquainted.
Would your SME survive a ransomware attack tomorrow morning?
Enjoy our free security audit: we'll assess your exposure, the state of your backups, and your recovery capability, with a clear and no-obligation roadmap.
Request my free audit Contact usFAQ — Ransomware and SMEs
Should you pay a ransomware demand?
Should you turn off a computer infected with ransomware?
What to do first in case of an attack?
Do I need to report a ransomware attack in Belgium?
How to protect yourself effectively from ransomware
Is one backup enough to recover from ransomware?
This article is for informational purposes only and does not replace professional advice in the event of an incident. Regulatory obligations (GDPR, NIS2) vary depending on your situation. In the event of an ongoing attack, contact your IT provider immediately and, if necessary, the CCB via CERT.be.



