The golden hour: why speed matters
In emergency medicine, the "golden hour" refers to the critical window after a traumatic injury when rapid intervention dramatically improves survival odds. Ransomware incidents follow the same principle. The actions your team takes in the first 60 minutes determine whether an incident remains contained or escalates into a catastrophic breach.
Ransomware spreads laterally. Once it encrypts files on one endpoint, it probes network shares, mapped drives, cloud sync folders, and backup repositories. In most current incidents the encryption is also the final step of a human-operated intrusion: the operators have typically held access for days, harvesting credentials and locating backups, before they trigger it, so the first encrypted file is rarely the first sign of the attacker. Every minute of inaction widens the blast radius. A 2025 IBM study found that organizations with a tested incident response plan contained breaches 58 days faster and saved an average of USD 2.66 million compared to those without one.
The timeline below is not a theoretical framework. It is a practical, role-based playbook that any firm can follow — even without a dedicated security team. Print it. Post it in your server room. Make sure every decision-maker knows where to find it before an incident happens.
Minute 0–5: Confirm and isolate
The first five minutes are about stopping the spread. Nothing else matters yet.
Confirm the incident. Determine whether this is a true ransomware attack or a false alarm. Look for these indicators:
- Files with unfamiliar extensions (.locked, .crypt, .encrypted, or random strings)
- Ransom notes on the desktop or in affected directories (often named README.txt, DECRYPT_INSTRUCTIONS.html, or similar)
- Unusual CPU or disk activity on affected machines
- Multiple users reporting access issues simultaneously
A ransom note, or a wave of files renamed with an unfamiliar extension across several folders, is confirmation on its own. Otherwise, if any two of these indicators are present, treat it as confirmed and proceed immediately: a false alarm costs a few minutes of disruption, a missed incident can cost the firm its data.
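The checklist above names the indicators; the Python script below, added here as an illustration and not part of GWARD's product or the original playbook, shows how the two file-based ones can be checked mechanically over a share or folder, and adds a third signal the list does not mention: byte entropy. Encrypted file contents score close to 8 bits per byte, while ordinary documents score far lower. The extension list, the ransom-note names and the sample files are assumptions constructed for the example. Extend the lists from your own threat intelligence, and remember that a legitimate README.txt or a compressed archive will trip the note-name and entropy checks respectively, which is why the rule counts distinct indicators rather than trusting any single one.

```python
"""Triage scan for the file-based indicators in the checklist above.

Added example, not GWARD code. The extension and ransom-note name lists
are illustrative assumptions, not a complete catalogue, and the entropy
check is a heuristic: ciphertext scores close to 8 bits per byte, but so
do compressed archives and media, so treat a high-entropy count as one
indicator among several rather than proof on its own.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicator lists (illustrative; extend from your own intel).
# "readme.txt" is here because the playbook names it; in a source tree it
# will false-positive, so always review ransom_note_paths by hand.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".encrypted", ".enc"}
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.html", "how_to_decrypt.txt"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random ciphertext is ~7.9 or higher


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, sample_bytes: int = 4096) -> dict:
    """Walk `root` and count three file-system indicators.

    Applies the playbook rule: a ransom note confirms on its own;
    otherwise two or more distinct indicators together confirm.
    """
    result = {"suspicious_ext": 0, "ransom_notes": 0, "high_entropy": 0,
              "ransom_note_paths": [], "confirmed": False}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            result["ransom_notes"] += 1
            result["ransom_note_paths"].append(str(path))
            continue
        if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            result["suspicious_ext"] += 1
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        # Skip tiny files: an entropy estimate over a few bytes is meaningless.
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            result["high_entropy"] += 1
    distinct = sum(1 for k in ("suspicious_ext", "ransom_notes", "high_entropy")
                   if result[k] > 0)
    result["confirmed"] = result["ransom_notes"] > 0 or distinct >= 2
    return result


def build_sample_tree(root, infected: bool) -> None:
    """Populate `root` with constructed sample files (not real incident data)."""
    clients = Path(root) / "clients"
    clients.mkdir(parents=True, exist_ok=True)
    for i in range(3):
        (clients / f"memo_{i}.txt").write_text("Meeting notes for matter 42. " * 100)
    if infected:
        for i in range(3):
            # Original name kept, ransomware extension appended, body is ciphertext.
            (clients / f"contract_{i}.docx.locked").write_bytes(os.urandom(4096))
        (clients / "README.txt").write_text("All your files have been encrypted. Contact us to decrypt.")


def demo(infected: bool) -> dict:
    """Build a throwaway tree, scan it and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected)
        return scan_tree(tmp)


if __name__ == "__main__":
    print("infected:", demo(True))
    print("clean:   ", demo(False))
```

Run it against a mapped drive or a synced folder by calling scan_tree on that path; the sample size of 4 KiB per file keeps the scan fast enough to run from a laptop during the first five minutes.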
Isolate affected systems. Disconnect infected machines from the network. This means physically unplugging the Ethernet cable and disabling Wi-Fi. If your endpoint protection offers a host isolation (network containment) function, use it: it cuts every connection except the management channel and leaves the machine running for analysis. Do not shut down the machines: volatile memory may contain forensic evidence (encryption keys, active processes, network connections) that is lost on power-off. If you manage a larger environment, isolate the affected network segment at the switch or firewall level and block the infected hosts' outbound traffic, so the operator loses their command channel as well.
Disable shared drives and cloud sync. If the ransomware is encrypting files on a network share or a synced folder (OneDrive, Dropbox, SharePoint), pause or disconnect the sync client and revoke write access to shared directories immediately.
Minute 5–15: Assess the scope
With the immediate spread contained, spend the next ten minutes understanding how far the damage has reached.
Identify patient zero. Determine which machine was infected first; the earliest timestamp on an encrypted file, compared across hosts, is usually the quickest pointer. Check email logs for phishing messages opened in the last 24 hours, browser history for suspicious downloads, and remote access logs (RDP, VPN) for sessions from unfamiliar addresses, at unusual hours, or under service accounts that should never log on interactively. The initial infection vector tells you whether the attacker may still have active access, for example through a VPN account that is still valid.
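As an added example (not GWARD code and not from the original playbook), here is the patient-zero reasoning expressed in Python over constructed data: the earliest encrypted-file timestamp per host picks the first victim, and remote-access events on that host in the preceding 24 hours are pulled out for review. Host names, accounts, addresses and the log line format are invented; the only real detail relied on is that Windows event 4624 with logon type 10 records an RDP (RemoteInteractive) logon.

```python
"""Patient-zero triage over constructed observations.

Added example, not GWARD code. Host names, accounts, addresses and the
log format are invented for illustration; 203.0.113.0/24 and
198.51.100.0/24 are documentation address ranges. The one real mapping
used: Windows event 4624 with logon type 10 is a RemoteInteractive (RDP)
logon.
"""
from datetime import datetime, timedelta

# Earliest modification time of an encrypted file seen on each host,
# e.g. taken from the triage scan. Constructed values.
FIRST_ENCRYPTED = {
    "FS-01": "2025-03-14T03:02:11+00:00",
    "WS-07": "2025-03-14T02:41:05+00:00",
    "WS-12": "2025-03-14T03:05:48+00:00",
}

# Constructed remote-access log, one event per line, key=value fields.
REMOTE_ACCESS_LOG = """\
2025-03-13T09:15:02+00:00 host=WS-12 event=4624 logon_type=10 user=jdoe src=198.51.100.23
2025-03-12T16:00:00+00:00 host=WS-07 event=4624 logon_type=10 user=admin src=10.0.5.2
2025-03-14T01:58:40+00:00 host=WS-07 event=4624 logon_type=10 user=svc_backup src=203.0.113.45
2025-03-14T02:10:12+00:00 host=WS-07 event=vpn_connect user=svc_backup src=203.0.113.45
2025-03-14T02:39:50+00:00 host=FS-01 event=4624 logon_type=3 user=svc_backup src=10.0.5.17
"""


def parse_log(text: str) -> list:
    """Parse 'ISO-timestamp key=value ...' lines into dicts with an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"time": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def rank_hosts(first_encrypted: dict) -> list:
    """Hosts ordered by when encryption first appeared; index 0 is patient zero."""
    return sorted((datetime.fromisoformat(t), host) for host, t in first_encrypted.items())


def sessions_before(events, host, cutoff, window_hours=24) -> list:
    """Events on `host` in the `window_hours` before `cutoff` (first encryption)."""
    start = cutoff - timedelta(hours=window_hours)
    return [e for e in events if e.get("host") == host and start <= e["time"] <= cutoff]


def triage(first_encrypted=FIRST_ENCRYPTED, log_text=REMOTE_ACCESS_LOG) -> dict:
    ranked = rank_hosts(first_encrypted)
    t0, patient_zero = ranked[0]
    preceding = sessions_before(parse_log(log_text), patient_zero, t0)
    rdp = [e for e in preceding if e.get("event") == "4624" and e.get("logon_type") == "10"]
    return {
        "patient_zero": patient_zero,
        "first_encryption": t0.isoformat(),
        "spread_order": [host for _, host in ranked],
        "preceding_sessions": preceding,
        "rdp_logons": rdp,
        # Accounts seen on patient zero before encryption: reset these first,
        # and ask why a service account logged on interactively at all.
        "suspect_accounts": sorted({e["user"] for e in preceding if "user" in e}),
        "suspect_sources": sorted({e["src"] for e in preceding if "src" in e}),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

In the constructed data the service account svc_backup logs on to WS-07 over RDP from an outside address 43 minutes before the first file is encrypted; that account and that address are what the technical lead hands to the incident commander, and the account goes to the top of the reset list in the recovery phase.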
Map the affected perimeter. Inventory which systems, users, and data stores are impacted:
- How many endpoints show encrypted files?
- Are any servers affected (file servers, domain controllers, email servers)?
- Have backup systems been reached? Check NAS devices, backup software dashboards, and cloud backup portals.
- Are any cloud services (Microsoft 365, Google Workspace) showing unusual activity?
Preserve evidence. Take screenshots of ransom notes, file listings, and error messages. Record the exact time each system was isolated. If your firm has security logging (SIEM, endpoint detection), export at least the last 48 hours of logs, and as far back as retention allows, to an unaffected medium; attackers commonly have access for days before encryption starts, so the entries that matter may be older than the encryption itself. Record a cryptographic hash of each exported file at collection time so its integrity can be demonstrated later. This evidence is critical for forensic analysis, insurance claims, and potential law enforcement involvement.
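Exported logs and screenshots are only useful evidence if you can later show they were not altered. The Python example below is added here for illustration (not GWARD code and not from the original page): it writes a SHA-256 manifest over an evidence folder with collector, host and UTC time, and a verify step that reports modified, missing or added files. The folder contents are constructed. The one point the code cannot enforce is that the manifest's own hash must be copied into the incident log kept off the affected systems, because anyone who can write to the evidence folder can regenerate the manifest.

```python
"""Integrity manifest for exported evidence.

Added example, not GWARD code. It hashes every exported artefact
(log exports, screenshots) with SHA-256 and records collector, host and
UTC time, so a forensic firm, insurer or prosecutor can later show the
evidence is unchanged since collection. File names and contents below
are constructed. Copy the manifest's own hash into the incident log
kept off the affected systems: a manifest stored next to the evidence
can be regenerated by whoever can write to that directory.
"""
import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large log exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _evidence_files(evidence_dir: Path) -> list:
    return sorted(p for p in evidence_dir.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)


def build_manifest(evidence_dir, collector: str, note: str = "") -> dict:
    """Hash every file under `evidence_dir` and write MANIFEST.json beside them."""
    evidence_dir = Path(evidence_dir)
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "collected_on": socket.gethostname(),
        "note": note,
        "files": [
            {"path": p.relative_to(evidence_dir).as_posix(),
             "size": p.stat().st_size,
             "sha256": sha256_file(p)}
            for p in _evidence_files(evidence_dir)
        ],
    }
    # Hash of the manifest body itself: this is the value to copy into the incident log.
    body = json.dumps(manifest, indent=2, sort_keys=True)
    manifest["manifest_sha256"] = hashlib.sha256(body.encode()).hexdigest()
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(evidence_dir) -> list:
    """Return a list of problems; an empty list means the evidence set is intact."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    stored = manifest.pop("manifest_sha256")
    problems = []
    body = json.dumps(manifest, indent=2, sort_keys=True)
    if hashlib.sha256(body.encode()).hexdigest() != stored:
        problems.append("manifest header altered")
    recorded = {e["path"]: e["sha256"] for e in manifest["files"]}
    for rel, digest in recorded.items():
        p = evidence_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    present = {p.relative_to(evidence_dir).as_posix() for p in _evidence_files(evidence_dir)}
    problems.extend(f"unlisted: {rel}" for rel in sorted(present - recorded.keys()))
    return problems


def demo() -> tuple:
    """Collect constructed evidence, verify it, tamper with one file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "screenshots").mkdir()
        (root / "screenshots" / "ransom_note.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        (root / "siem_export.log").write_text(
            "2025-03-14T02:41:05Z WS-07 rename contract_0.docx -> contract_0.docx.locked\n")
        build_manifest(root, collector="IT manager", note="SIEM export taken at isolation time")
        before = verify_manifest(root)
        with (root / "siem_export.log").open("a") as fh:   # simulated tampering
            fh.write("2025-03-14T02:42:00Z WS-07 nothing to see here\n")
        after = verify_manifest(root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Copy the evidence to the unaffected medium first, then run build_manifest on that copy and read the manifest_sha256 value aloud into the incident log; verify_manifest is what the forensic firm or insurer runs when the evidence changes hands.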
Minute 15–30: Communicate and document
Controlled communication prevents panic and ensures the right people are making decisions.
Activate your incident response team. If you have a pre-designated team, notify them now via a channel unaffected by the attack (personal mobile phones, not corporate email or Slack if those systems may be compromised). If you don't have a formal team, assemble the following roles:
- Incident commander: A senior partner or managing director who makes final decisions
- Technical lead: Your IT manager or external IT provider
- Communications lead: Someone responsible for internal and external messaging
- Legal advisor: Internal or external counsel familiar with data breach notification obligations
Notify your cyber insurance carrier. If your firm has a cyber liability policy, call the carrier's incident hotline immediately. Most policies have strict notification windows (often 24–72 hours) and may provide access to pre-vetted forensic firms, legal counsel, and crisis communications specialists. Delaying notification can jeopardize coverage.
Do not contact the attacker. Do not respond to the ransom note, open negotiation channels, or pay any ransom at this stage. Any communication with the attacker should only occur on the advice of law enforcement or a qualified incident response firm.
Document everything. Start a dedicated incident log — a simple shared document with timestamped entries recording every action taken, every decision made, and every person involved. This log serves multiple purposes: forensic reconstruction, regulatory compliance evidence, insurance documentation, and internal post-incident review.
Minute 30–60: Begin recovery
With the situation documented and the right people engaged, shift focus to restoring operations.
Assess backup integrity. Before restoring anything, verify that your backups are clean. Ransomware operators frequently target backup systems, or leave behind persistence (scheduled tasks, new accounts, remote access tools) that survives a restore. Check backup timestamps against the estimated time of initial intrusion, not just the time encryption began: a backup taken after the attacker was already inside may contain their tooling or files that were encrypted in place, and any backup job that failed or was altered in that window is suspect. Test-restore a small subset of files to a quarantined machine, confirm they open correctly, and scan them before committing to a full restore.
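The two checks in the paragraph above, choosing a restore point and validating a test restore, as an added Python example (not GWARD code and not from the original page). The backup catalogue, the estimated intrusion and encryption times and the restored files are all constructed. It picks the newest successful backup that completed before the estimated intrusion, and shows that using the encryption time instead would select a later, possibly tainted snapshot; the restored files are then checked by file signature, because a file that kept its name but whose header no longer matches its extension was already encrypted in place when the backup ran. The signature table covers only a few common types.

```python
"""Picking a restore point and sanity-checking a test restore.

Added example, not GWARD code. The backup catalogue, times and files are
constructed. Two checks from the playbook: (1) the newest backup that
completed before the estimated intrusion time, not the first encryption
time, is the safest restore point, because operators are usually inside
for days before they encrypt; (2) a test-restored file whose header does
not match its extension was probably already encrypted in place when
the backup ran. The magic-number table is a small illustrative subset.
"""
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed backup catalogue: (snapshot id, completion time, job status).
SNAPSHOTS = [
    ("daily-2025-03-10", "2025-03-10T23:30:00+00:00", "ok"),
    ("daily-2025-03-11", "2025-03-11T23:30:00+00:00", "ok"),
    ("daily-2025-03-12", "2025-03-12T23:30:00+00:00", "failed"),
    ("daily-2025-03-13", "2025-03-13T23:30:00+00:00", "ok"),
]
ESTIMATED_INTRUSION = "2025-03-12T16:00:00+00:00"   # first suspicious logon (constructed)
FIRST_ENCRYPTION = "2025-03-14T02:41:05+00:00"      # first encrypted file (constructed)

# File signatures (magic numbers) for a few common document types.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


def pick_restore_point(snapshots, cutoff_iso: str):
    """Newest successful snapshot that completed before `cutoff_iso`, or None."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    candidates = [(datetime.fromisoformat(t), sid) for sid, t, status in snapshots
                  if status == "ok" and datetime.fromisoformat(t) < cutoff]
    return max(candidates)[1] if candidates else None


def validate_restore(restore_dir) -> dict:
    """Classify test-restored files: ok (header matches), suspect (mismatch), unknown (no rule)."""
    restore_dir = Path(restore_dir)
    result = {"ok": [], "suspect": [], "unknown": []}
    for path in sorted(restore_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(restore_dir).as_posix()
        signatures = MAGIC.get(path.suffix.lower())
        if signatures is None:
            result["unknown"].append(rel)
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        result["ok" if head.startswith(signatures) else "suspect"].append(rel)
    return result


def demo() -> dict:
    """Run both checks over constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "engagement_letter.pdf").write_bytes(b"%PDF-1.7\n% constructed sample\n")
        (root / "contract.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
        # Named like a PDF but the body is ciphertext: encrypted in place before the backup ran.
        (root / "invoice.pdf").write_bytes(bytes(range(255, -1, -1)))
        (root / "notes.txt").write_text("plain text, no signature rule")
        validation = validate_restore(root)
    return {
        "restore_point_by_intrusion": pick_restore_point(SNAPSHOTS, ESTIMATED_INTRUSION),
        "restore_point_by_encryption": pick_restore_point(SNAPSHOTS, FIRST_ENCRYPTION),
        "validation": validation,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed catalogue the intrusion-based cutoff selects daily-2025-03-11, while the encryption-based cutoff would have selected daily-2025-03-13, taken while the attacker already had access; a suspect file in the validation step means that snapshot is not clean either and the search moves one snapshot further back.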
Prioritize critical systems. Rank systems by business criticality: What does your firm need to function tomorrow morning? Typically, the priority order is: email and communications, then document management and case files, then billing and time tracking, and finally non-essential internal tools. Restore critical systems first from verified clean backups.
Reset all credentials. Assume that user credentials are compromised. Reset passwords for every account, starting with domain admin, service accounts, and any account with elevated privileges, and do it from a machine you know is clean. If a domain controller was affected, also reset the krbtgt account password twice, allowing replication to complete between the two resets, to invalidate any forged Kerberos tickets the attacker may hold. Revoke active sessions and refresh tokens in cloud services, since a password change alone does not end them. Enable or re-verify multi-factor authentication across all systems. If the attacker gained access through compromised credentials, restoring systems without resetting passwords invites reinfection.
Engage forensic specialists if needed. For firms handling client data under regulatory obligations (FADP, GDPR), professional forensic analysis may be necessary to determine whether data was exfiltrated before encryption. Modern ransomware groups routinely steal data before encrypting it, using the threat of publication as additional leverage.
How to prevent the next attack
Once the immediate crisis is resolved, invest in the defenses that would have prevented or mitigated it:
- Implement the 3-2-1 backup rule: Three copies of data, on two different media types, with one copy stored offsite. Against ransomware, that offsite copy must also be offline or immutable (write-once or object-locked storage), so that an attacker holding domain admin credentials cannot delete or encrypt it along with everything else.
- Deploy endpoint detection and response (EDR): Traditional antivirus is insufficient. EDR solutions detect behavioral anomalies — rapid file encryption, lateral movement, credential harvesting — that signature-based tools miss.
- Enforce multi-factor authentication everywhere: Microsoft has reported that MFA blocks over 99% of automated account-compromise attacks. Prefer phishing-resistant methods (FIDO2 security keys, passkeys) over push notifications and SMS codes, which attackers defeat with prompt-bombing and relay phishing. No exceptions for partners, no exceptions for "internal-only" systems.
- Patch aggressively: Apply security updates within 48 hours of release for internet-facing systems, with VPN gateways and remote access portals first. Exploitation of unpatched edge devices is consistently among the top initial access vectors for ransomware, alongside phishing and stolen credentials.
- Conduct tabletop exercises: Run a simulated ransomware scenario with your team at least once per year. Practice makes the real response faster and calmer.
How GWARD automates incident response
GWARD's endpoint agent is designed to compress the timeline described above from 60 minutes of manual coordination to seconds of automated response.
Detection in seconds, not hours. GWARD continuously monitors file system behavior, process execution, and network connections. When it identifies ransomware-like activity — rapid sequential file encryption, known ransomware process signatures, or anomalous write patterns — it triggers an alert within seconds of the first indicator.
Automatic isolation. When a confirmed threat is detected, GWARD can automatically isolate the affected endpoint from the network, stopping lateral movement before a human even opens the alert. The "Minute 0–5" phase described above happens without intervention.
Real-time alerts to decision-makers. GWARD sends plain-language notifications directly to the people who need to act — partners, office managers, and IT contacts. No security jargon, no log files to interpret. Each alert includes what happened, what GWARD did automatically, and what steps the recipient should take next.
Forensic-ready logging. Every event is logged with full context: timestamp, affected files, process chain, network connections, and user account. These logs are stored on European servers and are immediately available for forensic analysis, insurance claims, or regulatory reporting under the FADP.
The firms that recover fastest from ransomware are the ones that prepared before the attack. GWARD is that preparation — installed in 15 minutes, monitoring 24/7, and responding before the damage compounds.
Don't wait for the attack to build your response plan
Join the GWARD waitlist and get automated threat detection and incident response for your firm.
Join the waitlist