Ransomware Response: A Practical Playbook for the First 72 Hours

Ransomware attacks are stressful, chaotic, and expensive. The decisions you make in the first hours and days dramatically affect outcomes. This playbook provides a practical framework for the critical first 72 hours.

This is not a substitute for a comprehensive incident response plan. It is a field guide for when things go wrong and you need to act quickly.

Hour 0-1: Initial Response

Confirm and Contain

First, confirm you are actually dealing with ransomware. Ransom notes, encrypted files with strange extensions, or unusual system behavior are typical indicators. Once confirmed:

• Isolate affected systems from the network immediately
• Do not shut down systems unless actively encrypting
• Disconnect from external networks if attack is spreading
• Document what you observe: timestamps, affected systems, ransom note contents

Activate Your Team

Notify key personnel immediately:

• IT/Security leadership
• Executive leadership
• Legal counsel
• Communications/PR if you have them

Do not communicate about the incident over potentially compromised email or messaging systems. Use phone calls or out-of-band channels.

Hours 1-6: Assessment

Determine Scope

You need to understand the extent of the compromise:

• What systems are encrypted?
• What systems are still operating normally?
• Are backups affected?
• Is the attack still spreading?
• What data might have been exfiltrated?

Assess Business Impact

Understand what the organization cannot do while systems are down:

• What business operations are affected?
• What customer-facing services are down?
• What regulatory or contractual obligations are at risk?
• What is the financial impact per hour/day of downtime?

Evaluate Recovery Options

Can you recover without paying? Consider:

• Do you have clean, unaffected backups?
• When were backups last tested?
• Are there known decryptors for this ransomware variant?
• What is realistic recovery time from backups?

Hours 6-24: Decision Making

The Payment Question

Whether to pay ransom is a business decision with no universally right answer. Consider:

• Payment does not guarantee recovery—decryptors often fail or are slow
• Payment may fund criminal or hostile state activities
• Payment may invite future attacks
• Payment may violate sanctions if attackers are from certain countries
• Insurance may or may not cover ransom payments

If you are considering payment, engage professional negotiators and verify the attackers can actually provide working decryption before paying.

Notification Obligations

Most organizations have notification obligations:

• Regulatory reporting (varies by jurisdiction and industry)
• Law enforcement (recommended but often not required)
• Cyber insurance carrier (usually required within 24-48 hours)
• Customers/partners (if their data is affected)
• Board of directors

Work with legal counsel to understand your specific obligations.

Hours 24-72: Recovery and Investigation

Begin Recovery

If you have viable backups:

• Prioritize recovery of critical business systems
• Rebuild systems from known-good images, not just restore data
• Verify backups are clean before restoring
• Implement additional security controls before reconnecting

Investigate

Understanding how attackers got in prevents recurrence:

• What was the initial access vector?
• How long were attackers in the environment?
• What credentials are compromised?
• Are there backdoors that need to be removed?

If you lack forensic capability, engage professional investigators.

Communicate

Internal and external communication should be:

• Honest about what happened (within legal constraints)
• Clear about what you are doing
• Realistic about recovery timelines
• Coordinated across all channels

After Recovery: Learn and Improve

Once immediate crisis passes:

• Conduct a thorough post-incident review
• Document what worked and what did not
• Implement controls to prevent similar incidents
• Update incident response plans based on lessons learned
• Consider ongoing monitoring for attacker return