When ransomware detonates on your network, the first 60 minutes determine whether you contain an incident or live through a catastrophe. Most organizations treat ransomware as an IT problem. It is not. It is a crisis management event that simultaneously demands technical precision, legal judgment, financial decisions, and communications discipline — all under extreme pressure, often at 2 a.m.
This playbook provides a structured, hour-by-hour guide for security teams responding to an active ransomware incident. It is built on real incident response engagements across financial services, healthcare, and professional services organizations in the NYC metro area.
Hour 0-1: Detection and Initial Containment
The moment you suspect ransomware — whether from an EDR alert, a user reporting encrypted files, or a ransom note on a shared drive — start a written timeline immediately. Every action, every decision, every phone call with a timestamp. This documentation is simultaneously your incident log, your legal record, and your insurance claim.
Confirm Before You Contain
Spend the first 15 minutes confirming you have ransomware, not a false alarm. Look for: ransom notes (README.txt, DECRYPT_FILES.html), file extension changes (.locked, .encrypted, or attacker-branded extensions like .ryuk), event log entries showing mass file modification, EDR telemetry showing vssadmin delete shadows execution (shadow copy deletion is a near-universal ransomware behavior).
Critically, identify whether encryption is still actively running. If so, the next 30 minutes are containment, not investigation.
Network Isolation Decisions
Isolating affected systems is intuitive but requires careful judgment. Pulling the network cable or disabling the NIC on an actively encrypting host stops lateral spread — but some ransomware variants have kill switches triggered by network disconnection, accelerating encryption or triggering data destruction payloads. The safer approach where possible is firewall-based isolation: create ACL rules blocking the affected subnet from communicating with the rest of the network without physically disconnecting the host.
Do not reboot affected systems under any circumstances. Rebooting destroys volatile memory contents — running process lists, network connections, encryption keys potentially resident in RAM — that are your most valuable forensic artifacts.
Hour 1-4: Preserve Evidence, Notify Stakeholders
Forensic Preservation Before Anything Else
If you have forensic capability in-house or an IR retainer on call, initiate memory acquisition immediately on affected systems before any other action. Tools like Magnet RAM Capture or WinPmem can image live RAM to an external drive in minutes. This preserves encryption keys (some older ransomware variants left keys in memory), process trees showing the attacker's execution chain, and network socket state showing active C2 connections.
Preserve logs from your SIEM, Windows Event Logs (especially Security, System, and Application), firewall logs, and DNS query logs before they age out or are overwritten. Export them to write-once storage or an isolated collection system.
Stakeholder Notification Protocol
Within the first two hours, the following people need to be notified — in this order:
- CEO / Executive leadership: One concise briefing covering what is known, what is being done, and what decisions are needed from them. Avoid technical jargon. Focus on business impact.
- General Counsel / Outside counsel: Legal counsel should be engaged immediately to establish attorney-client privilege over the investigation. Communications through counsel may receive legal protection in subsequent litigation or regulatory proceedings.
- Cyber insurance carrier: Cyber policies impose notice conditions — most require you to report a covered incident "as soon as practicable" after discovery, and treat prompt notice as a condition of coverage. Missing the reporting window your specific policy defines can jeopardize a claim, so confirm your insurer's notice clause and timeline before an incident occurs. Your carrier may also have panel IR firms with pre-negotiated rates that you are required to use.
- CFO: Especially if wire transfers or financial systems are involved, or if ransom payment is a possibility requiring pre-authorization.
Hour 4-24: Scope the Incident
Finding Patient Zero
Ransomware does not materialize from nothing. Across Mandiant and Sophos incident-response data, ransomware now typically reaches deployment within days of initial access (Mandiant M-Trends 2025; Sophos Active Adversary Report 2025). During that window, the attacker was moving laterally, stealing credentials, exfiltrating data, and identifying your backup infrastructure to destroy it before triggering encryption.
Tracing patient zero requires examining: phishing email delivery logs (Exchange message trace, Google Workspace audit logs), VPN authentication logs for anomalous logins, RDP exposure (check for direct internet-facing RDP on port 3389 — this is the most common initial access vector), and software deployment logs if a supply chain compromise is suspected.
Assess Exfiltration
Modern ransomware groups operate a double-extortion model: they exfiltrate data before encrypting, then threaten to publish it on a leak site if the ransom is not paid. Assume exfiltration occurred. Look for DNS exfiltration, large outbound transfers in firewall logs, and the presence of tools like Rclone, WinSCP, or MEGAsync in process execution logs — these are commonly used by ransomware affiliates to exfiltrate data to cloud storage.
Engage Your IR Retainer
If you do not have in-house forensic capability, engage your IR retainer now. An experienced IR team brings forensic tooling, threat intelligence on the specific ransomware variant, and negotiation experience. They will conduct a more thorough investigation than your internal team under pressure while you focus on business continuity.
If no retainer exists, contact the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. The FBI Cyber Division has active intelligence on ransomware groups, may have decryption keys for some variants (they do not always publicize key possession), and can assist with negotiation intelligence. Reporting is not the same as demanding FBI intervention — it is optional and the FBI will not publish your incident.
Day 2-7: Recovery Decision Framework
The Pay vs. Restore Decision
This is the hardest decision in ransomware response, and there is no universally correct answer. The three paths are: restore from backup, pay the ransom, or use a third-party decryptor (rarely available).
Restore from backup is preferable when: backups are confirmed intact and isolated (the attacker did not destroy them), restoration time is acceptable for business continuity, and there is no double-extortion data exposure threat requiring negotiation.
Ransom payment may be necessary when: no viable backups exist, patient care or critical operations are at immediate risk, or the cost of reconstruction exceeds the ransom. If you pay, be aware that decryptors provided by ransomware groups are often slow, buggy, and incomplete. Paying does not guarantee full recovery and does not guarantee the attacker will delete exfiltrated data.
Legal Constraints on Payment: OFAC Sanctions
Before authorizing any payment, legal counsel must confirm the ransomware group is not on the OFAC Specially Designated Nationals (SDN) list. Paying a sanctioned entity — including ransomware groups with designated members — is a violation of U.S. sanctions law regardless of whether you knew about the sanctions designation. The Treasury's OFAC has issued advisories specifically on ransomware payments. Violations carry civil penalties even for unknowing payments. Your IR firm or legal counsel should conduct a sanctions check before any payment is considered.
Communication Templates and Post-Incident Lessons
Internal Communication Template
Keep internal communications factual, brief, and status-oriented. A sample structure: "We are currently responding to a security incident affecting [specific systems]. IT and security teams are actively working to contain the issue and restore operations. We will provide updates every [2/4] hours. Until further notice, please [specific user instructions such as: do not use VPN, do not open email attachments, do not access shared drives on the affected network]. Contact [incident hotline] with questions."
Post-Incident Lessons
Every ransomware incident reveals the same gaps: no tested offline backup strategy, excessive lateral movement enabled by flat network architecture, RDP or VPN exposed directly to the internet, privileged accounts without MFA, and no IR plan that anyone had actually read. The post-incident review should be mandatory, blameless, and produce a prioritized remediation roadmap with owner assignments and deadlines.
Organizations that treat ransomware recovery as a technical cleanup — restoring systems without remediating the architectural weaknesses that enabled the intrusion — leave the same attack path open, and threat actors who retain access or rediscover that path frequently strike again. Recovery is not complete until the root cause is closed, not just the symptom.