Incident Response | May 2025 | 11 min read

What Happens the Hour After a Ransomware Attack (A Real Playbook)

The first 60 minutes after ransomware fires determine whether you recover in days or months. Most organizations improvise their way through them. This is the playbook that should exist before the incident, not after.

What You Are Actually Dealing With

Ransomware is not a single event. By the time you see the ransom note, the attackers have already been in your environment for days or weeks. The Colonial Pipeline attack in May 2021 involved a compromised VPN credential. The ransomware deployment was the final step of an intrusion that likely began much earlier. The attackers had already mapped the network, identified critical systems, and staged their payload before pulling the trigger. MGM Resorts in September 2023 was similar: the initial access came through a 10-minute social engineering call to the IT help desk, and ALPHV/BlackCat had already exfiltrated data before the encryption phase began.

This context matters because your first 60 minutes need to account for two simultaneous problems: stopping the spread of active encryption and beginning to understand the scope of what was already compromised before you noticed. These require different actions and different mindsets.

Minutes 0 to 15: Contain Before You Investigate

The first instinct is usually to start investigating, to understand what happened, which files are encrypted, which systems are affected. Resist this. Contain first.

Isolate affected systems from the network immediately. This means pulling network cables or disabling switch ports, not just shutting systems down. If you power down an infected system before isolating it, you may lose volatile memory that contains decryption keys or attacker tooling. If the system is still running and you can safely isolate it at the network layer first, do that. Active ransomware propagates over the network using SMB, RDP, and shared credentials. Every minute of network connectivity is more encryption.

Disable VPN and remote access services at the perimeter. If the attacker still has active sessions, cutting network access to affected internal systems is not enough if they can re-enter through a remote access gateway. Kill the VPN concentrator, disable Citrix, take down RDP exposure at the firewall. This will disrupt legitimate remote workers. Do it anyway.

Alert your security operations center or incident response retainer immediately. If you do not have either, call your cyber insurance carrier. Most policies include access to a panel IR firm as part of the coverage. Do not try to run a major ransomware incident without experienced help.

Minutes 15 to 30: Preserve Evidence Before You Remediate

This is where most organizations damage their own investigation. Under pressure to restore systems, responders start wiping and reimaging machines before forensic images are taken. You lose your ability to understand the attack chain, identify the initial access vector, and confirm whether data was exfiltrated.

Take memory dumps of affected systems that are still running. Tools like WinPMEM or Magnet RAM Capture can do this without shutting down the machine. Memory contains process lists, network connections, encryption keys, and attacker tooling that disappears the moment the system reboots. This is critical forensic evidence.

Preserve disk images of affected systems before any remediation. Use forensically sound methods: write-blockers if you are imaging physical hardware, snapshots if you are in a virtualized or cloud environment. Keep copies of the ransom note and any files created by the attacker, including any scripts, batch files, or executables you find in unexpected locations.

Pull firewall and authentication logs immediately and archive them to an isolated system. Attackers sometimes delete or manipulate logs to cover their tracks. Your log retention policy and whether logs ship to an external SIEM determine how much history you have to work with. If you have a SIEM, confirm it is not on a system that was encrypted.
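One way to carry out the artifact and log preservation step with a verifiable record, as an added example (Python; not from the article or any tool it names; the `preserve_artifacts` helper, the file names and the `ir-analyst-1` collector tag are constructed):

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_artifacts(sources: list, evidence_dir: str, collector: str) -> dict:
    """Hypothetical helper (not the article's tooling): copy each source file into
    evidence_dir, verify the copy by hash, and write a manifest.json beside it."""
    os.makedirs(evidence_dir, exist_ok=True)
    artifacts = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        if (digest := sha256_of(dst)) != sha256_of(src):
            raise RuntimeError(f"copy verification failed for {src}")
        artifacts.append({"original_path": os.path.abspath(src),
                          "evidence_path": dst, "sha256": digest})
    manifest = {"collected_at_utc": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "evidence_dir": evidence_dir,
                "artifacts": artifacts}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_manifest(evidence_dir: str) -> list:
    """Re-hash every preserved artifact; return names whose hash no longer matches."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [os.path.basename(a["evidence_path"]) for a in manifest["artifacts"]
            if sha256_of(a["evidence_path"]) != a["sha256"]]

def demo() -> dict:
    """Constructed sample inputs: a ransom note and one firewall log line in a temp dir."""
    work = tempfile.mkdtemp()
    note, log = os.path.join(work, "README_RECOVER.txt"), os.path.join(work, "fw.log")
    with open(note, "w") as f:
        f.write("Your files have been encrypted.\n")
    with open(log, "w") as f:
        f.write("2025-05-01T02:14:07Z deny tcp 10.0.5.23:49211 -> 203.0.113.9:445\n")
    return preserve_artifacts([note, log], os.path.join(work, "evidence"), "ir-analyst-1")
```

Run `verify_manifest` again before handing the evidence to counsel or the IR firm; any name it returns has changed since collection.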

Minutes 30 to 60: Assess Scope and Initiate Recovery Planning

By 30 minutes in, you should have initial containment in place and evidence preservation underway. Now you need a damage assessment. Which systems are encrypted? Which appear unaffected? Is the domain controller compromised? If it is, your entire Active Directory infrastructure is suspect and recovery becomes significantly more complex.
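A scope-triage helper added here to illustrate the "which systems are encrypted" question; it is not the article's tooling, and the `.locked` extension, the ransom-note name hints and the entropy threshold are assumptions:

```python
import math
import os
import tempfile
from collections import Counter

# Hypothetical triage helper, not the article's tooling; the note-name hints and the
# .locked extension used below are constructed, real families use their own.
RANSOM_NOTE_HINTS = ("readme", "recover", "decrypt", "how_to", "restore")
ENTROPY_THRESHOLD = 7.5  # bits per byte: ciphertext nears 8.0, plain text sits near 4-5

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk root and collect probable ransom notes and high-entropy (likely encrypted) files."""
    report = {"files": 0, "high_entropy": [], "ransom_notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            report["files"] += 1
            lower = name.lower()
            if lower.endswith(".txt") and any(h in lower for h in RANSOM_NOTE_HINTS):
                report["ransom_notes"].append(path)
                continue
            with open(path, "rb") as f:
                head = f.read(sample_bytes)  # sampling the head keeps this fast on big volumes
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(path)
    return report

def likely_encrypted(report: dict, min_ratio: float = 0.5) -> bool:
    """Host-level verdict: a ransom note, or most sampled files looking like ciphertext."""
    if report["ransom_notes"]:
        return True
    return report["files"] > 0 and len(report["high_entropy"]) / report["files"] >= min_ratio

def demo() -> dict:
    """Constructed sample tree: three 'encrypted' files, one plain document, one ransom note."""
    root = tempfile.mkdtemp()
    for i in range(3):
        with open(os.path.join(root, f"report{i}.docx.locked"), "wb") as f:
            f.write(os.urandom(4096))  # random bytes stand in for ciphertext
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("Quarterly planning notes, nothing unusual here.\n" * 40)
    with open(os.path.join(root, "README_RECOVER.txt"), "w") as f:
        f.write("Your files have been encrypted.\n")
    return triage_tree(root)
```

Compressed or already-encrypted formats (zip, jpeg, pdf, office files) also score near 8 bits per byte, so treat `high_entropy` as a lead to confirm against the ransom note and file-extension changes, not as proof on its own.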

Check your backup systems. Are they intact? Are they isolated from the production network, or were they on domain-joined systems that were also encrypted? This is the single most consequential question for your recovery timeline. Attackers routinely target backup infrastructure specifically because they know it is your path to recovery without paying. If your backups are clean and recent, you are looking at days to recover. If backups were also encrypted, you are in a much harder position.

Notify legal counsel and your CISO or executive team. Ransomware incidents involving personal data may trigger mandatory breach notification obligations under GDPR, HIPAA, state breach notification laws, or SEC disclosure rules if you are a public company. The 72-hour GDPR notification window starts running immediately. You need legal involved from the first hour.

Should You Pay the Ransom?

This is the question everyone wants a simple answer to. There is not one, but there are honest considerations.

The case for not paying: payment funds criminal organizations, encourages future attacks against you and others, does not guarantee full recovery (decryptors are often slow, buggy, and incomplete), and does not prevent the attacker from selling or publishing exfiltrated data regardless of payment. The FBI's official position is that organizations should not pay. OFAC sanctions rules mean that paying certain groups (including some RaaS operators) can expose you to regulatory liability.

The case for paying: sometimes it is cheaper than the recovery alternative, particularly for small organizations without good backups. Colonial Pipeline paid $4.4 million. The DOJ subsequently recovered $2.3 million of it, which is unusual. MGM chose not to pay and reported losses exceeding $100 million from the incident. Caesars, hit by the same group around the same time, reportedly paid approximately $15 million. Whether Caesars or MGM made the better decision financially is genuinely unclear.

The honest analysis: if you have clean backups and a tested recovery procedure, you almost certainly should not pay. If you have no backups or your backups were also encrypted, the calculus shifts. If the data exfiltrated is genuinely sensitive and publication would be catastrophic, that adds another variable. Run this analysis with legal counsel and your IR firm, not under a 48-hour deadline in the middle of an incident. The time to decide your payment philosophy is before the attack, not during it.

How Preparation and Automation Change the Equation

The organizations that recover fastest from ransomware share specific characteristics. They have network segmentation that limits blast radius. They have immutable backups stored in a location the ransomware cannot reach: an offline tape library, an air-gapped cloud storage account, or a separate backup environment with different credentials. They have a tested incident response plan with named roles and pre-authorized decisions. And they have detection capabilities that catch attacker activity during the dwell period before encryption starts.

Automated detection is the most impactful investment you can make for ransomware specifically. The average dwell time before ransomware deployment is around 9 days. That is 9 days during which an EDR solution with behavioral detection, or a network monitoring platform watching for lateral movement, could have flagged anomalous activity. Colonial Pipeline could have caught the intrusion before the ransomware deployed. The tools to do this existed in 2021.
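To show what "watching for lateral movement" during the dwell period can look like in log data you already collect, an added example (not the article's code and not a rule from NexusVoid or any EDR product; the pipe-delimited event format, the thresholds and the sample accounts and hosts are constructed):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical detector: flags one account authenticating to many distinct hosts in a
# short window, the fan-out pattern typical of lateral movement before encryption.
HOST_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
LATERAL_LOGON_TYPES = {3, 10}  # Windows logon types: 3 = network (SMB), 10 = RDP

def parse_event(line: str) -> dict:
    """Parse a constructed pipe-delimited logon record: time|account|src|dst|logon_type."""
    ts, account, src, dst, logon_type = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "logon_type": int(logon_type)}

def detect_fan_out(lines, threshold=HOST_THRESHOLD, window=WINDOW) -> list:
    """Return one alert per account that reaches >= threshold distinct hosts within window."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e["time"])
    per_account = defaultdict(list)
    for e in events:
        if e["logon_type"] in LATERAL_LOGON_TYPES:
            per_account[e["account"]].append(e)
    alerts = []
    for account, evs in per_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:  # slide the window forward
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"account": account, "first": evs[start]["time"].isoformat(),
                               "last": evs[end]["time"].isoformat(), "hosts": sorted(hosts)})
                break  # first crossing is enough; later events would only repeat the alert
    return alerts

# Constructed sample: a service account sweeps six servers in under four minutes; a user
# account touches one share plus an interactive logon (type 2, ignored by the rule).
SAMPLE_LOG = """\
2025-05-01T02:10:00|CORP\\svc_backup|WS-113|FS-01|3
2025-05-01T02:10:40|CORP\\svc_backup|WS-113|FS-02|3
2025-05-01T02:11:15|CORP\\svc_backup|WS-113|DC-01|3
2025-05-01T02:12:02|CORP\\svc_backup|WS-113|SQL-01|10
2025-05-01T02:12:50|CORP\\svc_backup|WS-113|BACKUP-01|3
2025-05-01T02:13:30|CORP\\svc_backup|WS-113|FS-03|3
2025-05-01T08:15:00|CORP\\jsmith|WS-044|FS-02|3
2025-05-01T08:16:00|CORP\\jsmith|WS-044|HR-APP|2
"""

def demo() -> list:
    return detect_fan_out(SAMPLE_LOG.splitlines())
```

Backup agents and scanners legitimately fan out on a schedule, so baseline the threshold per account and allowlist known schedulers before routing this to on-call; the point is that the pattern is visible in authentication logs days before the encryption phase.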

Backup strategy is equally critical. The 3-2-1 rule remains the baseline: 3 copies of data, on 2 different media types, with 1 copy offsite. For ransomware specifically, add immutability: at least one copy should be write-once or stored in a location that cannot be accessed with your production credentials. If your backup target is a domain-joined Windows server with the same admin credentials as your production environment, it will be encrypted alongside everything else.

Build the Playbook Before You Need It

Document your incident response plan now. Identify who makes the call to isolate systems and who has the authority to shut down production services. Pre-negotiate your IR retainer before an incident. Know your cyber insurance policy: what is covered, what the reporting requirements are, and which IR firms are on the approved panel. Run a tabletop exercise at least once a year that specifically simulates a ransomware scenario with your executive team in the room.

The first 60 minutes of a ransomware incident are not the time to make decisions for the first time. Every decision you can make in advance, every pre-authorized action, every pre-staged tool, reduces the chaos and confusion that attackers rely on. The organizations that recover well are not necessarily the ones with the biggest security budgets. They are the ones that prepared.

Detect threats before they detonate

NexusVoid runs continuous threat detection and automated response so attackers do not get 9 days of dwell time in your environment.
