Ransomware Recovery Playbook for Singapore SMBs
Ransomware turns a normal Tuesday into a crisis. The outcome depends on what was prepared before the attack (backups, isolation, documentation, contacts), not on what people do in the panic of the moment. This playbook outlines what to do in the first hour, the first day, and the first week, and what to have in place beforehand so that the answers exist when they are needed.
This article is operational guidance, not legal advice. Engage a Singapore-qualified lawyer if you are handling a real incident.
The first hour: contain
The first hour is about stopping the spread. Speed matters more than diagnosis at this stage.
- Disconnect, do not power off. Pull affected devices off the network. Do not shut them down — some forensic evidence is in memory.
- Isolate the network. Disable Wi-Fi, unplug suspicious VLANs, segregate critical infrastructure. Stop sync clients (OneDrive, Drive, Dropbox) so they do not propagate encryption to the cloud.
- Protect backups. Disconnect any backup destinations that may still be online. Make sure the backup destinations that hold the off-site / immutable copy are not reachable from compromised devices.
- Notify internally. Owner / management, IT support, MSP. Establish a single point of contact for the incident.
- Engage your MSP / specialist. If you have a managed IT or managed backup provider, they should be on the call within the first hour.
- Start a timeline log. Note when you first noticed, what you saw, what you did. This matters for insurance, regulators, and forensics.
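The timeline log above is worth more to insurers, regulators and forensic investigators if it can be shown not to have been edited after the fact. The following is an added example, not part of the original playbook, of a minimal hash-chained incident timeline: each entry carries the SHA-256 of the previous entry, so any later edit, insertion or deletion breaks the chain. The entries in `build_sample_log()` are constructed sample data for a hypothetical incident; actor names, events and times are assumptions.

```python
"""Append-only, hash-chained incident timeline log (added example)."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used for the very first entry


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log: list, actor: str, event: str, when: datetime | None = None) -> dict:
    """Append an entry linked to the hash of the previous entry and return it."""
    when = when or datetime.now(timezone.utc)
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "time": when.isoformat(timespec="seconds"),
        "actor": actor,
        "event": event,
        "prev": prev_hash,
    }
    entry = dict(body, hash=_entry_hash(body))
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple[bool, int]:
    """Return (ok, index). ok=True means every link checks out; otherwise
    index is the first entry whose hash, sequence number or back-link is wrong."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["prev"] != expected_prev
                or entry["hash"] != _entry_hash(body)
                or body["seq"] != i):
            return False, i
        expected_prev = entry["hash"]
    return True, len(log)


def save_log(log: list, path: str) -> None:
    # One JSON object per line: easy to append to and to hand over as evidence.
    with open(path, "w", encoding="utf-8") as fh:
        for entry in log:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")


def load_log(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def build_sample_log() -> list:
    """Constructed sample timeline for a hypothetical incident (not real data)."""
    log: list = []
    t0 = datetime(2024, 5, 7, 9, 12, tzinfo=timezone.utc)
    append_entry(log, "finance-user", "Files on shared drive renamed with unknown extension", t0)
    append_entry(log, "it-support", "Workstation FIN-02 unplugged from network, left powered on", t0.replace(minute=20))
    append_entry(log, "it-support", "OneDrive sync client stopped on all finance workstations", t0.replace(minute=27))
    append_entry(log, "owner", "MSP engaged; single point of contact assigned", t0.replace(minute=35))
    return log


if __name__ == "__main__":
    timeline = build_sample_log()
    print("chain intact:", verify_chain(timeline))
    timeline[1]["event"] = "edited after the fact"  # simulate tampering
    print("after tampering:", verify_chain(timeline))
```

In practice the log file should also be copied periodically to a location the incident handlers cannot modify (for example mailed to counsel or the MSP), since a hash chain detects tampering but does not prevent someone from rewriting the whole file.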
The first day: assess and notify
Once spread is contained, focus shifts to scope, communication, and recovery planning.
- Scope the impact. Which devices are affected. Which servers. Which file shares. Which cloud services (M365, Workspace). What data is encrypted, what is exfiltrated. Do not assume; verify.
- Confirm backups. Are backup destinations clean? When was the most recent successful backup before the incident? Where is the off-site copy?
- Engage Cyber Security Agency of Singapore (CSA). CSA's SingCERT operates an incident response hotline and can provide guidance. Reporting is part of being a responsible operator.
- Engage legal counsel. Singapore-qualified lawyer to advise on PDPA notification timelines and contractual obligations to customers.
- Notify cyber insurance, if applicable. Most policies require prompt notification.
- Plan customer communication. If customer data is affected, customer communication is required — legally and reputationally. Coordinate with legal.
- Decide on the recovery strategy. Restore from clean backup is the default path if backups are intact. Decryption tools sometimes exist for older variants but are not reliable. Paying the ransom is a decision with its own risks (see below).
The first week: recover and learn
- Rebuild clean. Affected systems should be rebuilt, not just decrypted. The attacker had access — assume nothing is trustworthy until rebuilt.
- Restore from backup. Verified-clean backups restored to rebuilt systems. Verify the restored data is usable before declaring recovery.
- Reset every credential. Every admin password, every service account, every API key. The attacker had access; assume credentials are compromised.
- Rotate sensitive secrets. Certificates, encryption keys, SSO secrets, application secrets.
- Forensics. Even a basic forensic investigation can identify the entry vector and confirm the spread is contained.
- Document. What happened. What you did. What worked. What did not. Lessons for the future.
- Strengthen. Address the entry vector. Improve segmentation. Improve backup isolation. Improve detection.
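"Verify the restored data is usable before declaring recovery" is easier to do systematically than by opening a few files. The following added example, not part of the original playbook, builds a SHA-256 manifest of a known-good data set (for instance a pre-incident file inventory or the contents of the verified backup) and compares a restored directory against it, reporting missing, changed and unexpected files. The directory layout and file contents in `run_demo()` are constructed sample data.

```python
"""Restore verification against a file manifest (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large restores do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns lists of files that are missing, whose content differs, and that
    are present but not in the manifest, plus an overall ok flag."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    changed = sorted(f for f in manifest if f in actual and actual[f] != manifest[f])
    unexpected = sorted(set(actual) - set(manifest))
    return {
        "missing": missing,
        "changed": changed,
        "unexpected": unexpected,
        "ok": not (missing or changed or unexpected),
    }


def run_demo() -> dict:
    """Constructed scenario: a known-good copy and a restore with three defects."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        restored = Path(tmp) / "restored"
        for root in (good, restored):
            (root / "sub").mkdir(parents=True)
            (root / "a.txt").write_text("invoice list 2024\n")
            (root / "sub" / "b.txt").write_text("customer records\n")
        (good / "c.txt").write_text("payroll\n")                    # absent from restore
        (restored / "sub" / "b.txt").write_text("customer rec\n")   # truncated on restore
        (restored / "d.txt").write_text("unknown file\n")           # not in manifest
        manifest = build_manifest(good)
        return {
            "clean": verify_restore(manifest, good),
            "defective": verify_restore(manifest, restored),
        }


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

The manifest has to be produced from data that predates the incident (or from the backup itself before restore), and it should be stored with the backups rather than on the systems being rebuilt; a manifest generated from the restored tree proves nothing.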
What to have in place beforehand
The recovery outcome depends almost entirely on what was prepared before the attack:
- Immutable, off-site backups across every data source: workstations, servers, NAS, M365, Google Workspace. See our 3-2-1 backup rule guide.
- Monitored backup jobs. Backups that silently failed three months before the incident are not a recovery option. See our managed backup solutions.
- Recent verification. The backup that has never been tested is a hope, not a control.
- Documented recovery procedure. Written down, current, accessible.
- Network segmentation so a compromised workstation cannot reach every other system.
- Multi-factor authentication on every administrative account, including backup admin accounts.
- An incident contact list — MSP, legal counsel, cyber insurer, CSA SingCERT.
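Two of the questions above, "when was the most recent successful backup before the incident?" (first day, confirm backups) and "has any backup job been silently failing for months?" (monitored backup jobs), can be answered from the same backup job log. The following added example, not the playbook's or any vendor's tooling, parses a simple key=value job log whose format and sample lines are constructed here, selects the last clean restore point per source strictly before the incident time (a job that ran after the incident started may have backed up encrypted data and is excluded), and flags sources with no success within a threshold.

```python
"""Backup job log analysis: restore-point selection and stale-source check (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC> source=<name> job=<name> status=<word> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+source=(?P<source>\S+)\s+job=(?P<job>\S+)\s+status=(?P<status>\w+)"
)

# Constructed sample log. The incident is discovered at 2024-05-07 09:12 UTC.
# nas01 last succeeded in February and has failed nightly since; fin-02 never succeeded.
SAMPLE_LOG = """\
2024-02-03T02:00:04Z source=nas01 job=nightly status=success bytes=90112000
2024-02-04T02:00:07Z source=nas01 job=nightly status=failed error="destination unreachable"
2024-05-04T02:00:11Z source=fileserver01 job=nightly status=success bytes=18234112
2024-05-04T02:15:02Z source=m365 job=daily status=success items=48211
2024-05-05T02:00:09Z source=fileserver01 job=nightly status=success bytes=18321000
2024-05-05T02:15:05Z source=m365 job=daily status=success items=48377
2024-05-06T02:00:12Z source=fileserver01 job=nightly status=success bytes=18390410
2024-05-06T02:01:00Z source=nas01 job=nightly status=failed error="destination unreachable"
2024-05-06T02:15:01Z source=m365 job=daily status=success items=48402
2024-05-06T20:00:00Z source=fin-02 job=workstation status=failed error="agent not installed"
2024-05-07T02:00:10Z source=fileserver01 job=nightly status=failed error="checksum mismatch"
2024-05-07T02:15:03Z source=m365 job=daily status=success items=48450
2024-05-07T11:30:00Z source=fileserver01 job=manual status=success bytes=99
"""


def parse_log(text: str) -> list[dict]:
    """Parse job lines; unrelated or garbled lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def last_success_before(records: list[dict], cutoff: datetime) -> dict:
    """Per source, the most recent successful job strictly before cutoff.

    Every source seen in the log appears in the result; sources with no
    qualifying success map to None so they are not silently forgotten."""
    result: dict = {}
    for rec in records:
        result.setdefault(rec["source"], None)
        if rec["status"] == "success" and rec["ts"] < cutoff:
            current = result[rec["source"]]
            if current is None or rec["ts"] > current:
                result[rec["source"]] = rec["ts"]
    return result


def stale_sources(records: list[dict], now: datetime, max_age: timedelta) -> list[str]:
    """Sources whose last success is older than max_age, or that never succeeded."""
    last = last_success_before(records, now)
    return sorted(s for s, ts in last.items() if ts is None or now - ts > max_age)


if __name__ == "__main__":
    incident = datetime(2024, 5, 7, 9, 12, tzinfo=timezone.utc)
    recs = parse_log(SAMPLE_LOG)
    print("Last clean restore point per source:")
    for source, ts in sorted(last_success_before(recs, incident).items()):
        print(f"  {source:14} {ts.isoformat() if ts else 'NONE'}")
    print("Sources with no success in the last 7 days:",
          stale_sources(recs, incident, timedelta(days=7)))
```

Run `stale_sources()` on a schedule, not only during an incident: the point of the check is that nas01 would have been flagged in February, when the fix was cheap, rather than discovered on the day the restore is needed.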
Should you pay the ransom?
Singapore agencies generally discourage paying ransoms. The reasons are practical, not just principled:
- Payment funds further attacks — including against you again.
- Decryption tools provided by attackers are often unreliable, slow, or partial.
- Payment marks you as a paying target. Repeat-attack rates are high.
- There may be sanctions exposure depending on the attacker group.
- Recovery from clean backup is more reliable when backups exist.
The decision is contextual, and serious incidents should involve legal counsel, cyber insurance counsel, and law enforcement input. The cleanest position is to be in a state where the question does not need to be considered — because backups are clean, isolated, recent, and verified.
Talk to a backup specialist
Managed Backup Asia operates from Singapore and supports small businesses across Asia. If you would like to discuss your data protection needs, schedule a free 30-minute exploratory call.