Ransomware doesn't announce itself politely. By the time you see the first ransom note or encrypted file extension, the attacker has likely been in your environment for days or weeks, exfiltrating data, disabling backups, and staging the payload across multiple systems. The encryption event is the final act — but your response in the first 60 minutes can still determine whether you lose a handful of systems or your entire infrastructure.

This guide breaks down the critical first hour into three phases, each with specific actions, decision points, and common mistakes to avoid.

Phase 1: Detection & Initial Triage (Minutes 0–15)

Minute 0–5: Confirm and Classify

The first few minutes are about confirming what you're dealing with and activating your response structure. Not every suspicious alert is ransomware, and false positives waste precious time if you escalate prematurely.

  • Verify the detection — Confirm ransomware indicators: encrypted files with unusual extensions, ransom notes on desktops, mass file rename activity in monitoring tools
  • Identify affected systems — Use your EDR console, SIEM, or network monitoring to determine how many endpoints show encryption activity
  • Classify the scope — Is this a single workstation, a department, or enterprise-wide? Scope determines your containment strategy

Minute 5–10: Activate IR Team

Once you've confirmed ransomware activity, activate your incident response team immediately. Every minute of delay is a minute the attacker uses to encrypt more systems.

  • Page the IR team — Use your on-call rotation. Don't send emails — the email system may be compromised
  • Assign roles — Incident Commander, Technical Lead, Communications Lead, Scribe. If you have an IR plan, follow it
  • Establish a command channel — Set up a dedicated communication channel outside your corporate infrastructure (Signal, out-of-band phone bridge, etc.)

Minute 10–15: Initial Intelligence

Gather enough intelligence to make informed containment decisions in the next phase.

  • Identify the ransomware variant — Ransom notes, encrypted file extensions, and process names can help identify the specific strain. Tools like ID Ransomware can assist
  • Check for data exfiltration indicators — Many modern ransomware groups exfiltrate data before encrypting. Check for unusual outbound data transfers in network logs
  • Assess backup status — Determine whether your backups are intact, offline, or potentially compromised. Attackers routinely target backup systems first

Phase 2: Containment Decisions (Minutes 15–30)

Containment is the most critical phase. The goal is to stop the spread of encryption while preserving as much evidence as possible. Every containment action has trade-offs, and the right choice depends on your specific situation.

Minute 15–20: Network Containment

Network-level containment is typically the fastest way to stop lateral spread.

  • Isolate affected network segments — Use firewall rules or network switches to cut off affected VLANs from the rest of the network
  • Block known C2 communications — If you've identified command-and-control infrastructure, block those IPs and domains at the perimeter immediately
  • Disable compromised accounts — If you've identified the attacker's access accounts, disable them in Active Directory. Consider resetting the krbtgt account if domain compromise is suspected

Minute 20–25: Endpoint Containment

Network isolation alone isn't enough. You need endpoint-level containment to stop encryption on individual systems.

  • Use EDR to isolate endpoints — Most EDR platforms support network isolation that keeps the endpoint reachable by the EDR console while cutting off all other network access
  • Do NOT power off systems — This is a critical mistake. Powering off destroys volatile memory, active network connections, and running process data that is essential for forensics
  • If no EDR is available — Disconnect network cables (don't power off). For wireless-only devices, disable Wi-Fi adapters

Minute 25–30: Assess Containment Effectiveness

  • Monitor for new encryption activity — Are new systems still being affected after containment actions?
  • Verify critical system status — Check domain controllers, backup servers, and other Tier 0 assets
  • Decide on external support — If the scope exceeds your team's capacity, this is the time to engage external IR support. Don't wait until hour four
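Both the "mass file rename activity" check in the Phase 1 triage step and the "monitor for new encryption activity" check above come down to the same detector, so here is one added Python example (not code from the original guide) that serves both: it slides a one-minute window over file rename events per host, flags hosts that cross a rename-count threshold, records the dominant new extension as a first hint for variant identification, and then lists which flagged hosts started after a given containment timestamp. The Sysmon-style event shape, host and process names, window size and threshold are constructed assumptions.

```python
# Added example (not from the original guide): detect the "mass file rename"
# signature of an encryption run from rename events, and re-run the same check
# against a containment timestamp to see whether new hosts are still being hit.
# The events below are constructed in a Sysmon-like shape; the window size,
# threshold and host/process names are assumptions for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50  # renames per host within one window; tune to your environment


def make_sample_events():
    """Constructed rename events: (timestamp, host, process, old_path, new_path)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    events = []
    # ws-042: 200 renames in 40 seconds, each appending a new extension -> burst
    for i in range(200):
        events.append((base + timedelta(milliseconds=200 * i), "ws-042", "svchost.exe",
                       f"C:\\Users\\jdoe\\Documents\\report{i}.docx",
                       f"C:\\Users\\jdoe\\Documents\\report{i}.docx.locked"))
    # fs-01: 120 renames starting at 10:06, i.e. after a hypothetical 10:05 containment
    for i in range(120):
        events.append((base + timedelta(minutes=6, milliseconds=300 * i), "fs-01", "svchost.exe",
                       f"D:\\share\\finance\\q{i}.xlsx",
                       f"D:\\share\\finance\\q{i}.xlsx.locked"))
    # ws-017: three ordinary document saves -> benign
    for i in range(3):
        events.append((base + timedelta(minutes=i), "ws-017", "WINWORD.EXE",
                       f"C:\\Users\\asmith\\~draft{i}.tmp",
                       f"C:\\Users\\asmith\\draft{i}.docx"))
    return events


def extension_of(path):
    """Last extension of a Windows or POSIX path ('' if none)."""
    m = re.search(r"(\.[^.\\/]+)$", path)
    return m.group(1) if m else ""


def detect_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window check per host. Returns {host: {"first_seen", "count", "extension"}}
    for hosts with >= threshold renames inside any window-long span; extension is
    the most common new extension in that span, a first hint for variant lookup."""
    by_host = defaultdict(list)
    for ts, host, _proc, _old, new in events:
        by_host[host].append((ts, new))
    bursts = {}
    for host, rows in by_host.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                exts = Counter(extension_of(new) for _, new in rows[start:end + 1])
                bursts[host] = {"first_seen": rows[start][0],
                                "count": len(rows),
                                "extension": exts.most_common(1)[0][0]}
                break
    return bursts


def hosts_affected_after(bursts, containment_iso):
    """Hosts whose first burst began at or after the containment timestamp.
    If this list keeps growing on successive runs, containment has not taken."""
    cutoff = datetime.fromisoformat(containment_iso)
    return sorted(h for h, b in bursts.items() if b["first_seen"] >= cutoff)


if __name__ == "__main__":
    bursts = detect_bursts(make_sample_events())
    for host, b in sorted(bursts.items()):
        print(f"{host}: {b['count']} renames, first burst {b['first_seen']:%H:%M:%S}, "
              f"extension {b['extension']}")
    print("still spreading after 10:05 containment:",
          hosts_affected_after(bursts, "2024-05-01T10:05:00"))
```

Feed it the rename events from the EDR or Sysmon export and re-run it every few minutes with the containment time fixed: an empty result from hosts_affected_after is the evidence that the spread has stopped, and a growing one is the signal to escalate to external support now rather than at hour four.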

Phase 3: Evidence Preservation & Communication (Minutes 30–60)

With containment underway, the next priority is preserving evidence and activating your communication protocols. These actions run in parallel.

Minute 30–40: Evidence Preservation

Every action you take (or fail to take) in this window affects your ability to investigate the breach, meet regulatory requirements, and potentially pursue legal action.

  • Capture volatile data first — Memory dumps from key systems (especially domain controllers and the initial infection point). Use tools like winpmem or your EDR's memory capture capability
  • Collect critical logs — Security event logs, Sysmon logs, PowerShell logs, and EDR telemetry. These may be targets for deletion by the attacker. See our Windows forensic artifacts guide for a complete collection checklist
  • Create forensic images — Prioritize imaging the initial infection point and any systems with indicators of attacker activity
  • Preserve ransom notes and encrypted samples — These contain strain identification and potentially decryption information
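A way to do the log and ransom-note collection above so that it holds up later, as an added Python example that is not part of the original guide: each artifact is hashed with SHA-256 before and after the copy, the copy is rejected if the hashes differ, a manifest.json records who collected what from where and when, and a verify step re-hashes the stored copies on demand. The case id, collector name, evidence paths and the sample artifacts are constructed assumptions; the demo builds everything in a temporary directory.

```python
# Added example (not from the original guide): copy artifacts into a case
# folder with a SHA-256 manifest, verifying each copy and allowing later
# re-verification, so collected logs and ransom notes can be shown to be
# unaltered. Paths, case id and the sample artifacts are constructed assumptions.
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so large memory dumps do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_artifacts(sources, evidence_root, case_id, collector):
    """Copy each file in `sources` into evidence_root/case_id/, hash it before
    and after the copy, and write manifest.json. Returns the manifest dict."""
    case_dir = os.path.join(evidence_root, case_id)
    os.makedirs(case_dir, exist_ok=True)
    items = []
    for index, src in enumerate(sources):
        src_hash = sha256_file(src)
        # Index prefix keeps same-named files from different systems apart.
        dest = os.path.join(case_dir, f"{index:03d}_{os.path.basename(src)}")
        shutil.copy2(src, dest)  # copy2 preserves the original timestamps
        if sha256_file(dest) != src_hash:
            raise RuntimeError(f"copy of {src} did not verify")
        stat = os.stat(src)
        items.append({
            "source": os.path.abspath(src),
            "stored_as": dest,
            "sha256": src_hash,
            "size": stat.st_size,
            "source_mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"case_id": case_id, "collector": collector,
                "collection_host": socket.gethostname(), "items": items}
    with open(os.path.join(case_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest_path):
    """Re-hash every stored item; returns the source basenames that no longer match."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    return [os.path.basename(item["source"]) for item in manifest["items"]
            if not os.path.exists(item["stored_as"])
            or sha256_file(item["stored_as"]) != item["sha256"]]


def demo():
    """Build constructed artifacts in a temp dir, collect them, verify, then
    show that tampering with a stored copy is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        note = os.path.join(tmp, "ransom_note.txt")
        log = os.path.join(tmp, "Security.evtx")
        with open(note, "w") as fh:
            fh.write("CONSTRUCTED SAMPLE ransom note text, not a real note\n")
        with open(log, "wb") as fh:
            fh.write(b"ElfFile\x00" + b"\x00" * 4096)  # placeholder bytes, not a real EVTX
        manifest = collect_artifacts([note, log], os.path.join(tmp, "evidence"),
                                     "CASE-0001", "analyst-on-call")
        manifest_path = os.path.join(tmp, "evidence", "CASE-0001", "manifest.json")
        clean = verify_manifest(manifest_path)
        with open(manifest["items"][0]["stored_as"], "a") as fh:
            fh.write("tampered\n")
        return {"item_count": len(manifest["items"]),
                "clean_mismatches": clean,
                "after_tamper_mismatches": verify_manifest(manifest_path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the document you hand to counsel or the insurer's forensic firm; the Scribe should record where each manifest lives and who has had write access to the evidence share since collection.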

Minute 40–50: Stakeholder Communication

At this point, your Communications Lead should activate the notification process.

  • Brief executive leadership — Provide scope, current status, and expected next steps. Avoid speculation about attribution or total impact
  • Engage legal counsel — Breach notification requirements vary by jurisdiction and data type. Legal needs to assess regulatory obligations early
  • Notify your cyber insurance carrier — Most policies have notification windows. Late notification can affect coverage
  • Prepare holding statements — Draft internal and external communications. Do not disclose technical details publicly at this stage

Minute 50–60: Plan the Next Phase

  • Establish investigation priorities — Initial access vector, lateral movement timeline, data exfiltration scope
  • Resource planning — Do you need additional IR capacity? Forensic specialists? Legal support?
  • Set a briefing cadence — Establish regular update intervals for leadership (every 2–4 hours in the first 24 hours)
  • Document everything — Ensure your Scribe has captured every decision, action, and observation. This documentation is critical for the post-incident review and potential legal proceedings

Common Mistakes That Make Things Worse

In the pressure of an active ransomware incident, teams frequently make errors that compound the damage. Avoid these:

After the First Hour

The first 60 minutes set the foundation, but ransomware recovery is a marathon. After the initial response, your priorities shift to root cause analysis, full scope assessment, system recovery, and long-term hardening. Having structured incident response playbooks ensures that each phase of the recovery follows a consistent, thorough process.

The organizations that recover successfully from ransomware are not the ones that improvised the best. They're the ones that had a plan, executed it under pressure, and adapted as the situation evolved.

Need Immediate IR Support?

If you're currently dealing with a ransomware incident, our IR team is available 24/7 for emergency deployment. Or explore our ransomware response playbook.
