What to Do in the First 72 Hours of a Ransomware Attack

A ransomware attack can disrupt operations within minutes, but the first 72 hours are critical to controlling impact and accelerating recovery. Having a structured response plan supported by experienced partners can help businesses contain the threat, assess exposure and move forward with confidence.

Hours 0–24: Confirm the Incident and Contain the Threat
The initial response focuses on quickly validating the incident and limiting further damage.
Key Actions
- Confirm ransomware activity and identify affected systems
- Isolate impacted systems from the network to prevent further spread
- Notify your cyber insurance carrier
- Engage incident response counsel and forensic specialists
- Establish immediate communication protocols
Initial Priorities
- Identify impacted systems and business disruptions
- Begin containment and stabilization efforts
- Determine need for external recovery support
Key Executive Decision
- Approve engagement of incident response, legal and forensic partners

Hours 24–36: Assess Scope, Impact and Exposure
Once the incident is contained, focus shifts to understanding the full scope and potential exposure.
Key Actions
- Begin forensic investigation to determine entry point and affected systems
- Assess whether data exfiltration has occurred
- Evaluate backup integrity and restoration options
- Deploy security controls before reconnecting systems
- Initiate business impact analysis
- Evaluate regulatory and contractual notification requirements
Operational Focus
- Preserve evidence while progressing recovery
- Identify critical service disruptions and customer impact
- Align internal communications and stakeholder awareness
Key Executive Decision
- Evaluate strategy for potential decryption and assess information at risk
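"Evaluate backup integrity and restoration options" is the step in this window that most often decides whether recovery is measured in days or weeks. The following is an added example, not part of the original checklist or any tool its authors provide: it assumes a SHA-256 manifest was produced when the backup was taken and stored where the backup host could not overwrite it (offline or write-once media), then compares the backup set on disk against that manifest and classifies every file as intact, altered, missing or unexpected. Anything altered or unexpected is also entropy-checked, because near-8.0 bits per byte on a file that used to be a SQL dump is consistent with the backup itself having been encrypted. The file names, contents and the 7.5 threshold are constructed for the demonstration.

```python
"""Verify a backup set against a known-good hash manifest before restoring from it.

Added example: assumes the manifest was captured at backup time and kept
off-line; all sample files and the entropy threshold below are constructed.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

CHUNK = 65536
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed data sits close to 8.0


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; values near 8.0 look encrypted or compressed."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Hash every file under the backup root (run at backup time, stored off-line)."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against the manifest and classify each file."""
    report = {"intact": [], "altered": [], "missing": [], "unexpected": [], "high_entropy": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_of(path) == expected:
            report["intact"].append(rel)
        else:
            report["altered"].append(rel)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    # Entropy check only on files that failed the manifest: a near-8.0 result on an
    # altered or unexpected file suggests the backup itself has been encrypted.
    for rel in report["altered"] + report["unexpected"]:
        with (root / rel).open("rb") as fh:
            if shannon_entropy(fh.read(1 << 20)) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
    return report


def restorable(report: dict) -> bool:
    """A set is a restoration candidate only if nothing the manifest covers is altered or missing."""
    return not report["altered"] and not report["missing"]


def demo() -> dict:
    """Constructed scenario: a small backup set, a manifest taken while it was good, then damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n" * 200)
        (root / "config.yaml").write_bytes(b"retention_days: 30\nencryption: aes-256\n")
        (root / "notes.txt").write_bytes(b"quarterly review notes\n" * 50)
        manifest_json = json.dumps(build_manifest(root))  # what would have been stored off-line

        # Simulated damage: one file overwritten with random bytes (looks encrypted),
        # one deleted, and one file present that the manifest never covered.
        (root / "db" / "customers.sql").write_bytes(os.urandom(8192))
        (root / "notes.txt").unlink()
        (root / "recovery_instructions.txt").write_bytes(b"unexpected file in the backup set\n")

        report = verify_backup(root, json.loads(manifest_json))
        report["restorable"] = restorable(report)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean manifest match proves the backup is unchanged since it was taken, not that it predates the intrusion: the backup timestamp still has to be checked against the entry point and dwell time the forensic investigation establishes, and a restore of a "verified" set from inside that window reintroduces the attacker's foothold. Run the check from an isolated recovery host, never from the compromised backup server.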

Hours 36–48: Align Strategy and Plan Recovery
At this stage, organizations begin shifting from assessment to coordinated recovery.
Key Actions
- Assess ransomware strain and threat actor behavior
- Enhance monitoring to detect persistence or lateral movement
- Develop a prioritized system restoration plan
- Reset credentials and strengthen security controls
- Initiate or manage threat actor communications through counsel
- Notify appropriate law enforcement agencies
Planning Focus
- Analyze potential downtime and operational impact
- Review legal and regulatory exposure
- Refine internal and external communication plans
Key Executive Decision
- Approve phased restoration strategy
- Determine approach to threat actor engagement, if applicable

Hours 48–72: Restore Operations and Manage Risk
The focus turns to stabilizing operations, validating recovery and managing compliance and communications.
Key Actions
- Begin phased restoration of priority systems
- Continuously validate systems to prevent reinfection
- Finalize regulatory notification timelines
- Implement coordinated internal and external messaging
- Establish cadence for ongoing oversight and reporting

By Hour 72, Organizations Should Have
- A stable environment and defined recovery strategy
- Initial understanding of legal and regulatory obligations
- A unified communication approach for stakeholders

Why the First 72 Hours Matter
A structured response during the first 72 hours can significantly reduce operational disruption, financial impact and long-term reputational risk. Coordinated engagement with experienced claims, legal and forensic professionals helps businesses navigate complex decisions with greater clarity and control.