Modern ransomware does two things: encrypts files and exfiltrates data. Your job in the first 24 hours is to contain the spread, preserve evidence, and bring in the right people.
First 30 minutes — contain
- Isolate the affected systems from the network. Do not power them off: evidence held in memory would be lost.
- Disconnect shared drives and backup targets.
- Tell staff: stop using IT.
First hour — call
- Your IT supplier.
- Your cyber insurer. Most policies require notification within hours.
- The incident-response retainer, if you have one.
- NCSC if it's a serious incident.
First few hours — document
- Photograph the ransom note and encrypted file extensions.
- Record who noticed what, when.
- Identify the scope: which systems and which data are affected.
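As an added example, not part of this checklist, a read-only triage script for the document step: it walks a copy of a share, counts file extensions so an unfamiliar one stands out, records candidate ransom notes with their SHA-256 for the evidence log, and stamps the record in UTC. The note-name hints, the known-extension list and the sample share it builds are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Assumed for this example: name fragments common in ransom notes, and this share's usual extensions.
NOTE_NAME_HINTS = ("readme", "restore", "decrypt", "recover", "how_to")
KNOWN_GOOD_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}

def sha256_file(path):
    """Hash a file in chunks so large documents are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_scope(root):
    """Read-only walk: count extensions, flag unfamiliar ones, log candidate notes."""
    ext_counts = Counter()
    notes = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            ext_counts[ext] += 1
            # Notes are usually small text/HTML files with a telling name.
            if ext in (".txt", ".html", ".hta") and any(k in stem for k in NOTE_NAME_HINTS):
                notes.append({"path": path, "sha256": sha256_file(path)})
    suspect = {e: n for e, n in ext_counts.items() if e and e not in KNOWN_GOOD_EXTS}
    return {
        "recorded_at": datetime.now(timezone.utc).isoformat(),  # when scope was recorded
        "total_files": sum(ext_counts.values()),
        "suspect_extensions": suspect,  # e.g. {'.locked': 3}
        "ransom_notes": notes,
    }

def build_sample_share():
    """Constructed sample: three encrypted office files, one untouched PDF, one note."""
    root = tempfile.mkdtemp(prefix="ir_sample_")
    os.makedirs(os.path.join(root, "finance"))
    for name in ("q1.xlsx.locked", "q2.xlsx.locked", "board.docx.locked"):
        with open(os.path.join(root, "finance", name), "wb") as f:
            f.write(os.urandom(64))
    with open(os.path.join(root, "finance", "ok.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 untouched")
    with open(os.path.join(root, "RESTORE_FILES.txt"), "w") as f:
        f.write("constructed sample note text\n")
    return root
```

Run it against a forensic copy or a read-only mount, never the live share, and keep the returned record with the photographs in the evidence log.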
First 24 hours — decide
- Identify clean, recent backups.
- Get legal advice on data exfiltration and on ICO notification.
- Draft — do not send — customer and staff communications.
- If personal data was accessed: notify the ICO within 72 hours.
Common mistakes
- Restoring over the still-compromised network.
- Paying without advice.
- Not notifying the insurer in time — voids cover.
- Ignoring exfiltration risk.