Ransomware doesn’t announce itself politely. One moment systems are fine; the next, files are encrypted, a ransom note is on the screen, and the phones start ringing. What you do in the next hour matters more than almost anything you’ll do in the following month.

What should you do in the first 60 minutes of a ransomware attack?

Isolate, preserve, and activate — in that order. Disconnect affected systems from the network, preserve the evidence instead of destroying it, and open the written plan you prepared in advance. The single biggest predictor of a good outcome is whether those decisions were made before the attack, not improvised during it.

How do you know it’s actually ransomware?

The obvious signal is a ransom note, but earlier signs include files renamed with unusual extensions, applications failing to open documents, backup jobs suddenly failing, and antivirus alerts firing in clusters. Treat any of these as an incident until proven otherwise. Assuming it’s a glitch and rebooting is how a contained problem becomes a network-wide one.

Should you shut everything down?

No — isolate instead. Unplug the network cable and disable Wi-Fi on affected machines, but leave them powered on. A hard shutdown destroys the volatile memory that forensic investigators use to identify the ransomware strain, the entry point, and whether data was stolen before encryption. That information determines your legal and insurance obligations.

Pro tip

Pre-label the network drops and switch ports for your critical systems. When someone has to physically isolate a server under pressure, a labeled cable is the difference between 30 seconds and 30 minutes.

Who do you call first?

Your incident-response contact and your cyber insurance carrier — not the attacker. Most cyber policies require you to notify the carrier’s breach hotline promptly, and they provide the forensics, legal, and negotiation resources you shouldn’t be sourcing at 9 a.m. on the worst day of your year.

Internal incident lead (named in your plan)
Your MSP or dedicated incident-response firm
Cyber insurance carrier’s 24/7 breach hotline
Legal counsel with breach experience

What should you never do?

Never negotiate or pay before counsel and your insurer are involved — it can violate sanctions law and void your coverage. Never restore from backup before you’ve confirmed the backup is clean and the attacker is out, or you’ll simply reinfect. And never assume you can quietly handle it internally; ransomware is increasingly a data-theft event with disclosure obligations attached.

Would your first 60 minutes hold up?

The Ransomware Reality Check scores your readiness across 20 categories — including incident response — in 15 minutes.

Free Reality Check

The organizations that walk away from ransomware with their business intact almost never got lucky. They decided, in advance, exactly what the first hour would look like — and then they practiced it. As CISA’s #StopRansomware guidance and NIST SP 800-61 both emphasize, preparation is the control that makes every other control work.