The decisions made in the first three days after a ransomware incident determine whether you recover in weeks or months. Most companies do not know what those decisions are until they are making them.
Hours 0–4: Contain, Do Not Eradicate
The first instinct when ransomware is detected is to shut down or reimage infected systems. This is the wrong first move if it happens before you have captured forensic evidence. Containment — isolating affected systems from the network — is the immediate priority. Eradication (cleaning or reimaging) comes after forensics, not before. If you eradicate before forensic capture, you lose the ability to understand the attack vector, the dwell time, and the scope — information that is critical for regulatory notification and insurance claims. Isolate first; call your incident response firm before you reimage anything.
Hours 4–24: Scope Assessment and Notification
The scope assessment determines how far the attacker reached before deploying ransomware. Ransomware is typically the last step of an intrusion, not the first — the attacker has often been inside the environment for days or weeks, exfiltrating data or establishing persistence. Your IR firm will analyse network traffic logs, Active Directory authentication logs, and any available EDR telemetry to establish a timeline. While this is running, notify your cyber insurance carrier, legal counsel, and — if required by regulation — begin the clock on your breach notification timeline (HIPAA: 60 days; state data breach laws: typically 30-72 hours).
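The timeline work described above can be illustrated with a small script. This is an added example, not code from the article or from any IR firm: it walks a constructed set of simplified Windows-style authentication events (4624 successful logon, 4625 failed logon, 4672 privileged logon; the pipe-separated layout, host names, addresses and the choice of internal address ranges are all assumptions) and records the first occurrence of each milestone an analyst looks for when establishing initial access, lateral movement and dwell time.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of simplified Windows Security events; not a real capture.
# Event IDs follow Windows conventions (4624 success, 4625 failure, 4672 special
# privileges assigned). The "timestamp|event_id|account|source_ip|host" layout
# is an assumption made for this example.
SAMPLE_EVENTS = """\
2024-03-01T08:12:03|4624|jsmith|10.0.5.21|WKS-0117
2024-03-01T08:40:55|4624|jsmith|10.0.5.21|WKS-0117
2024-03-03T02:14:09|4625|svc_backup|203.0.113.45|VPN-GW
2024-03-03T02:14:31|4625|svc_backup|203.0.113.45|VPN-GW
2024-03-03T02:15:02|4624|svc_backup|203.0.113.45|VPN-GW
2024-03-03T02:31:44|4624|svc_backup|10.0.5.21|FS-01
2024-03-04T23:02:10|4624|svc_backup|10.0.5.21|DC-01
2024-03-04T23:02:12|4672|svc_backup|10.0.5.21|DC-01
2024-03-05T01:10:00|4624|svc_backup|10.0.5.21|FS-02
2024-03-05T01:12:00|4624|svc_backup|10.0.5.21|ERP-APP
2024-03-18T03:30:00|4624|svc_backup|10.0.5.21|FS-03
"""

# Assumption: the moment the ransom note was found, which ends the intrusion window.
DETECTION_TIME = datetime.fromisoformat("2024-03-18T04:00:00")

# Assumption: these address ranges are the organisation's internal networks.
INTERNAL_PREFIXES = ("10.", "192.168.")


@dataclass
class Event:
    ts: datetime
    event_id: int
    account: str
    src_ip: str
    host: str


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-separated sample into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ip, host = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), account, ip, host))
    return sorted(events, key=lambda e: e.ts)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def build_timeline(events: list[Event], detection_time: datetime) -> dict:
    """Record the first occurrence of each milestone, in event order.

    initial_access:    first successful logon from a non-internal address
    password_guessing: a success preceded by two or more failures for the same account/IP
    privileged_logon:  first 4672 for an account already seen in initial_access
    lateral_movement:  a compromised account reaching its third distinct host
    hosts_touched:     every host each compromised account logged on to (scope)
    dwell_time:        detection_time minus the initial_access timestamp
    """
    milestones: dict = {}
    failures: dict[tuple[str, str], int] = {}
    compromised: set[str] = set()
    hosts_touched: dict[str, set[str]] = {}

    for e in events:
        if e.ts > detection_time:
            break  # later events belong to the response, not the intrusion
        key = (e.account, e.src_ip)
        if e.event_id == 4625:
            failures[key] = failures.get(key, 0) + 1
        elif e.event_id == 4624:
            if not is_internal(e.src_ip):
                compromised.add(e.account)
                milestones.setdefault("initial_access", e)
            if failures.get(key, 0) >= 2:
                milestones.setdefault("password_guessing", e)
            if e.account in compromised:
                hosts = hosts_touched.setdefault(e.account, set())
                hosts.add(e.host)
                if len(hosts) >= 3:
                    milestones.setdefault("lateral_movement", e)
        elif e.event_id == 4672 and e.account in compromised:
            milestones.setdefault("privileged_logon", e)

    if "initial_access" in milestones:
        milestones["dwell_time"] = detection_time - milestones["initial_access"].ts
    milestones["hosts_touched"] = {a: sorted(h) for a, h in hosts_touched.items()}
    return milestones


def analyse_sample() -> dict:
    """Run the timeline over the constructed sample with the assumed detection time."""
    return build_timeline(parse_events(SAMPLE_EVENTS), DETECTION_TIME)


if __name__ == "__main__":
    for name, value in analyse_sample().items():
        print(f"{name:18} {value}")
```

On this sample the dwell time comes out at just over fifteen days, which is the figure that drives both the regulatory notification scope and the insurance claim; the hosts_touched list is the starting point for the scope assessment, and the jsmith account, which never authenticated from outside, is correctly left out of it.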
Hours 24–48: Recovery Sequencing
Recovery does not mean rebuilding everything simultaneously — it means sequencing recovery to restore the most business-critical functions first. Define your Recovery Time Objectives before an incident; in the middle of one, decision-making under pressure leads to poor sequencing. The most common mistake is spending the first 48 hours on email recovery while core operational systems (ERP, CRM, production systems) remain down. Email can run on a backup provider for weeks; the system that processes orders, dispatches jobs, or manages patient records cannot.
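One way to turn pre-defined RTOs into an actual restoration order, as an added example that is not part of the article: the inventory below (system names, RTO values in hours and the dependency edges) is invented for illustration. The script goes one step beyond the paragraph by propagating deadlines through dependencies, so that a database with a generous RTO of its own still has to come back within the RTO of the order-processing system that needs it, and then orders restoration with a topological sort that always picks the ready system with the tightest effective deadline.

```python
# Constructed inventory: name -> (RTO in hours, systems it depends on).
# Every value and edge here is an assumption for the example, not from the article.
SYSTEMS = {
    "identity": (4,   []),                               # directory service
    "network":  (2,   []),
    "database": (24,  ["network"]),
    "erp":      (8,   ["identity", "database"]),         # order processing
    "dispatch": (8,   ["identity", "database", "network"]),
    "crm":      (48,  ["identity", "database"]),
    "email":    (72,  ["identity"]),                     # can run on a backup provider
    "intranet": (120, ["identity", "email"]),
}


def effective_deadlines(systems: dict) -> dict:
    """A dependency must be restored no later than the tightest deadline of
    anything that depends on it. Deadlines only ever decrease, so the loop converges."""
    deadline = {name: rto for name, (rto, _) in systems.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, deps) in systems.items():
            for dep in deps:
                if deadline[name] < deadline[dep]:
                    deadline[dep] = deadline[name]
                    changed = True
    return deadline


def tightened_deadlines(systems: dict) -> dict:
    """Systems whose own RTO is looser than what their dependents require:
    name -> (declared RTO, effective deadline)."""
    deadline = effective_deadlines(systems)
    return {n: (rto, deadline[n]) for n, (rto, _) in systems.items() if deadline[n] < rto}


def recovery_order(systems: dict) -> list:
    """Kahn's topological sort, choosing among ready systems by effective deadline.
    Raises ValueError if the dependency graph contains a cycle."""
    deadline = effective_deadlines(systems)
    indegree = {n: len(deps) for n, (_, deps) in systems.items()}
    dependents = {n: [] for n in systems}
    for n, (_, deps) in systems.items():
        for dep in deps:
            dependents[dep].append(n)

    ready = [n for n, k in indegree.items() if k == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (deadline[n], n))  # tightest deadline first, name as tiebreak
        current = ready.pop(0)
        order.append(current)
        for m in dependents[current]:
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)

    if len(order) != len(systems):
        stuck = sorted(set(systems) - set(order))
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


if __name__ == "__main__":
    for name, (rto, eff) in tightened_deadlines(SYSTEMS).items():
        print(f"{name}: declared RTO {rto}h, must be back within {eff}h")
    print(" -> ".join(recovery_order(SYSTEMS)))
```

With the sample inventory the database's declared 24-hour RTO is tightened to 8 hours by the ERP and dispatch systems that depend on it, and email lands near the end of the sequence despite being the service users complain about first. The cycle check matters in practice: two systems that each list the other as a prerequisite cannot be sequenced at all, and that is exactly the kind of inconsistency a plan written during an incident tends to contain.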
Hours 48–72: The Ransom Question
The ransom payment question is not a technology decision — it is a legal, insurance, and business continuity decision. Paying does not guarantee decryption keys work, does not prevent the attacker from publishing exfiltrated data, and in some cases may violate OFAC sanctions if the threat actor is a sanctioned entity. Your legal counsel, cyber insurance carrier, and incident response team should all be involved before any payment decision is made. Approximately 50% of companies that pay still experience significant data loss or re-encryption.
- Contain before eradicating — forensic evidence captured before reimaging is critical for understanding scope and regulatory compliance
- Notify your cyber insurance carrier and legal counsel within the first 24 hours — breach notification clocks start immediately under some regulations
- Recovery sequencing matters — prioritise operational systems over email; define RTOs before an incident, not during one
- Ransom payment decisions require legal counsel, insurance carrier, and IR team involvement — do not make them unilaterally or under time pressure