---
title: "Ransomware: First 24 Hours Playbook"
description: "A practical first 24 hours ransomware playbook: how to contain the attack, preserve critical evidence, validate backups, coordinate with counsel and leadership, and keep business-critical operations running while recovery begins."
url: "https://www.attainium.net/cyber-incident-hub/first-24-hours-ransomware"
date: "2026-06-03T23:54:18+00:00"
language: "en-US"
---

# Ransomware: First 24 Hours

**Use this Playbook when you observe:** sudden file encryption, ransom notes appearing, unusual mass file renames or extension changes, EDR/AV alerts, outbound data transfer spikes, or evidence that SSO tokens or sessions have been stolen.

![Ransomware Attack - Your files are encrypted](https://www.attainium.net/images/blog/Cybersecurity_Incident_Ransomware.jpg)

---

## First 24 Hours Timeline

### T+0–15 minutes

- Isolate affected hosts/segments at the network level (switch port disable, VLAN quarantine, VM isolation) rather than powering them off; pause risky integrations; switch to out-of-band comms.
- Preserve snapshots and volatile data (memory, open connections, running processes) before any reboot; begin the incident timeline log, recording who did what and when.

### T+15–60 minutes

- Confirm the scope of encryption (which hosts, shares, and data sets) and the scope of potential data theft.
- Engage breach counsel; consider sanctions screening and law enforcement notification triggers.
- Export M365/AWS/GWS audit logs; secure admin accounts; rotate keys/tokens.
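Scoping the encryption is the one step in this window that is mostly technical work on the file shares themselves. The script below is an added example (Python, not part of the Attainium playbook) of how that scoping can be done: it walks a tree and sorts files into ransom notes (by name pattern), files renamed to a suspicious extension, and files whose contents have ciphertext-like entropy while keeping their original extension. It also returns the newest modification time among affected files, which is the measurement behind the "no new encryption in X hours" decision gate later on this page. The note-name pattern, extension list and entropy threshold are illustrative assumptions, not an IOC feed, and the sample tree is constructed inside the script.

```python
"""Scope a suspected ransomware encryption event on a file tree.

Added example (not part of the Attainium playbook). Indicator patterns,
thresholds and the sample tree are illustrative assumptions.
"""
import math
import os
import re
import tempfile
from collections import Counter
from typing import Optional

# Assumed indicator patterns: adjust to the note name and extension the actual variant uses.
NOTE_NAME_RE = re.compile(r"(readme|restore|recover|decrypt|how_to).*\.(txt|html?)$", re.I)
SUSPECT_EXT_RE = re.compile(r"\.(locked|encrypted|crypt|enc)$", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; text sits around 4-5, ciphertext close to 8
MIN_SIZE = 256            # tiny files give unreliable entropy estimates
# Legitimately high-entropy formats that must not be reported as encrypted.
KNOWN_COMPRESSED = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"7z\xbc\xaf", b"Rar!")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> Optional[str]:
    """Return 'ransom_note', 'renamed', 'high_entropy', or None for unremarkable files."""
    name = os.path.basename(path)
    if NOTE_NAME_RE.search(name):
        return "ransom_note"
    if SUSPECT_EXT_RE.search(name):
        return "renamed"
    try:
        if os.path.getsize(path) < MIN_SIZE:
            return None
        with open(path, "rb") as f:
            head = f.read(65536)  # the first 64 KiB is enough to characterise the content
    except OSError:
        return None
    if head.startswith(KNOWN_COMPRESSED):
        return None  # archive or image: high entropy is expected
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def scan(root: str) -> dict:
    """Classify every file under `root`; reported paths are relative to `root`."""
    result = {"ransom_note": [], "renamed": [], "high_entropy": [], "newest_affected_mtime": None}
    newest = 0.0
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            kind = classify(p)
            if kind is None:
                continue
            result[kind].append(os.path.relpath(p, root).replace(os.sep, "/"))
            if kind != "ransom_note":
                newest = max(newest, os.path.getmtime(p))  # input for the containment gate
    result["newest_affected_mtime"] = newest or None
    return result


def build_sample_tree() -> str:
    """Constructed fixture: a clean text file, an archive, a ransom note,
    a renamed file, and a file whose contents were replaced but extension kept."""
    root = tempfile.mkdtemp(prefix="ransomscope_")
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        "minutes.txt": b"Board minutes, quarterly review. " * 40,
        "archive.zip": b"PK\x03\x04" + os.urandom(4096),
        "README_RESTORE_FILES.txt": b"Your files have been encrypted. Contact us at ...",
        "finance/report.docx.locked": os.urandom(4096),
        "finance/ledger.xlsx": os.urandom(4096),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    report = scan(build_sample_tree())
    for kind in ("ransom_note", "renamed", "high_entropy"):
        print(f"{kind}: {report[kind]}")
    print("newest affected mtime:", report["newest_affected_mtime"])
```

Run it against a read-only mount of the affected share, never against the live host, and re-run it at the interval you chose for the containment gate: if `newest_affected_mtime` stops advancing, encryption has stopped on that share.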

### T+1–4 hours

- Prepare initial internal/exec briefing; draft a customer advisory (hold until facts are verified).
- Validate backup integrity and immutability; perform test restore in a sterile environment.
- Coordinate with insurers, IR partners, and vendors as needed.
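"Validate backup integrity" means more than confirming the restore job finished: the restored files must match what was backed up, and the record you compare against must itself be trustworthy. The following is an added example (Python, not from the Attainium playbook) of a manifest-based check. It assumes the backup job wrote a manifest of `<sha256> <relative path>` lines plus an HMAC-SHA256 tag computed with a key held outside the backup system, so an attacker who can alter the backups cannot also re-sign the manifest. The manifest format, key handling and sample files are assumptions constructed for this example.

```python
"""Verify a restored backup set against an HMAC-signed backup manifest.

Added example, not from the Attainium playbook. Manifest format, key
handling and the sample data are assumptions for illustration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _relpaths(root: str):
    """Yield every file under `root` as a forward-slash relative path."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            yield os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")


def write_manifest(root: str, key: bytes):
    """Produce (manifest_text, hmac_tag) covering every file under `root`."""
    lines = [f"{sha256_file(os.path.join(root, *rel.split('/')))} {rel}" for rel in sorted(_relpaths(root))]
    manifest = "\n".join(lines) + "\n"
    tag = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_restore(restored_root: str, manifest: str, tag: str, key: bytes) -> dict:
    """Check the manifest's HMAC first, then every file it lists.

    A bad tag means the manifest cannot be trusted, so no per-file result is
    reported at all rather than a misleading 'all files verified'."""
    expected_tag = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return {"manifest_ok": False, "missing": [], "mismatched": [], "extra": [], "verified": 0}
    expected = {}
    for line in manifest.splitlines():
        if line:
            digest, rel = line.split(" ", 1)
            expected[rel] = digest
    missing, mismatched = [], []
    for rel, digest in expected.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            mismatched.append(rel)
    extra = [rel for rel in _relpaths(restored_root) if rel not in expected]
    return {
        "manifest_ok": True,
        "missing": sorted(missing),
        "mismatched": sorted(mismatched),
        "extra": sorted(extra),  # files present in the restore but never backed up
        "verified": len(expected) - len(missing) - len(mismatched),
    }


def demo() -> tuple:
    """Constructed scenario: a clean restore, a tampered restore, and a forged manifest."""
    key = b"example-key-held-in-vault"  # constructed; a real key lives outside the backup system
    files = {
        "db/users.sql": b"CREATE TABLE users (id INT, email TEXT);\n" * 50,
        "docs/policy.docx": bytes(range(256)) * 8,
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            for root in (src, dst):
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest, tag = write_manifest(src, key)
        clean = verify_restore(dst, manifest, tag, key)

        # Tamper with the "restored" copy: one file encrypted, one deleted, a note dropped in.
        with open(os.path.join(dst, "docs", "policy.docx"), "wb") as f:
            f.write(os.urandom(2048))
        os.remove(os.path.join(dst, "db", "users.sql"))
        with open(os.path.join(dst, "README_DECRYPT.txt"), "w") as f:
            f.write("your files are encrypted ...")
        tampered = verify_restore(dst, manifest, tag, key)

        # Attacker edits the manifest to legitimise the note; the HMAC no longer matches.
        forged = verify_restore(dst, manifest + "0" * 64 + " README_DECRYPT.txt\n", tag, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, r in zip(("clean", "tampered", "forged"), demo()):
        print(label, r)
```

The sterile test restore is the place to run this: a restore that passes the HMAC check but reports `mismatched` files or unexpected `extra` files was taken after the intrusion began and is not a clean recovery point.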

### T+4–24 hours

- Map regulator/contract triggers for data breach notifications.
- Decide on negotiation stance (document via counsel).
- Plan recovery approach: clean restore vs. staged recovery.
- Schedule next executive brief; confirm communication cadence.

---

## Do / Don’t

- **Do:** Contain safely, snapshot before recovery, involve counsel, validate backups, log decisions.
- **Don’t:** Delete evidence, pay ransom without sanctions review, communicate over compromised channels, rush restores.

---

## Evidence to Preserve

- Ransom notes and attacker comms artifacts.
- System and security logs (auth, EDR, firewall, SIEM).
- Snapshots of encrypted systems and impacted file shares.
- Proof of outbound data transfers (exfiltration evidence).

---

## Communications Stub

*Internal (executive/staff):* “We have detected a ransomware incident and are containing affected systems. No immediate action is required from staff at this time; updates will follow.”

*External (holding statement):* “We are investigating a cybersecurity incident that may involve ransomware. At this time we are containing the issue and assessing impact. We will provide further information as facts are confirmed.”

---

## Metrics & Decision Gates

- Containment achieved? (No new encryption in X hours).
- Backup restore validated? (Sterile test successful).
- Data theft confirmed or suspected? (triggers notification obligations).
- Law enforcement notified? (if applicable).
- Executive briefing complete? (yes/no).

---

## Related First 24 Hours Playbooks

Use these coordinated playbooks to manage the first 24 hours across common cyber incidents:

- [Cyber Incident Hub: First 24 Hours Overview](https://www.attainium.net/resources-articles/first-24-hours-cyber-incident-checklist)
- [Ransomware: First 24 Hours](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-ransomware)
- [Business Email Compromise (BEC): First 24 Hours](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-bec)
- [Data Theft / Privacy: First 24 Hours](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-data-theft)

---

## Ransomware Incident FAQs

**What should we do first when ransomware is detected?**

- The first priority is safe containment: isolate affected hosts, stop active encryption, preserve evidence, and secure communications. Do not reboot, restore, or wipe systems yet—this can destroy forensic evidence needed for containment and recovery decisions.

**Should we shut down infected systems immediately?**

- Not always. Hard shutdowns can destroy memory evidence and complicate forensics. Whenever possible, isolate systems from the network first (switch port disable, VLAN quarantine, VM isolation) and then follow forensics guidance on shutdown vs. snapshot.

**How do we know whether data was exfiltrated before encryption?**

- Check outbound traffic logs, cloud access logs, EDR telemetry, and identity events for large transfers, unusual protocols, or access from attacker infrastructure. Many ransomware events now involve data theft, so assume exfiltration until proven otherwise.
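The check described in that answer is, in practice, an aggregation over whatever egress records you have (VPC flow logs, firewall or proxy logs). The script below is an added example (Python, not part of the Attainium playbook) of that triage. The input is a constructed, simplified flow-log line of the form `<UTC time> <src> <dst> <dst_port> <bytes_out>`; it sums egress per source/destination pair, skips internal RFC 1918 destinations and an assumed allowlist of known business services, and reports pairs whose total crosses a threshold together with the observed rate. The allowlist range, threshold and sample records are assumptions made for this example.

```python
"""Triage outbound flow records for signs of bulk data exfiltration.

Added example, not from the Attainium playbook. Log format, allowlist,
threshold and sample records are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed business allowlist; a real one is built from the published M365/AWS/GWS ranges.
ALLOWLIST = [ipaddress.ip_network("52.96.0.0/14")]
THRESHOLD_BYTES = 500 * 1024 ** 2  # 500 MiB per (src, dst) pair within the log window

# Constructed sample: host .17 pushes ~3 GB to an unknown address over 443 in 16 minutes,
# host .31 does bulk but allowlisted and internal traffic, host .8 sends 600 MB over SSH.
SAMPLE_FLOWS = """\
2026-06-03T21:02:11Z 10.20.5.17 203.0.113.44 443 1400000000
2026-06-03T21:09:40Z 10.20.5.17 203.0.113.44 443 900000000
2026-06-03T21:18:03Z 10.20.5.17 203.0.113.44 443 800000000
2026-06-03T21:05:00Z 10.20.5.31 52.96.0.10 443 2000000000
2026-06-03T21:06:30Z 10.20.5.31 192.168.40.5 445 900000000
2026-06-03T21:06:45Z 10.20.5.31 198.51.100.9 53 2100
2026-06-03T21:20:00Z 10.20.7.8 192.0.2.77 22 600000000
"""


def parse_flows(text: str) -> list:
    """Parse the simplified flow format into dicts; blank and '#' lines are ignored."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def find_exfil_candidates(text: str, threshold: int = THRESHOLD_BYTES, allowlist=ALLOWLIST) -> list:
    """Return (src, dst) pairs whose summed egress to non-internal, non-allowlisted
    destinations meets `threshold`, largest first, with the rate over the observed window."""
    totals = defaultdict(lambda: {"bytes": 0, "first": None, "last": None, "ports": set()})
    for f in parse_flows(text):
        if in_any(f["dst"], INTERNAL) or in_any(f["dst"], allowlist):
            continue  # lateral movement and known business services are triaged separately
        agg = totals[(str(f["src"]), str(f["dst"]))]
        agg["bytes"] += f["bytes"]
        agg["ports"].add(f["port"])
        agg["first"] = f["ts"] if agg["first"] is None else min(agg["first"], f["ts"])
        agg["last"] = f["ts"] if agg["last"] is None else max(agg["last"], f["ts"])
    hits = []
    for (src, dst), agg in totals.items():
        if agg["bytes"] < threshold:
            continue
        minutes = max((agg["last"] - agg["first"]).total_seconds() / 60, 1)
        hits.append({
            "src": src,
            "dst": dst,
            "bytes": agg["bytes"],
            "ports": sorted(agg["ports"]),
            "window_min": round(minutes, 1),
            "mib_per_min": round(agg["bytes"] / 1024 ** 2 / minutes, 1),
        })
    hits.sort(key=lambda h: h["bytes"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']} ports={hit['ports']} "
              f"{hit['bytes'] / 1e9:.2f} GB over {hit['window_min']} min ({hit['mib_per_min']} MiB/min)")
```

Each hit is a lead, not a conclusion: the destination still has to be attributed (WHOIS, passive DNS, threat intel) and the source host's EDR timeline checked for the tool that generated the traffic. Keep the hits and the underlying records as part of the exfiltration evidence listed above, since they feed the data theft decision gate and any notification obligation.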

**Should we contact law enforcement during a ransomware attack?**

- Yes—especially if extortion, threats, or sensitive data theft are involved. However, legal counsel or breach counsel should coordinate the timing, messaging, and documentation to ensure privilege and compliance with regulatory obligations.

**Do cyber insurers need to be notified during the first 24 hours?**

- Most cyber insurance policies require notification as soon as a material incident is suspected. Early notice helps preserve coverage and gives you access to insurer-approved forensics, legal counsel, and negotiation resources.

**Is paying a ransom ever recommended?**

- Paying is always a business decision and often a last resort. Consider legal restrictions, data backups, operational impact, attacker reliability, and insurer guidance. Breach counsel should always advise before any negotiation or payment discussion.

**How do we decide between clean restore and in-place recovery?**

- Clean restore is safer but slower; in-place recovery may be faster but risks leaving persistence mechanisms behind. The choice depends on the intrusion depth, presence of backdoors, backup integrity, and operational urgency.

**How can we prepare before a ransomware incident happens?**

- Maintain offline/immutable backups, enforce MFA, patch high-risk systems, monitor for suspicious authentication patterns, test restoration timelines, and run ransomware tabletop exercises. These measures drastically reduce downtime and impact.

---

## Schema

```json
{
    "@context": "https://schema.org",
    "@type": "Article",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://www.attainium.net/cyber-incident-hub/first-24-hours-ransomware.md"
    },
    "headline": "Ransomware: First 24 Hours Playbook",
    "description": "A practical first 24 hours ransomware playbook: how to contain the attack, preserve critical evidence, validate backups, coordinate with counsel and leadership, and keep business-critical operations running while recovery begins.",
    "image": {
        "@type": "ImageObject",
        "url": "https://www.attainium.net/images/blog/Cybersecurity_Incident_Ransomware.jpg"
    },
    "publisher": {
        "@type": "Organization",
        "name": "Attainium Corp",
        "logo": {
            "@type": "ImageObject",
            "url": "https://www.attainium.net/images/attainium-640x260.jpg"
        }
    },
    "author": {
        "@type": "Person",
        "name": "Bob Mellinger",
        "url": "https://www.attainium.net/about-us/bob-mellinger"
    },
    "datePublished": "2025-10-03T10:30:39-07:00",
    "dateCreated": "2025-10-03T10:27:08-07:00",
    "dateModified": "2025-11-18T13:44:40-07:00"
}
```
