Surviving a Ransomware Attack: The First 24 Hours of Incident Response

The first hour after discovering a ransomware attack is the one that matters most, and it is also the hour when businesses make their most damaging mistakes. Screens are locked, a ransom note is demanding payment, staff are panicking, and the instinct to do something, anything, can make the situation far worse. Rebooting the wrong machine, restoring from an infected backup, or paying before understanding the situation can each turn a recoverable incident into a catastrophe. Effective ransomware incident response is not about heroics. It is about following a calm, deliberate sequence that contains the damage, preserves your options, and gets the right people involved before irreversible decisions are made. This guide walks through the critical first 24 hours step by step, explains the mistakes that most often deepen the damage, and answers the hard questions, including whether to pay, honestly rather than with slogans.

Why the First 24 Hours Decide the Outcome
Ransomware does not usually announce itself at the moment of infection. By the time you see the ransom note, the attackers have often been inside your network for days or weeks, quietly spreading, escalating their access, and in most modern attacks, stealing data before they encrypt anything. The moment of discovery is the start of a race, but not the race most people imagine. The goal in the first 24 hours is not to defeat the attacker or to restore everything instantly. It is to stop the spread, understand the scope, protect evidence, and avoid the errors that close off your good options.
What makes this window so decisive is that several of the worst mistakes are irreversible. Evidence that is destroyed cannot be recovered. A backup that gets encrypted because it was still connected cannot be un-encrypted. A hasty public statement that turns out to be wrong cannot be unsaid. A structured response in the first day preserves the choices that a panicked response throws away, and the early detection built into layered cybersecurity solutions is often what gives a business those choices by shrinking the gap between infection and discovery.

The First 24 Hours: A Step-by-Step Response
The sequence below reflects how a sound ransomware incident response unfolds in the critical first day. The order matters, because some steps protect the value of later ones.

Hour One: Contain Without Destroying
The first priority is to stop the ransomware from spreading to systems it has not yet reached. Disconnect affected devices from the network, by unplugging the network cable or disabling wireless, and isolate the segments that appear compromised. If the spread is active and severe, disconnecting the broader network or shutting down shared connections may be justified to halt it.
There is one critical caution here that separates a good response from a damaging one. Disconnect infected machines from the network, but do not power them off. Shutting a machine down wipes everything that exists only in memory: the running encryptor process, its open network connections, any code injected into other processes, and in some cases the key material that decryption tools depend on. Some variants are also built to finish their work, or damage the system further, on the next boot. If a machine cannot be reached physically, an endpoint security agent's network quarantine or disabling its switch port achieves the same isolation without a shutdown. Isolate, do not power down. This single distinction is one of the most important in the entire response.
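As an added example (not GlobeVM's code or the page's own procedure), the script below shows the order a responder should follow on a Linux host: capture the volatile state that a shutdown would destroy, write a SHA-256 manifest so that capture can later be verified, and only then take the network interfaces down. Nothing in it reboots or powers off the machine. The command list and the evidence directory are assumptions.

```python
"""Hypothetical first-hour responder script (an added example, not GlobeVM's
code). The order is the point: capture the volatile state that a shutdown
would destroy, write a SHA-256 manifest so the capture can be verified later,
and only then cut the network. Nothing here powers the host off.
Linux only; the command list and evidence directory are assumptions.
"""
import hashlib
import os
import shutil
import socket
import subprocess
import sys
from datetime import datetime, timezone

# Volatile sources, most perishable first: (output file name, command).
VOLATILE_COMMANDS = [
    ("connections", ["ss", "-tunap"]),   # live sockets: C2 and exfil sessions
    ("processes", ["ps", "auxww"]),      # the encryptor and any loader still running
    ("logged_in", ["who", "-a"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routes", ["ip", "route"]),
    ("mounts", ["mount"]),               # shares the encryptor may have reached
    ("uptime", ["uptime"]),
]


def collect_volatile(evidence_dir: str) -> dict:
    """Run each command, save its output under evidence_dir, write
    MANIFEST.sha256 and return {name: sha256 of the saved output}."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {}
    for name, cmd in VOLATILE_COMMANDS:
        if shutil.which(cmd[0]) is None:
            data = f"tool not present: {cmd[0]}\n".encode()
        else:
            try:
                proc = subprocess.run(cmd, capture_output=True, timeout=30)
                data = proc.stdout + proc.stderr
            except subprocess.TimeoutExpired:
                data = f"timed out: {' '.join(cmd)}\n".encode()
        with open(os.path.join(evidence_dir, f"{name}.txt"), "wb") as fh:
            fh.write(data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(evidence_dir, "MANIFEST.sha256"), "w") as fh:
        fh.write(f"# collected {datetime.now(timezone.utc).isoformat()} "
                 f"on {socket.gethostname()}\n")
        for name, digest in manifest.items():
            fh.write(f"{digest}  {name}.txt\n")
    return manifest


def verify_manifest(evidence_dir: str) -> bool:
    """Re-hash the saved files against MANIFEST.sha256; run this before the
    evidence is handed to insurers or investigators."""
    with open(os.path.join(evidence_dir, "MANIFEST.sha256")) as fh:
        lines = [line.split() for line in fh if not line.startswith("#")]
    for digest, fname in lines:
        with open(os.path.join(evidence_dir, fname), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                return False
    return bool(lines)


def isolate_host(interfaces=None) -> list:
    """Bring every non-loopback interface down (needs root). The host stays
    powered on so memory, processes and open handles survive for forensics."""
    if interfaces is None:
        interfaces = [i for i in os.listdir("/sys/class/net") if i != "lo"]
    for ifc in interfaces:
        subprocess.run(["ip", "link", "set", ifc, "down"], check=True)
    return interfaces


if __name__ == "__main__":
    # usage: sudo python3 first_hour.py /mnt/usb/evidence --isolate
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = paths[0] if paths else "/var/tmp/ir-evidence"
    collect_volatile(target)
    print(f"evidence saved to {target}")
    if "--isolate" in sys.argv:
        print("interfaces taken down:", isolate_host())
```

Write the evidence to removable media rather than the compromised disk where possible, and keep the manifest with it: the manifest is what lets an investigator show the capture was not altered after the fact.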
Hours One to Three: Assess the Scope
Once the immediate spread is contained, determine how far the attack reached. Identify which systems are encrypted, which are merely affected, and which appear untouched; the timestamps on the earliest ransom notes and encrypted files tell you when encryption began, which bounds the search. Look for signs of how the attackers got in and how long they were present. Critically, try to determine whether data was stolen before encryption, because modern ransomware attacks frequently exfiltrate data and threaten to publish it, a tactic known as double extortion. Firewall, proxy and cloud-storage logs showing unusually large outbound transfers in the days before the encryption are the usual evidence. Whether data was taken changes your legal obligations and your response significantly.
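As an added example of the two scoping questions above (it is not GlobeVM's code or a tool the page describes), the script below walks a file tree and sorts files into encrypted, ransom notes and untouched, then totals outbound bytes per source and destination from an egress log over the suspected dwell window. The extension list, ransom-note names, entropy threshold and log format are assumptions, and the sample tree and log lines are constructed for the example.

```python
"""Scope triage (an added example, not GlobeVM's code): which files are
actually encrypted, and whether large volumes left the network beforehand.
Extension list, note names, threshold and log format are assumptions; the
sample tree and log lines are constructed.
"""
import math
import os
import re
import tempfile
from collections import defaultdict

ENCRYPTED_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}   # assumed markers
RANSOM_NOTE_RE = re.compile(r"(readme|restore|recover|decrypt).*\.(txt|html|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; text is ~4-5, ciphertext ~7.9
# Legitimately high-entropy formats (zip/docx, gzip, jpeg, pdf, png) are
# recognised by magic bytes so they are not mistaken for ciphertext.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"%PDF", b"\x89PNG")


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Sort every file under root into encrypted / notes / untouched,
    returning sorted root-relative paths."""
    result = {"encrypted": [], "notes": [], "untouched": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if RANSOM_NOTE_RE.search(name):
                result["notes"].append(rel)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            ext = os.path.splitext(name)[1].lower()
            # A known ransomware extension is decisive. Otherwise a random-looking
            # header on a file that is not a compressed format means it was
            # encrypted in place with its original name kept.
            if ext in ENCRYPTED_EXTS or (
                    not head.startswith(COMPRESSED_MAGIC)
                    and shannon_entropy(head) > ENTROPY_THRESHOLD):
                result["encrypted"].append(rel)
            else:
                result["untouched"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


# Constructed egress-proxy format: "<iso time> src=<host> dst=<host> out=<bytes>"
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) out=(\d+)$")
SAMPLE_LOG = """\
2024-05-01T09:12:00Z src=ws-17 dst=cdn.example.net out=48000
2024-05-02T02:40:00Z src=fs-01 dst=203.0.113.9 out=900000000
2024-05-02T02:55:00Z src=fs-01 dst=203.0.113.9 out=1200000000
2024-05-02T03:10:00Z src=ws-22 dst=mail.example.net out=150000
2024-05-04T11:00:00Z src=ws-17 dst=203.0.113.9 out=700000000
""".splitlines()


def exfil_candidates(log_lines, window_start, window_end, min_bytes=500_000_000):
    """Total bytes sent per (src, dst) inside the suspected dwell window and
    return pairs at or above min_bytes, largest first. Timestamps compare as
    ISO-8601 strings, which is safe when every line uses the same format."""
    totals = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        if window_start <= ts <= window_end:
            totals[(src, dst)] += int(nbytes)
    return sorted(((k, v) for k, v in totals.items() if v >= min_bytes),
                  key=lambda kv: -kv[1])


def build_sample_tree() -> str:
    """Constructed file-share snapshot for the example; returns its path."""
    root = tempfile.mkdtemp(prefix="triage-")
    files = {
        "docs/budget.xlsx.locked": os.urandom(4096),             # renamed and encrypted
        "docs/notes.txt": b"meeting notes, nothing unusual\n" * 100,
        "docs/HOW_TO_RESTORE_FILES.txt": b"your files are encrypted...\n",
        "photos/site.jpg": b"\xff\xd8\xff" + os.urandom(4096),   # genuine jpeg header
        "share/policy.pdf": b"%PDF-1.7\n" + os.urandom(4096),    # genuine pdf header
        "share/contract.pdf": os.urandom(4096),                  # encrypted in place
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

The entropy check is what catches files encrypted under their original names, which an extension-only scan misses; the magic-byte allowlist is what keeps archives, images and PDFs from being counted as encrypted. Run the egress check over a window that starts at the earliest suspected entry date, not at the encryption event, because the theft usually happens before the ransom note appears.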
Hours One to Four: Activate Your Response Team and Plan
Bring together the people who need to act. For a small business this includes leadership, your IT or security provider, and, for any serious incident, legal counsel and your cyber insurance carrier. If you have cyber insurance, contacting the insurer early is essential, because many policies require prompt notification and provide access to incident response specialists, and acting outside the policy's terms can jeopardize coverage. This is also the point to begin a written log of the incident: what was discovered, when, and every action taken, with the name of the person who took it. Keep that log somewhere the attacker cannot reach, not on the compromised network. That record matters for insurance, for any investigation, and for later legal obligations.
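One way to keep that written log trustworthy, shown here as an added example rather than anything GlobeVM or the page prescribes, is to chain the entries with hashes: each entry carries the SHA-256 of the one before it, so an edited, inserted or deleted line breaks the chain and can be proven to anyone holding the file. The field names are assumptions and the timeline entries are constructed.

```python
"""Hash-chained incident log (an added example, not GlobeVM's code). Every
entry carries the SHA-256 of the entry before it, so an edited, inserted or
deleted line breaks the chain and anyone holding the file can prove it.
The field names are assumptions; the timeline in sample_log is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous hash" carried by the first entry


def _digest(body: dict) -> str:
    # sort_keys gives a canonical serialisation, so the hash is reproducible
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log: list, actor: str, action: str, time: str = None) -> dict:
    """Append one timeline entry to log (a list of dicts) and return it."""
    body = {
        "seq": len(log),
        "time": time or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if every link holds, else (False, seq of the first
    entry that fails): wrong sequence number, wrong previous hash, or a body
    that no longer matches its own hash."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev") != prev
                or _digest(body) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    return True, None


def sample_log() -> list:
    """Constructed first-day timeline used to exercise the chain."""
    log = []
    append_entry(log, "on-call admin", "FS-01 network cable pulled; host left powered on",
                 "2024-05-02T03:20:00+00:00")
    append_entry(log, "on-call admin", "Cyber insurer hotline notified",
                 "2024-05-02T03:35:00+00:00")
    append_entry(log, "counsel", "Hold customer notice until scope is known",
                 "2024-05-02T04:10:00+00:00")
    return log
```

The chain only proves as much as the newest hash you have placed out of reach: send the latest entry's hash to counsel or the insurer at each milestone, and any later rewrite of the file will fail to match it.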

Hours Four to Twelve: Notify the Right Parties
Several notifications belong in the first day. Cyber insurance, as noted, should be contacted promptly. Law enforcement should be informed; in the United States, ransomware attacks can be reported to the FBI, including through its Internet Crime Complaint Center, and the FBI may provide guidance and, occasionally, decryption assistance. Reporting does not obligate you to anything and can genuinely help. What you should not do in this window is rush to notify customers or the public before you understand the scope, because premature or inaccurate statements create problems of their own. Get the facts first, then meet your notification duties properly.
Hours Twelve to Twenty-Four: Plan Recovery, Carefully
With the situation contained and understood, turn to recovery, which means restoring from backups rather than paying if at all possible. But restoration carries its own danger: restoring from a backup that is itself infected, or restoring into a network the attacker still controls, simply restarts the disaster. Because attackers are typically present for days or weeks before encrypting, a backup taken after the intrusion began can carry their tools and persistence even if no file in it is encrypted, so the safe restore point predates the estimated entry date, not merely the encryption. Before restoring, confirm your backups are clean, reset the credentials the attacker could have used, and confirm the environment is safe to restore into. This is where reliable data backup and disaster recovery proves its worth, because clean, tested, isolated backups are what let a business recover without negotiating with criminals at all. The quality of your backups, more than any other single factor, determines whether ransomware is a crisis or a costly inconvenience.
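As an added example of the pre-restore check described above (not GlobeVM's code or a tool the page names), the script below rejects a snapshot unless it predates the estimated intrusion, contains no ransom notes or encrypted-looking files, and still matches the file hashes the backup system recorded when it was taken. The manifest format, extension list and sample snapshot are assumptions constructed for the example.

```python
"""Pre-restore backup check (an added example, not GlobeVM's code). A snapshot
is safe to restore only if it (1) predates the estimated intrusion, not merely
the encryption, (2) contains no ransom notes or encrypted-looking files, and
(3) still matches the hashes recorded when the backup was taken.
The manifest format, extension list and sample snapshot are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime

ENCRYPTED_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}   # assumed markers
NOTE_WORDS = ("readme", "restore", "recover", "decrypt")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Lines of '<sha256>  <relative path>' written when the backup was taken."""
    manifest = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, rel = line.split(maxsplit=1)
            manifest[rel] = digest
    return manifest


def check_snapshot(snapshot_dir: str, snapshot_time: str,
                   intrusion_start: str, manifest: dict) -> dict:
    """Return findings; 'safe_to_restore' is True only if every check passes."""
    f = {
        "predates_intrusion": (datetime.fromisoformat(snapshot_time)
                               < datetime.fromisoformat(intrusion_start)),
        "suspicious_files": [],
        "hash_mismatches": [],
        "missing": [],
    }
    for dirpath, _, files in os.walk(snapshot_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), snapshot_dir)
            low = name.lower()
            is_note = (low.endswith((".txt", ".html", ".hta"))
                       and any(w in low for w in NOTE_WORDS))
            if os.path.splitext(low)[1] in ENCRYPTED_EXTS or is_note:
                f["suspicious_files"].append(rel.replace(os.sep, "/"))
    for rel, digest in manifest.items():      # a manifest entry the backup no
        path = os.path.join(snapshot_dir, rel)  # longer matches means it changed
        if not os.path.isfile(path):
            f["missing"].append(rel)
        elif sha256_file(path) != digest:
            f["hash_mismatches"].append(rel)
    f["safe_to_restore"] = (f["predates_intrusion"] and not f["suspicious_files"]
                            and not f["hash_mismatches"] and not f["missing"])
    return f


def build_sample_snapshot(tampered: bool = False):
    """Constructed snapshot; returns (dir, manifest_text). With tampered=True a
    file is altered and a ransom note added after the manifest was written."""
    root = tempfile.mkdtemp(prefix="snap-")
    files = {
        "finance/ledger.csv": b"date,amount\n2024-04-01,1250.00\n",
        "hr/handbook.docx": b"PK\x03\x04" + bytes(range(256)),
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    manifest_text = "\n".join(f"{sha256_file(os.path.join(root, rel))}  {rel}"
                              for rel in files)
    if tampered:
        with open(os.path.join(root, "finance/ledger.csv"), "ab") as fh:
            fh.write(b"2024-04-30,9999.00\n")
        with open(os.path.join(root, "finance/README_RECOVER.txt"), "wb") as fh:
            fh.write(b"contact us to recover your files\n")
    return root, manifest_text
```

The date check is the one most often skipped: a backup that is free of encrypted files but was taken after the attacker's first login restores the attacker along with the data. The manifest must come from the backup system's own catalogue or from a copy held off the network, since a manifest stored beside the files can be rewritten with them.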
The Mistakes That Make Ransomware Worse
Most of the damage that compounds a ransomware attack comes from a short list of avoidable errors made under pressure. Knowing them in advance is itself a form of preparation.
The most common is powering off infected machines, which destroys forensic evidence that could identify the attacker, the entry point, and whether data was stolen. The second is restoring from backups without first confirming they are clean and that the network is secure, which reinfects the environment and wastes the one recovery path that mattered. A third is paying the ransom hastily, before understanding the scope or consulting experts and insurance, often under the false belief that payment guarantees a clean, fast recovery. Another frequent error is communicating carelessly, whether by making public statements before the facts are known or by discussing the incident over potentially compromised systems and email, where the attacker may be watching. Finally, many businesses fail to document the incident as it unfolds, which damages their position with insurers and investigators later. Each of these is a decision, and each can be avoided with a plan made before the crisis rather than during it.

The Hard Question: Should You Pay the Ransom?
This is the question every business in this situation asks, and it deserves an honest answer rather than a slogan. Law enforcement agencies, including the FBI, advise against paying ransoms, for sound reasons: payment funds and encourages criminal activity, it offers no guarantee that the attackers will actually restore your data, and it marks you as a business willing to pay, which can invite repeat attacks. Many organizations that pay do not get fully functional decryption in return.
At the same time, it would be dishonest to pretend the decision is always simple. A business facing permanent loss of irreplaceable data, with no viable backups, confronts a genuinely agonizing choice, and that is precisely why this decision should never be made alone or in haste. There is also a serious legal dimension: paying a ransom to a sanctioned entity or individual can itself violate the law regardless of the circumstances (in the United States, the Treasury's Office of Foreign Assets Control has warned that payments to sanctioned groups can expose the payer and any intermediary to penalties), which is one more reason legal counsel and specialists must be involved before any payment is considered. The honest summary is that paying is strongly discouraged, carries real legal risk, and guarantees nothing, and that the only good position to be in is one where clean backups make the question moot. That is an argument for preparation, not for payment.

After the First 24 Hours: The Road to Recovery
The first day is about survival and stabilization. What follows is the longer work of full recovery, which typically unfolds over days to weeks rather than hours. Systems are rebuilt and restored in a prioritized order, with the most critical business functions first. The root cause, the vulnerability or compromised credential that let the attackers in, must be found and fixed before systems go back online, or the attack can simply repeat; that includes resetting every account and service credential the attackers could have captured while inside, not only the one they used to get in. Ongoing managed IT services are what keep that rebuilt environment monitored and maintained so a second attack does not follow the first. Once operations are stable, a thorough investigation and a candid post-incident review identify what happened and what needs to change.
That review almost always points to the same lesson: the businesses that recover well are the ones that prepared, and the strongest preparation is preventing the attack in the first place. Our companion guide on ransomware protection covers the defenses that stop most attacks before they start. Building genuine resilience is less about any single tool than about a maintained, monitored environment.
GlobeVM is a managed IT and cybersecurity firm providing managed IT services in Los Angeles and the surrounding area, with CCSP-certified expertise and practical experience helping small and mid-sized businesses prepare for, withstand, and recover from incidents like these. Because recovery depends on having clean backups, a tested response plan, and a secured environment in place before an attack, the most valuable work happens long before the ransom note appears.
If you are not confident your business could respond correctly to a ransomware attack in the critical first hours, a readiness review with a knowledgeable local partner is the most direct way to find the gaps in your plan and your backups before an attacker finds them for you.