What Should an Organisation Do After a Ransomware Attack? The First 24 Hours
When ransomware hits, the problem is not only encrypted files. The bigger problem is confusion: should you shut systems down, restore backups, call legal, notify executives, or isolate the network?
The first 24 hours often decide whether the incident stays controlled or spreads across the organisation.
First hour: stop the spread
The first priority is containment. Any affected endpoint, server, shared drive, or suspicious system should be isolated from the network as quickly as possible.
Immediate actions:
- Isolate affected machines and servers
- Disconnect unnecessary network paths
- Protect backups from deletion or overwrite
- Preserve evidence such as ransom notes, file extensions, logs, and timestamps
- Avoid restoring systems before you understand the scope of compromise
At this stage, the goal is not to recover everything immediately. The goal is to stop ransomware from spreading further.
Hours 1–6: understand how the attack happened
Once the first containment steps are in place, the team needs to understand the attack path. Common entry points include phishing emails, leaked credentials, exposed RDP, unpatched VPNs, and compromised administrator accounts.
Key questions to answer:
- Which systems are encrypted?
- Has the attacker moved laterally?
- Were administrator accounts abused?
- Are backups still clean?
- Was data stolen before encryption?
Skipping this step can be dangerous. If you restore systems while the attacker still has access, the organisation may be reinfected.
Hours 6–24: plan recovery by business priority
Recovery should not be based on what is easiest to restore. It should be based on what the business needs first.
Priority systems may include:
- Customer-facing systems
- ERP, finance, or order processing platforms
- Identity systems such as Active Directory
- Email and communication tools
- Backup infrastructure
A safe recovery requires three conditions: clean backups, controlled root cause, and hardened systems before going back online.
What not to do after a ransomware attack
Many organisations increase damage by acting too quickly without evidence. Avoid these mistakes:
- Formatting machines before preserving evidence
- Restoring backups before confirming they are clean
- Paying ransom without risk assessment
- Resetting systems without keeping logs
- Communicating poorly and creating panic across the organisation
Ransomware response is not only an IT task. It involves executives, legal, communications, and business operations.
How SecStrike supports ransomware response
SecStrike provides Incident Response and Ransomware Crisis Response for organisations facing suspected or active ransomware incidents.
Our response approach focuses on four steps:
- Contain — isolate affected assets and protect backups
- Understand — investigate entry vector, lateral movement, and impact
- Recover — restore systems based on business priority
- Strengthen — harden systems and reduce the chance of recurrence
Ransomware does not wait until your organisation is ready. A prepared response plan can reduce impact, downtime, and uncertainty.
If your organisation needs ransomware readiness support or urgent incident response, talk to a SecStrike expert today.
