Ransomware, the first hour
Ransom notes are visible. The chain that put them there is not. The first hour is decided in the months before it. Contain, preserve, hold the line on irreversible decisions.
The first hour is about containment and preservation, not recovery. Anything irreversible can wait. Anything you do that touches an affected system is evidence either you or someone else will need later.
The first hour is also decided in the months before it. The team that contains in twenty minutes is the team that pre-decided who declares, who calls the bridge, where the runbook lives, and what an out-of-band channel actually is. The team that loses an hour to “who owns this” lost that hour at the last tabletop they did not run.
Modern ransomware operations steal first, encrypt second. Sometimes they skip the encryption entirely and go straight to extortion. Treat data theft as the assumption until you can prove otherwise. The identity plane is the other parallel front. If the attacker has admin in your IdP or cloud control plane, network isolation alone does not stop them. Check what they did with that access before you trust the identities you are about to rely on.
Hesitation is the attacker’s product working.
Most of what kills the first hour is not technical. It is people waiting for permission they already have, talking on the channel the attacker is reading, and answering questions instead of running the bridge.
Resist three pressures. The pressure to restore now, because someone senior wants the business back. The pressure to pay now, because it feels decisive. The pressure to tell everyone, because the question “what is happening” is everywhere. None of these belong in the first hour.
Contain. Preserve. Stand up the incident. The hard decisions come later, with more information.
Checklist
Stop the spread
- Network-isolate every host with confirmed ransomware indicators [Critical]
- Pause any mass-deployment, GPO, or RMM pipelines that could carry the payload [Critical]
- Disable suspected compromised privileged accounts and revoke active sessions [Critical]
  Revoke. Disabling alone leaves tokens live.
- Verify backup systems are still online and not connected to a compromised host [Critical]
- Lock down cloud admin roles. Force re-auth on every privileged identity. [Critical]
- Do not power off affected hosts unless safety requires it
  Memory is evidence. Isolate the network, leave the host running.
Identity plane status check
- Snapshot the IdP audit log and recent admin changes before they age out [Critical]
- Check for new admin grants, new federation trusts, and new app consents in the last 30 days [Critical]
  This is where the attacker has been working while you watched the encryption.
- Treat every privileged session active during the suspect window as compromised until proven otherwise [Critical]
- Pull cloud control-plane audit logs (IAM changes, role assumptions, key creation) for the window [Critical]
- Identify which systems lose authentication if you cut the IdP, before you cut it [Critical]
  Backup admin, vaults, jump hosts, build pipelines. Cutting blind can lock you out of recovery.
- Responder identities have been verified through a path that does not rely on the suspect IdP [Critical]
- Confirm break-glass accounts are intact and not in use by anyone other than the responder pool [Critical]
  Pull the vault or safe access log. Verify no unexpected access in the suspect window. If your break-glass has no access log, treat it as potentially touched.
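Added example, not part of the checklist: a first-pass triage over cloud control-plane audit records for the suspect window, grouping IAM changes, role assumptions and key creation by the principal that performed them. It assumes CloudTrail-shaped records (eventName, eventTime, userIdentity, requestParameters); the sample records and the WATCHED action set are constructed starting points, not a complete list.

```python
from datetime import datetime, timezone

# Constructed sample records in a CloudTrail-like shape. Real exports carry many
# more fields; only eventTime, eventName, userIdentity and requestParameters are used.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-02T01:12:03Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-02T01:15:40Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-02T02:03:11Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/OrgAdmin"}},
    {"eventTime": "2024-04-20T09:00:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-05-02T01:30:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {}},
]

# Control-plane actions that get a manual look when they fall in the window:
# IAM changes, role assumptions, key and login creation. Extend per environment.
WATCHED = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "CreateUser",
           "CreateAccessKey", "CreateLoginProfile", "AssumeRole", "UpdateAssumeRolePolicy"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(events, window_start, window_end):
    """Return watched events inside [window_start, window_end], grouped by acting
    principal as {actor_arn: [(time, action, target), ...]} in input order.
    Every principal listed is treated as suspect until the change is confirmed planned."""
    start, end = _ts(window_start), _ts(window_end)
    by_actor = {}
    for ev in events:
        if ev["eventName"] not in WATCHED or not (start <= _ts(ev["eventTime"]) <= end):
            continue
        rp = ev.get("requestParameters") or {}
        target = rp.get("roleArn") or rp.get("policyArn") or rp.get("userName") or "-"
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        by_actor.setdefault(actor, []).append((ev["eventTime"], ev["eventName"], target))
    return by_actor

if __name__ == "__main__":
    for actor, acts in triage(SAMPLE_EVENTS, "2024-05-01T00:00:00Z", "2024-05-03T00:00:00Z").items():
        print(actor)
        for when, name, target in sorted(acts):
            print(f"  {when}  {name:<22} {target}")
```

Run it against the real export for the window and hand each listed principal to the owner who can say whether the change was planned; anything unclaimed goes on the disable-and-revoke list.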
Stand up the incident
- Incident commander named. Everyone else routes through them. [Critical]
- Communications moved to an out-of-band channel [Critical]
  The corporate comms channel is the one the attacker is reading. Switch to Signal or a fresh bridge.
- Legal counsel engaged
- Incident response firm engaged [Critical]
- Cyber insurer notified within their reporting window
- Bridge call cadence set (every 30 or 60 minutes)
- Scribe named for the bridge. Decisions and times captured in writing. [Critical]
Preserve
- Ransom note text, file, and any TOR addresses saved [Critical]
- EDR retention is confirmed and not at risk of being purged
- Snapshot or extend retention on key logs (AD, VPN, EDR, firewall, mail, cloud audit) [Critical]
- List of affected systems, owners, and data classes being maintained
- No one engages the attacker without counsel approval [Critical]
- Assume data was stolen until proven otherwise [Critical]
  Modern ransomware operations exfiltrate before they encrypt. Scope as a theft incident in parallel.
- Review outbound traffic for the affected window. Flag large or unusual transfers. [Critical]
What actually breaks
- First-hour decision authority is in the room, on the bridge, or named on the page [Critical]
  If the named person is unreachable, the named backup is. Not "we will find them."
- Incident has been declared. No one is waiting for someone more senior to confirm it is real. [Critical]
- Arguments over "whose incident this is" are stopped fast. IC routes work, not territory. [Critical]
- Status cadence is decided and held. People update the bridge, not each other.
- Executives are told they will receive cadence updates, not on-demand answers [Critical]
- People with the knowledge to fix it are shielded from interruption [Critical]
- Elapsed time since detection is visible to the bridge. Someone owns the clock.
- Hesitation is named when it happens. "We are waiting on X" is logged with a time.
Decisions to defer
- Ransom payment decision is not made in the first hour [Critical]
  Counsel, insurer, regulator, IR firm all in the room before any decision.
- Restoration is not started until scope is understood
- External comms are pre-drafted but not released
- No response to leak-site threats or attacker customer-contact tactics without counsel [Critical]