Ransomware attacks don't announce themselves with sirens. One moment everything looks normal, and the next, files are locked, screens display demands, and your team starts calling IT in a panic. The difference between a contained incident and a business-ending catastrophe often comes down to what happens in the first 60 minutes. This guide gives you a clear, step-by-step playbook for those critical minutes — because when seconds count, you can't afford to be figuring things out as you go.
Minute Zero: Recognize the Signs
Time starts ticking the moment you notice something wrong. Ransomware doesn't always look the same, but there are common warning signs that every employee should know:
Encrypted files with strange extensions are one of the most obvious indicators. Files that once ended in .docx, .xlsx, or .pdf now carry extensions like .locked, .encrypted, or random strings of characters. Double-clicking them opens a ransom note instead of the document itself. Ransom note pop-ups may appear on screen — full-screen messages demanding payment in cryptocurrency, often with countdown timers designed to create urgency and fear.
Sudden system slowdowns can also signal an attack in progress. If multiple machines across your office start running unusually slow at the same time, it could mean ransomware is actively encrypting files in the background. Unusual network traffic — spikes in outbound data, connections to unknown IP addresses, or file-sharing activity at odd hours — may indicate the malware is communicating with command-and-control servers or spreading laterally across your network.
Perhaps the biggest red flag: multiple users reporting the same issue simultaneously. When three people call IT within ten minutes saying their files won't open, this isn't a coincidence — it's an active attack. Train your team to recognize these signs and report them immediately. Every second of delay gives the attacker more time to spread.
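The two indicators above that a file server can surface on its own, a burst of renames to ransom-style extensions and the same burst on several machines at once, are easy to turn into a detection. The following is an added example (not code from the original article); the audit-log line format and the one-minute window are assumptions, so adapt the regex to what your file server or EDR actually emits:

```python
# Added example (not from the article): flag the mass-rename signature of active
# ransomware in file-server audit logs. The log format is constructed; adapt the
# regex to whatever your file server or EDR actually emits.
import re
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_RANSOM_EXT = {".locked", ".encrypted"}  # extensions named in the article
LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (\S+) -> (\S+)$")  # "<ts> <host> RENAME <old> -> <new>"

def is_suspicious(new_name: str) -> bool:
    """True for a known ransom extension or a random-looking alphanumeric tail."""
    ext = new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""
    looks_random = len(ext) >= 6 and ext.isalnum() and any(c.isdigit() for c in ext)
    return "." + ext in KNOWN_RANSOM_EXT or looks_random

def find_mass_renames(lines, window=timedelta(minutes=1), threshold=3):
    """Return {host: peak count} for hosts with >= threshold suspicious renames in one window."""
    times_by_host = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and is_suspicious(m.group(4)):
            times_by_host[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    alerts = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = max(alerts.get(host, 0), end - start + 1)
    return alerts

def is_outbreak(alerts, min_hosts=2) -> bool:
    """The article's biggest red flag: the same symptom on several machines at once."""
    return len(alerts) >= min_hosts

# Constructed sample: two workstations encrypting, one doing an ordinary rename.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 ws-01 RENAME Q1-report.docx -> Q1-report.docx.locked",
    "2024-05-01T09:00:02 ws-01 RENAME budget.xlsx -> budget.xlsx.locked",
    "2024-05-01T09:00:04 ws-01 RENAME notes.pdf -> notes.pdf.locked",
    "2024-05-01T09:00:20 ws-02 RENAME invoice.pdf -> invoice.pdf.x7k2q9",
    "2024-05-01T09:00:21 ws-02 RENAME ledger.xlsx -> ledger.xlsx.x7k2q9",
    "2024-05-01T09:00:25 ws-02 RENAME memo.docx -> memo.docx.x7k2q9",
    "2024-05-01T09:05:00 ws-03 RENAME draft-v1.docx -> draft-v2.docx",
]
```

Tune the threshold and window to your environment's normal rename rate; an alert from two or more hosts in the same window is the "multiple users at once" signal that should page someone immediately.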
Minutes 1–15: Contain the Threat
Once you suspect ransomware, containment is the single most important action you can take. Your goal is to stop the spread before the infection reaches more systems, more data, and more parts of your business.
Disconnect affected machines from the network immediately. Unplug Ethernet cables and disable Wi-Fi on any machine showing signs of infection. Here is a critical detail: do NOT shut down affected computers. Shutting down destroys volatile memory (RAM) that contains evidence of how the attacker entered, what tools they used, and where they've been. This RAM data is invaluable for forensic investigation. Instead, simply disconnect from the network and leave the machine powered on.
If you have network segmentation in place, isolate the affected segment to prevent lateral movement. If you don't have segmentation, this is another reason to invest in it — it's one of the most effective defenses against ransomware spreading through your environment.
Alert your IT team or managed service provider immediately. If you work with an MSP, they have incident response playbooks ready to deploy and can begin containment actions remotely while you handle physical disconnections on-site.
A word about ransom payments: do not pay the ransom. The FBI and cybersecurity experts consistently advise against paying ransom demands. There is no guarantee the attacker will provide working decryption keys — many victims who pay never get their files back. Paying also funds criminal operations, making future attacks more likely. Focus your energy on containment and recovery instead.
Minutes 15–30: Assess the Scope
With the immediate threat contained as much as possible, shift to understanding the full scope of the attack. You need answers to several critical questions before recovery planning can begin.
Determine which systems are affected. Start with the obvious — machines showing encrypted files or ransom notes — but don't stop there. Check servers, shared drives, backup systems, and cloud services. Ransomware often targets backup infrastructure specifically to eliminate your recovery options. Verify whether your backups are intact and accessible, or if they've been encrypted or deleted as part of the attack.
Check for lateral movement. Sophisticated ransomware operators spend days or weeks inside a network before triggering encryption. They move laterally, escalate privileges, and map your environment. Determine whether the attacker accessed additional systems beyond the initially infected ones by reviewing login logs, file access patterns, and network traffic records.
Check cloud services. Microsoft 365, Google Workspace, and other cloud platforms can be compromised through stolen credentials. Review recent sign-in activity, check for unauthorized rule changes in email, and verify that cloud file shares haven't been modified or deleted.
Document everything. Take screenshots of ransom notes, error messages, and unusual system states. Record timestamps for when symptoms were first noticed, when containment actions were taken, and any other relevant events. This documentation serves multiple purposes: it supports forensic investigation, strengthens cyber insurance claims, and may be required for regulatory breach notifications.
Minutes 30–45: Activate Your Incident Response Plan
If you have a documented incident response plan, now is the time to follow it. Your plan should outline roles and responsibilities, communication protocols, escalation procedures, and specific actions for different types of security incidents. Having this plan tested and ready makes all the difference during an active attack.
If you don't have an incident response plan, this is where having a managed service provider pays off. An experienced MSP brings pre-built playbooks, forensic tools, and trained responders who have handled ransomware incidents before. They know what to look for, what evidence to preserve, and how to coordinate with law enforcement and insurance carriers.
Contact your cyber insurance carrier. Most policies require prompt notification of a claim, and the carrier will assign adjusters and possibly recommend forensic investigators. Delaying this call can complicate the claims process and potentially affect coverage.
Notify legal counsel if regulated data may be involved. If your business handles protected health information (PHI), personally identifiable information (PII), payment card data, or other regulated data types, there are specific notification requirements and timelines you need to be aware of. HIPAA, state breach notification laws, and PCI DSS each have their own rules about when and how to report a breach. Legal guidance ensures you meet these obligations correctly.
Minutes 45–60: Begin Recovery Planning
By the end of the first hour, you should have a clear picture of what happened and who's involved. Now it's time to start planning the recovery path. Recovery is not about rushing back online — it's about getting back online safely.
Identify clean backup systems. Locate backups that predate the attack and verify their integrity. The best approach uses the 3-2-1 backup rule: three copies of data, on two different media types, with one copy stored offsite or offline. If your backups are air-gapped or immutable, they're far less likely to have been touched by the ransomware.
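Both checks the article asks for, here and in the scope assessment (is the backup intact, and does it predate the attack?), can be scripted against a hash manifest recorded when the snapshot was taken. This is an added example, not the article's or any backup product's code; the manifest layout `{"taken_at": ..., "files": {path: sha256}}` and the practice of storing the manifest outside the backup tree are assumptions:

```python
# Added example (not from the article): vet a backup snapshot before restoring from it.
# Checks that the snapshot predates the first symptoms and that every file still matches
# the SHA-256 recorded when it was taken. The manifest layout is an assumption.
import hashlib, os, shutil, tempfile
from datetime import datetime

def sha256_file(path):
    with open(path, "rb") as f:  # whole-file read is fine for a demo; stream large files
        return hashlib.sha256(f.read()).hexdigest()

def verify_snapshot(root, manifest, first_symptom_at):
    """Return (usable, problems) for the backup tree under root."""
    problems = []
    if datetime.fromisoformat(manifest["taken_at"]) >= first_symptom_at:
        problems.append("snapshot taken after first symptoms; may hold encrypted data")
    for rel, expected in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    for dirpath, _, names in os.walk(root):  # files the manifest never recorded
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest["files"]:
                problems.append(f"unexpected file: {rel}")
    return (not problems, problems)

def demo(first_symptom_at="2024-05-01T09:00:00"):
    """Constructed tree: one intact file, one altered file, one file nobody backed up."""
    root = tempfile.mkdtemp()
    manifest = {"taken_at": "2024-04-30T23:00:00", "files": {}}
    for rel, data in {"docs/report.docx": b"quarterly numbers", "docs/plan.pdf": b"roadmap"}.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest["files"][rel] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(root, "docs", "plan.pdf"), "wb") as f:
        f.write(b"not the roadmap")  # simulates post-backup tampering
    with open(os.path.join(root, "RESTORE_FILES.txt"), "wb") as f:
        f.write(b"note")  # simulates a dropped file the manifest never listed
    try:
        return verify_snapshot(root, manifest, datetime.fromisoformat(first_symptom_at))
    finally:
        shutil.rmtree(root)
```

A snapshot that fails any of the three checks is not a restore candidate; the same routine run against an immutable or air-gapped copy is how you confirm the 3-2-1 rule actually left you something clean.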
Prioritize critical business functions. Not everything can be restored at once, so identify which systems your business needs most urgently to resume operations. For a hospital, that might be patient records and scheduling systems. For a retailer, it could be point-of-sale systems and inventory management. For a professional services firm, email and document management take priority. Work with leadership to establish this restoration order before technical work begins.
Work with your IT team to rebuild affected systems from known-good images. Rather than attempting to decrypt infected systems, the safest approach is to wipe affected machines completely and rebuild them from clean, verified images. This eliminates any chance of residual malware persisting after recovery.
Begin the digital forensics process. Understanding how the attacker entered your network is essential to preventing a repeat attack. Common entry points include phishing emails, unpatched vulnerabilities, compromised remote access credentials, and third-party vendor access. Forensic investigation identifies the root cause so you can close that door permanently.
What Comes Next
The first hour buys you time and clarity, but full recovery is a marathon, not a sprint. Here is what follows in the days and weeks ahead:
A full forensic investigation will determine the complete scope of the breach, identify all compromised accounts and systems, and document the attack timeline. System rebuilding involves wiping and reimaging all affected machines, restoring data from clean backups, and verifying that every system is free of malware before reconnecting to the network.
Enhanced security measures should be deployed as part of post-incident hardening. This includes endpoint detection and response (EDR) tools for real-time threat monitoring, multi-factor authentication across all systems, network segmentation to limit lateral movement, and improved email filtering to block phishing attempts. These aren't optional upgrades — they are the baseline defenses every business needs.
Employee training addresses the human element. Most ransomware attacks begin with a single click on a phishing link. Regular security awareness training, phishing simulations, and clear reporting procedures turn your employees from the weakest link into an active layer of defense.
If regulated data was accessed, breach notification may be required. HIPAA mandates notification within 60 days of discovering a breach affecting PHI. State laws vary, but many require notification within 30 to 45 days. Working with legal counsel ensures these notifications are handled correctly and on time.
Have You Prepared for the Worst?
If your business doesn't have an incident response plan or tested backups, now is the time to build them. Contact us to schedule a free cybersecurity assessment — we'll evaluate your current defenses and show you exactly where you stand before an attack happens.