CDA Operations
March 5, 2026
When ransomware hits, the first 60 minutes determine whether you contain the incident or watch it spread across your entire environment. This guide covers the essential actions your team should take, in order, from the moment you detect encryption activity.
Minute 0-5: Confirm and isolate. Verify that what you're seeing is ransomware, not a false alarm. Once confirmed, immediately isolate affected systems from the network. Don't shut them down: isolate them. Powered-off systems may lose forensic evidence in volatile memory.
Minute 5-15: Activate your incident response team. If you have a CDA War Room, activate it now. If not, establish a dedicated communication channel outside your primary email system (which may be compromised). Assign roles: incident commander, technical lead, communications lead, and legal liaison.
Minute 15-30: Assess scope and containment. Determine which systems are affected, which are clean, and where the boundary is. Check backup availability and integrity. Do not attempt to decrypt or restore yet. Focus entirely on containment.
Minute 30-45: Preserve evidence and notify stakeholders. Begin forensic preservation of affected systems. Document everything with timestamps. Notify your cyber insurance carrier. Engage legal counsel before making external notifications.
Minute 45-60: Begin eradication planning. With containment confirmed and evidence preserved, begin planning the eradication phase. Identify the initial access vector, determine what needs to be rebuilt versus restored, and establish a timeline for recovery.
The most common mistake in the first hour is rushing to restore systems before understanding the scope of the compromise. Restoring from backup on a system that still has an active backdoor means you'll be dealing with the same ransomware attack again in days or weeks.
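The sequence above (isolate without powering off, establish which hosts are affected or clean, preserve evidence with timestamps, and only then plan restoration) can be enforced by the incident log itself. The Python below is an added example written for this page, not CDA Operations' code or War Room tooling. It keeps a hash-chained, timestamped journal of first-hour actions so that later edits are detectable, tracks host scope, and refuses to approve a restore until containment is confirmed and a forensic image of that host has been recorded. Host names, the incident id and the image hash are constructed placeholders; the journal only records that isolation and capture happened, the actual network isolation and memory capture are done by your firewall or EDR tooling.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Scope labels for each host (labels chosen for this example).
AFFECTED, CLEAN, UNKNOWN = "affected", "clean", "unknown"
GENESIS = "0" * 64  # "previous hash" of the very first entry


class IncidentJournal:
    """Tamper-evident, timestamped record of first-hour actions.

    Every entry commits to the previous entry's hash, so deleting or
    editing an entry after the fact breaks verify().
    """

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []
        self.hosts = {}                 # hostname -> AFFECTED / CLEAN / UNKNOWN
        self.containment_confirmed = False
        self.evidence_preserved = set() # hosts with a forensic capture logged

    def _append(self, action, detail, when=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        body = {"ts": ts, "action": action, "detail": detail, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    @staticmethod
    def _digest(body):
        material = {k: v for k, v in body.items() if k != "hash"}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def record_host(self, host, state, when=None):
        """Minute 15-30: mark a host as affected, clean or still unknown."""
        self.hosts[host] = state
        return self._append("scope", {"host": host, "state": state}, when)

    def isolate(self, host, when=None):
        """Minute 0-5: log network isolation; the host stays powered on."""
        self.hosts.setdefault(host, AFFECTED)
        return self._append("isolate", {"host": host, "powered_off": False}, when)

    def preserve_evidence(self, host, image_sha256, when=None):
        """Minute 30-45: log the hash of the forensic image taken from host."""
        self.evidence_preserved.add(host)
        return self._append("preserve", {"host": host, "image_sha256": image_sha256}, when)

    def unknown_hosts(self):
        return sorted(h for h, s in self.hosts.items() if s == UNKNOWN)

    def confirm_containment(self, when=None):
        """Containment can only be confirmed once no host is still UNKNOWN."""
        if self.unknown_hosts():
            return False
        self.containment_confirmed = True
        affected = sorted(h for h, s in self.hosts.items() if s == AFFECTED)
        self._append("containment", {"affected": affected}, when)
        return True

    def can_restore(self, host):
        """Gate for the restore step: containment first, evidence first."""
        return self.containment_confirmed and host in self.evidence_preserved

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_example():
    """Constructed walk-through of the first hour with placeholder hosts."""
    t0 = datetime(2026, 3, 5, 9, 0, tzinfo=timezone.utc)
    j = IncidentJournal("IR-PLACEHOLDER-001")
    j.isolate("fs01", t0 + timedelta(minutes=3))             # minute 0-5
    j.record_host("ws17", UNKNOWN, t0 + timedelta(minutes=16))  # minute 15-30
    j.record_host("dc01", CLEAN, t0 + timedelta(minutes=18))
    # Restore is refused while scope is still open.
    assert not j.can_restore("fs01")
    j.record_host("ws17", AFFECTED, t0 + timedelta(minutes=22))
    j.isolate("ws17", t0 + timedelta(minutes=23))
    j.confirm_containment(t0 + timedelta(minutes=28))
    j.preserve_evidence("fs01", "00" * 32, t0 + timedelta(minutes=35))  # placeholder hash
    return j
```

Run `run_example()` and inspect `journal.entries`; each entry carries its own SHA-256 and the previous entry's, so the journal can be handed to counsel or the insurer and independently checked with `verify()`. The `can_restore()` gate is the code form of the warning about rushing to restore: it stays false until every host has a known state and the affected host has a logged forensic image.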
Schedule a Foundational Risk Model to see where your organization stands.