A Newport Beach marketing firm opened Monday morning to find every file extension changed to .locked and a ransom note demanding $47,000 in Bitcoin—by the time they called their break-fix IT guy three hours later, the attackers had already exfiltrated their client database to the dark web.
That three-hour delay turned a containable incident into a business-ending crisis. Modern ransomware moves fast, and your response window is measured in minutes, not hours. This checklist walks you through exactly what to do in the first 60 minutes after discovering an attack—the period when containment is still possible and recovery options remain open.
Why the First 60 Minutes Determine Your Recovery Timeline
Businesses that contain ransomware within the first hour recover in an average of 3 days, while those who delay face a 21-day recovery timeline, because modern ransomware variants spread laterally across networks in 30-90 minutes, encrypting additional systems and exfiltrating data throughout the delay period.
In This Article
- Why the First 60 Minutes Determine Your Recovery Timeline
- Minutes 0-10: Isolate and Document Without Shutting Down
- Minutes 10-20: Activate Your Incident Response Team and Contact Authorities
- Minutes 20-40: Identify Patient Zero and Stop Lateral Spread
- Minutes 40-60: Assess Backup Integrity and Begin Recovery Planning
- Step 4: Assess Business Impact and Prioritize Systems (Minutes 25-35)
- Step 5: Engage Specialized Incident Response Resources (Minutes 35-50)
- Step 6: Develop Recovery vs. Ransom Payment Decision Matrix (Minutes 50-60)
- Post-60 Minutes: Stabilization and Recovery
- Building Your Pre-Incident Response Plan
- Lessons from the Field
How Modern Ransomware Spreads
LockBit 3.0 and BlackCat represent a generation of ransomware that doesn't just encrypt the machine where it lands. These variants immediately scan for network shares, Active Directory credentials, and cloud storage connections. Within 30 minutes of initial infection, LockBit 3.0 can compromise domain administrator accounts and begin encrypting every connected system.
The Break-Fix Blind Spot
Most break-fix IT providers operate during business hours only—typically 8 AM to 6 PM on weekdays. Ransomware operators know this. Attacks launched Friday evening or over weekends go undetected until Monday morning, giving attackers 60+ hours to encrypt systems, steal data, and cover their tracks. Businesses with 24/7 monitored IT support receive alerts within minutes of suspicious activity, regardless of the time or day.
The difference between a three-day recovery and a three-week disaster comes down to how quickly you act in that first critical hour.
Minutes 0-10: Isolate and Document Without Shutting Down
In the first 10 minutes after discovering ransomware, disconnect affected machines from network connections but do not power them off, because RAM contains forensic evidence that disappears on shutdown, and premature server reboots can destroy Volume Shadow Copies that enable file recovery without paying the ransom.
Immediate Physical Isolation Steps
- Disconnect affected machines from WiFi and unplug ethernet cables immediately.
- Leave machines powered on—do not shut down or restart.
- If the infected machine is a laptop, disable WiFi through the physical switch or airplane mode before unplugging power.
- Identify all machines displaying ransom notes or .locked file extensions.
- Check printers and network-attached devices for unusual activity.
Why You Must Not Reboot Servers
A San Diego accounting firm discovered ransomware on their file server at 7 AM. Their office manager immediately rebooted the server, thinking a restart might fix the problem. That reboot permanently deleted all Volume Shadow Copies—snapshots that could have restored 80% of encrypted files without paying the ransom or relying on backups.
Volume Shadow Copies exist in RAM and on disk, but Windows often clears them during restart as part of its recovery process. Once gone, they cannot be recovered. Keep infected systems running until your incident response team specifically instructs otherwise.
Critical Documentation Tasks
- Photograph every ransom screen: Include timestamps, Bitcoin wallet addresses, contact emails, and deadline information.
- List all affected systems: Note computer names, IP addresses, and the earliest file encryption timestamps you can find.
- Record the exact ransom message: Copy the full text including any unique identifiers or case numbers the attackers provide.
- Check file creation dates: Sort your shared drives by "Date Modified" to identify when encryption began.
How to Notify Your Team Without Compromising Communication
Do not use company email to notify IT support or executives about the attack. Ransomware often compromises email systems first, and attackers monitor company communications to understand your response. Use personal cell phones to make direct calls. If you must send written communication, use personal email addresses or SMS text messages, never corporate accounts.
The person discovering the attack should immediately contact both your IT support provider and at least one executive with spending authority. This parallel notification ensures no delay in authorizing emergency response costs.
Minutes 10-20: Activate Your Incident Response Team and Contact Authorities
Between minutes 10-20 of a ransomware incident, assemble a response team including IT support, an executive decision-maker, cyber insurance contacts, and legal counsel for regulated industries, while simultaneously filing a report with FBI IC3 or your local FBI field office to document the attack for insurance claims and potential investigation.
Your Incident Response Team Roster
- IT Support Leader: Your primary IT provider or internal IT director who understands your network architecture.
- Executive Decision-Maker: CEO, CFO, or owner with authority to approve emergency spending for forensics, recovery, or ransom payment.
- Cyber Insurance Contact: Your insurance broker or carrier's breach response hotline if you carry cyber liability coverage.
- Legal Counsel: Required for financial services firms under FINRA, healthcare organizations under HIPAA, or any business handling payment card data under PCI DSS.
Why and How to Contact the FBI Immediately
File a report with FBI IC3 at ic3.gov or call your local FBI field office within the first 20 minutes. This is a documentation step, not a rescue request. The FBI will not send agents to stop the attack in progress, but the case number you receive serves three critical purposes:
- Cyber insurance policies often require law enforcement notification within 24 hours to validate claims.
- The FBI tracks ransomware variants and may have decryption keys from previous busts.
- Federal investigators can sometimes trace cryptocurrency payments or identify attacker infrastructure.
CISA recommends immediate law enforcement contact, yet most businesses delay 24-48 hours due to fear of negative publicity or confusion about what information to provide. The reality is that your FBI report can be filed anonymously initially, and early notification often leads to faster recovery through access to federal decryption tools.
The Take Ctrl Incident Response Protocol vs. Break-Fix Chaos
| Response Element | Take Ctrl Managed Security | Break-Fix Provider |
|---|---|---|
| Response Time | Dedicated security engineer joins within 15 minutes | Voice message or ticket submission; callback when available |
| Incident Leadership | Named incident commander coordinates all vendors and decisions | Business owner coordinates between IT vendor, insurance, legal |
| Documented Playbook | Pre-built response protocols tested quarterly | Improvised response; no documented procedures |
| After-Hours Availability | 24/7/365 monitoring and response capability | Business hours only; weekend attacks wait until Monday |
Businesses working with break-fix providers face the first 20 minutes alone, making critical decisions without expert guidance during the most important window. Those with cybersecurity services including incident response protocols have a named team member leading triage before the encryption spreads.
Minutes 20-40: Identify Patient Zero and Stop Lateral Spread
Between minutes 20-40, identify the initial infection point by examining file encryption timestamps and authentication logs from the preceding 24-48 hours, then immediately disable compromised accounts, segment network VLANs, and close internet-exposed Remote Desktop Protocol connections to prevent ransomware from spreading to additional systems still unaffected.
Finding Patient Zero
Patient Zero is the initial entry point—the first compromised machine or account that let ransomware into your network. Finding it requires examining three data sources:
- File system timestamps showing the earliest encryption activity (sort network drives by "Date Modified").
- Windows Event Logs or Active Directory authentication records showing suspicious logins 24-48 hours before encryption started.
- Firewall or VPN logs showing connections from unusual IP addresses or countries.
A Los Angeles logistics company discovered their ransomware entered through a compromised VPN account belonging to a former employee whose credentials were never disabled. The account had no multi-factor authentication, and attackers logged in from an IP address in Eastern Europe three days before launching the encryption payload.
Immediate Containment Actions
- Disable compromised user accounts: Lock the accounts in Active Directory or Microsoft 365 admin center immediately, not just reset passwords.
- Segment network VLANs: If your switches support VLAN segmentation, isolate infected network segments from clean ones to prevent further spread.
- Disable Remote Desktop Protocol: If RDP is exposed to the internet (port 3389), shut it down at the firewall immediately—80% of ransomware uses RDP as an entry vector.
- Check backup system isolation: Verify that backup appliances are on separate networks and haven't been compromised or encrypted.
Businesses with network segmentation and security controls already in place can isolate infected VLANs in minutes. Those running flat networks where every device can reach every other device face exponential spread with no ability to contain it.
Why Managed Detection and Response Tools Provide Critical Visibility
Businesses with MDR services have access to SIEM logs and endpoint detection platforms that record every authentication attempt, file modification, and process execution across the network. When ransomware strikes, these logs immediately reveal Patient Zero, the attack timeline, and exactly which accounts were compromised.
Without MDR tools, your team is guessing. You're checking machines one by one, hoping to spot the pattern. Businesses relying on break-fix support have none of this visibility—their logs weren't being collected, and now the forensic trail is incomplete or missing entirely.
Minutes 40-60: Assess Backup Integrity and Begin Recovery Planning
Between minutes 40-60, verify that backup systems are online and uncorrupted by checking the timestamp of the last clean backup before encryption began and testing a sample restore of a non-critical system, because the viability of your backups determines whether you can recover without paying ransom or face total data loss.
The Critical Backup Verification Process
- Log into your backup management console and verify the backup appliance itself is responsive.
- Check the timestamp of your most recent successful backup—was it completed before ransomware encryption began?
- Review backup job logs for the past 30 days to confirm backups have been running successfully (not failing silently).
- Perform a test restore of a small, non-critical file or folder to a quarantined machine to verify data integrity.
- Document the exact recovery point objective—how many hours or days of data loss would a restore from the most recent clean backup entail?
Three Possible Backup Scenarios
- Clean isolated backups exist: Recovery is possible without ransom payment; restoration timeline depends on data volume and bandwidth.
- Backups are encrypted: Ransomware reached your backup systems; recovery requires ransom payment or accepting total data loss.
- Backups are corrupted or untested: Backup jobs were failing silently for weeks or months; discovered only now during crisis.
A San Clemente manufacturing company ran backups to a NAS device in their server room for four years. During a ransomware incident, they discovered backup jobs had been failing silently for six weeks due to a full disk—errors were logged but no one monitored the alerts. The most recent usable backup was 46 days old, making recovery impossible without severe data loss.
Immutable Backup Architecture vs. Standard NAS Devices
The architecture of your backup solution determines whether ransomware recovery is possible or whether you're negotiating with criminals. Standard network-attached storage (NAS) devices are mounted as writable network shares—if ransomware reaches them, your backups become encrypted alongside production data. Immutable backup systems use append-only protocols that prevent deletion or modification, even by administrative credentials.
| Backup Type | Ransomware Vulnerability | Recovery Success Rate |
|---|---|---|
| Standard NAS device | High (writable share) | 35-40% |
| Cloud backup only | Medium (depends on versioning) | 60-70% |
| Immutable backup + air gap | Very low | 90-95% |
| 3-2-1 backup strategy | Very low | 92-98% |
Step 4: Assess Business Impact and Prioritize Systems (Minutes 25-35)
Not all systems are equally critical to business continuity. A ransomware response must prioritize restoration based on operational impact rather than attempting to restore everything simultaneously. This prioritization directly affects communication strategy, recovery timeline, and whether you can maintain partial operations during restoration.
Critical System Classification
Create a four-tier classification system within the first 35 minutes:
- Tier 1 - Business Critical: Systems whose absence immediately stops revenue generation or creates legal/safety risks (payment processing, manufacturing control systems, patient records).
- Tier 2 - Operations Important: Systems that severely impair but don't completely halt operations (email, CRM, project management).
- Tier 3 - Productivity Tools: Systems that reduce efficiency but allow work to continue (shared drives, internal wikis, collaboration platforms).
- Tier 4 - Non-Essential: Systems with minimal immediate impact (archival data, development environments, internal reports).
A Dana Point medical practice discovered their electronic health records system encrypted but their appointment scheduling system was unaffected. By prioritizing patient safety data and rescheduling non-urgent appointments, they maintained partial operations for five days while restoring from backups, avoiding the need to turn away patients entirely.
Operational Impact Assessment Questions
- Can we legally operate without access to this system? (Regulatory compliance requirements)
- Does this system directly generate or process revenue? (E-commerce, payment processing, manufacturing)
- Are there manual workarounds that can temporarily replace this system? (Paper forms, spreadsheets, phone calls)
- What is the maximum acceptable downtime before permanent business damage occurs? (Customer defection, contract penalties)
- Does this system contain data needed to restore other systems? (Configuration databases, password vaults, documentation)
Communication and Stakeholder Management
By minute 35, you should have preliminary answers to critical stakeholder questions:
- Timeline estimate: When can partial operations resume? When will full restoration be complete?
- Customer impact: Which services are unavailable? What is the communication plan for customers?
- Financial impact: What is the estimated cost of downtime per hour? What are insurance considerations?
- Legal obligations: What breach notification requirements exist? When do they trigger?
Step 5: Engage Specialized Incident Response Resources (Minutes 35-50)
Most ransomware responses fail not from lack of technical knowledge but from attempting to manage a crisis of this complexity without specialized expertise. The economics of ransomware response favor attackers—they have repeated experience with hundreds of incidents, while your team faces this situation perhaps once in a career.
When to Engage External Incident Response
Immediate engagement is warranted when:
- Your IT team lacks ransomware-specific forensic experience
- Data exfiltration is suspected (double extortion ransomware)
- Backup systems are compromised or backups don't exist
- Regulatory breach notification requirements may apply
- Business interruption insurance includes cyber incident coverage
- Legal questions exist about ransom payment, law enforcement engagement, or liability
Critical Resources to Contact
| Resource Type | Primary Function | Engagement Timing |
|---|---|---|
| Incident Response Firm | Forensics, containment, recovery coordination | Immediately (within first hour) |
| Cyber Insurance Provider | Coverage verification, approved vendor coordination | Within 2 hours |
| Legal Counsel (Cyber Experience) | Breach notification, liability, privilege protection | Within 4 hours |
| Law Enforcement (FBI/IC3) | Threat intelligence, investigation | Within 24 hours |
| Public Relations Firm | External communication, reputation management | Before public disclosure |
A Mission Viejo law firm initially attempted to handle a ransomware response internally to save costs. After three days of unsuccessful recovery attempts, they engaged a specialized incident response firm that identified lateral movement the internal team had missed—the attacker still had access and would have re-encrypted systems immediately after restoration. The delayed engagement extended downtime from an estimated 4 days to 11 days.
Working With Cyber Insurance
If your organization maintains cyber insurance, contact your provider within the first hour. Most policies include:
- Pre-approved incident response vendors (often required for coverage)
- Business interruption coverage (requires documentation of downtime)
- Ransom payment reimbursement (controversial and increasingly limited)
- Breach notification costs and credit monitoring services
- Legal defense coverage for resulting litigation
Document everything. Insurance claims require detailed timelines, decision justifications, and cost records. Assign one person to maintain a contemporaneous incident log recording all decisions, actions, and communications with timestamps.
Step 6: Develop Recovery vs. Ransom Payment Decision Matrix (Minutes 50-60)
Within the first hour, your leadership team must make the most difficult decision: whether to pay the ransom or pursue recovery through backups and rebuilding. This decision requires a structured analysis, not an emotional reaction.
Factors to Consider
| Recovery Factor | Favors Payment | Favors Recovery |
|---|---|---|
| Backup Integrity | Backups compromised or non-existent | Clean, tested backups available |
| Recovery Timeline | Recovery would take weeks | Recovery possible within 3-5 days |
| Business Impact | Life/safety systems affected | Operations can continue in degraded state |
| Data Exfiltration | Sensitive data stolen and threatened for release | Encryption-only attack, no exfiltration |
| Financial Resources | Recovery costs exceed ransom significantly | Recovery costs reasonable and budgeted |
| Legal/Regulatory | Payment not prohibited in your sector | Sanctions prohibit payment to this group |
The Case Against Payment
Security experts and law enforcement consistently advise against ransom payment for several reasons:
- No guarantee of recovery: 46% of organizations that paid ransoms did not receive working decryption keys (Cybereason, 2022)
- Repeat targeting: Organizations that pay are 80% more likely to be attacked again within the year
- Criminal funding: Ransom payments directly fund organized crime and nation-state threat actors
- Sanctions violations: Paying sanctioned groups (like many ransomware operations) can result in significant legal penalties
- Data remains stolen: Payment only provides decryption keys—it does not delete exfiltrated data from attacker systems
A San Diego manufacturing company paid a $180,000 ransom after a REvil attack. The decryption process took 6 days (compared to estimated 4-day recovery), only 92% of files decrypted successfully, and they were attacked again 9 months later by the same group demanding $320,000.
Making the Decision
Assemble your decision-making team: executive leadership, IT director, legal counsel, cyber insurance representative, and incident response lead. Present the analysis matrix within 45 minutes of the attack being confirmed.
If you decide to pay (after exhausting all alternatives), understand the process:
- Engage a professional ransomware negotiation firm—never negotiate directly
- Request proof of decryption capability before payment
- Ensure payment does not violate OFAC sanctions through legal review
- Document the decision rationale thoroughly for insurance and potential litigation
- Plan for decryption timeline (often 3-7 days even after payment)
- Continue recovery preparation in parallel—payment does not guarantee success
Post-60 Minutes: Stabilization and Recovery
After the critical first hour, your response shifts from immediate triage to sustained recovery operations. Your incident response team should now be leading efforts with clear command structure.
Communication Protocol
Establish a regular communication cadence:
- Executive updates: Every 4 hours initially, then twice daily
- Employee communication: Initial notification within 4 hours, then daily updates
- Customer notification: If data was potentially compromised, legal counsel will advise on timing (typically 24-72 hours)
- Regulatory notification: Many jurisdictions require breach notification within 72 hours
Recovery Phases
The full recovery process typically follows this timeline:
- Days 1-3: Containment verification, forensic analysis, recovery planning
- Days 4-7: Core system restoration, limited operations resumption
- Weeks 2-4: Full system restoration, security hardening implementation
- Months 2-3: Post-incident review, security architecture improvements
Building Your Pre-Incident Response Plan
The organizations that recover most successfully from ransomware attacks are those that prepared before the incident occurred. Don't wait until you're under attack to figure out your response process.
Essential Preparations
Create an incident response playbook with pre-filled contact information, decision trees, and action checklists. Store copies offline (printed and on USB drives stored securely off-site).
Establish and test your backup strategy:
- Follow the 3-2-1 rule: 3 copies, 2 different media types, 1 off-site
- Implement immutable or air-gapped backups that ransomware cannot encrypt
- Test restoration quarterly—a backup you haven't tested is no backup at all
- Verify backup systems are not accessible from production networks
Conduct tabletop exercises simulating ransomware attacks. Include executive leadership, not just IT staff. These exercises reveal gaps in communication, authority, and process that you can fix before a real incident.
Pre-negotiate cyber insurance coverage with clear understanding of approved vendors, coverage limits, and claim processes. Review your policy annually as coverage terms are changing rapidly in the current threat landscape.
Develop relationships with incident response firms before you need them. Some firms offer retainer agreements that guarantee response availability and reduced hourly rates during incidents.
Security Hardening Priorities
Implement these controls to reduce ransomware risk:
- Multi-factor authentication on all remote access and administrative accounts
- Network segmentation separating critical systems from general corporate networks
- Endpoint detection and response (EDR) tools on all systems
- Email security with attachment sandboxing and link protection
- Privileged access management limiting administrative credential exposure
- Regular vulnerability patching with prioritization of internet-facing systems
- Application whitelisting preventing unauthorized executable execution
Lessons from the Field
A commercial real estate firm in Orange County experienced a Conti ransomware attack that encrypted 85% of their file servers. Because they had prepared, their response was effective:
- Their printed incident response plan was retrieved from the CFO's office within 10 minutes
- Network isolation occurred in 8 minutes, limiting encryption spread
- Pre-arranged incident response firm was engaged within 30 minutes
- Immutable backups stored on a separate network were verified within 2 hours
- Critical systems were operational within 48 hours
- Full restoration completed in 6 days without ransom payment