
Ransomware Incident Response: The 72-Hour Playbook Every Company Needs Before It Happens

Lorikeet Security Team April 7, 2026 13 min read

TL;DR: Ransomware incidents are won or lost in the first four hours. The organizations that recover quickly are the ones that built and tested their playbook before the attack. This guide provides an hour-by-hour framework covering immediate containment (hours 0-4), forensic investigation and communication (hours 4-24), and recovery operations (hours 24-72) — along with the pre-incident preparations that make the difference between a recoverable incident and an existential crisis.

The 72-Hour Response Timeline

Phase         | Timeframe    | Primary Objective                   | Key Actions
Containment   | Hours 0-4    | Stop the spread                     | Isolate systems, preserve evidence, activate IR team
Investigation | Hours 4-24   | Understand scope and impact         | Identify variant, determine entry vector, assess data exfiltration
Communication | Hours 4-24   | Manage stakeholders and obligations | Notify legal, regulators, insurers, and affected parties
Recovery      | Hours 24-72  | Restore operations safely           | Validate backups, rebuild systems, restore in priority order
Hardening     | Hours 48-72+ | Prevent recurrence                  | Close entry vector, reset credentials, improve monitoring

Hours 0-4: Containment Is Everything

The first four hours after ransomware detection determine the scope of the incident. Visible encryption is the last stage of the intrusion, not the first: initial access and persistence typically occurred days or weeks earlier. By the time encryption begins, the attacker has usually established multiple persistence mechanisms, exfiltrated data for double extortion leverage, and mapped the network to identify the highest-value targets (domain controllers, file servers, backup infrastructure).

Containment is not optional and it is not gradual. Every minute of delay allows encryption to spread to additional file shares, database servers, and backup systems. The containment playbook must be executable by any member of the IT team — not just senior engineers — because the incident may begin at 2 AM on a Saturday.

Immediate Containment Actions

  1. Isolate affected systems from the network. Use your EDR platform's host isolation where it is available, since it cuts the attacker's traffic while keeping the agent's channel to the console open; otherwise pull the ethernet cable and disable the WiFi adapter. Do NOT power off systems unless isolating them from the network is impossible: volatile memory contains forensic evidence (encryption keys, process information, network connections) that is permanently lost on shutdown, and a memory image, if it can be captured without delaying isolation, is often the most valuable artifact the investigation will get.
  2. Block attacker communications at the network edge. If threat intelligence identifies C2 domains or IP addresses for the ransomware variant, block them at the firewall and sinkhole them in DNS immediately. If the C2 infrastructure is unknown, consider temporarily blocking all outbound traffic from affected network segments, keeping explicit allow rules only for the EDR and remote-access channels the responders themselves depend on. Sanity-check every indicator before it becomes a rule: a typo or an internal address in a threat feed can take your own infrastructure offline in the middle of the response.
  3. Disable compromised accounts. The attacker is almost certainly operating with compromised domain credentials. Disable those accounts, force a password reset, and revoke existing sessions and tokens, because a password change on its own does not end sessions that are already established. Look for accounts the attacker created or added to privileged groups as well. In severe cases, disable all accounts except those needed for incident response and re-enable them as they are verified clean.
  4. Isolate backup systems. If your backup infrastructure has not been encrypted, disconnect it from the network immediately. Attackers target backups specifically to eliminate the recovery option: backup servers (Veeam and similar), backup storage, cloud sync agents, and the backup administrator accounts that can delete or expire backup sets are all primary targets. Confirm that any offline or immutable copies really are unreachable from the compromised domain.
  5. Activate the incident response team. This includes internal IT/security, executive leadership, legal counsel, your cyber insurance carrier's incident response hotline, and any retained external IR firm. Do not wait to assess severity: activate the full team and stand down resources you do not need. Start an incident log now (who did what, when, and why); it feeds the insurance claim, the regulatory notifications, and the post-incident review.
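The edge-blocking step above is where a hurried responder most often hurts themselves by pushing an unchecked indicator list straight into the firewall. The following script is an added example (not Lorikeet Security's code) that turns a mixed IOC feed into block rules while refusing anything that overlaps your own address space. The IOC list is constructed and contains no real indicators; the internal ranges are the RFC 1918, loopback and link-local blocks (adjust to your own allocation), and the output uses iptables and BIND response-policy-zone syntax purely as an illustration of the two controls (IP block plus DNS sinkhole).

```python
"""Convert a threat-intel IOC list into edge block rules with a safety rail.
Added example; the feed below is constructed and contains no real indicators."""
import ipaddress
import re

# Constructed sample feed: the kind of mixed, slightly messy list a vendor
# or ISAC ships during an incident (comments, duplicates, a stray internal IP).
SAMPLE_IOCS = """
# C2 infrastructure for a hypothetical variant (constructed, not real)
203.0.113.10
203.0.113.0/28
198.51.100.77
203.0.113.10            # duplicate, already covered by the /28
10.0.0.5                # internal address: must never be blocked at the edge
192.0.2.0/24
c2.example.net
update-cdn.example.org
"""

# Assumed internal space. Replace with your real allocation; the point is that
# nothing overlapping it can end up in a DROP rule.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def parse_iocs(text, internal=INTERNAL_RANGES):
    """Classify each line as network, domain, or rejected (internal/unparseable).
    Networks are collapsed so duplicates and covered hosts disappear."""
    networks, domains, rejected = [], [], []
    for raw in text.splitlines():
        item = raw.split("#", 1)[0].strip()      # drop inline comments
        if not item:
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)   # host or CIDR
        except ValueError:
            if DOMAIN_RE.match(item):
                domains.append(item.lower())
            else:
                rejected.append((item, "unparseable"))
            continue
        if any(net.version == r.version and net.overlaps(r) for r in internal):
            rejected.append((item, "internal range"))
        else:
            networks.append(net)
    collapsed = []
    for version in (4, 6):                       # collapse per address family
        same = [n for n in networks if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    collapsed.sort(key=lambda n: (n.version, n))
    return collapsed, sorted(set(domains)), rejected


def iptables_rules(networks):
    """Drop traffic to and from each C2 network on a Linux edge router."""
    rules = []
    for net in networks:
        rules.append(f"iptables -I FORWARD -d {net.with_prefixlen} -j DROP")
        rules.append(f"iptables -I FORWARD -s {net.with_prefixlen} -j DROP")
    return rules


def rpz_records(domains, zone="rpz.local"):
    """BIND RPZ records: CNAME to '.' answers NXDOMAIN for the name and subdomains."""
    records = []
    for d in domains:
        records.append(f"{d}.{zone}. CNAME .")
        records.append(f"*.{d}.{zone}. CNAME .")
    return records


if __name__ == "__main__":
    nets, doms, bad = parse_iocs(SAMPLE_IOCS)
    for rule in iptables_rules(nets) + rpz_records(doms):
        print(rule)
    for item, why in bad:
        print(f"# skipped {item}: {why}")
```

Run on the sample feed, the duplicate host and the entry already inside the /28 collapse into three networks, the two domains become sinkhole records, and 10.0.0.5 is reported as skipped instead of silently becoming a rule that blackholes part of your LAN.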

Hours 4-24: Investigation and Scoping

Once containment has stopped the active spread, the investigation phase determines what happened, how it happened, and how bad it is. This phase runs in parallel with the communication workstream — you cannot wait for complete forensic findings before beginning regulatory notifications and stakeholder communication.

Identify the Ransomware Variant

The ransom note, encrypted file extensions, and encryption behavior often identify the variant. Resources like ID Ransomware and No More Ransom can match encrypted file samples and ransom notes to known families. Identification matters because it determines whether a public decryptor exists (which removes encryption from the payment calculus, though not the exfiltrated data), what the threat actor's known behavior pattern is (some groups consistently provide working decryptors; others do not), and whether the group engages in data exfiltration for double extortion. Keep in mind that most ransomware is run as a service: the family tells you the tooling, not necessarily the affiliate operating it, and affiliates vary in skill and reliability.

Determine the Entry Vector

Understanding how the attacker gained initial access is critical for two reasons: closing the entry vector prevents re-compromise during recovery, and it informs the scope of the investigation. Common initial access vectors for ransomware include phishing emails with malicious attachments or links, exploitation of internet-facing vulnerabilities (VPN appliances, RDP, Exchange, Citrix), compromised credentials from previous breaches or infostealers (typically on an account without MFA), and supply chain compromise through managed service providers or software vendors. If the entry vector cannot be established with confidence, treat every externally reachable service and every privileged account as suspect until it has been rebuilt or reset.

Assess Data Exfiltration

Double extortion (encrypting data AND threatening to publish stolen data) is now the norm rather than the exception. Investigate whether data was exfiltrated by reviewing firewall and proxy logs for large or sustained outbound transfers to unfamiliar destinations, looking for staging directories where data was aggregated and archived before exfiltration (archive tools such as 7-Zip or WinRAR dropped in unusual locations are a common sign), checking for synchronization tools such as rclone and MEGA clients that ransomware affiliates routinely use, and examining cloud storage or file transfer service logs. Exfiltration usually happens days before encryption, so the relevant logs may predate the alert; if log retention is too short to cover that window, say so explicitly, because an empty result from a truncated log is not evidence that nothing left. The data exfiltration assessment directly impacts regulatory notification obligations and the ransom payment decision framework.
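To make the log review concrete, here is an added example (not part of the original post) of the two checks a responder runs first over a firewall or proxy export: outbound volume per internal host in a sliding one-hour window, and user-agent strings of known exfiltration tooling. The log lines are constructed, the CSV column names are an assumption about your export format, 10.0.0.0/8 is assumed to be the enterprise's internal space, and the 25 MB/hour threshold is a placeholder you would tune to the host class being examined.

```python
"""Flag internal hosts whose external uploads look like exfiltration.
Added example; the log lines, thresholds and column names are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/proxy export (not real traffic). Column names are an
# assumption; map your own export onto them.
SAMPLE_LOG = """timestamp,src_ip,dst_ip,dst_port,bytes_out,user_agent
2026-04-04T01:12:03,10.20.5.17,198.51.100.40,443,8388608,rclone/v1.65.0
2026-04-04T01:14:11,10.20.5.17,198.51.100.40,443,9437184,rclone/v1.65.0
2026-04-04T01:16:40,10.20.5.17,198.51.100.40,443,7340032,rclone/v1.65.0
2026-04-04T01:20:02,10.20.5.17,198.51.100.40,443,11534336,rclone/v1.65.0
2026-04-04T09:05:00,10.20.7.3,203.0.113.9,443,524288,Mozilla/5.0
2026-04-04T09:06:00,10.20.7.3,10.20.1.2,445,734003200,
2026-04-04T13:30:00,10.20.9.8,192.0.2.55,443,2097152,MEGAsync/4.9
"""

# Assumptions for this example: internal space, a volume ceiling that is
# unusual for a workstation, and agent strings of tools widely reported in
# ransomware exfiltration (rclone, MEGA clients).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
VOLUME_THRESHOLD = 25 * 1024 * 1024
WINDOW = timedelta(hours=1)
SUSPICIOUS_AGENTS = ("rclone", "megasync", "mega.nz")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_exfil_candidates(log_text):
    """Return {src_ip: [reasons]} for hosts with suspicious external uploads."""
    events = defaultdict(list)        # src -> [(timestamp, bytes_out)]
    reasons = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_internal(row["dst_ip"]):
            continue                  # east-west traffic (e.g. SMB) is not exfil
        src = row["src_ip"]
        events[src].append((datetime.fromisoformat(row["timestamp"]),
                            int(row["bytes_out"])))
        agent = row["user_agent"].lower()
        if any(tag in agent for tag in SUSPICIOUS_AGENTS):
            reasons[src].add(f"known exfil tool user-agent: {row['user_agent']}")
    # Sliding one-hour window over each host's external uploads, so a burst
    # split across many small sessions is still caught.
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            total = sum(b for _, b in evs[start:end + 1])
            if total >= VOLUME_THRESHOLD:
                mb = total // (1024 * 1024)
                reasons[src].add(f"{mb} MB outbound within one hour")
                break
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for host, why in find_exfil_candidates(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

On the sample, 10.20.5.17 is flagged twice (35 MB in eight minutes, rclone agent), 10.20.9.8 is flagged on the MEGA client alone, and 10.20.7.3 is not flagged at all: its large transfer went to an internal file server and is exactly the staging traffic the next step of the investigation looks for on disk rather than at the edge.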


The Communication Plan

Communication during a ransomware incident is a parallel workstream — not something that happens after the technical investigation is complete. Multiple audiences require different messages on different timelines, and getting this wrong creates legal liability, regulatory penalties, and reputational damage that outlasts the technical incident.

Legal counsel should be involved from hour zero. Attorney-client privilege and work-product protection may shield certain investigation findings from discovery in later litigation, but only if the forensic engagement is structured through counsel from the start; the protection cannot be applied retroactively. Your legal team will guide regulatory notification timelines, which vary by jurisdiction and data type: GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (and to affected individuals without undue delay where the risk to them is high), while U.S. requirements vary by state and by sector, with additional rules for regulated data such as health or financial records and for public companies.

Cyber insurance carrier notification should happen within the first four hours. Most policies have specific notification requirements, and failing to notify promptly can void coverage. Many policies also require carrier approval before you engage outside vendors or make any ransom payment, so read the policy before committing to a forensic firm or negotiator. The carrier's incident response panel will provide forensic, legal, and crisis communication resources, often at pre-negotiated rates that are covered by the policy.

Employee communication should be honest and measured. Employees need to know what is happening (systems are unavailable due to a security incident), what they should do (do not attempt to access affected systems, report any suspicious emails or activity), and what the recovery timeline looks like. Avoid speculation about severity or data exposure until forensic findings are available.


Hours 24-72: Recovery Operations

Recovery begins once the attack is contained, the entry vector is identified and closed, and the scope of the incident is understood. Recovery without containment leads to re-encryption; this is one of the most common and devastating mistakes organizations make under pressure. Where the entry vector cannot be identified with certainty, recover into a rebuilt, segmented environment with fresh credentials rather than back into the old one, and assume persistence remains anywhere you did not rebuild.

Backup Validation

Before beginning restoration, verify that your backups are intact and uncompromised. Sophisticated ransomware operators target backup systems specifically: they may delete or expire backup sets, corrupt backup files, encrypt backup storage, or plant persistence mechanisms in backup images that will re-infect systems when restored. Validate backups by restoring them to an isolated environment, comparing file hashes against a manifest recorded before the incident where one exists, checking that backup timestamps predate the attacker's earliest known activity, and scanning the restored images with current EDR signatures before anything touches the production network. A backup taken after initial access may be free of encryption yet still contain the attacker's tooling and accounts.
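The hash comparison and the "does this file look encrypted" question can be scripted against a restored directory. The block below is an added example (not Lorikeet Security's tooling) that checks every file in a pre-incident manifest, flags files that are missing, modified, or modified and high-entropy (the signature ransomware output leaves), and reports files present on disk that the manifest never listed. The manifest format (relative path to SHA-256) and the 7.5 bits-per-byte entropy cut-off are assumptions for the example; the restore set it runs against is constructed in a temporary directory.

```python
"""Validate a restored backup against a pre-incident hash manifest and flag
encrypted-looking files. Added example; the sample restore set is constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter

CHUNK = 1 << 20          # read files 1 MiB at a time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte, 0..8. Ransomware output sits near 8; text, XML and most
    database files sit well below. Compressed archives also score high, so
    apply this only to files that should be plaintext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def validate_backup(restore_dir, manifest, entropy_limit=7.5):
    """manifest: {relative_path: sha256 recorded before the incident}.
    Returns {relative_path: 'ok' | 'missing' | 'modified' |
    'modified+high-entropy' | 'unexpected'}."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
            continue
        if sha256_of(path) == expected:
            results[rel] = "ok"
            continue
        with open(path, "rb") as f:
            head = f.read(CHUNK)             # first MiB is enough to judge
        verdict = "modified"
        if shannon_entropy(head) > entropy_limit:
            verdict += "+high-entropy"
        results[rel] = verdict
    # Files on disk that the manifest never listed: a planted binary inside a
    # backup image is exactly the persistence the text warns about.
    for root, _, files in os.walk(restore_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), restore_dir)
            if rel not in manifest:
                results[rel] = "unexpected"
    return results


def build_demo():
    """Construct a toy restore set: one intact file, one overwritten with random
    bytes (what an encrypted file looks like), one deleted, one planted extra."""
    d = tempfile.mkdtemp()
    ledger = b"customer_id,balance\n1001,250.00\n1002,19.99\n" * 2000
    with open(os.path.join(d, "ledger.csv"), "wb") as f:
        f.write(ledger)
    manifest = {
        "ledger.csv": hashlib.sha256(ledger).hexdigest(),
        "config.xml": hashlib.sha256(b"<config/>").hexdigest(),
        "hr.db": hashlib.sha256(b"SQLite format 3").hexdigest(),
    }
    with open(os.path.join(d, "config.xml"), "wb") as f:
        f.write(os.urandom(65536))           # encrypted-in-place scenario
    with open(os.path.join(d, "svchost.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)        # planted, never in the manifest
    return d, manifest


if __name__ == "__main__":
    restore_dir, manifest = build_demo()
    for rel, verdict in sorted(validate_backup(restore_dir, manifest).items()):
        print(f"{verdict:22} {rel}")
```

The manifest only helps if it was recorded before the incident and stored somewhere the attacker could not reach; generating hashes from the backup itself after the fact proves nothing. Treat "unexpected" hits as seriously as "modified" ones: an extra executable in a restored image is the re-infection path the text describes.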

Prioritized Restoration

Not all systems are equal. Restore in priority order based on business impact and dependencies: identity infrastructure first (Active Directory domain controllers, PKI, authentication systems), then critical business operations, then supporting systems. Restore domain controllers from a backup that predates the intrusion and treat every secret in that backup as compromised: reset the krbtgt account password twice, allowing replication to complete between resets, so that forged Kerberos tickets stop working, and rotate all privileged credentials. Each restored system should be hardened before reconnection: patched, credentials rotated, unnecessary services disabled, and EDR agents installed or updated.
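"Identity first, then critical, then supporting" is a tiering rule, but the actual restore sequence also has to respect dependencies (an application server is useless before its database and the PKI that issues its certificates). The following added example (not from the original post) computes an order that satisfies every dependency and, whenever several systems are ready at once, brings back the lower tier first. The inventory is constructed; tiers 0, 1 and 2 follow the article's three categories, and a dependency loop or a reference to a system missing from the inventory is treated as a planning error rather than silently ignored.

```python
"""Dependency- and tier-aware restoration order. Added example; the inventory
is constructed and the tiers follow the article (identity first)."""
from graphlib import CycleError, TopologicalSorter

# Constructed inventory: name -> (tier, [systems it depends on]).
# Tier 0 = identity infrastructure, 1 = critical business, 2 = supporting.
INVENTORY = {
    "dc01":       (0, []),
    "dc02":       (0, ["dc01"]),
    "pki":        (0, ["dc01"]),
    "erp-db":     (1, ["dc01"]),
    "erp-app":    (1, ["erp-db", "pki"]),
    "fileserver": (1, ["dc01"]),
    "wiki":       (2, ["dc01"]),
    "print":      (2, ["dc01"]),
}


def restore_order(inventory):
    """Return systems in an order that satisfies every dependency; among the
    systems ready at the same moment, the lower tier (more critical) goes first.
    Raises ValueError on a dependency loop or an unknown dependency."""
    unknown = {d for _, deps in inventory.values() for d in deps} - set(inventory)
    if unknown:
        raise ValueError(f"dependencies not in inventory: {sorted(unknown)}")
    ts = TopologicalSorter({name: deps for name, (_, deps) in inventory.items()})
    try:
        ts.prepare()
    except CycleError as e:
        raise ValueError(f"dependency loop: {e.args[1]}") from None
    order = []
    ready = set(ts.get_ready())
    while ready:
        # Pick the most critical system whose dependencies are all restored.
        name = min(ready, key=lambda n: (inventory[n][0], n))
        ready.remove(name)
        order.append(name)
        ts.done(name)
        ready.update(ts.get_ready())     # whatever this unblocked
    return order


if __name__ == "__main__":
    for step, name in enumerate(restore_order(INVENTORY), 1):
        print(f"{step:2}. {name} (tier {INVENTORY[name][0]})")
```

On the sample inventory the order is dc01, dc02, pki, erp-db, erp-app, fileserver, print, wiki: the tier-1 application comes back as soon as its database and PKI exist, ahead of the remaining tier-1 and tier-2 systems, instead of waiting for every tier-1 item to finish first.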


The Ransom Payment Decision Framework

The decision to pay or not pay a ransom demand should be made through a structured decision framework — not under emotional pressure at 3 AM. This framework should be developed and approved by executive leadership and legal counsel before any incident occurs.

Factors that inform the decision include: backup viability (are clean backups available and verified?), operational impact (what is the daily cost of downtime and how long will restoration take?), data exposure risk (has data been exfiltrated and what is the impact of publication?), legal and sanctions risk (is the threat actor a sanctioned entity under OFAC?), decryption reliability (does this group have a track record of providing working decryptors?), and insurance coverage (does your policy cover ransom payments and under what conditions?).

There is no universally correct answer. The FBI advises against payment because it incentivizes future attacks and does not guarantee that data will be recovered, but also acknowledges that each organization must make the decision based on its specific circumstances. Payment buys, at best, a decryptor; it does not make exfiltrated data disappear, and attacker-supplied decryptors are often slow or unreliable enough that restoration from backups remains the primary recovery path even after paying. Whatever decision is made, document the reasoning thoroughly; this documentation is critical for insurance claims, regulatory inquiries, and potential litigation.


Post-Incident Hardening

Recovery is not complete when systems are restored. The post-incident hardening phase closes the gaps that allowed the attack to succeed and establishes monitoring to detect any residual attacker presence. At minimum, this includes a full credential reset across the environment (every password, every service account, every API key, and the krbtgt account twice), performed only after the attacker's access has been cut off so the new credentials are not harvested as fast as they are set; patching the vulnerability or closing the access path used for initial entry; deploying or upgrading EDR across all endpoints; implementing network segmentation to limit future lateral movement; and enhancing logging and monitoring to detect the specific TTPs used in the attack.

A post-incident penetration test — conducted 30-60 days after recovery — validates that hardening measures are effective and that no attacker persistence mechanisms remain. This test should specifically simulate the attack path used in the incident and verify that the controls implemented during hardening actually prevent it.


Building the Plan Before You Need It

Every element of this playbook should be documented, assigned to specific individuals, and tested through tabletop exercises before a real incident occurs. The worst time to figure out your communication plan is during an active ransomware event. The worst time to discover your backups don't work is when they're the only path to recovery.

Conduct tabletop exercises at least twice per year with representation from IT, security, legal, communications, and executive leadership. Test backup restoration quarterly — actually restore systems and verify data integrity, not just check that backup jobs completed successfully. Review and update the playbook whenever there are significant infrastructure changes or when new ransomware TTPs emerge that would change your response approach.

Prepare Your Organization for the Worst-Case Scenario

Lorikeet Security helps organizations build and validate their ransomware readiness through penetration testing that identifies the vulnerabilities ransomware operators exploit, and incident response planning that ensures you can execute when it matters. Do not wait until the ransom note appears.


Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
