It's 2 AM on a Tuesday. Your phone rings. Your IT manager is panicking — files across the network are being encrypted, servers are inaccessible, and a ransom note demands $2 million in Bitcoin within 72 hours.
What you do in the next 24 hours will determine whether your business survives this attack or becomes another statistic. Ransomware attacks have surged 13% year-over-year, with the average ransom demand now exceeding $1.5 million and total recovery costs averaging $2.73 million.
DO NOT immediately shut down all systems, wipe infected machines, or pay the ransom without expert guidance. These reactive decisions often destroy forensic evidence and worsen the situation.
Ransomware by the Numbers
Hour 0-1: Initial Detection & Containment
1. Confirm the Attack is Real
Before sounding alarms, verify this is actually ransomware:
- Look for ransom notes on desktops or in folders (usually .txt, .html files)
- Check for file extensions changed (.locked, .encrypted, .crypto, random extensions)
- Verify files cannot be opened — corrupted appearance
- Notice unusual system behavior (high CPU, slow performance, popup windows)
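The quick checks above can be scripted so that one analyst can triage a file server or a workstation's home directory in seconds instead of eyeballing folders. The following scanner is an added example written for this article, not tooling from the article itself: it looks for the renamed extensions the list names, for note-like filenames, and for files whose contents no longer look like their type (measured as high byte entropy, which is an assumed proxy for "cannot be opened / corrupted appearance"). The keyword list, the entropy threshold and the set of skipped compressed formats are my own choices and will need tuning for your environment.

```python
"""Triage scan for ransomware indicators on a directory tree (added example)."""
import math
import os
from collections import Counter
from pathlib import Path

# Extensions named in the checklist above. Ransomware that appends a random
# extension will not match here, which is why the entropy test exists too.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypto"}
# Ransom-note filename heuristics (assumed keywords, not a complete catalogue).
NOTE_KEYWORDS = ("decrypt", "restore", "recover", "ransom", "readme")
NOTE_EXTENSIONS = {".txt", ".html"}
# Compressed formats score high on entropy even when healthy; skip them (assumed list).
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff, encrypted data sits near 8.0
SAMPLE_BYTES = 4096      # only the first 4 KiB of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Plain-text or HTML file whose name contains a note-like keyword."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTENSIONS and any(k in name for k in NOTE_KEYWORDS)


def triage_directory(root: str) -> dict:
    """Walk `root` and summarise ransomware indicators.

    Returns counts per suspicious extension, ransom-note candidates,
    high-entropy files and an overall verdict. Read-only: nothing is changed.
    """
    base = Path(root)
    ext_counts: Counter = Counter()
    notes: list[str] = []
    high_entropy: list[str] = []
    total = 0

    for path in base.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        suffix = path.suffix.lower()
        rel = path.relative_to(base).as_posix()
        if suffix in SUSPICIOUS_EXTENSIONS:
            ext_counts[suffix] += 1
        if looks_like_ransom_note(path):
            notes.append(rel)
            continue  # notes are readable text; no point entropy-testing them
        if suffix in ALREADY_COMPRESSED:
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        # Tiny files give unreliable entropy estimates, so require a minimum sample.
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            high_entropy.append(rel)

    flagged = sum(ext_counts.values())
    # Assumed rule: a note, or more than 10% of files renamed, is a strong signal.
    verdict = "likely ransomware" if notes or (total and flagged / total > 0.1) else "no strong indicators"
    return {
        "files_scanned": total,
        "suspicious_extensions": dict(ext_counts),
        "ransom_notes": sorted(notes),
        "high_entropy_files": sorted(high_entropy),
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(triage_directory(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against a mapped share or a user profile from a clean analyst machine; the script only reads file headers, so it neither spreads anything nor alters timestamps beyond access times. A handful of high-entropy hits with no note and no renamed extensions is more likely an archive folder than an attack; many renamed files plus a note is the pattern to escalate on.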
2. ISOLATE — Don't Power Off
The single most important first action: isolate infected systems from the network.
- Disconnect network cables from infected machines
- Disable Wi-Fi adapters
- Segment your network — block infected subnets at firewalls
- Disable shared drives and remove network access
Shutting down loses critical volatile memory (RAM) evidence including encryption keys that might recover your data. Disconnect from network instead — keep machines powered ON.
3. Activate Your Incident Response Team
- CISO/IT Director — Technical lead
- CEO/Owner — Decision authority
- Legal Counsel — Notification obligations
- Communications Lead — Internal/external messaging
- HR Director — Employee coordination
- External IR Firm — Get them on the line immediately
Hour 1-4: Assessment & Expert Engagement
4. Call Cyber Insurance Carrier
If you have cyber insurance, call your carrier first before any major decisions. Why this matters:
- They likely require their approved vendors for IR, negotiation, forensics
- Using unauthorized vendors can void your coverage
- They have 24/7 hotlines with experienced breach coaches
- Pre-approved ransom payment processes if needed
5. Engage Professional Incident Response
Unless you have a deeply experienced internal team, get expert help immediately:
- Incident response firm for containment, forensics, recovery
- Breach coach attorney for legal strategy and privilege protection
- Ransomware negotiator (if payment becomes necessary)
- Public relations firm for high-profile incidents
6. Initial Scope Assessment
Begin understanding the attack's scope:
- How many systems are encrypted?
- What data was potentially accessed or exfiltrated?
- Are backups intact or also encrypted?
- What's the ransomware variant? (Conti, LockBit, BlackCat, etc.)
- How did the attackers get in? (phishing, RDP, vulnerability)
7. Preserve Evidence
Critical for forensics, insurance claims, and law enforcement:
- Screenshot ransom notes and any communications
- Document timeline of detection and observations
- Preserve logs (firewall, AV, EDR, server logs)
- Image affected systems for forensic analysis
- Save sample encrypted files for decryption attempts
Hour 4-12: Notifications & Stabilization
8. Notify Law Enforcement
Report to authorities — this is increasingly required and beneficial:
- FBI: Submit at IC3.gov or call local field office
- CISA: Report at cisa.gov/report (required for critical infrastructure)
- Secret Service: Has cyber fraud task forces nationwide
- State Attorney General: Per state breach laws
The FBI may have decryption keys from previous takedowns. CISA provides technical guidance. Reports help build cases against threat actors. Cooperation is required for many regulatory exemptions.
9. Assess Regulatory Notification Obligations
Depending on data accessed, you may have strict notification deadlines:
- HIPAA: 60 days if PHI involved (see HIPAA guide)
- State breach laws: Vary by state — California requires "expedient" notice
- GDPR: 72 hours if EU residents affected
- SEC: Material incidents within 4 business days for public companies
- Industry-specific: NY DFS (72 hours), FERPA, GLBA
10. Internal Communications
Communicate carefully but transparently with employees:
- Initial announcement: "We're experiencing a cybersecurity incident"
- Do NOT detail the attack technically or speculate
- Provide clear guidance: Don't touch systems, don't discuss externally
- Use out-of-band communication (personal email, phone, Signal)
- Designate single spokesperson for all questions
11. Customer & Stakeholder Communications
Plan communications carefully — premature or wrong messaging causes lasting damage:
- Don't disclose until you have facts
- Coordinate with legal on all external statements
- Have written statements ready for media inquiries
- Update customers on service availability without technical details
- Plan formal breach notifications for affected individuals
Hour 12-24: Strategic Decisions & Recovery Planning
12. The Ransom Decision
Should you pay the ransom? This is one of the hardest decisions in business. Consider:
Arguments Against Paying
- No guarantee of decryption (only 65% receive working keys)
- Funds criminal organizations and terror groups
- Marks you as a willing payer — high repeat attack risk
- Potential OFAC sanctions violations if paying sanctioned groups
- Data may be leaked anyway in double-extortion attacks
Arguments For Paying
- Faster recovery than rebuilding from scratch
- Business survival when no backups exist
- Patient safety in healthcare contexts
- Insurance covers the payment
- Prevents data leak in extortion-only attacks
Paying ransom to sanctioned threat actors can result in massive fines, even if you didn't know they were sanctioned. Always engage a ransomware negotiator who can verify the threat actor.
13. Backup Recovery Assessment
Determine if backups are viable:
- Verify backup integrity — are they encrypted or corrupted?
- Check air-gapped/offline backups first (most likely safe)
- Test restoration in isolated environment before mass recovery
- Determine RPO — how much data loss is acceptable?
- Estimate RTO — how long will full recovery take?
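Working through the checklist above by hand for dozens of backup jobs is error-prone, and the question that matters most (which snapshot is both intact and older than the intrusion) is easy to get wrong under pressure. The following assessment is an added example, not the article's own method: it takes a catalogue of snapshots with their expected hashes, checks offline copies first, marks anything taken after the intrusion began as suspect (the article's warning that attackers often compromise backups weeks ahead of encryption), then reports the newest verified-intact snapshot and the data-loss window it implies against your RPO target. The catalogue format and the `attack_start` timestamp from the forensic timeline are my assumptions.

```python
"""Backup viability and RPO assessment (added example)."""
import hashlib
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_snapshot(snap: dict, attack_start: datetime) -> str:
    """intact | suspect | corrupted | missing for one catalogue entry."""
    p = Path(snap["path"])
    if not p.is_file():
        return "missing"
    if sha256_file(p) != snap["expected_sha256"]:
        return "corrupted"   # differs from the catalogue: encrypted, truncated or tampered
    if parse_utc(snap["taken_utc"]) >= attack_start:
        return "suspect"     # taken inside the intrusion window; may carry footholds
    return "intact"


def assess_backups(catalog: list[dict], attack_start_utc: str,
                   detection_utc: str, rpo_target_hours: float) -> dict:
    """Pick the newest intact pre-intrusion snapshot and compute the loss window.

    catalog entries (assumed layout):
      {"id", "taken_utc", "storage": "offline"|"online", "path", "expected_sha256"}
    """
    attack_start = parse_utc(attack_start_utc)
    detection = parse_utc(detection_utc)
    # Offline/air-gapped copies are verified first: they are the likeliest to be clean.
    ordered = sorted(catalog, key=lambda s: (s["storage"] != "offline", s["taken_utc"]))
    statuses = {s["id"]: classify_snapshot(s, attack_start) for s in ordered}
    intact = [s for s in ordered if statuses[s["id"]] == "intact"]
    if not intact:
        return {"statuses": statuses, "recommended": None,
                "data_loss_hours": None, "meets_rpo_target": False}
    # Among verified-intact snapshots the newest loses the least data.
    best = max(intact, key=lambda s: parse_utc(s["taken_utc"]))
    loss_hours = (detection - parse_utc(best["taken_utc"])).total_seconds() / 3600
    return {
        "statuses": statuses,
        "recommended": best["id"],
        "data_loss_hours": round(loss_hours, 1),
        "meets_rpo_target": loss_hours <= rpo_target_hours,
    }
```

A "suspect" result does not mean the snapshot is useless; it means it must be restored only into an isolated environment and examined for persistence before any production use, exactly the test-before-mass-recovery step above. If every snapshot comes back suspect or corrupted, that finding belongs in front of the decision-makers before the ransom conversation in the next section.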
14. Develop Recovery Strategy
Build a phased recovery plan:
- Phase 1: Restore critical business functions (24-72 hours)
- Phase 2: Recover important but non-critical systems (1-2 weeks)
- Phase 3: Complete restoration and validation (2-4 weeks)
- Phase 4: Post-incident hardening (ongoing)
15. Begin Forensic Investigation
Understanding the attack is crucial for recovery and prevention:
- Identify initial access vector (phishing, RDP, vulnerability)
- Map lateral movement across the network
- Determine data exfiltration — what was stolen?
- Identify persistence mechanisms attackers may have planted
- Find all infected systems — including dormant footholds
Critical Mistakes to Avoid
1. Wiping Infected Systems Too Soon
You destroy forensic evidence, decryption keys in memory, and clues about the attack scope.
2. Restoring from Compromised Backups
Many attackers compromise backups weeks before deploying ransomware. Restoring without verification reinfects you.
3. Communicating on Compromised Channels
Attackers may be monitoring your email and Teams. Use out-of-band communication exclusively during response.
4. Premature Public Disclosure
Saying too much too early creates legal exposure, contradicts later facts, and damages stakeholder trust.
5. Negotiating Without Expert Help
Inexperienced negotiation increases ransom demands, signals desperation, and may violate sanctions laws.
6. Skipping Legal Counsel
Attorney-client privilege protects forensic findings. Without legal involvement, your investigation becomes discoverable in lawsuits.
7. Forgetting About Compliance
Regulatory deadlines start ticking from discovery. Missing notification windows compounds the disaster with regulatory penalties.
Essential Contacts to Have Ready
Build this contact list before you need it:
- Incident Response Firm — 24/7 hotline number
- Cyber Insurance Carrier — Claims hotline
- Breach Coach Attorney — Legal counsel
- FBI Cyber Division — Local field office
- CISA — Federal coordination
- Public Relations Firm — Crisis communications
- Ransomware Negotiator — If payment considered
- Forensic Imaging Service — Evidence preservation
After the Crisis: Prevention is Everything
The first 24 hours are about survival. The next 24 weeks are about ensuring it never happens again:
- Immutable backups stored offline/air-gapped
- Endpoint Detection & Response (EDR) on every device
- Multi-Factor Authentication (MFA) everywhere
- Email security gateway with advanced threat protection
- Network segmentation to prevent lateral movement
- Regular vulnerability scanning and patching
- Security awareness training for all employees
- Tested incident response plan with annual tabletop exercises
- Cyber insurance with adequate coverage limits
- Zero Trust architecture implementation
The organizations that recover quickly from ransomware are those that prepared before the attack. Build your incident response plan, test it regularly, and establish relationships with IR firms before you need them at 2 AM.
Conclusion
A ransomware attack is one of the most stressful events any business can face. The pressure to make quick decisions, restore operations, and protect the company is immense. But the choices made in those first 24 hours have cascading effects for months and years.
The playbook is clear: isolate, don't shut down. Get experts, don't go it alone. Document everything. Communicate carefully. Make strategic decisions, not panic responses.
Most importantly, remember that preparation is your best defense. Every dollar spent on prevention, backup integrity, and incident response readiness saves $10 to $100 in recovery costs. The best time to prepare for a ransomware attack was yesterday. The second best time is now.