In October 2025, a single statistic defines the state of cybersecurity: ransomware now drives over 50% of all cyberattacks. This isn't a distant threat; it's an active crisis, with 1,576 public ransomware victims in Q3 2025 alone. Attackers are faster and more ruthless than ever, achieving full network compromise in as little as 48 minutes. When a ransomware attack hits, your organization doesn't have days to form a committee; it has minutes to act. Panic is not a strategy. The first 60 minutes will dictate whether you recover or become another statistic.
This guide is an emergency protocol. It provides the clear, minute-by-minute, actionable steps you must take to survive the initial impact. We will walk you through a proven ransomware response framework designed to contain the damage, preserve critical evidence, and set the stage for a successful ransomware attack recovery. The chaos is inevitable; your response doesn't have to be.
The Critical First Hour: A Minute-by-Minute Action Plan
This timeline is designed to be printed and kept in your emergency response kit. In a real incident, there's no time to search for a plan.
| Time | Critical Action | Primary Goal |
|---|---|---|
| 0-5 Min | Isolate Patient Zero | Stop the immediate spread. |
| 5-15 Min | Segment the Network | Protect critical assets like backups. |
| 15-30 Min | Activate External Partners | Engage legal and forensic experts. |
| 30-45 Min | Assess Backup Viability | Determine if recovery is possible. |
| 45-60 Min | Establish Command & Control | Prepare for the long-haul recovery. |
Minutes 0-5: Initial Detection and Containment
The clock starts the second you see the first sign of an attack—a ransom note, an EDR alert, or a user reporting encrypted files. Your only goal in these first five minutes is to stop the bleeding.
ACTION 1: Disconnect, Don't Shut Down.
Your first instinct will be to power off the machine. Resist this urge. Shutting down destroys volatile memory (RAM), which contains priceless forensic evidence. Instead, immediately disconnect the infected device(s) from the network to stop the ransomware from spreading.
- How to Disconnect: Unplug the Ethernet cable and disable Wi-Fi/Bluetooth. This simple action is the single most important first step in any ransomware response.
ACTION 2: Activate Your Core Response Team.
Immediately activate your pre-designated incident response team via an out-of-band communication channel (like a Signal group). This core team should be small and empowered to make decisions. It must include the Head of IT/Security, a senior executive, and Legal Counsel. This is not the time for a large meeting; it's a time for decisive action based on your CISO Incident Response Playbook.
Minutes 5-15: Network Isolation and Evidence Preservation
With the initial device isolated, your ransomware response must immediately expand to protect your most critical assets and preserve the digital crime scene.
ACTION 3: Isolate Critical Network Segments.
Assume the attacker is already moving laterally. Your IT team must act swiftly to sever connections to high-value targets. This is where a well-designed Enterprise Cybersecurity Architecture with proper segmentation pays off. The order of isolation is critical:
- Backup Servers: Take them completely offline. Your backups are your only path to a successful ransomware attack recovery without paying.
- Domain Controllers: Isolate them. If attackers compromise these, they own your network.
- Critical Application Servers: Disconnect your ERP, financial systems, and core operational platforms.
ACTION 4: Preserve Everything.
Do not delete, modify, or run scans on the infected machines.
- Photograph the Ransom Note: Use a phone to take clear pictures of any ransom notes on screen. Note the contact information and payment details, but do not make contact.
- Secure Logs: If possible, immediately export and secure logs from firewalls, DNS servers, and EDR systems. A skilled analyst can use these logs to trace the attack's origin, a key process in Advanced SOC Analyst Threat Hunting Techniques.
Minutes 15-30: Assessment and Stakeholder Notification
Now that you've stabilized the patient, you need to understand the severity of the wound and call in the surgeons. This phase of the first 60 minutes is about triage and escalation.
ACTION 5: Perform an Initial Damage Assessment.
Your technical team needs to quickly answer three questions:
- How far did it spread? Identify which systems are encrypted.
- What data was impacted? Is it just user workstations or are critical databases hit?
- Was data stolen? This is the "double extortion" question. Check firewall logs for large, unusual outbound data transfers. Data theft triggers severe legal and regulatory obligations.
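The "was data stolen?" check above is usually answered by eyeballing firewall exports under pressure. The following script, an example added here and not part of the original guide, does the same triage mechanically: it parses exported firewall log lines, totals outbound bytes per internal host, and flags hosts whose volume is both above a hard floor and far above the median of their peers. The CSV layout (timestamp, source, destination, port, bytes out), the sample lines, and both thresholds are constructed assumptions; external addresses use documentation ranges.

```python
"""Triage helper for ACTION 5's 'was data stolen?' question: aggregate outbound
bytes per internal host from exported firewall logs and flag hosts whose volume
is far above their peers. Example code added to this guide, not a tool from the
original; the CSV field layout and the thresholds are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed sample export in an assumed layout:
# timestamp,src_ip,dst_ip,dst_port,bytes_out   (external IPs are documentation ranges)
SAMPLE_LOG = """\
2025-10-03T00:52:11Z,10.0.5.21,198.51.100.10,443,18220
2025-10-03T00:55:40Z,10.0.5.22,198.51.100.11,443,9410
2025-10-03T00:57:02Z,10.0.5.23,198.51.100.12,443,22004
2025-10-03T01:00:15Z,10.0.5.40,203.0.113.50,443,734003200
2025-10-03T01:02:51Z,10.0.5.40,203.0.113.50,443,812340000
2025-10-03T01:04:03Z,10.0.5.21,198.51.100.10,443,15100
2025-10-03T01:06:30Z,10.0.5.22,198.51.100.11,443,12000
"""


def parse_log(text):
    """Parse CSV lines into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def outbound_totals(records):
    """Sum bytes_out per internal source address."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return dict(totals)


def flag_exfil_candidates(records, ratio=20.0, floor_bytes=100 * 1024 * 1024):
    """Return hosts whose outbound total exceeds a hard floor AND `ratio` times
    the median of all hosts, largest first. Both thresholds are assumed starting
    points; a real baseline comes from your own normal traffic."""
    totals = outbound_totals(records)
    if not totals:
        return []
    baseline = median(totals.values())
    flagged = []
    for src, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        if total >= floor_bytes and total > ratio * baseline:
            dests = sorted({r["dst"] for r in records if r["src"] == src})
            flagged.append({"src": src, "bytes_out": total, "destinations": dests})
    return flagged


if __name__ == "__main__":
    for hit in flag_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']}: {hit['bytes_out']:,} bytes out to {hit['destinations']}")
```

On the constructed sample, only 10.0.5.40 is flagged (about 1.5 GB to a single external address while its peers moved tens of kilobytes). The peer-median comparison is weak when only a handful of hosts appear in the export, so treat the output as a list of hosts for the forensic firm to examine first, not as proof that data left the network.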
ACTION 6: Notify Your External Response Partners.
You are not equipped to handle this alone. During these minutes, you must contact your pre-vetted external partners:
- Cyber Insurance Carrier: Your policy has strict, time-sensitive notification requirements. Call them first.
- External Legal Counsel (Breach Coach): They will guide you through legal obligations and establish attorney-client privilege.
- Forensic and Incident Response (IR) Firm: Engage them immediately. They will take over the technical investigation and lead the ransomware attack recovery.
Minutes 30-45: Backup Assessment and Recovery Planning
Your ability to dictate terms to the attackers—rather than the other way around—depends entirely on the health of your backups.
ACTION 7: Verify Backup Integrity and Isolation.
This is the moment of truth in your ransomware response.
- Confirm Isolation: Are your backups truly offline or immutable? Ransomware actively seeks out and encrypts connected backups.
- Identify the Last Known-Good Backup: Determine the exact time of the last clean backup taken before the initial compromise was detected. This defines how much data you will lose (your Recovery Point Objective).
- Test a Restore: In a completely isolated "sandbox" environment, attempt to restore a non-critical file or server. This is a crucial test to ensure your backups are not corrupted. A successful test is a massive victory in the ransomware attack recovery process.
Minutes 45-60: Command, Control, and Critical Decisions
As the first 60 minutes conclude, you need to formalize your command structure and begin framing the most difficult decision you'll face.
ACTION 8: Establish a Formal Command Structure.
Designate an Incident Commander and establish a regular communication rhythm (e.g., a status call every 30 minutes) for the core response team. All communications should flow through this central point to avoid confusion and conflicting instructions.
ACTION 9: Contact Law Enforcement.
It is highly recommended by agencies like the FBI that you report the attack. They can provide intelligence and resources. Your legal counsel will manage this communication.
ACTION 10: Frame the Ransom Payment Decision.
The decision to pay is a business decision, not a technical one. Based on the data from the first 60 minutes, your leadership team must begin weighing the cost of the ransom against the cost of downtime and rebuilding from scratch. This decision will be guided by your legal and forensic partners over the coming hours, but the framework for that decision is built now.
Post-60 Minutes: The Roadmap to Recovery
The first 60 minutes are about survival. The hours and days that follow are about methodical ransomware attack recovery. This is a marathon, not a sprint, and will be led by your engaged IR firm. It involves a full forensic investigation, systematically rebuilding every affected system, restoring data from clean backups, and hardening your defenses to prevent a recurrence. The calm, decisive actions taken in the first hour are what make this long road to recovery possible. For a complete guide to this entire process, refer to our definitive CISO Incident Response Playbook.
Ransomware Response: Quick Reference Tables
For easy access during a crisis, use these tables to guide your immediate actions.
The First 60 Minutes - Roles & Responsibilities
| Time | Key Role | Critical Action |
|---|---|---|
| 0-5 Min | First Responder (User/IT) | Disconnect affected machine(s) from the network. DO NOT SHUT DOWN. |
| 5-15 Min | Network/Security Team | Isolate critical network segments, especially backup servers. |
| 15-30 Min | Incident Commander | Notify cyber insurance, legal counsel, and forensic firm. |
| 30-45 Min | IT/Backup Admin | In a sandbox, test the integrity of the last known-good backup. |
| 45-60 Min | Leadership Team | Establish command structure and contact law enforcement (via counsel). |
To Pay or Not to Pay? Key Decision Factors
| Factor | Favors NOT Paying | Favors Paying |
|---|---|---|
| Backups | Verified, clean, and isolated backups are available. | Backups are encrypted, corrupted, or non-existent. |
| Data Exfiltration | No evidence of significant data theft was found. | Sensitive data was stolen, and the public release would be catastrophic. |
| Recovery Time | Recovery from backups is estimated to be faster than obtaining/using a decryptor. | Rebuilding from scratch would take months and destroy the business. |
| Legal/Insurance | Law enforcement advises against payment; insurance policy covers recovery costs. | Legal counsel advises payment may be the only viable business option. |