Ransomware Response: What to Do in the First 24 Hours
Ransomware encrypts your files and demands payment for the decryption key. The actions you take in the first 24 hours determine how much of your environment is affected, whether data was exfiltrated, and how quickly you recover.
ACTIVE INCIDENT?
Contact Tristarnex immediately at info@tristarnex.com. Do not power off affected systems and do not pay the ransom without advice.
Immediate steps — first 2 hours
Isolate affected systems immediately
Disconnect infected machines from the network — unplug ethernet cables and disable WiFi. Do not power them off. Ransomware spreads fast; isolation stops it reaching more systems. Powered-off machines lose volatile memory data needed for forensic investigation.
Identify the scope
Determine which systems are affected, which are clean, and whether the attack is still spreading. Check file servers, backups, and cloud sync services — ransomware frequently targets backup infrastructure specifically to prevent recovery.
Preserve evidence
Take photographs of ransom notes. Preserve system logs before they are overwritten. Note the time you first detected the encryption. This evidence is critical for forensic investigation and regulatory notification.
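The scoping and timeline steps above (which shares are hit, and when encryption started) can be supported by a read-only sweep of an isolated share. The following is an added example, not Tristarnex's tooling: it flags files whose leading bytes have near-ciphertext entropy, picks out ransom-note candidates by filename, and reports the earliest modification time among the hits as a lower bound on when encryption began. The entropy threshold, the note-name markers and the sample tree it builds are assumptions made for the demonstration.

```python
import math, os, tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5                           # bits/byte; ciphertext sits near 8.0
NOTE_MARKERS = ("decrypt", "ransom", "restore")   # assumed words common in note filenames

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Read-only walk of `root`: likely-encrypted files (high-entropy head), ransom-note
    candidates (by filename), affected directories and the earliest mtime among the hits."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if any(m in name.lower() for m in NOTE_MARKERS):
                notes.append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)          # only the head is sampled, never written
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                encrypted.append(path)
    hits = encrypted + notes
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "affected_dirs": sorted({os.path.dirname(p) for p in hits}),
            "earliest_mtime": min((os.path.getmtime(p) for p in hits), default=None)}

def build_sample_tree() -> str:
    """Constructed sample share (not real incident data) with pinned mtimes."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    t0 = 1_700_000_000                            # constructed epoch time, not a real incident
    files = {
        "finance/budget.txt": (b"Quarterly budget figures\n" * 40, t0),
        "hr/policy.txt": (b"Leave policy, version 3\n" * 40, t0),
        "finance/budget.txt.locked": (os.urandom(4096), t0 + 600),
        "hr/policy.txt.locked": (os.urandom(4096), t0 + 900),
        "finance/HOW_TO_DECRYPT.txt": (b"Your files are encrypted.\n", t0 + 650),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))            # pin mtime so the timeline is reproducible
    return root
```

Entropy is a heuristic: compressed archives and media also score high, so treat the "encrypted" list as a starting point for the forensic team, and run it against a mounted copy or snapshot rather than the live host you are preserving.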
Activate your incident response plan
Notify your incident response team or contact an IR provider immediately. Establish a secure communication channel — if your email is compromised, use personal devices and phone calls.
Do not pay the ransom yet
Payment does not guarantee decryption, does not prevent data publication, and may violate sanctions regulations if the attacker group is on a government sanctions list. Get professional advice before making any payment decision.
Hours 2–12: investigation and containment
With immediate containment in place, the focus shifts to understanding what happened. A forensic investigation will determine: the initial access vector (how the attacker got in), attacker dwell time (how long they were in your environment before deploying ransomware), whether data was exfiltrated before encryption, and whether any backdoors or persistence mechanisms remain.
This investigation is critical — not just for recovery, but because UK GDPR requires you to notify the ICO within 72 hours if personal data was likely accessed or exfiltrated. Without forensic investigation, you cannot make that determination.
Hours 12–24: recovery planning
Recovery from ransomware requires a clean rebuild — not just decryption. Even if you obtain a decryption key, the attacker may have planted backdoors, modified system files, or established persistence that survives decryption. The recovery process must include:
- Validating backups — confirming backups were not also encrypted or deleted
- Building clean systems from verified images, not from potentially compromised snapshots
- Restoring data from pre-infection backup points
- Hardening the initial access vector that allowed the attack
- Monitoring for attacker re-entry after restoration
The most common mistakes during a ransomware incident
❌ Powering off affected systems
Destroys volatile memory evidence needed to determine how the attacker got in and what they accessed.
❌ Paying the ransom immediately
Does not guarantee recovery, does not remove backdoors, and may fund further attacks. Always get professional advice first.
❌ Restoring from backups without investigation
If you restore without understanding the initial access vector, you will likely be reinfected within days.
❌ Communicating over potentially compromised channels
If the attacker has access to your email, they may be monitoring your incident response. Use out-of-band communication.
❌ Delaying regulatory notification
UK GDPR requires ICO notification within 72 hours if personal data was likely accessed. Missing this deadline adds regulatory risk to an already serious situation.
Dealing with ransomware right now?
Contact us immediately. A dedicated incident responder will be with you within minutes.