
What to Do in the First Hour of a Ransomware Attack (2026 Guide)

  • Writer: Ransom Security
  • Jun 3
  • 8 min read

When ransomware hits your network, the first 60 minutes determine whether you recover in days or weeks. The first steps in a ransomware attack are: isolate infected systems immediately, preserve evidence, lock down admin accounts, protect your backups, and call a ransomware response expert. Every minute you delay, attackers spread deeper into your environment.


Ransom Security is a US-based ransomware response firm that provides 24/7 emergency containment and recovery across all 50 states.


Why the First 60 Minutes Are Critical

Ransomware does not wait for you to read articles. The average eCrime breakout time — the window from initial compromise to full lateral movement across your environment — is just 48 minutes. The fastest recorded breakout happened in 51 seconds.


That means by the time most businesses realize they’ve been hit, attackers may already have pivoted from one compromised workstation to your domain controller, file servers, and backup infrastructure.


Here’s what is happening inside your network during those 60 minutes, even if your screens look normal:


  • Lateral movement: Malware or threat actors are using stolen credentials to move from machine to machine.

  • Privilege escalation: They are working to gain administrative access so they can disable your defenses.

  • Backup sabotage: Many ransomware groups specifically target and delete or encrypt backups before triggering the ransom screen.

  • Data exfiltration: In multi-extortion attacks — now the industry norm — your data is being copied to attacker-controlled servers.

The first hour is your only window to contain the damage before it becomes catastrophic. The first steps you take right now directly determine your recovery timeline, your recovery cost, and whether you recover at all.

Use our ransomware cost calculator to see exactly what each additional hour of dwell time costs your business in real dollars.


Step 1 — Isolate the Infected Systems Immediately

Ransomware containment starts with one principle: stop the spread. Every second an infected machine remains connected to your network is another second the malware can reach more endpoints, servers, and shared storage.


What to do right now:

  • Physically unplug the network cable on any machine displaying the ransom note, locked files, or unusual behavior. Do not rely on software-based network disconnection alone — pull the cable.

  • Disable Wi-Fi on affected devices. Turn off the wireless adapter or use the physical switch if available.

  • Segment your network switches. If you have managed switches, disable the ports connected to affected VLANs or segments. Contact your IT team or MSP immediately.

  • Isolate entire network segments if the scope is unclear. It is always faster to bring clean systems back online than to contain a fully spread attack.

  • Do not unplug shared storage, NAS devices, or servers until a professional assesses them — hasty action here can destroy forensic evidence and damage your ability to recover.


Do not simply move files off the infected machine. Do not try to “clean” the system with consumer antivirus software. Ransomware containment requires network-level isolation, not endpoint-level cleaning.


Step 2 — Do NOT Shut Down (Here’s Why)

This is counterintuitive — and it is the mistake that costs businesses thousands of extra hours of recovery time.

Why you must not shut down infected systems:


Modern ransomware variants are engineered to resume encryption upon reboot. Worse, shutting down a machine flushes volatile memory — and volatile memory contains critical forensic artifacts:


  • Active process lists showing what malware is running

  • Encryption keys that may be recoverable from RAM

  • Network connection tables showing where attackers are communicating

  • Log data that only exists in-memory


For incident response professionals, the contents of live system memory can be the difference between identifying the exact ransomware strain, its entry vector, and whether a decryptor exists — or starting from scratch.


The only exception: If a system is actively encrypting files in real time in front of you, and isolation is not immediately possible, a forced shutdown is preferable to watching your entire file server get destroyed. But isolation should always be the first attempt.


Leave the machines on. Isolate them from the network. Wait for your incident response team to perform proper forensic preservation.


Step 3 — Lock Down Admin Accounts Right Now

Most ransomware attacks — especially those involving human-operated threat actors — succeed by compromising administrative credentials. If attackers have admin access, they can:

  • Disable antivirus and endpoint detection tools

  • Create new admin accounts to maintain persistence

  • Push ransomware payloads to every machine on the domain

  • Access and delete your backups


Immediate actions to take:


  • Reset all admin and privileged account passwords from a clean, uncompromised device — ideally one that was not on the network during the attack.

  • Disable dormant and service accounts that do not need to be active during containment.

  • Revoke active sessions in Active Directory, Azure AD, or your identity provider. Force sign-out of all authenticated sessions.

  • Check for new accounts attackers may have created. Review your AD user list for any accounts created in the last 24–72 hours.

  • Disable remote access — VPNs, RDP, remote desktop gateways — immediately. If attackers got in through remote access, leaving it open is inviting them back.


Do not change passwords from a machine on the same compromised network. Use a mobile device with a separate internet connection, or a laptop that was fully offline during the attack.
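The account review and lockdown above, as an added PowerShell example that is not Ransom Security's own tooling. It assumes a clean, off-network admin workstation with the RSAT ActiveDirectory module, an on-premises domain, and an evidence folder path of your choosing; cloud sessions (Azure AD or another identity provider) must be revoked separately with that provider's tools.

```powershell
# Added example, not Ransom Security's own tooling. Run from a clean, off-network admin
# workstation with the RSAT ActiveDirectory module. $EvidenceDir is an assumed path.
Import-Module ActiveDirectory
$EvidenceDir = 'C:\IR-Evidence'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$since = (Get-Date).AddHours(-72)   # the 24-72 hour review window from Step 3

# --- "Check for new accounts": every user object created inside the attack window ---
$newUsers = Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, Enabled |
    Select-Object SamAccountName, whenCreated, Enabled
$newUsers | Export-Csv -NoTypeInformation "$EvidenceDir\new-users-$stamp.csv"

# --- Who holds privileged access right now; compare this against your known baseline ---
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$privMembers | Export-Csv -NoTypeInformation "$EvidenceDir\privileged-members-$stamp.csv"

# --- Lockdown, kept in -WhatIf (dry run) until the two CSVs above have been reviewed ---
# Disable every account that appeared during the window: attackers create these for persistence.
foreach ($u in $newUsers) {
    Disable-ADAccount -Identity $u.SamAccountName -WhatIf
}
# Reset every privileged user's password (prompts for the new one) and force a change at
# next logon, so a credential the attacker already holds stops working.
$privUsers = $privMembers | Where-Object objectClass -eq 'user' |
    Sort-Object SamAccountName -Unique
foreach ($m in $privUsers) {
    Set-ADAccountPassword -Identity $m.SamAccountName -Reset -WhatIf
    Set-ADUser -Identity $m.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

Remove `-WhatIf` only after a person has read the exported lists; a password reset alone does not end existing sessions, so follow the page's guidance to revoke active sessions in your identity provider as well.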


Step 4 — Protect Your Backups Before Attackers Do

Your backups are the primary target of every serious ransomware group. Attackers know that businesses with clean, accessible backups will not pay ransoms — so they go for the backups first.

If your backups are on a mapped network drive, a connected NAS, or a cloud account with the same credentials as your production systems, assume they are already compromised.


Emergency backup protection steps:


  • Immediately disconnect any cloud backup accounts that share credentials with compromised systems. Change those credentials from a clean device.

  • Take your backup appliances offline from the network. If they have a management interface, access it from an isolated network.

  • Check for recent backup deletions or modifications. Many ransomware groups delete the most recent backups and leave older ones, counting on businesses not noticing until they try to restore.

  • Identify your last known clean backup date. This date becomes your recovery point. Write it down. Your insurer and legal team will need it.

  • Do not attempt a restore until the environment has been assessed and the attack vector has been identified and closed. Restoring into an active attack environment will result in immediate re-infection.


The only backups that survive sophisticated attacks are immutable backups — write-once, read-many backup storage where even admin accounts cannot delete or modify the data. If you do not have immutable backups today, this attack is your urgent wake-up call.


Step 5 — Collect Evidence (Timestamps, Screenshots, Logs)

This step feels administrative in a moment of crisis — but it is legally and financially essential. Your cyber insurance policy, your legal team, and any law enforcement involvement will all require documentation.


Evidence to collect immediately:


  • Screenshot everything. The ransom note screen, encrypted file directories, any pop-up or warning. Use your phone if necessary — do not email screenshots from a potentially compromised machine.

  • Note exact timestamps. When did you first notice the attack? What were the first symptoms? Which systems were affected and in what order?

  • Export event logs if you have the technical ability to do so safely. Windows Event Logs, firewall logs, VPN authentication logs, and email logs are critical for reconstructing the attack timeline.

  • Do not delete anything. Even files that look like malware artifacts. Incident responders need the full forensic picture.

  • Document who had access to which systems in the 48–72 hours before the attack. Initial access often comes through phishing, stolen credentials, or a compromised third-party vendor.


This evidence chain protects you from insurer disputes, supports law enforcement investigations (the FBI has recovered ransom payments in some cases), and helps your response team identify and close the attack vector faster.
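A way to carry out the log export and timestamping above without shutting the machine down (Step 2) or emailing anything from it, as an added PowerShell example that is not Ransom Security's own tooling. It assumes a local administrator session on the isolated but still powered-on Windows host and an assumed destination path on removable media; a full memory image needs dedicated forensic tooling and is left to the responder.

```powershell
# Added example, not Ransom Security's own tooling. Run elevated on an isolated (cable
# pulled, still powered on) Windows host. $Dest is an assumed path on removable media.
$Dest = 'E:\IR-Evidence\' + $env:COMPUTERNAME + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Volatile state that a shutdown would destroy: running processes and live connections.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, UserName, Path, StartTime |
    Export-Csv -NoTypeInformation "$Dest\processes.csv"
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -NoTypeInformation "$Dest\tcp-connections.csv"

# 2. Event logs exported intact as .evtx (exported, never cleared) for timeline work.
$logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
foreach ($log in $logs) {
    $file = ($log -replace '[/\\]', '_') + '.evtx'
    wevtutil epl $log "$Dest\$file"
}

# 3. Chain-of-custody manifest: SHA-256, size, UTC time and collector for every artifact,
#    so the insurer or investigator can later prove the files were not altered.
$manifest = Get-ChildItem -Path $Dest -File | ForEach-Object {
    [pscustomobject]@{
        File        = $_.Name
        SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        SizeBytes   = $_.Length
        CollectedAt = (Get-Date).ToUniversalTime().ToString('o')
        CollectedBy = "$env:USERDOMAIN\$env:USERNAME"
    }
}
$manifest | Export-Csv -NoTypeInformation "$Dest\manifest.csv"
```

Keep the removable media with the evidence rather than copying it over the compromised network, and record the manifest's hash values in your incident notes alongside the timestamps from the list above.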


Step 6 — Call a Ransomware Response Expert

This is not the time for your general IT support team — unless they specialize in ransomware incident response. The decision-making required in the first hour is highly specialized: what to preserve, what to isolate, how to assess scope, and how to begin safe recovery.


A ransomware response expert will:


  • Perform emergency triage to determine the full scope of the attack within minutes, not hours

  • Identify the ransomware strain and check known decryptor availability

  • Assess whether attackers are still active in your environment — a critical step before any recovery begins

  • Preserve forensic evidence in a legally defensible way for insurance and law enforcement

  • Communicate with your cyber insurer in the language and format they require

  • Begin safe containment and clean environment setup so recovery can start in parallel with investigation


Every hour without professional containment is an hour of additional damage. Use our ransomware cost calculator to quantify exactly what that delay costs your business.


Ransom Security provides 24/7 emergency response with no retainer required. Call 316–712–4006 now.


Common Mistakes Businesses Make in the First Hour

The first hour of a ransomware attack is also the hour of the most costly mistakes. Here are the most common errors that turn recoverable incidents into catastrophic ones:


1. Rebooting systems thinking it will stop the encryption. As covered above, this destroys forensic evidence and can trigger further encryption activity.

2. Paying the ransom immediately without consulting a response expert. There is no guarantee a decryption key will be provided, or that it will work. Many businesses pay and still cannot recover their data.

3. Wiping and rebuilding before investigation. If you rebuild before identifying the attack vector, you are rebuilding into a compromised environment. Re-infection typically follows within days.

4. Announcing the incident internally on compromised communication channels. If attackers have email access, your internal communications about the response are visible to them. Use out-of-band communications — phone calls, personal email — for all response coordination.

5. Assuming backups are clean without verifying their integrity. Checking backup integrity is one of the first things a professional response team does.

6. Not notifying legal counsel and your cyber insurer immediately. Most cyber insurance policies have notification window requirements. Missing them can invalidate your coverage.


When to Pay the Ransom (And When Not To)

This is one of the most asked questions during an active ransomware attack — and the answer is never simple.

Factors that may make ransom payment a consideration:


  • No usable backups exist, and the data is critical to business survival

  • The ransomware strain has no known decryptor

  • The cost of the ransom is significantly lower than the cost of extended downtime

  • The threat actor has a track record of providing working decryptors


Factors that strongly argue against paying:


  • Payment does not guarantee data recovery — many decryptors are buggy or incomplete

  • Payment funds further criminal activity and marks your business as a willing payer, increasing future targeting

  • In some cases, paying ransoms to sanctioned threat actors may violate US law (OFAC regulations)

  • You remain compromised — payment does not remove the threat actor from your environment

  • Multi-extortion means your data may still be published even after payment


The FBI and CISA officially recommend against paying ransoms. Ransom Security’s guidance: do not make any payment decision without first consulting with a ransomware response expert and your legal counsel. In many cases, options exist that businesses under pressure are unaware of.


Free First-Hour Ransomware Response Checklist


You should not be trying to remember these steps from memory during an active attack.

Ransom Security has built a free, interactive First-Hour Ransomware Checklist that walks your team through every containment action in the correct sequence, with clear guidance at each step.


The checklist covers:

  • Immediate isolation procedures for workstations, servers, and network segments

  • Admin account lockdown sequence

  • Backup verification and protection steps

  • Evidence collection requirements for insurance and legal

  • When and how to call for emergency professional response

  • Communication protocols for leadership, legal, and your insurer


Download and save this checklist before you need it. Post it physically in your server room. Train your IT team and office manager on the first five steps. The businesses that survive ransomware attacks with minimal damage are the ones who practiced.



Under Attack Right Now?

Do not spend another minute guessing your next move.

Call Ransom Security at 316–712–4006 for 24/7 emergency response, no retainer required.

Our engineers will begin triage within minutes, protect your backups before attackers do, and give your team a clear, step-by-step containment plan in the first 15 minutes of the call.


