INCIDENT RESPONSE · 10 MIN
Ransomware: The First 24 Hours Survival Guide
What to do in the first 24 hours of a ransomware attack — containment, communication, decision points, and the mistakes that turn bad days into catastrophic weeks.
What should you do in the first 24 hours of a ransomware attack?
The first 24 hours of a ransomware response have four parallel priorities: (1) Contain — isolate affected hosts from the network without shutting them down, identify the entry point, stop active encryption and lateral movement; (2) Preserve — capture forensic evidence (memory, disk, logs) before any cleanup that could destroy it; (3) Assess — scope the impact (what was encrypted, what was exfiltrated, what credentials were compromised); (4) Communicate — engage IR, legal counsel, cyber insurance, and law enforcement on documented timelines, while controlling internal communications. Do not pay the ransom in the first 24 hours; do not negotiate without legal and IR guidance; do not power off systems before evidence is captured.

Ransomware: The First 24 Hours Survival Guide
If you are reading this with active encryption running, the most important thing to do is stop reading and call an incident response team. QMasters IR hotline: +972-3-XXX-XXXX. CISA: 1-844-Say-CISA. Then come back.
If you are reading this in a planning context — building a runbook, briefing leadership, scoping an IR retainer — this is the working model we use. It assumes you are not yet in crisis and have time to prepare for the moment when you are.
Why the first 24 hours decide the outcome
Ransomware response cost — financial, operational, reputational — varies by an order of magnitude based on what happens in the first 24 hours. The variables that compound that variance:
- Time to detection. Modern ransomware encrypts a typical environment in 4–6 hours. Detection at hour 1 vs hour 5 is the difference between a constrained incident and a full-environment compromise.
- Time to containment. Network-isolating the first compromised host before lateral movement extends the blast radius.
- Time to IR engagement. Teams that bring in IR within the first 4 hours recover faster, lose less data, and pay (or refuse) ransoms with cleaner decision frameworks.
- Forensic preservation discipline. Powering off systems, wiping suspected machines, or "cleaning up" before evidence capture removes information you will desperately need 72 hours later.
- Communication discipline. Internal panic, premature public disclosure, or uncoordinated regulator engagement creates secondary incidents on top of the primary one.
The four parallel priorities
The first 24 hours is not a sequence — it's four workstreams running in parallel.
Priority 1 — Contain
The goal is to stop active encryption and lateral movement without destroying evidence.
Actions in the first hour:
- Network-isolate confirmed-compromised hosts. EDR host isolation is the cleanest mechanism — keeps the host running, disconnects network access, preserves volatile evidence.
- Identify and disable compromised accounts. If credentials were used in the attack, those accounts are still compromised — disable, don't just reset.
- Block known-bad IPs, domains, and hashes at the perimeter and EDR.
- Preserve backups by network-isolating backup infrastructure. Modern ransomware actively targets backup repositories — protect them now.
Actions in hours 1–6:
- Scope the active compromise. EDR queries for known TTPs, suspicious processes, anomalous credential use across the environment.
- Identify the entry point. Was it phishing, an exploited vulnerability, a compromised RDP, a third-party access path? Without knowing entry, you can't be sure containment is complete.
- Stop attacker persistence. Scheduled tasks, services, registry runs, GPO modifications — the obvious persistence mechanisms checked first.
What not to do:
- Do not power off compromised systems. You destroy volatile memory, attacker tooling, encryption keys.
- Do not reimage compromised systems before forensic capture. You lose investigation data permanently.
- Do not "clean up" — running antivirus scans, deleting suspicious files — before IR has captured the system state.
Priority 2 — Preserve
Evidence preservation is what makes investigation, attribution, decision-making, insurance, and legal action possible.
What to capture, in the first 6 hours:
- Memory dumps of compromised systems (before isolation if possible, immediately after if not)
- Disk images or VMware snapshots of compromised systems
- EDR telemetry export covering the incident window
- SIEM event export covering the incident window
- Network traffic captures (NetFlow at minimum, full PCAP on critical segments if available)
- Email evidence if email-borne (raw .eml, not just rendered messages)
- Any ransom notes, attacker communications, payment instructions — captured intact
Chain of custody. Document who captured what, when, with what tool, and where the evidence is stored. If this becomes a legal matter, chain of custody decides whether your evidence is admissible.
Priority 3 — Assess
Scope the impact. The honest version of this is harder than it sounds, because the attacker had time you didn't see.
Questions to answer in 24 hours:
- What was encrypted? File servers, endpoints, databases, backup repositories. Inventory by criticality.
- What was exfiltrated? Modern ransomware is double-extortion — data stolen before encryption. Look for outbound transfers in the days/weeks before encryption. The attacker probably has more than the encrypted set.
- What credentials were compromised? Service accounts, admin accounts, potentially federated identities. Plan a credential reset campaign before it can be weaponized further.
- What persistence was established? Even after containment, persistence mechanisms (scheduled tasks, services, modified binaries, registry entries, malicious accounts) must be hunted down.
- What was the dwell time? How long did the attacker have access before the encryption event? This determines the scope of "what else might be compromised."
Priority 4 — Communicate
Communication is where good IR plans become real.
Internal in the first 4 hours:
- CISO → CIO → CEO/COO (depending on org structure) — immediate notification of confirmed incident
- Legal counsel — engaged as part of the incident, providing privilege over investigation work product
- IT leadership — coordination on containment and recovery
- Communications/PR lead — briefed on hold, no external comms yet
External in the first 12 hours:
- IR firm engaged (if not on retainer)
- Cyber insurance carrier notified per policy timeline (some require notification within 24–72 hours; missing this can void coverage)
- Law enforcement engagement (FBI in the US, NCSC in the UK, INCD in Israel) — their involvement does not preclude business decisions and can be valuable
External in the first 24 hours, conditionally:
- Regulators — if regulated industry (healthcare, finance, critical infrastructure), notification clocks may have started; consult counsel
- Affected third parties — customers, partners, suppliers whose data may be affected (counsel-led)
- Media and public communications — only if necessary, only counsel-coordinated, never improvised
→ See QMasters Incident Response services
Decisions you will be pressured to make too fast
Ransomware operators design their playbook to compress decision time. Resist.
"Should we pay?"
Not in the first 24 hours. The right time to evaluate ransom payment is after:
- IR has scoped the encryption and exfiltration
- Backups have been validated as recoverable or confirmed unrecoverable
- Legal counsel has assessed regulatory and sanctions implications (paying certain sanctioned actors is illegal)
- Cyber insurance has weighed in on coverage
- Negotiation specialists (if engaged) have established communication with the actor
These steps take days, not hours. The attacker's countdown timer is psychological pressure, not a real deadline.
"Should we go public?"
Not in the first 24 hours unless required by regulation. Premature disclosure compounds incidents:
- Customers panic and react before you have facts
- Media coverage attracts attention from other actors and opportunistic phishing
- Partners terminate access before assessment is complete
- Stock markets react to incomplete information
Communications must be counsel-led, fact-driven, and coordinated. Same-day public statements are almost always a mistake.
"Should we restore from backup right now?"
Not before:
- The compromise is contained (or you risk re-encrypting your restored systems)
- Backup integrity is validated (modern ransomware infiltrates backups before encryption)
- Persistence is removed (or restored systems will be re-compromised on first boot)
The instinct to restore quickly is right; the timing has to be after, not during, containment.
What an IR retainer changes
The single most leveraged investment in ransomware preparedness is an incident response retainer with documented response SLA. It changes:
- Time to engagement. Pre-paid hours, contracted SLA, no procurement delay during crisis.
- Familiarity with environment. Retainer relationships include periodic readiness work — runbook reviews, tabletop exercises, environment walkthroughs. The IR team isn't starting cold.
- Crisis decision support. The IR firm has been here before, has the playbook, and helps you make the multi-stakeholder decisions described above.
QMasters provides IR retainer services as part of MCSS or as a standalone engagement. 24/7 IR hotline access included.
To go deeper, visit QMasters, see how our incident response retainer fits in, or read more on careers at QMasters.
Frequently asked questions
Should I shut down all systems if hit by ransomware?
No. Use network isolation, not power-off. Powering off destroys evidence and complicates recovery.
Should I pay the ransom?
Not in the first 24 hours, and not without IR, legal, and insurance involved. The decision has many inputs and is rarely as time-pressured as the attacker claims.
When should I call incident response?
Within the first hour of confirmed ransomware activity. Time-to-IR is the strongest predictor of recovery cost.
Does QMasters offer ransomware IR?
Yes — 24/7 IR hotline, dedicated IR engineers, integration with our 16-analyst SOC for enrichment and visibility. Available as a retainer or as emergency engagement.
---
Don't wait for the incident.
Engage QMasters for an IR retainer. Pre-paid hours, defined SLA, runbook reviews, tabletop exercises, and 24/7 hotline access. The work you do before the incident decides the cost of the incident. Request an IR retainer →
FAQ
Frequently asked questions.
No. Powering off systems destroys volatile evidence (memory, encryption keys, attacker tooling) and complicates recovery. The correct action is network isolation — keep systems running but disconnect them from the network so encryption and lateral movement stop without losing forensic state. EDR-based host isolation is the cleanest way to do this.
Not in the first 24 hours, and not without legal counsel, cyber insurance, and IR guidance involved. Many factors affect the decision: backup viability, data exfiltration scope, regulatory and sanctions implications, attacker reputation. The decision is multi-stakeholder and rarely time-pressured in the way attackers want you to believe.
Within the first hour of confirmed ransomware activity. Time-to-IR-engagement is the strongest predictor of recovery cost. If you have an IR retainer, this is what it's for; if you don't, find one immediately. QMasters offers 24/7 IR hotline access.
ABOUT THE AUTHOR
Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.