A Ransomware Playbook for New Zealand SMBs (That Actually Fits on One Page)

What to do in the first hour, the first day, and the first week of a ransomware incident — written for owner-operated NZ businesses without a dedicated security team.

Haumaru Incident Response 30 January 2026 9 min read

Most ransomware advice is written for organisations with a Chief Information Security Officer and a 24/7 SOC. New Zealand's economy is overwhelmingly small and medium-sized businesses where the IT manager is also the operations manager and possibly also the owner. This playbook is written for them. It assumes you do not have a runbook, you do not have a retainer with a forensics firm, and you are reading this on the morning that something looks very wrong.

Hour one: contain, do not panic

The single biggest mistake in the first hour is to start deleting things. Do not wipe affected machines, do not reformat servers, and do not delete suspicious emails — they are evidence. Do disconnect affected systems from the network (unplug the cable, disable Wi-Fi) to stop lateral movement. Do not power them off if you can avoid it; volatile memory contains evidence that is lost on shutdown. Identify the scope by checking other servers, file shares, and backup systems for the same encrypted-file extension or ransom note. Take photographs of any ransom notes on screens with your phone.

Hour one to four: assemble the right people

You need four roles, even if one person plays several: a decision-maker (usually the owner or CEO), a technical lead, a communications lead, and a scribe keeping a written timeline. Call your cyber-insurance broker before you call anyone else — most policies require notification within 24-72 hours and will appoint a panel incident-response firm whose costs are covered. Call your bank if you suspect any financial systems are involved. Do not yet email staff or customers; wait until you understand enough to say something true and useful.

Day one: forensics before remediation

Resist the urge to restore from backup immediately. If you restore before understanding the initial access vector, you will be re-encrypted within days. A competent IR provider will pull memory images, disk images of representative affected hosts, and relevant logs (firewall, EDR, Microsoft 365 audit, VPN), then identify the entry point — typically a phished credential, an unpatched edge device, or an exposed RDP service. Only once that is closed does restoration begin.

Should you pay?

The official New Zealand government position, echoed by CERT NZ and the National Cyber Security Centre, is to discourage ransom payments. Payment funds the criminal ecosystem, does not guarantee data return, and may breach sanctions if the threat actor is on a designated list. That said, the decision is the business's to make, and it should be made with legal counsel, your insurer, and a qualified ransom-negotiation firm — never by direct contact with the attacker. In our experience, organisations with tested offline backups almost never pay; organisations without them often feel they have no choice. The lesson is in the preparation, not the payment.

Privacy Act notifications

If personal information has been accessed or exfiltrated and the breach is likely to cause serious harm, you have an obligation under the Privacy Act 2020 to notify the Office of the Privacy Commissioner and affected individuals as soon as practicable. Ransomware incidents almost always involve exfiltration in 2026 — assume data is gone until proven otherwise. See our companion piece on Privacy Act breach notification for the detail.

Day two to seven: rebuild, don't restore

Where possible, rebuild critical systems from known-good images rather than restoring potentially compromised state. Rotate every credential — service accounts, API keys, certificates, and shared secrets — not just user passwords. Force a global password reset and revoke all active sessions. Re-enrol MFA tokens. Audit Microsoft 365 mail-forwarding rules, OAuth consents, and inbox rules; these are common persistence mechanisms left behind by attackers.
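As an added example (not the article's or Haumaru's own code), a small Python triage script that walks exported Microsoft 365 audit records for the persistence mechanisms named above: inbox rules or mailbox-level forwarding pointing outside the business, rules that delete messages, and rules with near-empty names, and it doubles as a timeline source for the Day one step of reviewing the Microsoft 365 audit log, since each finding carries the time, user and client IP of the change. The record layout, the internal domain list and every sample value are assumptions constructed for the example.

```python
# Constructed sample records approximating the AuditData layout of Exchange
# admin events in the Microsoft 365 unified audit log. Values are made up.
SAMPLE_AUDIT = [
    {"CreationTime": "2026-01-12T03:14:22", "Operation": "New-InboxRule",
     "UserId": "jane@example.co.nz", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@example-mail.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-01-12T03:15:01", "Operation": "Set-Mailbox",
     "UserId": "jane@example.co.nz", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@example-mail.invalid"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-01-13T09:02:45", "Operation": "New-InboxRule",
     "UserId": "ops@example.co.nz", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Accounts"}]},
]

INTERNAL_DOMAINS = {"example.co.nz"}  # assumed: the business's own mail domain(s)
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

def _domain(value):
    """Domain part of 'smtp:user@host' or 'user@host'; '' if no address."""
    addr = value.split(":", 1)[-1].strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def find_persistence(records, internal_domains=INTERNAL_DOMAINS):
    """Return suspicious forwarding/rule changes, oldest first, with reasons."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = []
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            dom = _domain(params[name])
            if dom and dom not in internal_domains:
                reasons.append(f"{name} points to external domain {dom}")
        if params.get("DeleteMessage") == "True":
            reasons.append("rule deletes the message after forwarding")
        if rec["Operation"] != "Set-Mailbox" and len(params.get("Name", "").strip()) <= 1:
            reasons.append("near-empty rule name, easy to miss in the mail client")
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "ip": rec.get("ClientIP"), "operation": rec["Operation"],
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["time"])
```

Feed it the parsed AuditData objects from your own export and extend INTERNAL_DOMAINS with every domain the business legitimately forwards to, so that only genuinely external destinations are flagged.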

Week two onwards: the lessons

Run a written post-incident review within two weeks while memories are fresh. The output is not a blame document; it is a list of changes — to technology, processes, and supplier relationships — with owners and dates. The most common findings we see in NZ SMB incidents: missing or reused MFA, an unpatched VPN appliance or firewall, no offline backups, and no one looking at security alerts that had in fact been firing for weeks. None of these are expensive to fix; they are simply easy to defer when nothing has gone wrong yet.

Build the relationship before you need it

A 30-minute introductory call with an incident-response provider before anything has happened is worth more than any policy document. You will know who to call, they will know your environment well enough to move fast, and the first invoice will not include a panic premium. Haumaru offers no-cost IR readiness calls for New Zealand businesses; reach us at contact@haumaru.ltd or +64 22 423 0494.
