You’ve Been Hacked: What to Do in the First Hour of a Ransomware Attack

Files won’t open. Weird extensions everywhere. A ransom note on the desktop like it owns the place. Maybe your staff starts messaging you at the same time. “My screen is locked.” “Everything is slow.” “Is this a prank?”

It’s not a prank.

The first hour matters because ransomware spreads fast, and because this is when people accidentally make it worse: clicking around, rebooting random servers, paying too early, deleting evidence.

So here’s a practical, calm plan. You do not need to be a security expert to follow it.

The goal of the first hour

In the first 60 minutes, your job is to:

  1. Stop the bleeding (contain spread)
  2. Preserve proof (so you can recover and investigate)
  3. Start a clean recovery path (without tipping into chaos)

Think of ransomware like a kitchen fire. You don’t start redecorating the house. You close doors, cut the gas, get everyone out, and call the right help.

Minute 0 to 10: Confirm, contain, and slow everything down

1) Assume it’s real, fast

If you see a ransom note or mass file encryption, assume compromise.

Do not waste time debating if it’s a “glitch.”

2) Isolate affected machines immediately

Unplug the network cable or turn off WiFi. If it’s a server, disconnect it from the network at the switch or virtual network level.

Analogy: This is like closing watertight doors on a sinking ship. You’re trying to keep the flooding from reaching other rooms.

Do this for:

  • Any computer showing ransom notes or encrypted files
  • Any machine acting strange (sudden slowness, unknown processes, repeated reboots)

If you have an IT team, assign someone to isolate systems while someone else coordinates.

3) Stop shared access, fast

If you can, temporarily disable:

  • File shares
  • Remote desktop access
  • VPN access (for now)

Analogy: If thieves got into a building through a side door, you stop leaving all doors unlocked while you figure it out.

4) Do not shut everything off blindly

This is where people panic and make a mess.

Powering off can destroy volatile evidence (what is in memory: running processes, network connections, sometimes material that helps decryption) and break recovery options. If a machine is actively encrypting, isolation usually beats a hard shutdown. If it’s a critical server and encryption is still running, your IT lead may decide to shut it down. But don’t do random restarts.

Analogy: Don’t bulldoze the crime scene because you want it to look “clean.”

Minute 10 to 20: Start a written incident log (yes, actually)

Open a notes doc on a clean device (not one you suspect is infected) and log:

  • Time you first noticed symptoms
  • Which machines/users reported issues
  • Screenshots of ransom notes (photo from phone is fine)
  • File extensions changed (example: .locked, .xyz)
  • Any suspicious emails reported that day
  • Any admin actions taken (disabled accounts, unplugged servers, etc.)

Analogy: This is like writing down license plate numbers after a hit and run. Later, when adrenaline drops, you will forget details.

Also, pick one person to be the “scribe.” Too many cooks means missing facts.

Minute 20 to 35: Secure identity and cut off the attacker’s keys

Ransomware operators usually want more than encrypted files. They want control.

5) Reset passwords, but in the right order

Start with:

  • Domain admin / global admin accounts
  • Email admin accounts
  • Backup system accounts
  • VPN accounts

But do it from a known clean computer, ideally a freshly built one that was not joined to the domain before the incident. Note that changing a password does not end sessions that are already signed in; that is why forcing sign-outs (below) matters as much as the reset.

Analogy: If someone stole your house keys, you don’t just change the bedroom lock. You change the front door lock first.

If you use Microsoft 365 or Google Workspace, immediately:

  • Force sign-out of all sessions (a password reset alone does not invalidate tokens the attacker already holds)
  • Reset admin passwords
  • Review forwarding rules (attackers love hiding inbox rules that auto forward or redirect mail, often with a blank or one-character name and a “delete” or “mark as read” action so the victim never sees the copies)
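The rule review above is easier if you script it. Here is an added example (not code from the original article) that takes a mailbox’s inbox rules in the shape Microsoft Graph returns from `/users/{id}/mailFolders/inbox/messageRules`, flags every rule that forwards or redirects, rates external targets and “hide the copy” actions as worse, and builds the PATCH request that would switch a rule off. The rule objects, the `INTERNAL_DOMAINS` set and the sample mailbox are constructed assumptions; nothing here contacts a tenant.

```python
"""Flag inbox rules that forward or redirect mail (added example; not from the article).

Assumes rules in the shape returned by Microsoft Graph's
/users/{id}/mailFolders/inbox/messageRules (actions.forwardTo, redirectTo,
forwardAsAttachmentTo, delete, markAsRead, moveToFolder). The sample rules
below are constructed for illustration; nothing here talks to a real tenant.
"""
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_KEYS = ("delete", "markAsRead", "moveToFolder")  # actions that hide the forwarded copy


@dataclass
class Finding:
    mailbox: str
    rule_id: str
    display_name: str
    targets: list
    external: bool
    hides_copies: bool
    enabled: bool

    def severity(self):
        """External target plus a hiding action is the classic attacker mail tap."""
        if self.external and self.hides_copies:
            return "high"
        return "medium" if self.external else "low"


def _addresses(recipients):
    """Pull plain addresses out of Graph recipient objects."""
    return [r["emailAddress"]["address"].lower()
            for r in (recipients or [])
            if r.get("emailAddress", {}).get("address")]


def review_rules(mailbox, rules):
    """Return one Finding per rule that forwards or redirects anywhere."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        targets = [a for key in FORWARD_KEYS for a in _addresses(actions.get(key))]
        if not targets:
            continue
        external = any(a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS for a in targets)
        hides = any(actions.get(k) for k in HIDE_KEYS)
        findings.append(Finding(mailbox, rule.get("id", ""), rule.get("displayName", ""),
                                targets, external, hides, rule.get("isEnabled", True)))
    return findings


def disable_request(user_id, finding):
    """The Graph PATCH that would switch the rule off (built here, not sent)."""
    return {
        "method": "PATCH",
        "url": (f"https://graph.microsoft.com/v1.0/users/{user_id}"
                f"/mailFolders/inbox/messageRules/{finding.rule_id}"),
        "json": {"isEnabled": False},
    }


# Constructed sample: one harmless rule, one hidden attacker tap, one internal copy.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-newsletters"}},
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@mail-relay.invalid"}}],
                 "markAsRead": True, "delete": True}},
    {"id": "r3", "displayName": "Copy to assistant", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "assistant@example.com"}}]}},
]

if __name__ == "__main__":
    for f in review_rules("ceo@example.com", SAMPLE_RULES):
        print(f.severity(), f.rule_id, repr(f.display_name), f.targets, disable_request("ceo@example.com", f)["url"])
```

Inbox rules are only one place forwarding hides. Mailbox-level forwarding (the Exchange Online `ForwardingSmtpAddress` and `ForwardingAddress` mailbox properties) and organisation-wide transport rules are set elsewhere and need their own review; the same “external target” and “hides the copy” questions apply.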

6) Enable MFA everywhere you can

MFA (multi factor authentication) is like needing both a key and a door code. Even if the attacker has a password, MFA slows them down.

Turn it on for:

  • Email
  • VPN
  • Admin panels
  • Remote access tools

If MFA is already enabled, check the MFA registration list for phones, authenticator apps or other devices you don’t recognize. Attackers who have a password often enroll their own second factor so they keep access after the reset.

7) Disable suspicious accounts and tokens

If you see logins from strange locations or new admin accounts, disable them.

Analogy: If you find an unknown “employee badge” that opens every door, you deactivate it immediately.

Minute 35 to 45: Protect backups before you touch recovery

Backups are the line between a terrible week and a business ending disaster.

8) Immediately isolate backups

If your backups are connected to the network, ransomware may try to encrypt them too.

  • Disconnect backup storage from the network if possible
  • Pause backup jobs temporarily
  • Do not “test restore” on infected machines

Analogy: Backups are your spare oxygen tank. Don’t leave it in the burning room.

9) Identify your last known good backup

You’re looking for a restore point before the attacker got in, not just before encryption started. The gap between the two is often days or weeks, and any backup taken inside that gap may already contain the attacker’s tools or accounts.

If you have backup logs, note:

  • Last successful backup date
  • Where it’s stored
  • Whether it’s immutable/offline (best case)

Immutable means “can’t be changed,” like a sealed jar. Even if someone gets in, they cannot rewrite what’s inside.
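To show why “before the attacker got in” is the cutoff that matters, here is an added example (not code from the original article) that reads backup job logs, discards failed runs, and picks per system both the latest successful backup before the cutoff and the latest immutable or offline one. The log format, the two timestamps (an assumed suspicious VPN login as first attacker activity, an assumed first ransom note as the start of encryption) and the system names are all constructed for this example.

```python
"""Pick the last known good backup per system (added example; not from the article).

Assumptions: backup job logs are one line per run in the constructed format
below, and the earliest attacker activity has already been pinned down from
other evidence (here an assumed suspicious VPN login).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

PROTECTED = {"immutable", "offline"}  # copies the attacker could not rewrite


@dataclass
class BackupRun:
    finished: datetime
    system: str
    status: str
    location: str
    protection: str  # "immutable", "offline" or "mutable"


# Constructed sample log; real logs will differ in format.
SAMPLE_LOG = """\
2025-03-01T01:10:05Z fileserver01 success nas-backup01 mutable
2025-03-01T01:12:40Z fileserver01 success s3-objectlock immutable
2025-03-02T01:09:58Z fileserver01 success nas-backup01 mutable
2025-03-03T01:11:02Z fileserver01 failed nas-backup01 mutable
2025-03-03T01:14:19Z fileserver01 success s3-objectlock immutable
2025-03-04T01:10:44Z fileserver01 success nas-backup01 mutable
2025-03-02T02:00:01Z dc01 success nas-backup01 mutable
2025-03-03T02:00:07Z dc01 success nas-backup01 mutable
"""

# Assumed timeline: attacker first seen (odd VPN login) well before encryption started.
ATTACKER_FIRST_SEEN = datetime(2025, 3, 3, 0, 30, tzinfo=timezone.utc)
ENCRYPTION_STARTED = datetime(2025, 3, 4, 6, 0, tzinfo=timezone.utc)


def parse_log(text):
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, status, location, protection = line.split()
        finished = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        runs.append(BackupRun(finished, system, status, location, protection))
    return runs


def last_known_good(runs, cutoff):
    """Per system: (latest success before cutoff, latest immutable/offline success before cutoff)."""
    result = {}
    for run in sorted(runs, key=lambda r: r.finished):
        if run.status != "success" or run.finished >= cutoff:
            continue
        _, protected = result.get(run.system, (None, None))
        if run.protection in PROTECTED:
            protected = run
        result[run.system] = (run, protected)
    return result


def report(text=SAMPLE_LOG, cutoff=ATTACKER_FIRST_SEEN):
    """Human-readable lines for the incident log."""
    lines = []
    for system, (latest, protected) in sorted(last_known_good(parse_log(text), cutoff).items()):
        lines.append(f"{system}: last success before {cutoff:%Y-%m-%d %H:%M}Z -> "
                     f"{latest.finished:%Y-%m-%d %H:%M}Z on {latest.location} ({latest.protection})")
        if protected:
            lines.append(f"{system}: best restore point -> {protected.finished:%Y-%m-%d %H:%M}Z "
                         f"on {protected.location} ({protected.protection})")
        else:
            lines.append(f"{system}: WARNING no immutable/offline copy before cutoff; "
                         f"treat any restore as suspect")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run with the attacker-first-seen cutoff, fileserver01’s answer is the 2 March copy on mutable storage, with the 1 March object-lock copy as the safer restore point; with the encryption-start cutoff instead, the script would happily pick the 4 March backup that was taken while the attacker already had access. dc01 has no protected copy at all, which is the kind of fact you want in the log before anyone starts restoring.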

Minute 45 to 60: Call the right people and set the rules

10) Contact your incident response help

If you have:

  • A managed security provider (MSSP)
  • Cyber insurance breach hotline
  • An incident response firm

Call them now.

If you don’t, still call:

  • Your IT security consultant
  • A reputable incident response company
  • Your legal counsel (especially if you handle sensitive data)

Analogy: You call the fire department, not your cousin who once watched a plumbing video.

11) Decide who can communicate externally

Pick one spokesperson. Tell staff:

  • Do not email customers about this yet
  • Do not post on social media
  • Do not “ask the attacker questions” from personal accounts

Set up a clean communication channel. If email might be compromised, use phone, Signal, or a separate out-of-band system the attacker cannot read.

Analogy: In a storm, you need one weather radio, not 40 people shouting forecasts.

12) Preserve evidence, don’t “clean”

Do not run random antivirus scans that delete things. Do not wipe machines yet. Do not rename encrypted files.

If you can, capture:

  • A copy of the ransom note
  • A few encrypted files
  • System logs (your IT team can do this)

Record where each item came from and when it was taken, and keep the copies somewhere the attacker and your own cleanup cannot reach them. A hash of each file at collection time lets you prove later that nothing was altered.

Analogy: If you scrub the scene, you make it harder to identify the intruder and sometimes harder to recover.
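Here is an added example (not code from the original article) that does the evidence step and the incident-log step from minute 10 to 20 in one go: it copies each item aside, records who took it, when, from where, its size and original modification time, and its SHA-256, and chains every manifest entry to the previous one so a line cannot be removed or edited later without the verifier noticing. It assumes you run it from a clean workstation against a mounted share or disk image, never on the infected host; the sample ransom note and “encrypted” file in `demo()` are constructed.

```python
"""Copy evidence aside with a hash-chained manifest (added example; not from the article).

Assumptions: run from a clean workstation against a mounted share or a disk
image, never on the infected host; `collector` is whoever is acting as scribe.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.jsonl"
GENESIS = "0" * 64  # "previous entry" value for the first manifest line


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    """Hash of the entry with its own hash field left out."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _last_entry_hash(manifest):
    if not manifest.exists():
        return GENESIS
    lines = manifest.read_text().splitlines()
    return json.loads(lines[-1])["entry_sha256"] if lines else GENESIS


def collect_evidence(sources, dest_dir, collector, note=""):
    """Copy each source into dest_dir and append one chained manifest entry per file."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = dest / MANIFEST
    prev = _last_entry_hash(manifest)
    entries = []
    with open(manifest, "a") as out:
        for src in map(Path, sources):
            digest = sha256_file(src)
            stored = dest / f"{digest[:12]}_{src.name}"
            shutil.copy2(src, stored)           # copy2 keeps the source mtime
            if sha256_file(stored) != digest:   # guard against a bad copy
                raise RuntimeError(f"copy of {src} does not match source")
            st = src.stat()
            entry = {
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector,
                "source": str(src),
                "stored_as": stored.name,
                "size": st.st_size,
                "source_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest,
                "note": note,
                "prev_entry": prev,
            }
            entry["entry_sha256"] = _entry_hash(entry)
            out.write(json.dumps(entry, sort_keys=True) + "\n")
            prev = entry["entry_sha256"]
            entries.append(entry)
    return entries


def verify_evidence(dest_dir):
    """Recheck every stored copy and the chain; returns a list of problems (empty = good)."""
    dest = Path(dest_dir)
    problems, prev = [], GENESIS
    with open(dest / MANIFEST) as f:
        for n, line in enumerate(f, start=1):
            entry = json.loads(line)
            if entry["prev_entry"] != prev or _entry_hash(entry) != entry["entry_sha256"]:
                problems.append(f"entry {n}: manifest chain broken")
            stored = dest / entry["stored_as"]
            if not stored.exists() or sha256_file(stored) != entry["sha256"]:
                problems.append(f"entry {n}: {entry['stored_as']} missing or altered")
            prev = entry["entry_sha256"]
    return problems


def demo():
    """Constructed sample: a ransom note and one 'encrypted' file in a temp dir."""
    root = Path(tempfile.mkdtemp())
    share = root / "share"
    share.mkdir()
    (share / "README_TO_DECRYPT.txt").write_text("Your files are encrypted. (constructed sample)\n")
    (share / "budget.xlsx.locked").write_bytes(bytes(range(256)) * 4)
    evidence = root / "evidence"
    entries = collect_evidence([share / "README_TO_DECRYPT.txt", share / "budget.xlsx.locked"],
                               evidence, collector="scribe", note="fileserver01 share, first hour")
    clean = verify_evidence(evidence)
    # Simulate someone "cleaning" a stored copy after collection.
    (evidence / entries[1]["stored_as"]).write_bytes(b"scrubbed")
    tampered = verify_evidence(evidence)
    return {"entries": len(entries), "clean_problems": clean, "tampered_problems": tampered,
            "note_sha256": entries[0]["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest lines double as incident-log entries: collector, time, source and a short note. Because each entry carries the hash of the previous one, the verifier reports a broken chain if a line is deleted or edited, and reports an altered file if a stored copy is touched, which is the check an incident response firm or insurer will want before they trust what you hand over.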

What you should NOT do in the first hour

These are common mistakes.

  • Do not pay immediately. Paying is a business decision with legal and practical risks. Also, some victims pay and still do not get working decryptors.
  • Do not keep “trying things” on the infected network. Random tools can spread damage.
  • Do not trust the attacker’s timeline. “Pay in 24 hours” is pressure, not truth.
  • Do not assume it’s only encryption. Many attacks include data theft first.

Analogy for data theft: Imagine someone photocopied your filing cabinet before setting it on fire.

A quick first hour checklist (copy this)

  • Isolate infected machines (pull network, disable WiFi)
  • Pause VPN/remote access if needed
  • Start incident log (time, systems, screenshots)
  • Reset admin passwords from a clean device
  • Force sign-out sessions, review email forwarding rules
  • Turn on MFA for critical accounts
  • Isolate backups and confirm last known good backup
  • Call cyber insurance / incident response / legal
  • Set internal comms rules and one spokesperson
  • Preserve evidence, do not wipe or “clean”

After the first hour, what comes next (briefly)

Once the bleeding is slowed, the next phase is:

  • Figure out initial entry point (phishing, exposed RDP, stolen VPN creds, unpatched software)
  • Determine scope (which systems, what data)
  • Decide restore strategy (rebuild from clean images, restore from offline backups)
  • Handle legal notifications if data was stolen
  • Hardening so it doesn’t happen again

But that’s hour two and beyond.

For now, if you’re in it: breathe. Contain first. Write things down. Protect backups. Call the right help.

That’s how you keep a bad day from becoming a full collapse.

FAQs (Frequently Asked Questions)

What should I do immediately after discovering a ransomware attack?

Assume the ransomware attack is real and act fast. Immediately isolate affected machines by unplugging network cables or turning off WiFi to contain the spread. Avoid rebooting or shutting down systems blindly, as this can destroy volatile evidence and complicate recovery.

Why is it important to start an incident log during a ransomware attack?

Starting a written incident log on a clean device helps document critical details such as the time symptoms were first noticed, affected machines, screenshots of ransom notes, file extensions changed, suspicious emails, and any admin actions taken. This log serves as essential evidence for investigation and recovery efforts.

How do I secure identities and prevent attackers from maintaining control during a ransomware incident?

Reset passwords for domain admin, email admin, backup system, and VPN accounts from a known clean computer in the correct order. Enable multi-factor authentication (MFA) on all critical systems like email, VPN, admin panels, and remote access tools. Also, disable any suspicious accounts or tokens that show unauthorized activity.

What steps should be taken to protect backups during a ransomware attack?

Immediately isolate backup storage from the network and pause backup jobs temporarily to prevent encryption of backups. Identify your last known good backup—one made before the attacker gained access—and verify if it is immutable or offline to ensure safe recovery options.

When should I contact external help during a ransomware incident?

Within the first hour of detecting ransomware, contact your managed security provider (MSSP), cyber insurance breach hotline, incident response firm, IT security consultant, or legal counsel. Promptly involving experts ensures coordinated response and mitigates further damage.

Why is it risky to reboot or power off infected machines during a ransomware attack?

Rebooting or shutting down machines randomly can destroy volatile evidence crucial for investigation and may break recovery options. Instead, isolate systems while they are running if possible; only shut down critical servers with active encryption under expert guidance to avoid worsening the situation.
