First: take a breath. Panic leads to the decisions that turn a recoverable incident into a catastrophic one — wiping systems before forensics, notifying clients before you know the scope, or paying a ransom before exploring recovery options. The steps below are designed for the first 48 hours, in order, regardless of what type of incident you're facing.
If ransomware is actively encrypting files right now, your first action is to physically disconnect affected systems from the network — pull ethernet cables, turn off Wi-Fi. Do NOT shut the machines down. Then skip to Step 3. Speed of containment is critical when encryption is in progress.
Hour 0–4: Detect and Contain
Step 1: Document Before You Touch Anything
Take photos of any visible indicators — ransom notes, unusual file extensions, error messages, suspicious emails. Write down timestamps of when you noticed each anomaly and who first detected it. This documentation is critical for your IR team, your insurer, and potentially law enforcement.
Step 2: Identify Affected vs. Clean Systems
Walk through your environment and determine which systems appear impacted and which appear unaffected. Flag your domain controllers, file servers, backup systems, and any cloud-connected machines separately — these require specific attention in triage. Do not attempt cleanup on any system yet.
Step 3: Isolate — Without Shutting Down
Disconnect affected systems from the network by disabling network interfaces or pulling cables. Do not shut the machines down — live memory contains volatile forensic evidence that disappears on reboot. In cloud environments (M365, SharePoint), isolation usually means disabling the affected accounts rather than isolating the whole tenant.
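The isolation step above, as an added example that is not part of the original post: a PowerShell script that first records the volatile state a reboot would destroy (running processes, open network connections, adapter list) and a timeline entry, then takes every active adapter down while leaving the host powered on. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated console session on the affected machine, and an assumed triage folder under C:\IR-Triage.

```powershell
# Added example (not from the original post). Preserve volatile state, then
# isolate this host from the network WITHOUT shutting it down.
# Assumes: run as Administrator from the local console (it will sever any RDP
# or remote PowerShell session), Windows 8.1 / Server 2012 R2 or later.
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$Triage = "C:\IR-Triage\$env:COMPUTERNAME-$Stamp"   # assumed local triage folder
New-Item -ItemType Directory -Path $Triage -Force | Out-Null

# Step 1: document who did what, when, before touching anything.
"Isolation started $(Get-Date -Format o) on $env:COMPUTERNAME by $env:USERNAME" |
    Out-File -FilePath "$Triage\timeline.txt" -Append

# Capture evidence that lives only in memory and disappears on reboot.
Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, UserName, Path, StartTime |
    Export-Csv -Path "$Triage\processes.csv" -NoTypeInformation
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path "$Triage\connections.csv" -NoTypeInformation
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, MacAddress |
    Export-Csv -Path "$Triage\adapters-before.csv" -NoTypeInformation

# Step 3: take every active adapter (Ethernet, Wi-Fi, VPN) down. No reboot.
$Active = Get-NetAdapter | Where-Object Status -eq 'Up'
foreach ($Adapter in $Active) {
    Disable-NetAdapter -Name $Adapter.Name -Confirm:$false
    "Disabled adapter '$($Adapter.Name)' at $(Get-Date -Format o)" |
        Out-File -FilePath "$Triage\timeline.txt" -Append
}

# Verify isolation and leave the result in the timeline for the IR team.
$StillUp = Get-NetAdapter | Where-Object Status -eq 'Up'
if ($StillUp) {
    "WARNING: adapters still up: $($StillUp.Name -join ', ')" |
        Out-File -FilePath "$Triage\timeline.txt" -Append
} else {
    "All adapters down; host isolated and still powered on" |
        Out-File -FilePath "$Triage\timeline.txt" -Append
}
```

The triage folder stays on the local disk, so copy it off via removable media once the IR team has approved that; do not re-enable an adapter to do it.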
Hour 4–12: Make the Right Calls
Step 4: Call Your Cyber Insurance Carrier
This call comes before you engage any vendor independently. Most cyber insurance policies require that you notify the carrier before incurring covered IR costs. The carrier will typically assign or approve an IR firm from their panel. Engaging an IR firm before this call may result in those costs not being covered.
Step 5: Engage Legal Counsel
Breach notification obligations may begin running from the moment of discovery — not from when the investigation is complete. You need counsel who understands your state's notification requirements and your industry's specific obligations. Attorney-client privilege can also protect your IR communications if litigation follows.
Step 6: Engage an Incident Response Firm
If you don't have an existing retainer, this is when you engage. Provide the IR team with your documentation from Step 1, your system inventory, your backup status, and any indicators you've collected. Their first job is forensic triage — determining the scope of compromise, the initial access vector, and whether the attacker still has active access anywhere in the environment.
Hour 12–48: Scope and Stabilize
Step 7: Assess Your Backups — Carefully
Before any recovery begins, verify that your backups are clean. Ransomware groups routinely encrypt or delete backups before deploying their main payload. Test backup integrity on an isolated system. If cloud backups exist, confirm they weren't synced with encrypted files. Your backup status is the single most important factor in determining recovery time and cost.
Step 8: Determine Notification Scope
Work with your IR team and legal counsel to identify what data was potentially accessed or exfiltrated. This determines which clients need to be notified, under which state laws, and within what timeframes. Don't send notifications before this scope assessment is complete — notifying clients about a breach scope that later turns out to be inaccurate creates additional legal exposure.
Step 9: Internal Communication — Need to Know Only
Limit internal communication about the incident to those who need to know to perform their roles. Premature or broad internal communication leads to unauthorized disclosure, social media posting, and client-facing conversations before your official communication is ready. Designate a single internal spokesperson for any staff questions.
What Not to Do
- Do not wipe and rebuild systems before forensic images are taken
- Do not pay a ransom without consulting your IR firm, legal counsel, and OFAC guidance
- Do not notify clients before scope is determined and notification content is reviewed by counsel
- Do not post on social media or respond to media inquiries without legal clearance
- Do not assume the incident is over when visible symptoms resolve — persistence mechanisms are common
The firms that navigate breaches successfully aren't the ones that never get hit. They're the ones that had a plan, made the right calls in the right order, and communicated honestly with their clients throughout the process.
Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.