
Ransomware Attack Response: The First 24 Hours

Security Arsenal Team
February 19, 2026


Ransomware moves fast. Modern operators can encrypt an entire domain in under 45 minutes once they initiate deployment. By the time most organizations realize what is happening, the encryption is already complete and the ransom note is on every screen.

This guide covers what to do in the first 24 hours — the window that determines whether you recover in days, or spend months rebuilding.


Hour 0–1: Contain First, Investigate Later

The single most common mistake organizations make is trying to investigate before containing. Every minute spent investigating before containment is a minute in which the encryption keeps spreading.

Immediate actions (within 15 minutes of detection):

  1. Isolate affected systems — Disconnect encrypted or actively encrypting machines from the network. Physically unplug network cables if remote isolation fails. Do NOT power off (this may destroy forensic artifacts and prevent recovery of in-memory encryption keys in some ransomware families).

  2. Disable compromised accounts — If you know which accounts were used for lateral movement, disable them immediately. Do not just reset passwords — disable entirely until forensics confirms scope.

  3. Take backups offline — If your backup systems are still accessible, take them offline NOW. Ransomware operators specifically target backup systems. A 2023 Sophos study found 93% of ransomware attacks targeted backup repositories.

  4. Preserve network access for response — Do not take down your entire network. You need communication and coordination capability. Isolate segments, not everything.

  5. Activate your incident response team — If you have an IR retainer, call the hotline immediately. If not, call +1-972-999-9900 for emergency response.


Hour 1–4: Scope the Incident

Once initial containment is in place, begin scoping:

Questions to answer:

  • What is the ransomware family? (Check the ransom note and the encrypted-file extension, or submit them to the ID Ransomware tool)
  • When was the initial intrusion? (Not when encryption started — when did the attacker first get in?)
  • What accounts and systems were compromised?
  • Was data exfiltrated before encryption? (Check DNS logs, proxy logs, firewall outbound traffic)
  • Are backups intact?
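Two of the questions above (when did the attacker first get in, and was data exfiltrated) can be answered from logs you already have. The following is an added example, not code from the article or from Security Arsenal: it runs over constructed, simplified key=value log lines (a VPN/AD authentication log and a firewall session log) and assumes an RFC 1918 internal address space and a constructed encryption start time. It finds the earliest successful logon per account from a non-internal source (a lower bound on dwell time), and sums outbound bytes per internal host to external destinations over the 7 days before encryption, ignoring east-west traffic. Real vendor logs differ, so parse_kv() needs adapting before use.

```python
"""Scoping helpers for hours 1-4 of a ransomware incident (added example,
not code from the article). Log lines are constructed samples in a
simplified key=value format; adapt parse_kv() to your vendor's format."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed: when the first encrypted file / ransom note appeared.
ENCRYPTION_START = datetime(2026, 2, 14, 2, 30, tzinfo=timezone.utc)

# Assumed internal address space (RFC 1918); adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed authentication log (VPN / AD logons, simplified).
AUTH_LOG = """\
2026-02-10T22:39:58Z user=svc_backup src=198.51.100.9 result=failure
2026-02-10T22:41:10Z user=svc_backup src=198.51.100.9 result=success
2026-02-11T09:02:14Z user=jdoe src=10.0.5.23 result=success
2026-02-12T03:15:40Z user=admin-it src=10.0.9.4 result=success
2026-02-13T01:12:30Z user=svc_backup src=10.0.9.4 result=success
"""

# Constructed firewall log: one line per session, bytes_out = bytes src sent to dst.
FW_LOG = """\
2026-02-13T01:20:00Z src=10.0.9.4 dst=203.0.113.77 dport=443 bytes_out=2100000000
2026-02-13T01:55:00Z src=10.0.9.4 dst=203.0.113.77 dport=443 bytes_out=1900000000
2026-02-13T10:00:00Z src=10.0.5.23 dst=93.184.216.34 dport=443 bytes_out=40000000
2026-02-13T11:00:00Z src=10.0.5.23 dst=10.0.1.10 dport=445 bytes_out=9000000000
2026-02-14T02:13:05Z src=10.0.9.4 dst=203.0.113.77 dport=443 bytes_out=300000000
"""


def parse_kv(line: str) -> dict[str, str]:
    """'<ts> k=v k=v ...' -> dict that also carries 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def first_external_logons(auth_log: str = AUTH_LOG) -> dict[str, tuple[datetime, str]]:
    """Earliest successful logon per account from a non-internal source.
    A lower bound on dwell time; evidence of, not proof of, the access vector."""
    first: dict[str, tuple[datetime, str]] = {}
    for line in auth_log.splitlines():
        rec = parse_kv(line)
        if rec["result"] != "success" or is_internal(rec["src"]):
            continue
        ts = parse_ts(rec["ts"])
        if rec["user"] not in first or ts < first[rec["user"]][0]:
            first[rec["user"]] = (ts, rec["src"])
    return first


def exfil_candidates(fw_log: str = FW_LOG,
                     encryption_start: datetime = ENCRYPTION_START,
                     lookback: timedelta = timedelta(days=7),
                     threshold_bytes: int = 1_000_000_000) -> list[tuple[str, int]]:
    """Internal hosts that sent >= threshold_bytes to external destinations in
    the lookback window before encryption, largest first. Internal-to-internal
    traffic (e.g. SMB copies to a file server) is ignored."""
    window_start = encryption_start - lookback
    totals: dict[str, int] = defaultdict(int)
    for line in fw_log.splitlines():
        rec = parse_kv(line)
        ts = parse_ts(rec["ts"])
        if not (window_start <= ts <= encryption_start) or is_internal(rec["dst"]):
            continue
        totals[rec["src"]] += int(rec["bytes_out"])
    flagged = [(host, b) for host, b in totals.items() if b >= threshold_bytes]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def estimated_dwell(auth_log: str = AUTH_LOG,
                    encryption_start: datetime = ENCRYPTION_START) -> timedelta | None:
    """Time between the earliest external logon seen and encryption start."""
    logons = first_external_logons(auth_log)
    if not logons:
        return None
    return encryption_start - min(ts for ts, _ in logons.values())


if __name__ == "__main__":
    for user, (ts, src) in first_external_logons().items():
        print(f"first external logon: {user} from {src} at {ts.isoformat()}")
    print("estimated dwell:", estimated_dwell())
    for host, total in exfil_candidates():
        print(f"exfil candidate: {host} sent {total / 1e9:.1f} GB externally")
```

On the constructed data the service account's first external logon is three days before encryption, and one host pushed 4.3 GB to a single external address in the hours before deployment; the 9 GB SMB transfer to an internal file server is correctly ignored. The threshold is a starting point, not a rule: compare against each host's normal daily egress where you have a baseline.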

Evidence to preserve:

  • Memory dumps of affected systems (before any reboot)
  • Windows Event Logs (Security, System, PowerShell)
  • EDR telemetry from your endpoint platform
  • Network flow data and firewall logs for the 7 days preceding the incident
  • Authentication logs (Active Directory, Azure AD, VPN)
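Preserved evidence is only useful later if you can show it was not altered after collection. The following is an added example, not code from the article or from Security Arsenal: it hashes every artifact under an evidence directory with SHA-256, writes a manifest recording case id, collector and collection time, and re-verifies the manifest so that a missing or modified file is reported. The artifact files in the demo are constructed placeholders written to a temporary directory, standing in for an EVTX export and a memory image.

```python
"""Evidence manifest with SHA-256 hashes for chain of custody (added example,
not code from the article). Artifacts in demo() are constructed placeholders."""
from __future__ import annotations

import hashlib
import json
import pathlib
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: pathlib.Path) -> str:
    """Stream in 1 MiB chunks; memory images are too large to read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: pathlib.Path, case_id: str, collector: str) -> dict:
    """Hash every file under evidence_dir and write MANIFEST.json beside them."""
    entries = []
    for path in sorted(evidence_dir.rglob("*")):
        if not path.is_file() or path.name == MANIFEST_NAME:
            continue
        entries.append({
            "path": path.relative_to(evidence_dir).as_posix(),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir: pathlib.Path) -> list[str]:
    """Re-hash everything listed; returns problems, an empty list means intact."""
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    problems = []
    for entry in manifest["entries"]:
        path = evidence_dir / entry["path"]
        if not path.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def demo() -> tuple[int, list[str], list[str]]:
    """Build a manifest over constructed artifacts, verify, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "logs").mkdir()
        # Constructed placeholders, not real evidence.
        (root / "logs" / "Security.evtx").write_bytes(b"placeholder evtx export")
        (root / "memory.raw").write_bytes(bytes(range(256)) * 16)
        manifest = build_manifest(root, case_id="CASE-0000", collector="analyst1")
        intact = verify_manifest(root)
        (root / "memory.raw").write_bytes(b"altered after collection")
        tampered = verify_manifest(root)
        return len(manifest["entries"]), intact, tampered


if __name__ == "__main__":
    count, intact, tampered = demo()
    print(f"{count} artifacts hashed; intact={intact}; after tamper={tampered}")
```

Hash a memory image immediately after acquisition and record the digest in the manifest before the image is copied anywhere; the manifest itself should then be stored separately from the evidence (or signed) so that an attacker who still has access to the evidence share cannot rewrite both.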

Hour 4–12: Parallel Workstreams

By hour 4 you should have containment in place and a preliminary scope. Now run these workstreams in parallel:

Workstream A: Forensics

IR analysts (internal or external) begin root cause analysis — identifying patient zero, attack path, and data exposure.

Workstream B: Recovery planning

IT begins assessing which systems can be restored from clean backups, which need rebuild, and in what order (prioritize critical business operations).
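Restoration order is a dependency problem as much as a priority problem: an application server restored before the domain controller and database it needs will not come up cleanly. The following is an added example, not code from the article or from Security Arsenal: it takes a constructed inventory (criticality tier, dependencies, and whether a confirmed-clean backup exists), orders systems with Kahn's topological sort using criticality as the tie-break, marks systems without a clean backup for rebuild, and refuses to plan if the dependency graph contains a cycle.

```python
"""Dependency-aware restoration order for Workstream B (added example, not
code from the article). The inventory below is constructed."""
from __future__ import annotations

import heapq

# Constructed inventory; in practice from the CMDB plus backup-verification
# results. criticality: 1 = most critical. clean_backup: verified clean copy exists.
INVENTORY = {
    "dc01":       {"criticality": 1, "depends_on": [], "clean_backup": True},
    "sql01":      {"criticality": 1, "depends_on": ["dc01"], "clean_backup": False},
    "erp":        {"criticality": 1, "depends_on": ["dc01", "sql01"], "clean_backup": True},
    "fileshare":  {"criticality": 2, "depends_on": ["dc01"], "clean_backup": True},
    "web-portal": {"criticality": 2, "depends_on": ["erp"], "clean_backup": True},
    "intranet":   {"criticality": 3, "depends_on": ["dc01"], "clean_backup": True},
}


def restoration_plan(inventory: dict[str, dict]) -> list[tuple[str, str]]:
    """Kahn's algorithm with a min-heap on (criticality, name): a system is never
    scheduled before its dependencies, and among systems that are ready the most
    critical goes first. Returns (system, 'restore' | 'rebuild') pairs."""
    indegree = {name: 0 for name in inventory}
    dependents: dict[str, list[str]] = {name: [] for name in inventory}
    for name, info in inventory.items():
        for dep in info["depends_on"]:
            if dep not in inventory:
                raise KeyError(f"{name} depends on unknown system {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [(inventory[n]["criticality"], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    plan: list[tuple[str, str]] = []
    while ready:
        _, name = heapq.heappop(ready)
        action = "restore" if inventory[name]["clean_backup"] else "rebuild"
        plan.append((name, action))
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (inventory[child]["criticality"], child))

    if len(plan) != len(inventory):  # something never reached indegree 0
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return plan


if __name__ == "__main__":
    for step, (system, action) in enumerate(restoration_plan(INVENTORY), 1):
        print(f"{step}. {action:<7} {system}")
```

On the constructed inventory the plan is dc01, sql01 (rebuild), erp, fileshare, web-portal, intranet: the rebuild of the database server is scheduled before the ERP system that needs it even though both are tier 1, and the low-criticality intranet waits although it was ready early.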

Workstream C: Legal and notification

Engage legal counsel. Determine whether breach notification obligations apply (HIPAA 72-hour notification requirement, state breach laws, SEC disclosure rules if the company is publicly traded).

Workstream D: Communications

Prepare internal communications, customer communications if applicable, and media holding statement. Do NOT communicate publicly before legal counsel review.


Hour 12–24: Controlled Restoration

Do not restore from backup until you have confirmed:

  1. The root cause (initial access vector) has been closed
  2. All attacker tooling and persistence mechanisms have been identified and removed
  3. Backups are confirmed clean (scan them before restoring)
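"Scan them before restoring" means more than running antivirus over the backup set: encrypted files rarely carry malware, so the scan must also look for the effects of encryption. The following is an added example, not code from the article or from Security Arsenal. It walks a backup tree and flags four conditions per file: a known encrypted-file extension, a ransom-note filename, a document whose header no longer matches its extension (encryption destroys the magic bytes), and high byte entropy in a file type that should be plain text. The extension and note-name lists are constructed placeholders to be replaced with the indicators of the family identified in hours 1-4; the backup tree in the demo is constructed in a temporary directory.

```python
"""Pre-restore scan of a backup set for signs of ransomware tampering (added
example, not code from the article). Indicator lists are placeholders."""
from __future__ import annotations

import hashlib
import math
import pathlib
import tempfile
from collections import Counter

# Constructed placeholders; replace with the identified family's indicators.
ENCRYPTED_EXTENSIONS = {".locked", ".enc"}
NOTE_NAME_MARKERS = ("decrypt", "restore_files", "how_to_recover")

# Expected leading bytes for common document types.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}
PLAINTEXT_TYPES = {".txt", ".csv", ".log", ".sql", ".xml", ".json"}
ENTROPY_LIMIT = 7.2   # bits per byte; English text is ~4.5, ciphertext ~8
HEADER_BYTES = 4096   # enough for both the magic and the entropy check


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify(path: pathlib.Path) -> list[str]:
    """Findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = path.suffix.lower()
    if ext in ENCRYPTED_EXTENSIONS:
        findings.append("ransomware-extension")
    if any(marker in path.name.lower() for marker in NOTE_NAME_MARKERS):
        findings.append("ransom-note")
    with path.open("rb") as fh:
        header = fh.read(HEADER_BYTES)
    if ext in MAGIC and not header.startswith(MAGIC[ext]):
        findings.append("magic-mismatch")
    if ext in PLAINTEXT_TYPES and len(header) >= 256 and shannon_entropy(header) > ENTROPY_LIMIT:
        findings.append("high-entropy")
    return findings


def scan_backup(root: pathlib.Path) -> dict[str, list[str]]:
    """Relative path -> findings, for every flagged file under root."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = classify(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for encrypted content."""
    out, seed = b"", b"seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


def demo() -> dict[str, list[str]]:
    """Scan a constructed backup tree containing clean and tampered files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "clean.pdf").write_bytes(b"%PDF-1.7\n" + b"x" * 300)
        (root / "notes.txt").write_bytes(b"Quarterly planning notes. " * 20)
        (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 300)
        (root / "ledger.csv.locked").write_bytes(_pseudo_ciphertext(2048))
        (root / "invoice.pdf").write_bytes(_pseudo_ciphertext(2048))
        (root / "audit.log").write_bytes(_pseudo_ciphertext(2048))
        (root / "README_DECRYPT.txt").write_bytes(b"placeholder note text")
        return scan_backup(root)


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(f"{rel}: {', '.join(findings)}")
```

The magic-byte and entropy checks matter because an operator may rename nothing and leave no note on the backup share; a backup set where every PDF has lost its `%PDF` header is encrypted whatever its extensions say. A single hit should halt the restore of that backup generation, not just that file, since a backup taken after the attacker gained access may also contain their tooling.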

Restoring to a still-compromised environment results in re-encryption — the most common failure mode in ransomware recovery.


The Retainer Advantage

Organizations with an IR retainer in place recover 3–4x faster than those engaging a firm during the incident, according to Coveware data. Why? Onboarding, NDAs, and scoping negotiations take 12–24 hours during an active incident. A retainer eliminates that.

Security Arsenal's Incident Response Retainer includes pre-onboarded access, a 2-hour response SLA, and dedicated forensics capacity reserved for retainer clients.


Tags: ransomware, incident-response, forensics, breach-response, recovery
