What Happens in the First 24 Hours of a Ransomware Attack

The first 24 hours of a ransomware incident are the most critical — and most firms waste them. Here's what actually happens, minute by minute, and what to do instead.

Incident Response · Black Tower Cyber · June 2025 · 8 min read

Ransomware incidents don't start with encryption. They start with an undetected intrusion that can happen weeks or months before the actual ransom note ever appears. By the time files are locked and screens go dark, attackers have already mapped your network, exfiltrated your most sensitive data, and positioned their payload on every reachable system.

What you do in the first 24 hours after discovery is the single largest determinant of whether your firm recovers in days — or months.

The Attacker's Timeline (Before You Knew Anything Was Wrong)

Days –30 to –14: Initial Access

A phishing email lands. A paralegal clicks a link. Credentials are harvested. The attacker now has a foothold — typically a low-privilege user account.

Days –14 to –7: Lateral Movement

The attacker begins moving through the network. They're looking for domain admin credentials, file shares, backup locations, and high-value data stores.

Days –7 to –3: Data Exfiltration

Client files, financial records, and confidential documents are quietly copied out of the environment. This is the leverage for double extortion — pay or the data gets published.

Days –3 to –1: Backup Destruction

Attackers target and delete or encrypt backups first. If you're running backups to a network share, they're already gone before the main payload deploys.

Hour 0: Deployment

The ransomware payload executes, usually overnight or on a weekend. Files encrypt. The ransom note appears. You find out about it when someone tries to open a document.

The First 24 Hours — What You Should Do

Hour 0–1: Contain, Don't Reboot

The instinct is to reboot and hope it goes away. Don't. Rebooting destroys volatile forensic evidence — running processes, memory artifacts, and network connections that can tell investigators exactly what happened and where the attacker still has access. Instead:

  • Isolate affected systems by pulling network cables or disabling Wi-Fi — not by shutting down
  • Do not attempt to remove malware or run cleanup tools yet
  • Document everything visible: ransom note contents, file extensions on encrypted files, any unusual processes
  • Take photos of screens before touching anything

Hour 1–3: Scope the Incident

Your goal is to understand the blast radius before you make any recovery decisions. Contact an incident response firm (or your cyber insurance carrier if you have coverage that includes IR). While you're waiting, gather:

  • A list of every system that appears affected vs. systems that appear clean
  • Confirmation of whether domain controllers are impacted — this changes everything
  • Status of your backups — are they online, offsite, or cloud-based? Are they accessible?
  • Whether any cloud environments (M365, Google Workspace, AWS) are connected to the affected network
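Scoping the blast radius starts from the inventory the first hour asks for: which extension the encrypted files carry, where the ransom notes sit, and when the payload ran on each host. The following is an added example, not code from the original post or from Black Tower Cyber: a read-only Python triage scan of one mounted share or volume that reports exactly those three things without modifying a single file. The note-name words, the expected-extension set and the `min_count` threshold are constructed heuristics, not a vendor signature list.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Constructed heuristics for this example: note-filename words seen across
# many families, and extensions a document share is expected to contain.
NOTE_PATTERN = re.compile(r"(readme|recover|restore|decrypt|how.?to)", re.I)
EXPECTED_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".doc", ".msg", ".jpg", ".zip"}


def triage_scan(root, min_count=3):
    """Read-only walk of one mounted volume or share: per-extension counts,
    candidate ransom notes, extensions that look like an encryption suffix,
    and first/last mtime of the top suspect suffix (when the payload ran)."""
    ext_counts, ext_window, notes = Counter(), {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable or vanished: skip it, never touch it
            ext = os.path.splitext(name)[1].lower()
            ext_counts[ext] += 1
            lo, hi = ext_window.get(ext, (mtime, mtime))
            ext_window[ext] = (min(lo, mtime), max(hi, mtime))
            if NOTE_PATTERN.search(name) and ext in {".txt", ".html", ".hta"}:
                notes.append(path)
    suspects = sorted((e for e, n in ext_counts.items()
                       if e and e not in EXPECTED_EXTS and n >= min_count),
                      key=lambda e: ext_window[e][1], reverse=True)
    window = None
    if suspects:  # the most recently written suspect suffix bounds the run
        window = tuple(datetime.fromtimestamp(t, timezone.utc).isoformat()
                       for t in ext_window[suspects[0]])
    return {"files": sum(ext_counts.values()), "extensions": dict(ext_counts),
            "ransom_notes": notes, "suspect_extensions": suspects,
            "encryption_window_utc": window}


def run_sample():
    """Constructed sample share: 4 encrypted docs, 2 intact, 1 ransom note."""
    with tempfile.TemporaryDirectory() as d:
        names = [f"contract{i}.docx.locked" for i in range(4)]
        names += ["memo0.docx", "memo1.docx", "README_TO_RESTORE.txt"]
        for name in names:
            open(os.path.join(d, name), "w").close()
        return triage_scan(d)
```

Run it once per isolated host or share and keep the returned dictionaries together: the per-host encryption windows give the spread order, and a clean `suspect_extensions` list on a system is the evidence for putting it in the "appears clean" column.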

Hour 3–8: Notifications and Legal

Depending on your industry and the data involved, you may have mandatory breach notification obligations. This is not optional and the clock starts at discovery, not resolution. Engage legal counsel immediately. If you handle client data — as every law firm, CPA firm, and insurance agency does — you need to assess notification requirements under:

  • Connecticut Data Privacy Act (CTDPA) for CT-based firms
  • State breach notification laws for every state where affected clients reside
  • HIPAA if any health information was in scope
  • Your cyber liability policy's reporting requirements (missing these deadlines can void coverage)

Hour 8–24: Don't Pay Without Understanding Your Options

Ransom payment is not a recovery strategy — it is a last resort after all other options are exhausted, and even then it doesn't guarantee file recovery or data deletion. Before any payment consideration:

  • Confirm backup viability — this is your primary recovery path
  • Identify the ransomware variant — some have published decryptors that cost nothing
  • Understand what was exfiltrated — payment does not eliminate the exfiltration threat
  • Consult with OFAC-aware legal counsel — paying certain ransomware groups may be a federal violation

What Most Firms Get Wrong

The most common mistake we see is firms attempting DIY recovery by wiping and rebuilding systems before any forensic investigation. Once you wipe, you lose the evidence needed to understand how the attacker got in, what they accessed, and whether they still have persistent access elsewhere. Rebuilding without answering those questions means you're rebuilding into the same compromised environment.

Having a Plan Before You Need One

Every professional services firm handling client data should have a tested Incident Response Plan — not a generic document, but one that maps to your specific systems, your data types, your regulatory obligations, and your chain of decision-making authority during a crisis.

If you don't have one, or if you've never tested it, the time to find that out is not during an active incident at 2am on a Saturday.

Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.
