Ransomware Recovery: The First 60 Minutes
The ransom note appears on a screen. File extensions have changed to something unrecognizable. Systems that worked five minutes ago are now inaccessible. For most businesses, this is the moment when panic takes over and decisions get made emotionally rather than strategically. The actions taken in the next sixty minutes will determine whether recovery takes days or months, whether data is preserved or permanently lost, and whether the business maintains its legal and regulatory standing or compounds the damage through missteps.
Minute Zero: Confirm and Contain
The first priority is confirming that what you are seeing is actually ransomware and not a software glitch or false alarm. Ransom notes, mass file encryption, and locked screens are unambiguous indicators. Once confirmed, containment begins immediately. The goal is to stop the ransomware from spreading to systems it has not yet reached, not to clean up the systems already affected.
Disconnect affected machines from the network by pulling Ethernet cables and disabling Wi-Fi, or by using the network-isolation feature of your endpoint detection tool if it has one. Do not power them off. Shutting down an encrypted system destroys forensic evidence held in volatile memory, including the running ransomware process and its network connections, and may corrupt partially encrypted files that might otherwise be recoverable. The one exception is a machine you cannot isolate any other way, such as one at an unstaffed remote site: CISA's guidance is to power such a machine down rather than leave it spreading. Disable network file shares at the server level to stop lateral spread through mapped drives, and disable the user and service accounts that were writing to the affected shares, because the ransomware runs with their permissions. If your backup systems are network-accessible, disconnect them immediately because modern ransomware specifically targets backup repositories, shadow copies, and recovery partitions. The Cybersecurity and Infrastructure Security Agency maintains a dedicated ransomware response resource that reinforces this sequence: isolate first, investigate second, remediate third.
Minutes Five Through Fifteen: Assess the Blast Radius
With affected systems isolated, the next step is understanding how far the attack has spread. Check shared drives, cloud storage sync folders, backup systems, and any other resources the compromised machines had access to. Ransomware follows permissions, so a machine with access to a shared file server has likely encrypted everything on that server that the user account could reach; the owner or last-writer recorded on the encrypted files tells you which account did the writing and therefore which other resources that account could have reached. Look for the same ransom note file in every share, the same unfamiliar extension appended to files, and bursts of modifications clustered in the minutes before the note appeared.
Document what you find as you go. Note which systems are affected, which appear clean, and which are uncertain, along with the time each observation was made and who made it. This inventory becomes the foundation for every recovery decision that follows. It also becomes critical evidence if you need to file an insurance claim or report the incident to regulators. The FBI Internet Crime Complaint Center recommends filing a report regardless of whether you intend to pay the ransom, as the information helps law enforcement track threat actors and may assist in recovering funds or obtaining decryption keys seized in prior law-enforcement operations.
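The assessment and inventory steps above, as an added Python example that is not code from the original article: it walks a share from a clean machine, flags recently written files with unfamiliar extensions and random-looking content, records ransom notes, and labels each top-level folder affected, uncertain, or clean. The extension list, the note-name words, and the sample share it builds in a temporary directory are constructed for the example; point `assess_share` at a read-only mount of a real share and adjust both lists to your environment.

```python
"""Triage a file share for ransomware indicators and build the incident inventory.
Added example for this article, not code from the original page. It assumes the scan
runs from a clean machine against a read-only mount; the lists below are heuristics."""
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed heuristics: words seen in ransom-note names, note file types, and the
# extensions a user-facing share normally holds. Tune all three to your environment.
NOTE_WORDS = re.compile(r"(readme|recover|restore|decrypt|how[_\- ]?to)", re.I)
NOTE_SUFFIXES = {".txt", ".html", ".hta", ""}
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}


def shannon_entropy(data):
    """Bits per byte of the sample; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_share(root, since, sample_bytes=4096):
    """Per top-level folder under `root`, count what changed after `since` (aware datetime).
    A file is suspect when its extension is unknown, it was written after `since`
    and its first bytes look random."""
    root = Path(root)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if not files:
            continue
        rel = Path(dirpath).relative_to(root)
        folder = rel.parts[0] if rel.parts else "."
        e = report.setdefault(folder, {"files": 0, "modified_since": 0, "suspect": 0,
                                       "unknown_ext": Counter(), "notes": []})
        for name in files:
            p = Path(dirpath, name)
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable: leave it for the forensic pass
            e["files"] += 1
            recent = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc) >= since
            if recent:
                e["modified_since"] += 1
            if NOTE_WORDS.search(p.stem) and p.suffix.lower() in NOTE_SUFFIXES:
                e["notes"].append(p.relative_to(root).as_posix())
                continue
            ext = p.suffix.lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                e["unknown_ext"][ext] += 1
                if recent:
                    with open(p, "rb") as fh:
                        head = fh.read(sample_bytes)
                    if shannon_entropy(head) > 7.5:
                        e["suspect"] += 1
    for e in report.values():
        e["unknown_ext"] = dict(e["unknown_ext"])
    return report


def classify(report, suspect_ratio=0.5):
    """Label each folder affected, uncertain or clean for the incident inventory."""
    labels = {}
    for folder, e in report.items():
        if e["notes"] or (e["files"] and e["suspect"] / e["files"] >= suspect_ratio):
            labels[folder] = "affected"
        elif e["suspect"] or e["unknown_ext"]:
            labels[folder] = "uncertain"
        else:
            labels[folder] = "clean"
    return labels


def build_demo_share():
    """Constructed sample share in a temp dir: Finance was encrypted, HR was not touched."""
    tmp = Path(tempfile.mkdtemp(prefix="share_"))
    (tmp / "Finance").mkdir()
    (tmp / "HR").mkdir()
    for i in range(5):  # random bytes stand in for encrypted content
        (tmp / "Finance" / f"invoice_{i}.xlsx.lockd").write_bytes(os.urandom(8192))
    (tmp / "Finance" / "HOW_TO_RECOVER_FILES.txt").write_text("constructed note\n")
    old = (datetime.now(timezone.utc) - timedelta(days=30)).timestamp()
    for i in range(3):
        p = tmp / "HR" / f"policy_{i}.docx"
        p.write_text("plain text " * 200)
        os.utime(p, (old, old))
    return tmp


def triage_demo(hours=2):
    """Scan the constructed share for changes in the last `hours`; returns (report, labels)."""
    report = assess_share(build_demo_share(), datetime.now(timezone.utc) - timedelta(hours=hours))
    return report, classify(report)
```

Calling `triage_demo()` returns the per-folder counts and the labels; on a real share, run `assess_share` once per server and keep the returned dictionaries as the time-stamped inventory the rest of the hour depends on. The entropy check exists because an unfamiliar extension alone is not proof: a legitimate application's data files look the same until you read them.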
Minutes Fifteen Through Thirty: Activate Your Response Team
Ransomware response is not a solo activity. By the fifteen-minute mark, your incident response team should be assembled or at minimum notified. This includes IT leadership, a managed security provider or incident response firm if you have a retainer, legal counsel, executive leadership, and your cyber insurance carrier. Each plays a distinct role that cannot be deferred.
IT leadership directs the technical containment and recovery. Legal counsel advises on notification obligations, evidence preservation, and whether communicating with the attacker creates legal exposure. Most cyber insurance policies have specific notification windows and pre-approved panels of response firms, forensic investigators, and attorneys, and many require the carrier's consent before a ransom is negotiated or paid. Failing to notify your carrier promptly can jeopardize coverage for an incident that may cost hundreds of thousands of dollars. Executive leadership makes the business decisions that technical staff should not make alone, including whether to pay a ransom, when to notify customers, and how to communicate publicly. The FBI and CISA advise against paying ransoms, since payment funds further attacks and does not guarantee a working decryptor, and the Treasury Department's Office of Foreign Assets Control has warned that a payment to a sanctioned actor can itself violate sanctions law. Each organization must nonetheless make that decision based on its specific circumstances.
Minutes Thirty Through Forty-Five: Evaluate Your Backup Position
The single most important factor in ransomware recovery is whether your backups survived. Sophisticated ransomware operators specifically target backup systems because they know that intact backups eliminate the victim’s incentive to pay. Check your backup infrastructure carefully before assuming it is clean.
Verify that backup storage was not reachable from compromised systems or with compromised credentials. Check backup logs for any unusual access, retention changes, or deletion activity in the hours or days before the attack became visible; operators often shorten retention or delete restore points the night before encryption starts. If you use cloud-based backups or file sync, verify that sync processes did not replicate encrypted files over your good copies, and identify the last snapshot taken before the encryption began. Immutable backups, those stored in a format that cannot be modified or deleted for a defined retention period, are the gold standard because the storage layer itself refuses the overwrite or deletion, so an attacker who gains administrative access to the backup application still cannot destroy the copies. That protection holds only if the lock is enforced by the storage platform in a mode that administrators cannot shorten or switch off, and only if the storage account is not reachable with the same credentials that were compromised; a retention policy that lives in the backup software's own settings is not immutability. The National Institute of Standards and Technology's Cybersecurity Framework lists creating, protecting, and testing backups as a core outcome, recognizing that untested or unprotected backups provide false confidence that collapses exactly when it matters most.
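As an added example, not code from the article or from any backup product, the checks in this step applied to a backup server's audit log: deletions of restore points, shortened retention, sensitive actions by accounts outside the administrator list, and a backup job that rewrote most of the files, which is what encrypted data being synced over good copies looks like. The log lines and their key=value layout are constructed for the example, so the action names are assumptions to map onto your own product's audit events. The result includes the last job that completed before any sign of tampering, which is the restore point to start from.

```python
"""Check a backup server's audit log for tampering before trusting a restore.
Added example for this article, not code from the original page or any backup
vendor. Log format is constructed: ISO timestamp, then key=value pairs."""
import re
from datetime import datetime, timedelta

# Constructed sample audit log. The ransom note was found at 2024-03-04 09:10 UTC.
SAMPLE_LOG = """\
2024-03-01T02:00:11Z user=svc_backup action=job.success job=FS01-daily changed_pct=3
2024-03-02T02:00:09Z user=svc_backup action=job.success job=FS01-daily changed_pct=2
2024-03-03T02:00:14Z user=svc_backup action=job.success job=FS01-daily changed_pct=4
2024-03-03T23:44:10Z user=jsmith action=retention.update job=FS01-daily old=30d new=1d
2024-03-03T23:47:33Z user=jsmith action=restorepoint.delete job=FS01-daily count=27
2024-03-04T02:00:20Z user=svc_backup action=job.success job=FS01-daily changed_pct=96
2024-03-04T08:30:02Z user=svc_backup action=job.success job=FS01-daily changed_pct=99
"""

# Actions only the designated backup administrators should ever perform (assumed names).
SENSITIVE_ACTIONS = {"retention.update", "restorepoint.delete",
                     "repository.credential.update", "immutability.disable"}


def parse_line(line):
    """One log line to a dict of its key=value fields plus an aware `ts`."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    fields["ts"] = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return fields


def to_hours(duration):
    """Retention strings such as '30d' or '12h' to hours."""
    m = re.fullmatch(r"(\d+)([hd])", duration)
    if not m:
        raise ValueError(f"unparseable retention {duration!r}")
    return int(m.group(1)) * (24 if m.group(2) == "d" else 1)


def analyse_backup_log(text, discovered_at, lookback=timedelta(days=7),
                       admins=frozenset({"backup_admin"}), spike_pct=50):
    """Return findings that argue against trusting the backups and the last job
    that completed before any sign of trouble.

    `discovered_at` is when the attack became visible; only events in the `lookback`
    window before it are examined. A job that rewrote at least `spike_pct` percent
    of files is treated as having synced encrypted data over good copies."""
    events = sorted((e for e in map(parse_line, text.splitlines()) if e),
                    key=lambda e: e["ts"])
    findings, last_clean_job, tampered = [], None, False
    for e in events:
        if not (discovered_at - lookback <= e["ts"] <= discovered_at):
            continue
        act, user, when = e.get("action"), e.get("user"), e["ts"].isoformat()
        if act in SENSITIVE_ACTIONS and user not in admins:
            findings.append(f"{when} {act} by non-admin account {user}")
        if act == "restorepoint.delete":
            tampered = True
            findings.append(f"{when} {e.get('count', '?')} restore points deleted for {e.get('job')}")
        elif act == "retention.update" and to_hours(e["new"]) < to_hours(e["old"]):
            tampered = True
            findings.append(f"{when} retention shortened {e['old']} -> {e['new']} on {e.get('job')}")
        elif act == "job.success":
            pct = int(e.get("changed_pct", 0))
            if pct >= spike_pct:
                tampered = True
                findings.append(f"{when} {e.get('job')} rewrote {pct}% of files: likely synced encrypted data")
            elif not tampered:
                last_clean_job = e["ts"]  # latest job with no tampering seen before it
    return {"trusted": not findings, "findings": findings,
            "last_clean_job": last_clean_job.isoformat() if last_clean_job else None}


def demo():
    """Analyse the constructed log against the constructed discovery time."""
    return analyse_backup_log(SAMPLE_LOG, datetime.fromisoformat("2024-03-04T09:10:00+00:00"))


if __name__ == "__main__":
    result = demo()
    print("backups trusted:", result["trusted"], "| last clean job:", result["last_clean_job"])
    for finding in result["findings"]:
        print(" -", finding)
```

The sort by timestamp matters: `last_clean_job` is only meaningful if retention changes and deletions are seen in order relative to the jobs they precede. A retention change that lengthens the window is deliberately not flagged; it is the shortening that removes the copies you need.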
Minutes Forty-Five Through Sixty: Prioritize and Plan
Not all systems are equally urgent. The final fifteen minutes of the first hour should be spent building a recovery priority list based on business impact rather than technical convenience. Systems that directly generate revenue, serve customers, or maintain safety come first. Internal tools, development environments, and administrative systems come later.
This prioritization exercise reveals something many businesses discover only during a crisis: they have never formally defined which systems are critical. A business that restores its email server before its billing system because email is more visible has made a decision that may cost more in lost revenue than the ransomware itself. Priority is not the only constraint: nothing comes back before the services it depends on, so identity, DNS, and the databases behind the priority applications usually head the sequence even though they generate no revenue themselves. If viable backups exist, plan the restoration sequence starting with the highest-priority services. If backups are compromised, the situation is materially different and recovery will involve rebuilding from installation media, cloud snapshots, or clean images rather than simple restoration. Reset credentials for every account in the environment, starting with privileged and service accounts, before bringing any system back online; if Active Directory is in scope, that includes resetting the krbtgt account password twice, with a pause between the resets at least as long as the maximum ticket lifetime, so that Kerberos tickets forged with the old key stop working, and rotating any API keys and service credentials that were stored on the compromised hosts.
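An added example, not from the original article, of the prioritization step as code: a restoration order that puts the most critical tier first but never schedules a system before its dependencies, and that chooses restore, verify-first, or rebuild from the backup state found for each system. The inventory, tiers, dependencies, and backup states are constructed assumptions. Billing lands ahead of mail, as the paragraph argues, while the domain controller and DNS come first of all because everything else depends on them.

```python
"""Build a restoration sequence from business priority plus dependencies.
Added example for this article, not code from the original page. The inventory
is constructed; tiers, dependencies and backup states are assumptions."""
import heapq

# Constructed inventory. tier 1 = revenue, customer-facing or safety;
# tier 2 = supporting services; tier 3 = internal tooling.
SYSTEMS = {
    "dc01":     {"tier": 2, "depends_on": [],                 "backup": "immutable_ok"},
    "dns":      {"tier": 2, "depends_on": ["dc01"],           "backup": "immutable_ok"},
    "sql01":    {"tier": 1, "depends_on": ["dc01", "dns"],    "backup": "immutable_ok"},
    "billing":  {"tier": 1, "depends_on": ["sql01"],          "backup": "immutable_ok"},
    "webshop":  {"tier": 1, "depends_on": ["billing", "dns"], "backup": "encrypted"},
    "mail":     {"tier": 2, "depends_on": ["dc01", "dns"],    "backup": "unverified"},
    "wiki":     {"tier": 3, "depends_on": ["dc01"],           "backup": "immutable_ok"},
    "devbuild": {"tier": 3, "depends_on": ["dc01", "wiki"],   "backup": "immutable_ok"},
}

# Recovery method per backup state (assumed state names).
METHODS = {
    "immutable_ok": "restore from verified backup",
    "unverified":   "verify backup integrity, then restore",
    "encrypted":    "rebuild from clean image or installation media",
}


def recovery_plan(systems):
    """Order systems so every dependency precedes its dependents; among the systems
    whose dependencies are all done, the lowest (most critical) tier goes first.

    Returns a list of (system, method). Raises ValueError on a dependency cycle or a
    reference to a system missing from the inventory. Credential resets for privileged
    and service accounts are assumed to happen before step one."""
    indegree = {s: len(meta["depends_on"]) for s, meta in systems.items()}
    dependents = {s: [] for s in systems}
    for s, meta in systems.items():
        for d in meta["depends_on"]:
            if d not in systems:
                raise ValueError(f"{s} depends on {d}, which is not in the inventory")
            dependents[d].append(s)
    # Kahn's algorithm with a heap so ties are broken by business tier rather than
    # by whichever system happens to be listed first.
    ready = [(systems[s]["tier"], s) for s, n in indegree.items() if n == 0]
    heapq.heapify(ready)
    plan = []
    while ready:
        _tier, s = heapq.heappop(ready)
        plan.append((s, METHODS[systems[s]["backup"]]))
        for dep in dependents[s]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                heapq.heappush(ready, (systems[dep]["tier"], dep))
    if len(plan) != len(systems):
        stuck = sorted(s for s, n in indegree.items() if n > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return plan


if __name__ == "__main__":
    for step, (system, method) in enumerate(recovery_plan(SYSTEMS), 1):
        print(f"{step}. {system:9} tier {SYSTEMS[system]['tier']}  {method}")
```

The dependency map is the part most organizations have never written down, and the ValueError on a cycle is deliberate: a cycle means two systems each need the other to come up, which is a design problem to resolve in planning, not something to discover at minute fifty of an incident.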
What Not to Do in the First Hour
Several common reactions in the first sixty minutes actively make the situation worse. Do not attempt to negotiate with the attacker without legal counsel present and your insurer informed. Ransom communications can create legal obligations and may be used against the organization in subsequent litigation or regulatory proceedings. Do not wipe and reinstall affected systems before forensic evidence is preserved. Memory dumps, event logs, and network traffic captures can reveal the full scope of the attack and may be required by insurers or regulators; keep a copy of the ransom note and a sample of an encrypted file as well, because together they identify the ransomware family and whether a free decryptor already exists for it.
Do not assume the attack is over because the ransom note has appeared. Many ransomware operators maintain persistent access to the network and will re-encrypt systems if they detect recovery activity before they have been fully evicted. Do not announce the incident publicly until legal counsel has reviewed the communication. Depending on the data involved, you may have notification obligations under state breach notification laws, HIPAA, or contractual requirements, and getting the language wrong in an early public statement can create liability that outlasts the technical recovery.
Building the Plan Before You Need It
Every recommendation in this article is dramatically easier to execute when it has been documented, rehearsed, and assigned to specific people before an incident occurs. An incident response plan that lives in a shared drive and has never been tested provides almost no advantage over having no plan at all. The organizations that recover fastest from ransomware are those that have practiced their response through tabletop exercises, validated their backups with actual test restorations, and confirmed that every person on the response team knows their role without needing to look it up.
The Federal Trade Commission publishes ransomware guidance for businesses that provides a practical starting framework. At minimum, preparation should include an incident response playbook with specific ransomware procedures, an up-to-date contact list for internal and external response resources, immutable backup infrastructure tested monthly, network segmentation that limits lateral movement, and endpoint detection tools that can isolate compromised machines automatically. The framework is most valuable not as a document to file away but as a script to rehearse quarterly so that when the first sixty minutes arrive, the team executes from preparation rather than panic.
The Hour That Defines the Recovery
Ransomware attacks are not prevented in the first sixty minutes. They are survived in the first sixty minutes. The difference between a business that recovers in days with minimal data loss and one that spends weeks rebuilding from scratch almost always traces back to what happened in that initial hour. Containment speed, backup integrity, team coordination, and recovery prioritization are the four factors that determine the outcome, and all four are decided before most businesses have finished processing the shock of the attack itself.
Ransomware preparedness is not optional for businesses that depend on their data. Contact We Solve Problems to build an incident response plan that your team can execute under pressure, validate your backup strategy against modern ransomware tactics, and ensure that the first sixty minutes of an attack lead to recovery rather than catastrophe.