The first three days after a ransomware incident are the difference between a manageable recovery and a business-ending event. Here's the sequence we use.
Before you do anything else
Stop. Breathe. Don't panic-click. Most of the catastrophic outcomes from a ransomware event come from decisions made in the first 30 minutes — usually by a well-meaning IT person trying to make the problem go away. Slow down.
If you're reading this in the middle of an active incident, skip ahead to the checklist. We can be reached at [email protected].
Hour 0–4: Contain
- Disconnect, don't power off. Pulling network cables (or disabling WiFi) stops lateral movement and outbound communication. Powering off destroys volatile memory that is often essential for forensic investigation. Disconnect first; preserve power.
- Isolate by segment, not by device. If you don't know exactly how far it spread, assume it's everywhere. Cut whole VLANs.
- Identify the strain if possible. The ransom note usually identifies it. Knowing the strain tells you about known TTPs (tactics, techniques, procedures), known decryptors (rare but they exist), and known data-exfiltration patterns.
- Preserve evidence. Don't reimage, don't wipe, don't "just see if it works" by rebooting. The compromised systems are evidence — for your insurer, for law enforcement, and for your own root-cause analysis.
Hour 4–24: Assess
- Call your cyber insurer. They have a process. Many require you to use approved IR (incident response) firms. Not calling them can void coverage.
- Engage legal counsel. Ransomware now usually involves data exfiltration as well as encryption. That has notification requirements that vary by state, industry, and the type of data involved.
- Inventory the damage. What's encrypted? What was exfiltrated (check egress traffic logs)? What's still clean? What can you confirm is backed up offline?
- Decide on communication. Internal first (employees need to know what to do). Then customer-facing if business operations are disrupted. Then regulator/notification if required. Coordinate with legal.
- Do NOT pay yet. Even if you ultimately decide to pay, paying in hour 6 is almost always premature. Recovery from backups is often faster than decryption, and the decryptors don't always work.
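The "inventory the damage" step asks you to check egress traffic logs for signs of exfiltration. The script below is an added illustration of that triage, not part of the original post: it sums outbound bytes per internal host and external destination inside the incident window, skips destinations the business already knows about, and reports anything over a volume threshold. The log format, the allowlist, the threshold and the sample lines are all constructed for the example and stand in for whatever your firewall or proxy actually exports.

```python
"""Triage egress (outbound) traffic logs for possible data exfiltration.

Constructed example: the log format, field names, allowlist, threshold and
sample lines are made up for illustration and not taken from any product.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample egress log lines:
# timestamp  internal-source  external-destination  dst-port  bytes-out
SAMPLE_LOG = """\
2024-05-01T22:14:03Z 10.20.5.17 203.0.113.9 443 52428800
2024-05-01T22:16:41Z 10.20.5.17 203.0.113.9 443 734003200
2024-05-01T09:03:10Z 10.20.5.40 198.51.100.20 443 120000
2024-05-01T23:02:55Z 10.20.7.8 198.51.100.77 22 2147483648
2024-05-01T11:45:00Z 10.20.5.40 192.0.2.10 443 9000000
"""

# Destinations the business knows about (backup provider, SaaS, ...).
# Constructed for the example; build yours from asset/vendor records.
KNOWN_GOOD = {ip_network("198.51.100.16/28")}

INTERNAL = ip_network("10.0.0.0/8")
# Flag any (host, destination, port) that sent more than this during the
# window. 100 MiB is an arbitrary starting point; tune to normal traffic.
THRESHOLD_BYTES = 100 * 1024 * 1024


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def is_known_good(dst):
    return any(dst in net for net in KNOWN_GOOD)


def find_exfil_candidates(log_text, window_start, window_end,
                          threshold=THRESHOLD_BYTES):
    """Sum outbound bytes per (src, dst, port) inside the incident window,
    ignoring allowlisted destinations, and return pairs over the threshold
    sorted by volume (largest first)."""
    totals = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the triage
        if not (window_start <= rec["ts"] <= window_end):
            continue
        if rec["src"] not in INTERNAL or rec["dst"] in INTERNAL:
            continue  # only internal -> external flows count as egress
        if is_known_good(rec["dst"]):
            continue
        key = (str(rec["src"]), str(rec["dst"]), rec["port"])
        totals[key] += rec["bytes"]
        first_seen.setdefault(key, rec["ts"])
    findings = [
        {"src": k[0], "dst": k[1], "port": k[2], "bytes": v,
         "first_seen": first_seen[k].isoformat()}
        for k, v in totals.items() if v > threshold
    ]
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


def triage_sample():
    """Run the triage over the constructed sample for the day of 2024-05-01."""
    return find_exfil_candidates(SAMPLE_LOG,
                                 datetime(2024, 5, 1), datetime(2024, 5, 2))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['src']} -> {f['dst']}:{f['port']}  "
              f"{f['bytes'] / 2**20:.0f} MiB  first seen {f['first_seen']}")
```

The two flagged flows in the sample (a 2 GiB transfer over port 22 late at night, and 750 MiB to a single unknown address) are the kind of result that feeds the legal and notification decisions in the next two bullets; the allowlisted backup-provider traffic and the small, routine flows drop out of the list. Keep the raw logs that produced the findings: they are evidence, like the encrypted hosts.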
Day 1–3: Recover
- Verify backups are clean and isolated. Many ransomware variants specifically target backup systems. Verify your backups are intact, immutable, and from a date before the initial compromise.
- Rebuild in a clean environment. Don't restore into the same infrastructure that was compromised. Stand up clean Active Directory, clean DNS, clean network segments — then restore data into them.
- Reset all credentials. Every password, every service account, every API key, every certificate that might have been on a compromised system. Yes, all of them.
- Hunt for persistence. Ransomware operators typically maintain persistence for weeks before detonating. Restoring without finding their backdoors gets you re-encrypted in three weeks.
- Document everything. Timeline, decisions, actions, costs. This is your evidence for insurance, for regulators, and for your own future planning.
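"Verify backups are clean and isolated" breaks down into three checks: the snapshot predates the initial compromise, its immutability lock is still in force, and its contents still match what was recorded when it was taken. The script below is an added example of those checks and is not code from the original post or from any backup product: the catalogue format, field names, incident dates and sample entries are constructed, and the archive contents are inlined as bytes so it runs offline. A real run would read the same facts (snapshot time, retention lock, recorded hash) from the backup system's API and hash the actual restored data.

```python
"""Check that a backup set is usable for recovery before restoring from it.

Constructed example: catalogue layout, field names, dates and contents are
made up for illustration; they are not any vendor's format.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup catalogue. Each entry records when the snapshot was
# taken, when its retention (immutability) lock expires (None = never
# locked), the content hash recorded at backup time, and the bytes a
# restore would read back now.
GOOD_BLOB = b"customer-db dump 2024-04-20\n"
CATALOGUE = [
    {"id": "snap-0420", "taken": "2024-04-20T02:00:00Z",
     "lock_until": "2025-04-20T02:00:00Z",
     "sha256": sha256_hex(GOOD_BLOB), "data": GOOD_BLOB},
    {"id": "snap-0428", "taken": "2024-04-28T02:00:00Z",
     "lock_until": "2025-04-28T02:00:00Z",
     "sha256": sha256_hex(b"customer-db dump 2024-04-28\n"),
     "data": b"customer-db dump 2024-04-28\n"},   # taken after compromise
    {"id": "snap-0415", "taken": "2024-04-15T02:00:00Z",
     "lock_until": None,
     "sha256": sha256_hex(b"customer-db dump 2024-04-15\n"),
     "data": b"customer-db dump 2024-04-15\n"},   # never locked
    {"id": "snap-0418", "taken": "2024-04-18T02:00:00Z",
     "lock_until": "2025-04-18T02:00:00Z",
     "sha256": sha256_hex(b"customer-db dump 2024-04-18\n"),
     "data": b"customer-db dump 2024-04-18\n.ENCRYPTED"},  # contents altered
]


def parse_ts(s):
    """Parse the catalogue's UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_snapshot(entry, compromise_time, now):
    """Return (ok, reasons) for one entry; an empty reason list means usable."""
    reasons = []
    if parse_ts(entry["taken"]) >= compromise_time:
        reasons.append("taken after the estimated initial compromise")
    if entry["lock_until"] is None:
        reasons.append("no immutability lock; could have been altered")
    elif parse_ts(entry["lock_until"]) <= now:
        reasons.append("immutability lock has expired")
    if sha256_hex(entry["data"]) != entry["sha256"]:
        reasons.append("content hash does not match the recorded hash")
    return (not reasons, reasons)


def choose_restore_point(catalogue, compromise_time, now):
    """Pick the newest snapshot that passes every check.
    Returns (snapshot id or None, {id: [reasons it failed]})."""
    report = {}
    candidates = []
    for e in catalogue:
        ok, reasons = assess_snapshot(e, compromise_time, now)
        report[e["id"]] = reasons
        if ok:
            candidates.append(e)
    if not candidates:
        return None, report
    newest = max(candidates, key=lambda e: parse_ts(e["taken"]))
    return newest["id"], report


def demo():
    """Constructed timeline: first attacker activity seen 2024-04-25,
    assessment performed on 2024-05-02."""
    compromise = datetime(2024, 4, 25, tzinfo=timezone.utc)
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    return choose_restore_point(CATALOGUE, compromise, now)


if __name__ == "__main__":
    chosen, report = demo()
    for sid, reasons in report.items():
        print(sid, "OK" if not reasons else "; ".join(reasons))
    print("restore from:", chosen)
```

Note which way the failures point: the newest snapshot is rejected because it was taken after the attacker was already inside, the unlocked one because nothing stopped a compromised production account from altering it, and the tampered one because its hash no longer matches. The "compromise time" input is the weak link in this check; if the persistence hunt in the next step pushes that date earlier, rerun the assessment rather than trusting the first answer.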
What we wish every business did before an incident
- Immutable, off-network backups. Not just "cloud" — backups that cannot be deleted or encrypted by any compromise of your production environment.
- Tested restore. Every backup is Schrödinger's restore until you've actually performed one.
- Incident response runbook. Written down. Approved. Distributed. Not in the head of one person who is on vacation.
- Out-of-band communication. If your email and Teams are encrypted, how do you talk to each other? Have an answer before you need it.
- Cyber insurance with adequate coverage. Read the exclusions. Update the policy when the business changes.
We do incident response engagements as well as proactive preparation. More on cybersecurity services here.
Need help with this in your business? Contact CCRAMM Technical Services — we respond to inquiries within one business day.