Ransomware Response: The First 24 Hours
The first 24 hours of a ransomware incident determine whether you spend the next month recovering or the next year in litigation. This hour-by-hour guide is based on real incidents and 150+ ransomware tabletop scenarios.
Ransomware is no longer just an encryption problem. Modern double-extortion operators exfiltrate data first, encrypt second, and publish third. That changes the response timeline, the regulatory exposure, and the negotiation dynamics. This guide walks through the first 24 hours with that reality in mind. For the overarching framework, see our 2026 Incident Response Playbook.
Hour 0 to Hour 1: Confirm and Contain the Bleeding
Confirm it is ransomware, not just an odd file extension on one laptop. Look for ransom notes, mass file renames, encrypted backups, and elevated CPU on multiple hosts simultaneously.
Activate incident command. Page the Incident Commander, Scribe, Legal, Comms, Technical Lead, and Executive Sponsor. Start a war room bridge. Start the defensible record — every decision timestamped.
Preserve then contain. Image memory and disk on at least one representative infected host before you isolate. Then begin network isolation — segment by segment, not host by host, if encryption is still actively spreading.
Hour 1 to Hour 6: Notify, Scope, and Preserve Options
Hour 1: Notify your cyber insurer
Almost every cyber policy requires first notice within 24–72 hours of "awareness of a potential claim." Miss that window and coverage may be denied. The insurer will usually require you to use their panel DFIR firm and breach counsel — know this before you call your own retainer.
Hour 2: Engage outside counsel for privilege
All forensic work should flow through outside counsel to maximize attorney-client privilege over the investigation. This is not optional if you expect litigation, and with ransomware you should expect litigation.
Hour 3–4: Scope the blast radius
Answer four questions, in writing:
- How many hosts are encrypted? How many are infected but not yet encrypted?
- Is there evidence of data exfiltration? (Look for large outbound transfers, rclone activity, connections to mega.io, and DNS queries for file-sharing services.)
- Are backups intact? Are they online and therefore at risk?
- Is identity (AD, Okta, Entra) compromised?
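As an added example (not from the original guide or from IR-OS), a small Python triage script that runs the exfiltration checks from the list above over a constructed egress log; the log format, host names, domains and the 1 GB threshold are assumptions to adapt to your own telemetry.

```python
import re
from collections import defaultdict

# Constructed sample egress/proxy log (not from any real incident). Assumed format:
# "<timestamp> <source_host> <destination> <bytes_out> <user_agent>"
SAMPLE_LOG = """\
2026-03-01T02:11:04Z ws-finance-07 mega.nz 4831200000 rclone/v1.65
2026-03-01T02:12:51Z ws-finance-07 api.mega.co.nz 120000 rclone/v1.65
2026-03-01T02:14:09Z srv-file-01 cdn.example-share.test 2200000000 curl/8.4
2026-03-01T08:30:00Z ws-hr-12 www.example.com 18000 Mozilla/5.0 (Windows NT 10.0)
2026-03-01T08:31:15Z ws-hr-12 updates.example.com 410000 Mozilla/5.0 (Windows NT 10.0)
"""

# Indicators from the scoping checklist: rclone-style tooling, mega.io-style
# file-sharing destinations, and a large total outbound volume per host.
EXFIL_TOOL_AGENTS = re.compile(r"rclone|megacmd", re.I)
# Illustrative list; replace with your own watchlist of file-sharing services.
FILE_SHARING_DOMAINS = ("mega.io", "mega.nz", "mega.co.nz", "example-share.test")
LARGE_OUTBOUND_BYTES = 1_000_000_000  # 1 GB per host in the window; tune to your baseline

def parse_line(line):
    """Split one assumed-format log line into a record."""
    ts, host, dest, nbytes, agent = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "dest": dest, "bytes": int(nbytes), "agent": agent}

def is_file_sharing(dest):
    return any(dest == d or dest.endswith("." + d) for d in FILE_SHARING_DOMAINS)

def exfil_indicators(log_text, large_bytes=LARGE_OUTBOUND_BYTES):
    """Return {host: sorted indicator names} for every host with at least one hit."""
    found = defaultdict(set)
    outbound = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        outbound[rec["host"]] += rec["bytes"]
        if EXFIL_TOOL_AGENTS.search(rec["agent"]):
            found[rec["host"]].add("exfil-tool-user-agent")
        if is_file_sharing(rec["dest"]):
            found[rec["host"]].add("file-sharing-destination")
    for host, total in outbound.items():
        if total >= large_bytes:
            found[host].add("large-outbound-volume")
    return {h: sorted(i) for h, i in found.items()}

if __name__ == "__main__":
    for host, inds in sorted(exfil_indicators(SAMPLE_LOG).items()):
        print(host, inds)  # feeds the written scope-of-compromise record
```

Hosts flagged here go straight into the written scope answer for the exfiltration question; a host with no hits is not cleared, only unflagged by this one data source.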
Hour 5–6: Isolate backups, rotate credentials
If backups are online and reachable from compromised hosts, assume they are about to be destroyed. Isolate them now. Simultaneously begin credential rotation for privileged accounts, service accounts, and any account seen on a compromised host.
Hour 6 to Hour 12: Decisions That Cost Money
The payment decision
The ransom payment decision is legal, not technical. The playbook should make the following explicit:
- OFAC sanctions risk. Paying a sanctioned entity — even through a negotiator — can be an OFAC violation. See the OFAC advisory on ransomware payments.
- Tax deductibility is unclear. Treat payments as non-deductible until told otherwise.
- Insurance sub-limits. Most policies cap ransom payments well below policy limits.
- Decryptor reliability. Even when paid, decryptors from some families corrupt 10–30% of files.
The decision is made by the Executive Sponsor with input from Legal, the CFO, and the insurer — never by the technical team alone.
The public statement decision
If you are a public company, the clock on SEC Item 1.05 disclosure is running. See SEC 96-Hour Cyber Breach Notification. If you have EU data subjects, GDPR's 72-hour clock is running — see GDPR 72-Hour Breach Notification.
Hour 12 to Hour 24: Stabilize and Plan Recovery
By hour 12 containment should be holding. By hour 24 you should have:
- A written scope of compromise, updated continuously
- A named negotiator (panel firm) engaged, whether or not you intend to pay
- Regulatory notification drafts in legal review
- A recovery sequencing plan that starts with identity
- Internal and customer communications drafted, approved, and queued
- A board briefing scheduled for hour 36–48
The Mistakes That Make It Worse
- Rebooting to "fix it." Destroys volatile memory evidence and, for some families, the in-memory encryption keys that could otherwise have been recovered.
- Connecting a clean laptop to the infected network. Now you have two infected laptops.
- Deleting the ransom note. It is evidence and sometimes contains the decryption identifier.
- Public statement before legal review. Gifts plaintiff's counsel their opening argument.
- Restoring from online backups before isolating them. Guarantees re-encryption.
- Declaring "we're back" before identity is clean. See the golden ticket case in our IR playbook.
Run this playbook live, not on paper
IR-OS gives your team the ransomware timeline, decisions, and defensible record in one command surface.