A ransomware attack is one of the most critical threats an organisation can face. It can bring operations to a halt, cause significant financial losses, and inflict serious reputational damage. The way you react in the first 24 hours can make all the difference between containment and catastrophe. During this pivotal window, fast and informed action is essential, not only to limit damage but also to enable recovery and identify the root cause.
Whether you’re currently navigating an active breach or want to prepare your response plan in advance, here’s what needs to happen during those first 24 hours.
Step one: verify the attack and isolate affected systems
The moment ransomware is suspected, the priority is to confirm what’s happened. Ransomware doesn’t always announce itself with a dramatic pop-up; it may start quietly, encrypting files and spreading laterally across your network. Early warning signs include inaccessible files, failed logins, or unusual outbound traffic.
Once an attack is confirmed, isolate affected systems from the network immediately. Time is now of the essence. Ransomware attacks often seek to maximise damage by spreading across shared drives and cloud platforms. You should disconnect devices, disable Wi-Fi and VPNs, and block access at the firewall level to prevent further infection.
Having a cyber security team on standby allows experts to provide step-by-step guidance in real time, helping you make the right moves to contain the threat without destroying forensic evidence. In high-pressure moments, panic can lead to costly mistakes. Having a calm, expert-led approach ensures you stay focused and strategic.
Step two: alert internal stakeholders and assemble your response team
Ransomware response is not just an IT issue—it’s a business-wide challenge. Once containment is underway, you must inform key internal stakeholders. This includes executive leadership, legal, compliance, and communications teams. You should appoint a central response lead, ideally from your crisis management team. It will be their responsibility to coordinate efforts and make key decisions quickly.
If you’ve already established an incident response plan, now is the time to activate it.
Step three: protect your backups and avoid engaging attackers
It may be tempting to click the ransom note or initiate contact with attackers to understand their demands. This is strongly advised against. Not only does it carry legal and ethical risks, but it may compromise your recovery options or make you more vulnerable to secondary attacks.
Instead, secure all backups and logs. Identify when the attack began, which systems are affected, and what data may be at risk. Taking note of this information will be crucial for both remediation and regulatory reporting.
Partnering with an expert will significantly improve this process. Rapid forensic support helps assess the impact by identifying indicators of compromise (IOCs), tracing the attack vector, and determining the attacker’s dwell time. This information can help you understand whether data exfiltration occurred, an increasingly common element of modern ransomware attacks.
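An added example, not part of the original article: one way to estimate when encryption began and which systems were hit, using file-write events exported from file-server audit or EDR logs. The event tuples, host names, paths and the burst threshold are assumptions constructed for illustration; the burst onset marks the start of encryption activity, not initial access, so dwell time still has to come from earlier logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _burst(host, start, n, step, share):
    """Build n constructed write events on `host`, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [(host, (t0 + timedelta(seconds=i * step)).isoformat(),
             f"/{share}/file{i}.docx") for i in range(n)]

# Constructed sample events (host, ISO timestamp, path); all names are made up.
SAMPLE_EVENTS = (
    [("fs01", "2024-01-10T09:00:00", "/finance/q4.xlsx"),
     ("fs01", "2024-01-10T11:30:00", "/hr/rota.docx"),
     ("ws12", "2024-01-10T10:05:00", "/home/notes.txt"),
     ("ws12", "2024-01-10T16:40:00", "/home/todo.txt")]
    + _burst("fs01", "2024-01-10T22:14:00", 8, 3, "finance")
    + _burst("ws07", "2024-01-10T22:19:30", 6, 4, "home")
)

def triage(events, window=timedelta(seconds=60), threshold=5):
    """Per host: when the first write burst began and which top-level
    directories were written from then on. A burst is `threshold` or more
    writes inside `window`; both values are assumptions to tune per site."""
    by_host = defaultdict(list)
    for host, ts, path in events:
        by_host[host].append((datetime.fromisoformat(ts), path))
    report = {}
    for host, rows in by_host.items():
        rows.sort()
        start = 0
        for end, (t, _) in enumerate(rows):
            while t - rows[start][0] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 >= threshold:
                # First window dense enough to count as a burst: record it.
                onset = rows[start][0]
                dirs = sorted({p.split("/")[1] for ts, p in rows if ts >= onset})
                report[host] = {"onset": onset, "dirs_at_risk": dirs}
                break
    return report

def spread_order(report):
    """Hosts ordered by burst onset; the first shows the earliest activity."""
    return sorted(report, key=lambda h: report[h]["onset"])

if __name__ == "__main__":
    rep = triage(SAMPLE_EVENTS)
    for h in spread_order(rep):
        print(h, rep[h]["onset"].isoformat(), rep[h]["dirs_at_risk"])
```

Run it against a read-only copy of the exported logs so the originals stay intact as evidence.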
Step four: report the incident and review legal responsibilities
Depending on your industry and location, you may have regulatory or legal requirements to report a ransomware incident. This could include notifying the Information Commissioner’s Office (ICO), your industry regulator, or affected third parties.
It is vital not to delay these conversations. By following previous steps, you should have clear documentation and technical insights which will back up your reporting. This will help the process run smoothly.
Step five: begin recovery with help from a cyber security expert
Once the ransomware is contained and systems are stabilised, it’s time to begin recovery. This involves more than just restoring files from backup. You must ensure the attacker’s access is removed, vulnerabilities are patched, and your environment is safe to bring back online.
Having a trusted partner makes all the difference at this stage. Incident response specialists will work alongside IT and cyber teams to validate clean systems, conduct a secure restoration, and put new protections in place. Your business shouldn’t just bounce back; it should come back stronger.
How timely action and skilled expertise make a difference
The impact of a ransomware attack goes far beyond financial loss – it’s operational, reputational, and often long-lasting. The quicker and more effectively you respond, the more you reduce the long-term impact.
Cyber security firms offer several solutions to ensure organisations are ready to face ransomware. One is emergency incident response, where teams can rapidly deploy, either on-site or remotely, to help take control, contain the threat, and recover operations. Another option is to hold an incident response retainer. Retainer services give you guaranteed access to expert responders when you most need them. With predefined SLAs, threat intelligence, and environment familiarity, these services can help businesses respond faster and more effectively.
Proactive planning leads to a stronger future
The initial 24 hours of a ransomware attack can be overwhelming – but they don’t have to be. With thorough preparation and expert support, you can respond quickly, minimise the impact, and restore operations with confidence. In moments where every minute counts, experience is your strongest defence.