First 24 hours
Isolate, don't wipe. Preserve encrypted samples and ransom notes for attribution. Notify your cyber insurer immediately — most policies require notification within 24-72 hours to remain valid. Engage legal counsel; do not communicate with the threat actor yet.
The decision to pay
NCSC and law enforcement position: do not pay. Legal position: paying certain sanctioned actors is a criminal offence under UK sanctions law (OFSI). Practical position: some businesses pay anyway. If payment is considered, it must go through a licensed negotiator with sanctions screening on the wallet — never direct.
Rebuild, don't restore
Restoring backups into a compromised environment reinfects them within days. The correct sequence is: build a clean forensic environment, restore data into it, validate integrity, then rejoin only after credentials, keys and Golden Ticket-style AD compromises are fully rotated and verified.