First 72 Hours After a Ransomware Attack: What to Do
The actions you take in the first 72 hours after a ransomware attack will determine whether your organization recovers in days or months. This is your hour-by-hour playbook.
Hour 0–1: Immediate Response
The most critical 60 minutes
DO NOT Pay Immediately
Resist the urge to pay the ransom immediately. Paying without investigation means you won't know what data was stolen, how attackers got in, or whether they left backdoors for re-entry. You need information before making any payment decisions.
DO NOT Shut Down Systems
Powering off systems destroys volatile memory that contains critical forensic evidence — active network connections, running processes, encryption keys, and attacker tools. Disconnect from the network instead.
Immediate Actions
- Disconnect affected systems from the network
Unplug Ethernet cables and disable Wi-Fi. Do not power off. This stops lateral movement while preserving evidence.
- Document the ransom note
Photograph ransom screens with a phone. Note the ransomware name, payment amount, deadline, contact instructions, and any unique identifiers.
- Activate your incident response team
Call your IR lead, CISO, and legal counsel. If you have an IR retainer, activate it now.
- Establish out-of-band communications
Assume attackers can read your email and Slack. Use personal cell phones, Signal, or a separate communication channel they don't have access to.
Hours 1–4: Containment & Assessment
Stop the bleeding, assess the damage
Scope the Impact
- Identify which systems are encrypted vs. still clean
- Isolate network segments to prevent further spread
- Check backup integrity — are backups accessible and unencrypted?
- Preserve forensic evidence — create disk images before any recovery attempts
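One way to scope which files on a share are encrypted vs. still clean, as an added example that is not part of the original playbook: it flags files whose leading bytes are near-random (the signature of ciphertext) while excluding formats that are legitimately high-entropy. The entropy threshold, the magic-byte list and the sample file heads are assumptions constructed for illustration.

```python
import math
from collections import Counter
from pathlib import Path
# Thresholds are assumptions for this example, not values from the playbook.
ENTROPY_THRESHOLD = 7.5  # bits per byte; output of a modern cipher sits near 8.0
SAMPLE_SIZE = 4096       # bytes read from the head of each file
# Magic bytes of legitimately high-entropy formats (illustrative, not exhaustive).
COMPRESSED_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"%PDF")
# Constructed file heads standing in for a share: text, a PNG-like file, and a
# '.locked' file whose bytes are uniformly distributed (entropy exactly 8.0).
SAMPLE_HEADS = {
    "finance/notes.txt": b"quarterly report text " * 200,
    "finance/logo.png": b"\x89PNG" + bytes(range(256)) * 16,
    "finance/report.docx.locked": bytes(range(256)) * 16,
}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(head: bytes) -> bool:
    """True when a file head is near-random and not a known compressed format."""
    return not head.startswith(COMPRESSED_MAGIC) and shannon_entropy(head) >= ENTROPY_THRESHOLD

def classify(heads: dict) -> dict:
    """Count likely-encrypted files per extension from {path: first bytes}. One
    unfamiliar extension dominating the encrypted set is the usual signature of a
    ransomware run; record it with the ransom note when looking up the variant."""
    encrypted, clean = Counter(), 0
    for path, head in heads.items():
        if looks_encrypted(head):
            encrypted[Path(path).suffix.lower() or "<none>"] += 1
        else:
            clean += 1
    return {"encrypted": dict(encrypted), "clean": clean, "total": len(heads)}

def scan_tree(root: str) -> dict:
    """Read the head of every readable file under root and classify it."""
    heads = {}
    for p in Path(root).rglob("*"):
        try:
            if p.is_file():
                with open(p, "rb") as fh:
                    heads[str(p)] = fh.read(SAMPLE_SIZE)
        except OSError:
            continue  # unreadable entry: skip it rather than abort the triage
    return classify(heads)
```

Run `scan_tree` against a mounted, read-only copy of a share; it reads only the first 4 KiB of each file, so it is cheap enough to run across a large volume while evidence is being preserved.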
Identify & Notify
- Identify the ransomware variant (check ransom note, file extensions, encrypted file headers)
- Check for free decryptors at nomoreransom.org and vendor resources
- Notify your cyber insurance carrier immediately — most policies have 24–72 hour notification windows
Hours 4–12: Investigation
Understand what happened and what's at stake
Forensic Investigation
- Engage a forensics firm
Your insurance carrier likely has a pre-approved panel. Use them to avoid coverage disputes later.
- Determine initial access vector
How did the attackers get in? Common vectors include phishing emails, exploited VPN/RDP vulnerabilities, compromised credentials, and supply chain attacks.
- Assess data exfiltration risk
Over 70% of ransomware attacks now involve data exfiltration before encryption (double extortion). Check for large outbound data transfers, staging directories, and cloud storage uploads in your logs.
- Map the attack timeline
Determine when initial compromise occurred, lateral movement began, and encryption was triggered. The average dwell time before ransomware deployment is 5–7 days.
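An added example, not code from the original playbook, of the exfiltration check described above run over constructed proxy-log lines: it flags hosts uploading to bulk-storage destinations, large transfers during off-hours, and hosts whose outbound volume far exceeds a per-host baseline. The log format, baselines, domain list, off-hours window and thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in a simplified, space-separated proxy-log format
# (UTC timestamp, source host, destination, bytes sent); not a real product's format.
SAMPLE_LOG = """\
2024-03-02T01:12:09Z fileserver01 mega.nz 4831234567
2024-03-02T01:40:51Z fileserver01 mega.nz 3912345678
2024-03-02T09:05:13Z ws-finance-07 crm.example.com 1843002
2024-03-02T09:07:40Z ws-finance-07 mail.example.com 220113
2024-03-02T22:15:02Z dc01 update.example.com 5120000
2024-03-03T02:03:44Z dc01 transfer.sh 2250000000
"""
# Constructed per-host outbound baselines (bytes) for a comparable window.
BASELINE = {"fileserver01": 50_000_000, "ws-finance-07": 5_000_000, "dc01": 20_000_000}
# Illustrative bulk-upload destinations; tune to your environment and allow-list
# providers your organisation sanctions.
CLOUD_STORAGE_DOMAINS = {"mega.nz", "transfer.sh", "anonfiles.com"}
OFF_HOURS = range(0, 6)        # 00:00-05:59 UTC, an assumption for this example
LARGE_TRANSFER = 100_000_000   # bytes in one connection worth a closer look

def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def flag_exfiltration(text, baseline, multiple=10):
    """Return {src_host: [reasons]} for hosts whose outbound traffic is suspicious:
    uploads to a known cloud-storage destination, a large transfer during off-hours,
    or total volume above `multiple` x baseline (no baseline: no volume check)."""
    totals, reasons = defaultdict(int), defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        totals[src] += nbytes
        if dst in CLOUD_STORAGE_DOMAINS:
            reasons[src].append(f"upload of {nbytes} bytes to cloud storage {dst}")
        if nbytes >= LARGE_TRANSFER and ts.hour in OFF_HOURS:
            reasons[src].append(f"{nbytes} bytes at {ts:%Y-%m-%d %H:%M} UTC (off-hours)")
    for src, total in totals.items():
        base = baseline.get(src, 0)
        if base and total > multiple * base:
            reasons[src].append(f"total {total} bytes exceeds {multiple}x baseline {base}")
    return dict(reasons)
```

Hosts flagged here become the starting point for the forensics firm: their staging directories and the exact connections listed in the reasons are what to image and preserve first.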
Legal & Regulatory
- Determine regulatory obligations based on data types involved (PII, PHI, financial data)
- Engage legal counsel under privilege — all communications through counsel may be protected
- Begin mapping state breach notification requirements if personal data was compromised
Hours 12–24: Strategic Decisions
Pay or don't pay — the critical decision
Payment Decision Framework
The decision to pay a ransom is complex and should involve legal counsel, insurance, law enforcement input, and a clear-eyed assessment of your alternatives. Consider these factors:
Factors favoring NOT paying
- Viable backups exist and are verified clean
- Free decryptor is available for the variant
- Threat actor is on OFAC sanctions list (paying is illegal)
- No evidence of data exfiltration
Factors favoring payment
- No viable backups, business-critical systems down
- Life-safety systems impacted (healthcare, infrastructure)
- Confirmed data exfiltration with leak threat
- Insurance covers ransom payment
If Paying
- Engage professional ransom negotiators — they achieve average reductions of 60–70%
- Verify OFAC compliance before any payment
- Coordinate with insurance — most cyber policies cover ransom payments
- Test decryptor on non-critical systems first
If Not Paying
- Begin recovery from verified clean backups immediately
- Prioritize systems by business criticality for restoration order
- Prepare for potential data leak if exfiltration occurred
- Preserve encrypted systems as evidence
Notify Law Enforcement
Regardless of payment decision, report the attack to law enforcement. They may have decryption keys from prior investigations or intelligence on the threat actor group.
- FBI IC3 — ic3.gov — file a complaint for cyber crime
- CISA — cisa.gov/report — report ransomware incidents
- Local FBI Field Office — for in-person coordination on major incidents
Hours 24–48: Recovery
Rebuild and restore operations
System Recovery
- Rebuild from clean images
Do not simply decrypt and continue using compromised systems. Rebuild from known-good images to eliminate any backdoors or persistence mechanisms.
- Restore from verified backups
Scan backups for malware before restoring. Verify backup dates predate the initial compromise, not just the encryption event.
- Reset ALL credentials
Every password, API key, service account, and certificate should be rotated. Attackers typically harvest credentials during the dwell period. Include Active Directory, cloud services, VPN, and application accounts.
- Patch the initial access vector
Before bringing systems back online, close the door the attackers used to get in. Apply patches, disable compromised accounts, and update firewall rules.
- Deploy enhanced monitoring
Increase logging and monitoring across all systems. Deploy EDR on all endpoints. Watch for indicators of compromise from the forensic investigation.
Hours 48–72: Stabilization
Verify recovery and begin notifications
Validate & Monitor
- Validate all restored systems are functioning correctly
- Bring systems back online gradually in priority order
- Monitor closely for persistence mechanisms or re-infection
- Verify data integrity after restoration
Notifications & Documentation
- Begin breach notifications if personal data was compromised
- Document everything for insurance claims — timeline, costs, decisions, communications
- Prepare internal and external communications
- Schedule post-incident review for lessons learned
Critical Mistakes to Avoid
These common errors can turn a recoverable incident into a catastrophe.
Paying Without Investigation
Paying immediately without understanding the scope means you may pay for a decryptor while attackers still have access and stolen data. Always investigate first.
Using Compromised Channels
Communicating response plans over corporate email or Slack that attackers may be monitoring lets them adjust tactics, increase demands, or accelerate data leaks.
Destroying Evidence
Wiping systems, rebooting servers, or running antivirus before forensic imaging destroys critical evidence needed for investigation, insurance claims, and legal proceedings.
Assuming Backups Are Clean
Attackers often compromise backups before deploying ransomware. Always verify backup integrity and scan for malware before restoring. Check that backup dates predate initial access.
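Restoring from verified backups (Hours 24–48) and the mistake of assuming backups are clean both come down to the same check, shown here as an added example that is not part of the original playbook: select only snapshots that predate initial access, not merely the encryption event, and confirm each archive's digest against an offline catalogue before restoring. The timeline, archive bytes and catalogue are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Backup:
    name: str
    taken_at: datetime  # when the snapshot was captured (UTC)
    sha256: str         # digest recorded in the offline backup catalogue

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def select_restore_candidates(backups, initial_access, encryption_event):
    """Return snapshots safe to restore from, newest first.

    Only snapshots taken strictly before initial access qualify: anything
    captured between initial access and the encryption event was taken while
    the attacker was already inside and may carry their persistence tooling,
    even though its files are not yet encrypted.
    """
    if encryption_event < initial_access:
        raise ValueError("encryption event precedes initial access; re-check the timeline")
    safe = [b for b in backups if b.taken_at < initial_access]
    return sorted(safe, key=lambda b: b.taken_at, reverse=True)

def verify_integrity(backup: Backup, archive: bytes) -> bool:
    """Compare the archive bytes with the catalogued digest before any restore."""
    return sha256_hex(archive) == backup.sha256

# Constructed timeline and catalogue: the attacker entered on 26 Feb and
# triggered encryption on 2 Mar, so the 28 Feb and 1 Mar snapshots are unsafe.
INITIAL_ACCESS = datetime(2024, 2, 26, 14, 0, tzinfo=timezone.utc)
ENCRYPTION_EVENT = datetime(2024, 3, 2, 1, 0, tzinfo=timezone.utc)
ARCHIVES = {  # archive name -> bytes (tiny stand-ins for real backup archives)
    "weekly-2024-02-18": b"weekly snapshot 2024-02-18",
    "daily-2024-02-25": b"daily snapshot 2024-02-25",
    "daily-2024-02-28": b"daily snapshot 2024-02-28",
    "daily-2024-03-01": b"daily snapshot 2024-03-01",
}
CATALOGUE = [
    Backup(name, datetime(*map(int, name[-10:].split("-")), tzinfo=timezone.utc), sha256_hex(data))
    for name, data in ARCHIVES.items()
]
```

The digest check catches tampering or corruption of the archive; scanning the selected snapshot for malware before restoring remains a separate step.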
Missing Insurance Window
Most cyber insurance policies require notification within 24–72 hours. Missing this window can void your coverage entirely — potentially millions of dollars in lost benefits.
Going It Alone
Attempting to handle a ransomware incident without experienced IR professionals, legal counsel, and negotiation experts is a false economy: the cost of expert help is a fraction of the cost of mistakes.