Ransomware Response Playbook: The First Hours
When a ransomware attack is live, the worst thing you can do is improvise. There is a right order to the response, and most of the damage that turns a contained incident into a company-wide disaster happens in the first hour, when people act on instinct instead of a plan.
This is that plan, condensed. Run the steps in order, because skipping ahead almost always means missed evidence or reinfection.
The playbook, step by step
The single most important idea here is sequence. Containment comes before investigation, evidence comes before eradication, and clean backups are confirmed before anything is restored.
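To make that ordering mechanical rather than something a stressed team has to remember, here is a small response tracker, added as an example and not code from the original article. The step names, their prerequisites and the two forbidden actions are an assumption that encodes exactly the ordering stated above: containment before investigation, evidence before eradication, and credentials reset plus clean backups confirmed before anything is restored.

```python
"""Ransomware response tracker that refuses out-of-order steps.

Added example; not code from the original article. Step names and
prerequisites are an assumption that encodes the playbook's ordering.
"""
from dataclasses import dataclass, field

# Each step lists the steps that must be complete before it may start.
PLAYBOOK = {
    "activate_oob_channel": set(),          # pre-agreed out-of-band channel
    "isolate": {"activate_oob_channel"},    # pull from network, do NOT power off
    "preserve_evidence": {"isolate"},       # memory capture, then disk images
    "investigate": {"preserve_evidence"},   # scope, initial access, persistence
    "eradicate": {"investigate"},
    "reset_credentials": {"eradicate"},     # service accounts, VPN keys, privileged
    "verify_backups": {"eradicate"},        # confirm backups are clean, not just present
    "restore": {"reset_credentials", "verify_backups"},
    "reconnect": {"restore"},
}

# Actions the playbook forbids outright, with the reason to show the operator.
FORBIDDEN = {
    "power_off": "volatile memory (forensic trail, possibly keys) is lost on shutdown",
    "email_coordination": "attacker may be reading compromised mailboxes",
}


class PlaybookViolation(Exception):
    """Raised when a step is attempted before its prerequisites, or is forbidden."""


@dataclass
class Incident:
    name: str
    done: list = field(default_factory=list)

    def complete(self, step: str) -> list:
        """Record `step` as done, or raise if the playbook does not allow it yet."""
        if step in FORBIDDEN:
            raise PlaybookViolation(f"{step!r} is not allowed: {FORBIDDEN[step]}")
        if step not in PLAYBOOK:
            raise PlaybookViolation(f"unknown step {step!r}")
        missing = PLAYBOOK[step] - set(self.done)
        if missing:
            raise PlaybookViolation(
                f"cannot {step!r} yet; first complete: {sorted(missing)}"
            )
        if step not in self.done:
            self.done.append(step)
        return list(self.done)

    def next_steps(self) -> list:
        """Steps whose prerequisites are all satisfied but that are not yet done."""
        finished = set(self.done)
        return sorted(
            s for s, pre in PLAYBOOK.items() if s not in finished and pre <= finished
        )


def run_ordered(steps) -> list:
    """Apply a sequence of steps to a fresh incident; returns the completed log."""
    inc = Incident("constructed-example")
    for s in steps:
        inc.complete(s)
    return inc.done


if __name__ == "__main__":
    inc = Incident("demo")
    print("start with:", inc.next_steps())
    for s in ("activate_oob_channel", "isolate", "preserve_evidence"):
        inc.complete(s)
    try:
        inc.complete("restore")   # backups unverified, credentials not reset
    except PlaybookViolation as e:
        print("blocked:", e)
    try:
        inc.complete("power_off")
    except PlaybookViolation as e:
        print("blocked:", e)
```

`next_steps()` is the useful call during an incident: it answers "what can we do right now?" without anyone having to re-read the playbook, and `complete()` refuses the shortcuts that cause reinfection or destroy evidence.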
Who to notify, and when
| Who to notify | Within |
|---|---|
| SEC (material incident, US public companies) | 4 business days of a materiality determination |
| Regulators under GDPR | 72 hours |
| Law enforcement / cybercrime units | As early as possible, to get intel and possible decryptors |
Reporting is not optional, and the clock starts at detection. Knowing your deadlines in advance keeps a hard call from becoming a missed one.
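Because the two windows in the table run from different events (GDPR from detection, SEC from the materiality determination), it helps to compute them once, at detection, rather than under pressure later. The calculator below is an added example, not code from the original article. Its definition of a business day (Monday to Friday, no holiday calendar) is an assumption; a real deployment should add US federal holidays.

```python
"""Notification deadline calculator for the reporting table above.

Added example; not code from the original article. Encodes the two windows
the table gives: 72 hours from detection for GDPR, four business days from
the materiality determination for the SEC. "Business day" here is an
assumption meaning Mon-Fri only; US federal holidays are not handled.
"""
from datetime import datetime, timedelta, timezone

GDPR_WINDOW = timedelta(hours=72)
SEC_BUSINESS_DAYS = 4


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Helper so callers can build UTC timestamps without importing datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` weekdays, skipping Saturday and Sunday."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # 0..4 = Mon..Fri
            remaining -= 1
    return current


def gdpr_deadline(detected_at: datetime) -> datetime:
    """72-hour regulator notification window, counted from detection."""
    return detected_at + GDPR_WINDOW


def sec_deadline(materiality_determined_at: datetime) -> datetime:
    """Four business days, counted from the materiality determination, not detection."""
    return add_business_days(materiality_determined_at, SEC_BUSINESS_DAYS)


def notification_plan(detected_at, materiality_determined_at=None) -> dict:
    """Return every deadline the table lists, keyed by recipient."""
    plan = {
        "law_enforcement": detected_at,   # "as early as possible": treat as now
        "gdpr_regulator": gdpr_deadline(detected_at),
    }
    if materiality_determined_at is not None:
        plan["sec"] = sec_deadline(materiality_determined_at)
    return plan


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left until `deadline`; negative means it has already passed."""
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed timestamps: detection on Friday 2024-03-01 10:00 UTC,
    # materiality determined the same evening.
    detected = utc(2024, 3, 1, 10)
    determined = utc(2024, 3, 1, 18)
    for who, when in notification_plan(detected, determined).items():
        print(f"{who:17s} by {when.isoformat()}")
```

Note what a Friday detection does to the GDPR window: 72 hours lands on Monday morning, so the weekend is not slack time. The SEC clock, by contrast, does not start until someone actually makes the materiality call, which is why the playbook says to set those thresholds in advance.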
[[INSIGHT: The instinct to power off an infected machine is the instinct to destroy your own evidence. Isolate it from the network instead. Volatile memory can hold the forensic trail, and sometimes the encryption keys themselves, both gone the moment you shut down.]]
See it in action: the first 60 minutes
The first hour decides how much of your environment stays clean. The scenarios below are illustrative.
Without a plan:
- Staff debate what to do while files keep locking.
- Machines are powered off, destroying evidence.
- The whole network is hit.
With the playbook:
- Isolate: the affected segment is pulled from the network within minutes.
- Preserve: disks are imaged and memory captured before anything changes.
- Activate: the team coordinates on a pre-agreed out-of-band channel.
Key takeaways:
- The first hour of containment decides how much of your environment stays clean.
- Isolate infected systems from the network, but do not power them off.
- Coordinate over an out-of-band channel, never compromised email.
- Preserve evidence before eradicating, and reset all credentials before recovering.
- Know your reporting deadlines in advance: four business days for the SEC, 72 hours under GDPR.
Frequently asked questions
What is the first thing to do in a ransomware attack?
Isolate the affected systems from the network immediately: pull cables, disable Wi-Fi, and kill VPN tunnels. The first hour of containment decides how much of your environment stays clean.
Should we shut down infected machines?
Isolate them from the network rather than powering them off. Volatile memory can hold forensic evidence and sometimes the encryption keys, which are lost on shutdown.
When do we have to report a ransomware incident?
It depends on jurisdiction. US public companies report material incidents to the SEC within four business days of a materiality determination, and GDPR requires notifying regulators within 72 hours. Set your thresholds in advance.
Why reset all credentials before recovering?
Attackers stage secondary and tertiary credentials for persistence. If even one survives, reinfection is almost guaranteed, so reset service accounts, VPN keys, and privileged accounts before reconnecting.