Advisory — 2026-03-07

First 72 Hours After Ransomware Attack

Critical actions that determine your recovery, based on analysis of 235 real ransomware negotiation cases.

Published: 2026-03-07 · Updated: 2026-03-07 · Simon Lynge
⚠️ Critical: If you're currently experiencing a ransomware attack, call our 24/7 hotline immediately. Don't make decisions based on blog posts during an active crisis.

Hour 1: Initial Response
Don't Panic, Do This Instead

The first hour sets the trajectory for your entire recovery. Every minute counts, but rushing leads to mistakes.

Hour 1 Checklist:

  • Confirm it's ransomware (not a false positive)
  • Activate your incident response team
  • Isolate affected systems (network segmentation)
  • Preserve evidence (don't turn anything off)
  • Secure communication channels (encrypted chat)
💡 Pro Tip: Take screenshots of everything—ransom notes, encrypted files, system times. This becomes critical evidence for negotiations and insurance claims.

What NOT to Do in Hour 1:

  • Don't pay immediately: 68% of companies that pay in the first hour pay more than necessary
  • Don't contact the attacker yet: Let professionals handle initial communication
  • Don't start restoring from backups: You might restore infected backups
  • Don't post on social media: This alerts competitors and can panic customers

Hours 1-24: Containment & Investigation
Stop the Bleeding, Find the Source

This is where most companies make their first major mistake: focusing on recovery before understanding the attack.

Critical Investigation Steps:

  1. Scope the attack: Which systems are affected? What data was accessed?
  2. Identify the variant: Different ransomware has different decryption options
  3. Find patient zero: How did they get in? (Phishing, RDP, vulnerability)
  4. Check for data exfiltration: 89% of modern ransomware steals data before encrypting
  5. Preserve forensic evidence: Memory, logs, disk images for legal proceedings
⚠️ Data Exfiltration Warning: Assume your data was stolen. In our analysis of 235 cases, 89% involved data theft before encryption. This changes everything—it's not just about decryption anymore.
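
The scoping, variant-identification and evidence-preservation steps above can be started with a simple triage pass over an affected share. The script below is an added example written for this article, not tooling from the author or their firm: it walks a file tree, hashes every file into a SHA-256 manifest before anything else is touched, flags files whose content is near-random but whose type does not explain it (the usual encryption footprint), tallies the extension appended to those files as a hint for variant identification, collects candidate ransom notes, and reports the earliest and latest modification times of the flagged files as the encryption window. The note-name hints, the entropy threshold of 7.5 bits per byte and the sample tree are all constructed assumptions for the demonstration.

```python
"""Added triage example: scope a suspected ransomware encryption event on a
file tree and produce a SHA-256 manifest for evidence preservation."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Constructed for this example: generic words that ransom-note filenames tend
# to contain. They are not indicators for any specific ransomware family.
NOTE_NAME_HINTS = ("readme", "restore", "decrypt", "recover")
# Formats that are high-entropy by design (compressed or already encrypted).
# Flagging them would be a false positive, so they are treated as expected.
EXPECTED_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data sits near 8.0 (assumed cut-off)
MIN_SIZE = 256            # entropy estimates are unreliable on very small files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: Path) -> bool:
    """Small text/HTML file whose name contains one of the constructed hints."""
    name = path.name.lower()
    return path.suffix.lower() in {".txt", ".html", ".hta"} and any(h in name for h in NOTE_NAME_HINTS)


def triage_tree(root: Path) -> dict:
    """Walk `root` and return a scoping summary plus a hash manifest.

    encrypted:  files that look encrypted (near-random content, type does not explain it)
    extensions: suffixes appended to those files, a hint for identifying the variant
    notes:      candidate ransom notes
    window:     earliest/latest mtime of flagged files in UTC ISO 8601, i.e. the
                encryption window; it narrows the timeline but is not the entry vector
    manifest:   sha256 of every file, recorded before any remediation
    """
    encrypted, notes, manifest, mtimes = [], [], {}, []
    extensions = Counter()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        manifest[rel] = hashlib.sha256(data).hexdigest()
        if looks_like_ransom_note(path):
            notes.append(rel)
            continue
        if (len(data) >= MIN_SIZE and path.suffix.lower() not in EXPECTED_HIGH_ENTROPY
                and shannon_entropy(data) > ENTROPY_THRESHOLD):
            encrypted.append(rel)
            extensions[path.suffix.lower()] += 1
            mtimes.append(path.stat().st_mtime)
    window = None
    if mtimes:
        def to_iso(t):
            return datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        window = (to_iso(min(mtimes)), to_iso(max(mtimes)))
    return {"encrypted": encrypted, "extensions": dict(extensions),
            "notes": notes, "window": window, "manifest": manifest}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two intact documents, one legitimate archive,
    three 'encrypted' files with an appended .locked extension, and a ransom note."""
    (root / "finance").mkdir()
    (root / "finance" / "budget.txt").write_bytes(b"Q1 budget figures\n" * 40)
    (root / "finance" / "notes.txt").write_bytes(b"meeting notes " * 30)
    (root / "finance" / "archive.zip").write_bytes(os.urandom(2048))  # high entropy, but expected
    for i, t in enumerate((1_700_000_000, 1_700_000_120, 1_700_000_300)):
        p = root / "finance" / f"report{i}.docx.locked"
        p.write_bytes(os.urandom(4096))
        os.utime(p, (t, t))  # fixed mtimes so the encryption window is deterministic
    (root / "README_RESTORE_FILES.txt").write_text("Your files are encrypted.\n")


def triage_demo() -> dict:
    """Build the constructed sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    summary = triage_demo()
    for key in ("encrypted", "extensions", "notes", "window"):
        print(f"{key}: {summary[key]}")
    print(f"manifest entries: {len(summary['manifest'])}")
```

Two caveats worth keeping in mind when running something like this for real: entropy alone cannot distinguish encrypted files from compressed or media files, which is why the expected-format list exists, and a full hash-and-entropy pass over a large share is slow, so start with the shares nearest the ransom notes and record the manifest output on write-once media so it can support the insurance and legal evidence the article asks you to preserve.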

Containment Strategies:

| Strategy | When to Use | Pros | Cons |
| --- | --- | --- | --- |
| Network Segmentation | Large networks, spread detected early | Minimal business disruption | Complex to implement correctly |
| Complete Isolation | Critical systems affected, rapid spread | Stops attack immediately | Total business disruption |
| Targeted Shutdown | Limited infection, identified patient zero | Preserves evidence, minimal disruption | Risk of missing compromised systems |

Hours 24-48: Decision Making
The Million-Dollar Question: To Pay or Not to Pay?

By hour 24, you should have enough information to make informed decisions.

Decision Framework:

Questions to Answer Before Deciding:

  • Do you have clean, tested backups?
  • Is there a free decrypter available for this variant?
  • Was data stolen? (Check dark web monitoring)
  • What's the business impact per hour of downtime?
  • What are your regulatory notification requirements?

When Payment Might Be Necessary:

  • No backups or backups are also encrypted
  • No decrypter available for this variant
  • Data was stolen and will be published
  • Business impact exceeds ransom demand
  • Critical systems affected (healthcare, utilities)

When to Avoid Payment:

  • Clean backups available and tested
  • Free decrypter exists
  • Data wasn't stolen (confirmed)
  • Attackers have poor reputation for decryption
  • Legal/regulatory restrictions apply (sanctions)
💡 Negotiation Insight: The average successful negotiation reduces ransom demands by 63%. Initial demands are almost always negotiable. Professional ransomware negotiators achieve better results than internal teams.

Hours 48-72: Recovery Execution
From Crisis to Control

By now, decisions are made. It's time to execute recovery while managing communications.

Recovery Execution Checklist:

  • Validate backup integrity (test restoration)
  • Build clean golden images (don't restore infected systems)
  • Patch all vulnerabilities (including the initial entry point)
  • Implement enhanced monitoring (catch any remaining threats)
  • Begin regulatory notifications (if required)
  • Update stakeholders (board, employees, customers)
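
The first item on that checklist, validating backups before trusting them, is what prevents Mistake #3 below (restoring infected backups). The following script is an added example for this article, not the author's own tooling: it takes a hash manifest built from a known-good snapshot, compares a restored tree against it, and reports files that are missing, modified or unexpected, and separately flags any file carrying an extension seen during triage, so a backup generation that was taken after encryption had already started is caught even when it restores "successfully". The `.locked` suffix, the directory layout and the divergences in the restored copy are constructed for the demonstration.

```python
"""Added example: validate a restored backup against a pre-incident SHA-256
manifest before declaring it clean."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large restores do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative POSIX path to its SHA-256.

    In practice this is produced from a known-good snapshot (for example an
    earlier backup generation) and kept out of band, so an attacker who reaches
    the backup system cannot also rewrite the reference."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path, suspicious_suffixes=(".locked",)) -> dict:
    """Compare a restored tree with the manifest.

    missing:    in the manifest but not restored
    modified:   restored but the hash differs from the manifest
    unexpected: restored but absent from the manifest
    suspicious: any restored file whose extension matches one observed during triage;
                checked over every file, so a manifest that already contains
                encrypted files (backup taken mid-incident) is also caught
    ok is True only when the tree matches exactly and nothing is suspicious.
    """
    found = build_manifest(restored)
    missing = sorted(set(manifest) - set(found))
    unexpected = sorted(set(found) - set(manifest))
    modified = sorted(p for p in manifest.keys() & found.keys() if manifest[p] != found[p])
    suspicious = sorted(p for p in found if Path(p).suffix.lower() in suspicious_suffixes)
    return {"ok": not (missing or modified or unexpected or suspicious),
            "missing": missing, "modified": modified,
            "unexpected": unexpected, "suspicious": suspicious}


def restore_demo() -> dict:
    """Constructed scenario: a known-good tree and a restored copy that diverges."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        good, restored = base / "known_good", base / "restored"
        for root in (good, restored):
            (root / "hr").mkdir(parents=True)
            (root / "hr" / "policy.txt").write_text("leave policy v3\n")
            (root / "hr" / "roster.csv").write_text("name,team\nalice,ops\n")
            (root / "config.ini").write_text("[db]\nhost=db01\n")
        manifest = build_manifest(good)
        # Divergence in the restored copy: one file altered, one missing, and one
        # encrypted artefact that slipped into the backup set.
        (restored / "config.ini").write_text("[db]\nhost=db02\n")
        (restored / "hr" / "roster.csv").unlink()
        (restored / "hr" / "roster.csv.locked").write_bytes(os.urandom(512))
        return {"clean": verify_restore(manifest, good),
                "restored": verify_restore(manifest, restored)}


if __name__ == "__main__":
    for label, result in restore_demo().items():
        print(label, result)
```

Run the comparison against a restore performed into an isolated environment, as the article advises, and treat any `suspicious` hit as a reason to pick an older backup generation rather than to delete the offending files and continue: the presence of encrypted artefacts means that generation was written after the intrusion began.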

Communication Timeline:

  • Hour 1-24: Internal team only (need-to-know basis)
  • Hour 24-48: Executive team and board
  • Hour 48-72: Employees (transparent but controlled)
  • Hour 72+: Customers/partners (if data breach confirmed)
  • As required: Regulators (GDPR: 72 hours from discovery)

Recovery Validation:

Before declaring recovery complete:

  1. Test all critical business functions
  2. Verify no ransomware remains in environment
  3. Confirm monitoring is detecting anomalies
  4. Document everything for insurance and legal

7 Common Mistakes That Cost Companies Millions

Mistake #1: Paying Too Early

Impact: Average overpayment of 217%
Solution: Always negotiate. Initial demands are opening positions.

Mistake #2: Destroying Evidence

Impact: Invalidates insurance claims, prevents legal action
Solution: Preserve everything. Don't turn systems off.

Mistake #3: Restoring Infected Backups

Impact: Reinfection, extended downtime
Solution: Test backups in isolated environment first.

Mistake #4: Poor Communication

Impact: Panic, misinformation, regulatory penalties
Solution: Designate single spokesperson, use encrypted channels.

Mistake #5: Ignoring Data Theft

Impact: Future extortion, regulatory fines for non-notification
Solution: Assume data was stolen until proven otherwise.

Mistake #6: Going It Alone

Impact: Longer recovery, higher costs, more mistakes
Solution: Engage experts early. Experience matters.

Mistake #7: Not Learning Lessons

Impact: Repeat attacks, continued vulnerability
Solution: Conduct post-incident review, update security controls.

When to Get Professional Help

Based on our experience with 100+ incidents, you should engage professional incident response when:

  • Critical systems are affected (ERP, CRM, production)
  • Data theft is confirmed or suspected
  • Ransom demand exceeds £50,000
  • You're unsure about containment strategies
  • Regulatory notification is required (GDPR, etc.)
  • Insurance claim needs supporting evidence

Our 24/7 incident response services provide senior DFIR practitioners from the first call, not junior analysts. We've handled cases from £10,000 to £4.3 million ransom demands.

Download the Complete Incident Response Playbook

This article covers the first 72 hours. For complete guidance including checklists, templates, and decision frameworks, download our free playbook:

Download the Free Incident Response Playbook →