9 Realms Cybersecurity

What to Do in the First 24 Hours of a Ransomware Attack

Chuck Flynn

Ransomware incidents have a rhythm. The first hour is chaos. The second hour is slightly more organized chaos. By hour four, someone has usually taken charge and the response starts to look like a process rather than a panic. The decisions made during those first few hours — before outside help arrives, before the insurance company is on the line, before anyone has a full picture of what happened — are the ones that most often determine whether the organization recovers in two weeks or two months.

Here is what good looks like in the first 24 hours, and where most organizations go wrong.

The First Hour: Contain Before You Investigate

The instinct when ransomware is discovered is to understand what happened. Where did it come from? How far has it spread? What systems are affected? These are the right questions, but they are not the first priority.

The first priority is stopping the spread. Ransomware moves laterally through networks quickly, and every minute spent investigating rather than containing gives the malware more time to encrypt additional systems. The first action should be network isolation — taking affected systems offline, segmenting portions of the network to prevent lateral movement, and cutting off the pathways the ransomware is using to propagate.

This feels counterintuitive because taking systems offline destroys potential evidence and may impact operations. Do it anyway. Evidence recovery is possible later. Stopping an actively spreading infection is time-critical in a way that forensic investigation is not.

Do not restart affected systems. Do not attempt to decrypt files yourself. Do not pay the ransom without legal counsel involved. All three of those actions create problems that are harder to solve than the ones they are trying to fix.

The Second Hour: Notifications

While containment is happening, notifications need to start in parallel. Not public notifications — internal escalation and the contacts your organization is required to reach.

Your cyber insurance carrier should be contacted as early as possible. Most policies have notification requirements, and contacting the carrier early gives them the opportunity to activate their incident response resources, which often include legal counsel, forensic investigators, and negotiators if ransom is on the table. Delaying this notification can create coverage issues.

Legal counsel should be engaged early, before any external communication about the incident. Ransomware incidents frequently involve data exfiltration as well as encryption — attackers often steal data before deploying the ransomware payload — which means there may be regulatory notification obligations. Counsel needs to be involved before any determination is made about what happened and who needs to be told.

If you have a managed security services provider or an incident response retainer, activate it now. This is what the retainer exists for.

The First Eight Hours: Assessment

Once containment is underway and notifications are initiated, the assessment phase begins. What systems are affected? What data was potentially accessed or exfiltrated? What is the extent of the encryption? What are the business-critical systems and what is the recovery priority order?

This assessment drives the recovery sequencing. Not all systems are equal. The payroll system and the production control system are not the same priority as a marketing file server. Recovery has to be sequenced against business impact, and that sequencing needs to be decided deliberately rather than based on what is easiest to restore.

Preserve forensic evidence throughout this phase. Do not wipe and rebuild affected systems before forensic imaging is complete. The investigation that follows the incident — whether for insurance purposes, regulatory compliance, or legal proceedings — depends on evidence that survives only in the current state of the affected systems.

Hours Eight Through Twenty-Four: Communication and Recovery Initiation

External communication during a ransomware incident needs to be carefully managed. Customers, partners, and the public do not need real-time updates about an active incident. What they need is accurate information delivered at the right time, after counsel has reviewed it and the organization has a clear picture of what happened.

Internal communication is different. Your staff needs to know what is happening, what they should and should not do, and who is coordinating the response. Rumor and speculation in the absence of official communication create additional problems during an already difficult situation.

Recovery initiation in the first 24 hours typically means getting the most critical systems back online from clean backups, if clean backups exist and have been verified. This is where backup strategy becomes a recovery strategy. Organizations with tested, air-gapped backups that are current are in a fundamentally different position than organizations whose backups were on the same network segment as the encrypted systems.
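The two points above, sequencing recovery by business impact rather than by what is easiest to restore and restoring only from verified backups that predate the compromise, as an added Python example that is not code from the original post: a small recovery planner over a constructed inventory. The system names, tiers, dependencies and timestamps are assumptions.

```python
from datetime import datetime
import heapq

def recovery_plan(systems, first_compromise):
    """Return (order, blocked) for an inventory {name: {tier, deps, backup, tested}}.
    order respects dependencies and restores the most business-critical work first;
    blocked lists systems with no restore-tested backup that predates the compromise."""
    dependents = {n: [] for n in systems}
    indeg = {n: 0 for n in systems}
    for name, s in systems.items():
        for d in s["deps"]:
            dependents[d].append(name)
            indeg[name] += 1
    # A system inherits the urgency of whatever depends on it, so the tier-3
    # file share that payroll needs is restored with payroll's tier-1 priority.
    eff = {}
    def effective_tier(name, path=()):
        if name in path:
            raise ValueError(f"dependency cycle through {name}")
        if name not in eff:
            eff[name] = min([systems[name]["tier"]] +
                            [effective_tier(c, path + (name,)) for c in dependents[name]])
        return eff[name]
    for n in systems: effective_tier(n)   # fills eff for every system; rejects cyclic inventories
    ready = [(eff[n], n) for n in systems if indeg[n] == 0]
    heapq.heapify(ready)
    order, blocked = [], []
    while ready:
        _, name = heapq.heappop(ready)
        s = systems[name]
        order.append(name)
        if not (s["tested"] and s["backup"] and s["backup"] < first_compromise):
            blocked.append(name)
        for child in dependents[name]:
            indeg[child] -= 1
            if indeg[child] == 0:
                heapq.heappush(ready, (eff[child], child))
    return order, blocked

# Constructed inventory: assumed names, tiers and timestamps, not a real environment.
# tier 1 = most business-critical; backup = newest backup believed clean (None if none);
# tested = the backup has actually been restored and checked, not merely "exists".
FIRST_COMPROMISE = datetime(2024, 5, 1, 3, 0)
INVENTORY = {
    "directory":       dict(tier=1, deps=[], backup=datetime(2024, 4, 30, 22), tested=True),
    "payroll":         dict(tier=1, deps=["directory", "fileshare"], backup=datetime(2024, 4, 30, 23), tested=True),
    "plant-control":   dict(tier=1, deps=["directory"], backup=datetime(2024, 4, 30, 23, 30), tested=True),
    "fileshare":       dict(tier=3, deps=["directory"], backup=datetime(2024, 4, 30, 21), tested=True),
    "marketing-share": dict(tier=3, deps=["directory"], backup=datetime(2024, 5, 1, 4), tested=False),
}
```

The file share is restored before payroll even though it is tier 3 on its own, and the marketing share is reported as blocked because its only backup postdates the compromise and was never restore-tested.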

What Most Organizations Get Wrong

The most common mistakes in the first 24 hours are not technical. They are process failures. Waiting too long to isolate affected systems because nobody wants to take the production environment offline. Delaying insurance notification because someone thinks they can handle it internally. Attempting recovery without preserving forensic evidence. Communicating publicly before legal counsel has reviewed the communication.

All of these mistakes are understandable under pressure. All of them make the outcome worse.

The organizations that recover fastest from ransomware incidents are the ones that have practiced the response before they needed it, have the contacts they need in a form they can access when systems are down, and execute the first few hours with discipline rather than improvisation.

That is not luck. It is preparation.

Tags: ransomware, incident response, ransomware recovery, cybersecurity, breach response, IR plan