Ransomware Response Checklist
A ransomware response checklist is a sequenced set of actions an organization must execute from the moment ransomware is detected through full operational recovery. Ransomware remains the most operationally devastating cyber threat because it simultaneously encrypts systems, exfiltrates data, triggers regulatory notification obligations, and forces a pay/no-pay decision under extreme time pressure. This checklist provides the step-by-step actions for the first 72 hours, organized into five phases: immediate containment, investigation and scoping, notification and communication, recovery and restoration, and post-incident hardening. It incorporates guidance from CISA's #StopRansomware resources and the OFAC advisory on ransomware payments.
The difference between a ransomware incident that costs an organization days of downtime and one that costs weeks comes down to the first four hours. Organizations that have a rehearsed checklist and pre-authorized decisions contain faster, preserve more evidence, and make better strategic decisions about payment, notification, and recovery. Organizations that improvise lose time to arguments about authority, scramble for contact information, and make irreversible mistakes that compound throughout the response.
For the broader incident response framework that this checklist operates within, see our 2026 Incident Response Playbook and our detailed Ransomware Response: The First 24 Hours guide.
What Should You Do in the First 30 Minutes After Ransomware Is Detected?
The first 30 minutes determine the trajectory of the entire incident. Speed matters more than perfection at this stage. The priority is stopping the spread, preserving evidence, and activating the response team.
- Determine if encryption is still active. Check EDR alerts, file modification timestamps, and user reports. If the encryptor is still running, containment speed is paramount -- go straight to network isolation (the next item) and return to the rest of this list afterward.
- Isolate affected systems from the network. Disconnect affected hosts at the network level (disable switch ports, revoke VPN access, isolate VLANs). Do NOT power off systems unless encryption is actively spreading and network isolation is not possible -- powering off destroys volatile memory evidence.
- Preserve the ransom note. Photograph or screenshot the ransom note. Record the email address, cryptocurrency wallet, Tor site URL, and deadline. This information is critical for threat intelligence and potential law enforcement engagement.
- Activate the Incident Commander. The pre-designated Incident Commander takes control of the response. If the primary IC is unavailable, the backup assumes the role. This must happen within 15 minutes of detection.
- Establish a secure communication channel. Assume that corporate email and messaging systems may be compromised. Use a pre-established out-of-band communication channel (separate messaging platform, phone bridge, or dedicated incident channel).
- Notify the DFIR retainer firm. Call the retainer hotline to initiate engagement. Early forensic involvement preserves evidence that is lost with every passing hour.
- Notify outside legal counsel. Engage counsel immediately to establish attorney-client privilege over the investigation and to begin assessing notification obligations.
How Do You Scope the Blast Radius of a Ransomware Attack?
After initial containment, the investigation phase determines what was affected, how the attacker got in, and whether data was exfiltrated before encryption. This phase runs in parallel with ongoing containment and directly informs the recovery strategy.
- Identify all encrypted systems. Use EDR telemetry, network scans, and user reports to build a complete inventory of affected hosts, servers, and cloud workloads.
- Determine the ransomware variant. Upload the ransom note and a sample encrypted file to identification services. Knowing the variant informs whether free decryption tools exist and provides threat intelligence about the attacker group's typical behavior.
- Identify the initial access vector. Common entry points include phishing emails, exploited VPN or RDP vulnerabilities, compromised credentials, and supply chain compromise. The DFIR team should prioritize identifying the initial access to prevent re-entry.
- Assess data exfiltration. Modern ransomware groups routinely exfiltrate data before encrypting. Review network logs for large outbound data transfers, check for staging directories, and examine the attacker's communication for exfiltration claims.
- Evaluate backup integrity. Determine the most recent clean backup for each critical system. Test backup restoration in an isolated environment before relying on it for recovery. Ransomware groups increasingly target backup systems.
- Assess Active Directory compromise. If the attacker gained domain admin privileges, assume the entire AD environment is compromised. Recovery requires a full identity reset -- see the recovery phase below.
| Investigation Area | Key Question | Data Source | Timeline Impact |
|---|---|---|---|
| Encrypted systems | How many systems are affected? | EDR, network scans, user reports | Determines recovery scope and duration |
| Initial access | How did the attacker get in? | Firewall logs, email logs, VPN logs | Must be closed before recovery begins |
| Data exfiltration | Was data stolen before encryption? | Network flow data, proxy logs, DLP alerts | Triggers notification obligations |
| Backup integrity | Are backups clean and recent? | Backup system logs, test restores | Determines recovery strategy and timeline |
| Identity compromise | Did the attacker get domain admin? | AD logs, DFIR forensics | Requires full identity reset if yes |
| Lateral movement | What systems did the attacker access? | EDR, authentication logs | Expands scope of eradication required |
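The exfiltration check in the table above can begin from flow telemetry before the DFIR team arrives. The block below is an added example, not code from this page or from IR-OS: it aggregates outbound bytes per internal host to external destinations and flags hosts above a threshold. The flow records are constructed, the internal address space is assumed to be exactly the RFC 1918 ranges, and the 1 GB threshold is an assumption to tune per environment.

```python
import ipaddress
from collections import defaultdict

# Assumption: internal address space is exactly the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (src, dst, bytes sent by src); not real telemetry.
SAMPLE_FLOWS = [
    {"src": "10.20.5.17", "dst": "10.20.0.10", "bytes": 900_000_000},     # internal file server copy
    {"src": "10.20.5.17", "dst": "203.0.113.45", "bytes": 4_200_000_000}, # external upload
    {"src": "10.20.5.17", "dst": "203.0.113.45", "bytes": 3_900_000_000}, # same destination, later
    {"src": "10.20.7.3", "dst": "198.51.100.9", "bytes": 120_000_000},    # normal-looking volume
    {"src": "10.20.9.22", "dst": "192.0.2.77", "bytes": 6_500_000_000},   # external upload
    {"src": "192.0.2.5", "dst": "10.20.5.17", "bytes": 50_000_000},       # inbound, not egress
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound_by_host(flows):
    """Sum bytes each internal host sent to external destinations, and record which ones."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # skip inbound and internal-to-internal traffic
        totals[f["src"]] += f["bytes"]
        dests[f["src"]].add(f["dst"])
    return totals, dests

def flag_exfil_candidates(flows, threshold_bytes=1_000_000_000):
    """Hosts whose external egress meets the threshold, largest first.
    Returns (host, total_bytes, sorted destination list) tuples for analyst triage."""
    totals, dests = outbound_by_host(flows)
    hits = [(h, t, sorted(dests[h])) for h, t in totals.items() if t >= threshold_bytes]
    return sorted(hits, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for host, total, where in flag_exfil_candidates(SAMPLE_FLOWS):
        print(f"{host}: {total / 1e9:.1f} GB to {', '.join(where)}")
```

A flagged host is a lead, not a finding: confirm it against proxy logs, DLP alerts, and any staging directories on the host before treating exfiltration as established.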
When and Who Must You Notify After a Ransomware Attack?
Notification obligations begin the moment you become aware of the incident, not when the investigation is complete. Missing notification deadlines creates legal liability that compounds the operational damage of the attack itself.
- Cyber insurance carrier (within 24 hours). Most policies require first notice of a potential claim within 24-72 hours. Late notification can void coverage. The insurer will assign a breach coach (typically outside counsel) and may direct the DFIR engagement.
- Law enforcement (within 24-48 hours). Report the incident to the FBI via IC3 (ic3.gov) or your local FBI field office. CISA also accepts reports. Law enforcement engagement can provide threat intelligence about the attacker group and may assist with recovery.
- Regulators (per applicable deadlines). SEC-regulated companies: 4 business days for material incidents. GDPR: 72 hours if personal data is affected. HIPAA: 60 days. State breach laws: typically 30-60 days. Track all applicable deadlines and assign an owner for each notification.
- Board of directors (within 24 hours for material events). The board needs to understand the scope, business impact, and strategic decisions pending (particularly the pay/no-pay decision). Provide a factual briefing, not speculation.
- Affected individuals (per regulatory requirements). If personal data was exfiltrated, individual notification requirements apply. Work with outside counsel to determine scope, timing, and messaging. Engage a breach notification vendor if the affected population is large.
- Customers and partners (when operational impact is visible). If the ransomware affects customer-facing services, proactive communication is preferable to reactive. Draft communications in advance and have them reviewed by legal and communications teams before release.
The regulatory notification clock starts when you become aware of the incident, not when the investigation is complete. Document the exact time of awareness in the incident log. This timestamp will be scrutinized by regulators and potentially by plaintiffs' counsel.
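Because every clock in this section runs from the documented time of awareness, the deadlines can be computed once and assigned owners. The block below is an added example, not code from this page or from IR-OS; it uses the intervals stated above, models business days as Monday to Friday without holidays (an assumption), and uses a constructed awareness time. Which regimes apply is a decision for counsel; the code only runs the clocks.

```python
from datetime import datetime, timedelta, timezone

# Constructed time of awareness for the worked example: a Thursday, 14:00 UTC.
AWARENESS = datetime(2026, 3, 5, 14, 0, tzinfo=timezone.utc)

def add_business_days(start, days):
    """Advance by Mon-Fri business days. Assumption: public holidays are not modelled."""
    current, added = start, 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:
            added += 1
    return current

def notification_deadlines(awareness, *, personal_data=False, phi=False,
                           sec_registrant=False, materiality_determined=None):
    """Map each notification in the checklist to its due time, keyed from awareness."""
    due = {
        "cyber_insurance_carrier": awareness + timedelta(hours=24),
        "board_of_directors": awareness + timedelta(hours=24),
        "law_enforcement": awareness + timedelta(hours=48),
    }
    if personal_data:
        due["gdpr_supervisory_authority"] = awareness + timedelta(hours=72)
    if phi:
        due["hipaa_hhs_and_individuals"] = awareness + timedelta(days=60)
    if sec_registrant:
        # Form 8-K Item 1.05 runs from the materiality determination; default to awareness
        # so the clock is never later than the conservative reading.
        due["sec_form_8k_item_1_05"] = add_business_days(materiality_determined or awareness, 4)
    return due

def schedule(due, owners):
    """Deadlines in due order as (when, name, owner); items without an owner are flagged."""
    return [(when, name, owners.get(name, "UNASSIGNED"))
            for name, when in sorted(due.items(), key=lambda kv: kv[1])]

if __name__ == "__main__":
    deadlines = notification_deadlines(AWARENESS, personal_data=True, sec_registrant=True)
    for when, name, owner in schedule(deadlines, {"cyber_insurance_carrier": "CFO"}):
        print(f"{when.isoformat()}  {name:28s}  owner={owner}")
```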
How Do You Make the Pay or No-Pay Decision?
The ransom payment decision is the most consequential and contentious decision in a ransomware incident. It involves technical, legal, financial, ethical, and regulatory considerations that must be evaluated together.
Factors favoring non-payment:
- Clean, recent backups are available and tested for all critical systems
- The operational impact of extended downtime is manageable
- No evidence of data exfiltration (reduces the double-extortion leverage)
- FBI and CISA guidance discourages payment as it funds criminal operations
- Payment does not guarantee decryption -- some groups provide non-functional decryptors
Factors that complicate non-payment:
- Backups are compromised, outdated, or non-existent
- Extended downtime threatens business survival (healthcare, critical infrastructure)
- Data exfiltration confirmed and publication would cause severe harm
- Cyber insurance covers ransom payment (reducing direct financial cost)
Mandatory before any payment:
- OFAC sanctions screening. The U.S. Treasury OFAC advisory warns that paying ransomware to sanctioned entities or jurisdictions can result in civil penalties. Your outside counsel and ransom negotiation firm must conduct sanctions screening before any payment.
- Insurance carrier approval. If you intend to seek reimbursement, the insurer typically must approve the payment in advance.
- Board awareness. A payment decision of this magnitude should have board-level awareness at minimum.
What Is the Correct Recovery Sequence After Ransomware?
Recovery from ransomware is not a single event -- it is a staged process with verification gates between each stage. The most dangerous mistake is restoring systems before eradication is complete, which allows the attacker to re-encrypt through persistence mechanisms that survived the initial response.
- Reset the identity plane. If Active Directory was compromised, perform a full identity reset: reset all passwords, revoke all Kerberos tickets (krbtgt reset twice), revoke all certificates, disable all service accounts, and re-issue credentials from a clean baseline. This step is non-negotiable if the attacker achieved domain admin.
- Rebuild core infrastructure. Restore DNS, DHCP, authentication services, and backup infrastructure from clean images or rebuild from scratch. Do not restore these from backups that may contain persistence mechanisms.
- Restore critical business applications. Restore applications in priority order as defined in the business continuity plan. Verify each application in an isolated environment before connecting it to the production network.
- Verify each restored system. Run EDR scans, check for known persistence mechanisms (scheduled tasks, WMI subscriptions, registry run keys, startup items), and confirm that the initial access vector has been closed before connecting restored systems to the network.
- Implement heightened monitoring. Deploy additional monitoring rules targeting the specific TTPs observed during the incident. Maintain heightened monitoring for at least 30 days after full recovery.
- Declare recovery complete. Recovery is complete only when all critical systems are operational, all persistence mechanisms are confirmed eradicated, heightened monitoring is in place, and the Incident Commander formally closes the incident.
| Recovery Stage | Estimated Duration | Gate Before Proceeding |
|---|---|---|
| Identity plane reset | 1-3 days | All credentials reset, krbtgt rotated twice, certificates reissued |
| Core infrastructure | 1-2 days | DNS, DHCP, authentication verified clean |
| Critical applications | 3-7 days | Each application verified in isolation before production |
| Secondary systems | 5-14 days | EDR clean, no persistence mechanisms detected |
| Heightened monitoring | 30+ days | No re-entry attempts detected |
Why Is Post-Incident Hardening Essential After Ransomware?
Organizations that recover from ransomware without implementing post-incident hardening face a significantly elevated risk of a second attack. Ransomware groups share or sell access to previously compromised networks, and the publicity of a successful attack attracts additional threat actors who probe for residual weaknesses.
Post-incident hardening priorities:
- Close the initial access vector permanently. If the attacker entered through an unpatched VPN, patch it. If through phishing, implement additional email security controls and user training. The specific fix depends on the root cause identified during investigation.
- Implement network segmentation. Flat networks allow ransomware to spread unconstrained. Segment critical systems, implement micro-segmentation where possible, and restrict lateral movement paths.
- Harden Active Directory. Implement tiered administration, reduce the number of domain admins, place privileged accounts in the Protected Users security group, deploy LAPS for local administrator passwords, and implement PAM for privileged access.
- Deploy immutable backups. Ensure at least one backup copy is air-gapped or immutable (cannot be modified or deleted even with administrative credentials). Test restoration from these backups quarterly.
- Conduct an after-action review. Document the full timeline, decisions made, gaps identified, and remediation actions with owners and deadlines. See our After-Action Review template.
The CIRM framework implemented by IR-OS tracks these hardening actions as formal remediation items linked to the incident record, ensuring they are completed rather than forgotten once the immediate crisis passes. Learn more about the CIRM approach to incident management.
Execute this checklist with a defensible record
IR-OS turns this checklist into a live command surface with role assignments, automated timelines, notification tracking, and a SHA-256 hash-chained audit log that proves what you did and when.
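To show what a hash-chained audit log gives an incident record, here is an added example in Python. It is not IR-OS's implementation: each entry commits to the SHA-256 of its predecessor, so altering, removing or reordering an entry after the fact is detectable. The timeline entries, actors and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry
CHAINED_FIELDS = ("seq", "at", "actor", "action", "prev")

def entry_digest(entry):
    """SHA-256 over canonical JSON of the chained fields (the stored hash is excluded)."""
    canonical = json.dumps({k: entry[k] for k in CHAINED_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

class IncidentLog:
    """Append-only log where each entry commits to the hash of its predecessor."""
    def __init__(self):
        self.entries = []

    def append(self, actor, action, at):
        entry = {"seq": len(self.entries), "at": at.isoformat(), "actor": actor,
                 "action": action,
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """(True, None) if intact, else (False, seq) of the first entry whose content,
        position or link to its predecessor no longer matches."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

def demo_log():
    """Constructed first-30-minutes timeline; hosts, times and actors are made up."""
    t0 = datetime(2026, 3, 5, 14, 2, tzinfo=timezone.utc)
    log = IncidentLog()
    log.append("soc-analyst", "Awareness: EDR alert and ransom note on FS01", t0)
    log.append("net-ops", "Isolated FS01 and its VLAN at the switch", t0 + timedelta(minutes=6))
    log.append("ic-primary", "Incident Commander activated; out-of-band bridge opened", t0 + timedelta(minutes=11))
    log.append("ic-primary", "DFIR retainer and outside counsel engaged", t0 + timedelta(minutes=24))
    return log

if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify(), "head:", log.entries[-1]["hash"][:16])
```

The chain only proves that nothing changed after a given head hash was recorded, so the head hash must itself be anchored out of band (for example, sent to counsel or the insurer at fixed intervals) for the record to be defensible.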