
Ransomware Response: What to Do in the First 24 Hours

When ransomware strikes, every minute counts. This practical guide covers the critical steps to take in the first 24 hours to contain damage and begin recovery.

10 min read. By Phillip Williams

The first sign is rarely a ransom note. It is a help desk ticket. A file that will not open. A shared drive that suddenly looks “corrupted.” Then the ransom demand appears and the room gets quiet.

What happens in the first 24 hours determines whether this becomes a contained incident or a prolonged business failure. The goal is simple: stop the spread, preserve evidence, scope impact, and begin recovery in a way that does not reintroduce the attacker.

This guide is practical, not exhaustive. If you have cyber insurance, legal counsel, or a retained incident response partner, involve them early. For external references, CISA’s ransomware resources are a good starting point: StopRansomware.gov.

Hour 0 to 1: confirm and start containment

The clock starts when you suspect ransomware. Your first objective is to confirm the symptoms and stop further spread.

  • Confirm indicators: ransom notes, widespread file extension changes, encryption symptoms on multiple systems, disabled security tools, unusual admin activity.
  • Document immediately: screenshots, filenames, timestamps, and initial observations.
  • Activate the incident response team: IT, security, leadership, legal, and communications.

Hour 1 to 4: isolate systems and preserve evidence

Containment is about reducing blast radius. Evidence preservation is about enabling investigation, insurance, and recovery decisions.

  • Isolate affected systems: disconnect them from the network (pull the cable, disable the switch port or Wi-Fi) rather than powering them off. A hard shutdown destroys volatile evidence such as running processes, network connections, and memory contents. Avoid any action that destroys forensic evidence unless you are coordinating with IR and forensics.
  • Control privileged access: disable or reset the accounts the attacker is known to have used, including service accounts, and limit admin logins to systems you know are clean.
  • Preserve logs and artifacts: firewall, proxy, identity, endpoint, and server logs. Copy them to storage the attacker cannot reach and record hashes so you can later show they are unchanged. Capture the ransom note content exactly, byte for byte, not retyped.

Hour 4 to 8: scope impact and communicate

Once spread is slowed, you need a clearer picture. Which systems are impacted? Are backups intact? Is there any sign of data exfiltration?

  • Scope encryption: affected servers, endpoints, identity systems, and critical applications.
  • Assess business impact: what services are down and what must resume first.
  • Communicate internally: give staff clear instructions and a single path for questions. Avoid speculation.

External notification depends on your context. If you have cyber insurance, notify early. If personal information is involved, you may have regulatory obligations. Coordinate messaging with legal and leadership.

Hour 8 to 16: recovery planning (do not rebuild into the same compromise)

Recovery decisions are where incidents get expensive. The temptation is to “restore quickly.” The risk is restoring into an environment where the attacker still has access.

Most organizations choose one of these paths:

  1. Restore from clean backups: confirm that the backup copies themselves are not encrypted or deleted, that the recovery point predates the intrusion and not merely the encryption (a backup taken after initial access can carry the attacker's persistence with it), and test-restore a sample before committing to this path.
  2. Rebuild from scratch: if backups are compromised or unusable, rebuild core systems and accept some loss.
  3. Consider ransom decisions carefully: consult legal counsel and your insurer. Payment does not guarantee recovery and can introduce legal and operational risk.
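The confirm-indicators step at Hour 0 to 1, the scope-encryption step at Hour 4 to 8, and the backup validation in option 1 above all reduce to the same question: which files under a given tree look encrypted? The scanner below is an added example, not the page's or TechSlayers' own code. It walks a directory, flags ransom-note-like filenames, and flags files whose bytes are near-random (Shannon entropy of the file head close to 8 bits per byte) unless their header matches a known compressed format, which is high-entropy anyway; a file whose extension is known but whose header is wrong is flagged outright, which catches in-place encryption that keeps the filename. Pointed at a backup mount it gives a quick encrypted-file ratio for a recovery point. The note-name regex, the magic-byte table, the 7.5-bit threshold, and the sample files are assumptions; tune them for your environment and treat the output as triage, not proof.

```python
"""Triage scanner for ransom notes and encrypted-looking files.

Added example, not TechSlayers code. Name patterns, magic table and
entropy threshold are assumptions chosen for illustration.
"""
import math
import os
import re
from collections import Counter
from pathlib import Path

# Filename fragments commonly used for ransom notes (assumed list; extend as needed).
NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|how_to|recover).*\.(txt|html|hta)$", re.I)

# Header bytes for a few common types. A matching header means high entropy is
# expected (compressed formats), so the file is not flagged; a known extension
# with the wrong header is the signature of in-place encryption.
MAGIC = {
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; documents sit well below, ciphertext near 8.0
SAMPLE_BYTES = 65536     # read only the head of each file to keep the scan fast
MIN_SAMPLE = 1024        # too little data makes the entropy estimate meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'note', 'encrypted' or 'clean' for one file."""
    if NOTE_PATTERN.search(path.name):
        return "note"
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None and head.startswith(expected):
        return "clean"  # header matches its extension; high entropy is normal
    if expected is not None and len(head) >= len(expected):
        return "encrypted"  # known type, wrong header: name kept, content replaced
    if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"  # unknown type, near-random bytes
    return "clean"


def scan(root) -> dict:
    """Walk root and summarise notes, encrypted-looking files and extension tallies."""
    root = Path(root)
    result = {"notes": [], "encrypted": [], "clean": 0, "extensions": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                kind = classify(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            result["extensions"][p.suffix.lower()] += 1
            rel = p.relative_to(root).as_posix()
            if kind == "note":
                result["notes"].append(rel)
            elif kind == "encrypted":
                result["encrypted"].append(rel)
            else:
                result["clean"] += 1
    return result


def encrypted_ratio(result: dict) -> float:
    """Fraction of non-note files that look encrypted (0.0 if nothing was scanned)."""
    total = len(result["encrypted"]) + result["clean"]
    return len(result["encrypted"]) / total if total else 0.0


if __name__ == "__main__":
    import sys

    r = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("notes:", r["notes"])
    print(f"encrypted-looking: {len(r['encrypted'])} of "
          f"{len(r['encrypted']) + r['clean']} ({encrypted_ratio(r):.0%})")
    print("top extensions:", r["extensions"].most_common(5))
```

The extension tally is the fastest tell during scoping: a sudden, uniform new suffix across a share is hard to explain any other way. Run the same scan against each backup recovery point, oldest first; the first point with a near-zero ratio and no notes is a candidate, but it still has to be checked against the intrusion timeline, not just the encryption date.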

Hour 16 to 24: begin phased recovery and monitor

Recovery should be phased and validated. Bring back monitoring and security controls early so you can detect persistence and reinfection attempts.

  1. Core infrastructure: identity, DNS, core networking dependencies.
  2. Security tooling: visibility first, then production workloads.
  3. Critical applications: restore based on business priority and dependency order.
  4. User access: endpoints and shared drives once core systems are stable and monitored.

As systems return, monitor closely. Attackers often maintain persistence. Validate integrity, watch for unusual admin activity, and keep documenting decisions and timelines.

After 24 hours: investigation, notifications, and prevention

The crisis may stabilize after the first day, but the work continues: forensics, required notifications, stakeholder communications, and a plan to prevent recurrence.

If you suspect ransomware activity or need rapid scoping, start with Compromise Assessment. To reduce dwell time and improve early detection, explore Managed Threat Detection. For continuous validation between incidents, Senthrex delivered through Red Team Suite helps you test posture as it changes.


Written by

Phillip Williams

Co-Founder & CTO

Phillip Williams is a Google Hall of Fame hacker and veteran security engineer. He has discovered critical vulnerabilities across global platforms and holds multiple patents in streaming and microservice infrastructure. He has founded and scaled several cybersecurity startups and built systems that protect millions of users worldwide. At TechSlayers, he leads architecture and product innovation, designing technology that makes isolation fast, invisible, and secure.