sales@summitcoretechnologygroup.com|Become a Client: (858) 877-9874|Client Support: (858) 689-3855
Security | Incident Response

Ransomware Recovery: What Actually Happens When You Get Hit

April 2026

Most organizations have thought about ransomware in the abstract. Very few have thought through what the response actually looks like hour by hour. The ones who have are the ones who recover. The ones who haven't are the ones you read about in breach disclosure notices.

Cybersecurity warning screen representing ransomware attack and recovery
Photo: Unsplash

Hour Zero: The Discovery

Ransomware rarely announces itself the moment it executes. By the time users see the ransom note, the malware has typically been active in the environment for hours, days, or - in sophisticated attacks - weeks. During that dwell time, attackers have mapped your network, identified your backup systems, exfiltrated sensitive data, and positioned the encryption payload on as many systems as possible.

The moment of discovery is almost always chaotic. Files are inaccessible. Systems are unresponsive. Users are reporting errors simultaneously. Your immediate priority is containment, not recovery - because recovery on a still-infected network accomplishes nothing.

The First Four Hours: Containment

The first objective is to stop the spread. This means:

  • Network isolation: Disconnecting affected systems from the network to prevent further lateral movement, and cutting the attacker's remote access at the same time (VPN, RDP, remote management tools, and any accounts seen in the malicious activity). In a segmented network, this is targeted. In a flat network, it may mean taking everything offline. Isolate at the network layer rather than powering systems off: shutdown destroys the volatile memory that forensics will want.
  • Identifying patient zero: Determining which system was the initial infection vector - typically a phishing email, a compromised VPN credential, or an unpatched vulnerability on an internet-facing system. The first host seen encrypting is rarely the entry point; encryption is the last stage, and initial access usually happened days earlier somewhere else.
  • Assessing backup integrity: Determining whether your backups are intact and unaffected, and whether the backup console, repository, or backup service account shows attacker activity. If the attacker found and encrypted or deleted your backups before triggering the payload, your options just became significantly more limited. Offline or immutable copies are what you hope to find at this point.
  • Preserving forensic evidence: Capturing memory where tooling allows and taking disk images of affected systems before beginning remediation. Insurers and law enforcement will expect this, and the timeline it yields is what establishes the compromise date that every recovery decision depends on.
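The containment steps above start from a question the logs have to answer: which hosts are encrypting, which accounts are doing it, and where to begin the hunt for the entry point. The following is an added example, not SummitCore's tooling or anything from the article: it triages a constructed file-server audit log in a simplified comma-separated format (timestamp, host, user, event, source path, destination path) that is assumed for the demonstration. Real EDR and SMB audit formats differ, so the parser is the part you would replace; the extensions, threshold and log records are all constructed.

```python
"""Scope containment from a constructed file-server audit log (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed extension list and threshold; tune both to the family you are facing.
SUSPECT_EXTENSIONS = (".locked", ".encrypted")
RENAME_THRESHOLD = 5  # suspect renames per host before we treat it as encrypting

# Constructed sample log (raw string so the backslash in DOMAIN\user survives).
SAMPLE_LOG = r"""
2026-04-02T01:12:03Z,WS-042,CORP\jsmith,RENAME,/finance/q1.xlsx,/finance/q1.xlsx.locked
2026-04-02T01:12:04Z,WS-042,CORP\jsmith,RENAME,/finance/q2.xlsx,/finance/q2.xlsx.locked
2026-04-02T01:12:04Z,WS-042,CORP\jsmith,RENAME,/finance/budget.docx,/finance/budget.docx.locked
2026-04-02T01:12:05Z,WS-042,CORP\jsmith,RENAME,/finance/notes.txt,/finance/notes.txt.locked
2026-04-02T01:12:05Z,WS-042,CORP\jsmith,RENAME,/finance/plan.pptx,/finance/plan.pptx.locked
2026-04-02T01:12:06Z,WS-042,CORP\jsmith,CREATE,,/finance/README_RESTORE.txt
2026-04-02T01:15:30Z,FS01,CORP\svc_backup,RENAME,/hr/payroll.csv,/hr/payroll.csv.locked
2026-04-02T01:15:31Z,FS01,CORP\svc_backup,RENAME,/hr/reviews.docx,/hr/reviews.docx.locked
2026-04-02T01:15:31Z,FS01,CORP\svc_backup,RENAME,/hr/contracts.pdf,/hr/contracts.pdf.locked
2026-04-02T01:15:32Z,FS01,CORP\svc_backup,RENAME,/hr/benefits.xlsx,/hr/benefits.xlsx.locked
2026-04-02T01:15:33Z,FS01,CORP\svc_backup,RENAME,/hr/handbook.pdf,/hr/handbook.pdf.locked
2026-04-02T01:20:00Z,WS-017,CORP\amiller,RENAME,/docs/old.txt,/docs/old.bak
"""


def parse_log(text):
    """Parse the assumed six-field format into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, src, dst = line.split(",", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "user": user, "event": event, "src": src, "dst": dst,
        })
    return events


def is_encryption_rename(ev):
    """A rename whose destination carries a known ransomware extension."""
    return ev["event"] == "RENAME" and ev["dst"].lower().endswith(SUSPECT_EXTENSIONS)


def triage(events, threshold=RENAME_THRESHOLD):
    """Hosts with at least `threshold` suspect renames, ordered by first activity."""
    per_host = defaultdict(list)
    for ev in events:
        if is_encryption_rename(ev):
            per_host[ev["host"]].append(ev)
    flagged = []
    for host, evs in per_host.items():
        if len(evs) < threshold:
            continue  # a single rename to .locked is not mass encryption
        evs.sort(key=lambda e: e["ts"])
        flagged.append({
            "host": host,
            "first_seen": evs[0]["ts"],
            "renames": len(evs),
            "accounts": sorted({e["user"] for e in evs}),
        })
    flagged.sort(key=lambda f: f["first_seen"])
    return flagged


def isolation_plan(flagged):
    """Hosts to cut off, accounts to disable, and the earliest host to start the timeline from."""
    return {
        "isolate_hosts": [f["host"] for f in flagged],
        "disable_accounts": sorted({a for f in flagged for a in f["accounts"]}),
        # Earliest encrypting host is where the timeline starts, not necessarily patient zero.
        "start_hunt_at": flagged[0]["host"] if flagged else None,
    }


if __name__ == "__main__":
    for row in triage(parse_log(SAMPLE_LOG)):
        print(row)
    print(isolation_plan(triage(parse_log(SAMPLE_LOG))))
```

On the constructed data the plan isolates WS-042 and FS01, disables CORP\jsmith and CORP\svc_backup, and ignores WS-017's single rename to .bak. The backup service account renaming files on a file server is exactly the signal that the backup system itself needs checking before anyone trusts a restore point.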

Hours Four Through Twenty-Four: Assessment and Decision

Once containment is in place, you face the most consequential decision of the incident: pay the ransom or recover from backup.

The calculus depends on several factors: the integrity and recency of your backups, the sensitivity of any data that was exfiltrated, your cyber insurance policy terms, whether the attacking group has a history of actually providing working decryption keys, whether the group is subject to sanctions (in the United States, paying a sanctioned entity can itself create legal exposure, which is why legal counsel and your insurer belong in this conversation from the start), and how long recovery from backup will take versus the business impact of extended downtime.

Law enforcement and most security professionals advise against paying. The reasoning is sound: payment funds criminal organizations, does not guarantee a working decryption key, does not address exfiltrated data, and marks you as a target willing to pay.

The exfiltration problem: Modern ransomware groups operate a double extortion model - they encrypt your data and they steal it. Even if you recover from backup successfully, they may publish or sell your data if you don't pay. This is why data classification and access control matter as a preventive measure: attackers can only exfiltrate what they can reach.

The Recovery Phase

Recovery from backup is not a simple restore operation. It requires rebuilding from a known-clean baseline - because restoring from a backup that was taken after the attacker gained access may restore the malware along with your data. Recovery typically involves:

  • Rebuilding affected systems from a clean OS baseline or from a backup predating the compromise, with EDR in place before the system is reconnected
  • Restoring data from the most recent clean backup point, meaning the newest backup taken before the attacker's earliest known activity, not simply the newest backup that exists
  • Closing the initial access vector before reconnecting anything to the network: patching the exploited vulnerability, removing the attacker's persistence and any accounts they created, and revoking VPN and remote access sessions
  • Resetting all credentials across the environment, as attacker dwell time means credential theft is assumed - user passwords, service accounts, API keys, and in Active Directory the krbtgt account (reset twice, allowing replication between resets) so that forged Kerberos tickets stop working
  • Prioritizing systems in business-critical order and bringing the environment up in staged phases, identity and core infrastructure first, with each system's dependencies restored before the system itself
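The recovery steps above come down to two decisions that are easy to get wrong under pressure: which backup is actually clean, and in what order systems come back. The following is an added example written for this article; it is not SummitCore's or any backup vendor's code. It assumes a backup catalog that records a SHA-256 of each snapshot when it is taken (simulated in memory here), a compromise time taken from the forensic timeline, a safety margin ahead of that time, and a hand-maintained inventory with tiers and dependencies. Every value in it is constructed.

```python
"""Pick the last clean backup per system and order the restores (added example)."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Earliest attacker activity found in the forensic timeline (assumed value).
COMPROMISE_TIME = utc(2026, 3, 28, 14, 0)
# Assumed margin: timelines are rarely exact, so back off from the first known activity.
SAFETY_MARGIN = timedelta(hours=24)

# Constructed inventory: lower tier restores first; depends_on must be up before it.
SYSTEMS = {
    "AD01": {"tier": 0, "depends_on": []},
    "FS01": {"tier": 1, "depends_on": ["AD01"]},
    "ERP-DB": {"tier": 1, "depends_on": ["AD01"]},
    "ERP-APP": {"tier": 2, "depends_on": ["ERP-DB", "AD01"]},
    "WS-042": {"tier": 3, "depends_on": ["AD01"]},
}


def catalog_entry(sid, system, taken, content, tampered=False):
    """Simulate a catalog record: the hash was computed when the backup ran.
    tampered=True models an attacker altering the stored copy afterwards."""
    digest = hashlib.sha256(content).hexdigest()
    blob = content + b"<<altered>>" if tampered else content
    return {"id": sid, "system": system, "taken": taken, "sha256": digest, "blob": blob}


# Constructed catalog. A2 is newer than the compromise; F2 was tampered with.
SNAPSHOTS = [
    catalog_entry("A1", "AD01", utc(2026, 3, 20, 2, 0), b"ad-state-0320"),
    catalog_entry("A2", "AD01", utc(2026, 3, 29, 2, 0), b"ad-state-0329"),
    catalog_entry("F1", "FS01", utc(2026, 3, 25, 2, 0), b"fs-data-0325"),
    catalog_entry("F2", "FS01", utc(2026, 3, 27, 2, 0), b"fs-data-0327", tampered=True),
    catalog_entry("D1", "ERP-DB", utc(2026, 3, 27, 12, 0), b"erp-db-0327"),
]


def verify(snapshot):
    """Recompute the hash of the stored copy against the catalog's record."""
    return hashlib.sha256(snapshot["blob"]).hexdigest() == snapshot["sha256"]


def last_clean_snapshot(snapshots, system, compromise_time, margin=SAFETY_MARGIN):
    """Newest snapshot taken before (compromise_time - margin) that still verifies."""
    cutoff = compromise_time - margin
    candidates = [s for s in snapshots if s["system"] == system and s["taken"] < cutoff]
    for snap in sorted(candidates, key=lambda s: s["taken"], reverse=True):
        if verify(snap):
            return snap
    return None  # nothing trustworthy: rebuild from a clean baseline


def restore_order(systems):
    """Kahn's topological sort; among ready systems, lowest tier (then name) first."""
    indegree = {name: len(set(spec["depends_on"])) for name, spec in systems.items()}
    dependents = defaultdict(list)
    for name, spec in systems.items():
        for dep in set(spec["depends_on"]):
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
            dependents[dep].append(name)

    def priority(name):
        return (systems[name]["tier"], name)

    ready = sorted((n for n, k in indegree.items() if k == 0), key=priority)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
        ready.sort(key=priority)
    if len(order) != len(systems):
        raise ValueError("dependency cycle in inventory")
    return order


def build_plan(systems, snapshots, compromise_time):
    """Ordered list of restore/rebuild actions with the chosen snapshot id."""
    plan = []
    for name in restore_order(systems):
        snap = last_clean_snapshot(snapshots, name, compromise_time)
        action = "rebuild" if snap is None else "restore"
        plan.append({"system": name, "action": action, "snapshot": snap["id"] if snap else None})
    return plan


if __name__ == "__main__":
    for step in build_plan(SYSTEMS, SNAPSHOTS, COMPROMISE_TIME):
        print(step)
```

Two rules carry the weight here. A snapshot taken after the cutoff is never used even though it hashes correctly (A2 is rejected), because a backup taken during dwell time can restore the attacker's persistence along with the data. And a snapshot that fails verification is skipped in favour of an older one (F2 falls back to F1), which is the situation the backup-integrity check during containment is meant to expose early. The order that comes out puts the directory first, then the systems that depend on it, with business tier breaking ties.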

After Recovery: The Work That Matters

The period after a ransomware incident is the most important window for improving your posture - because the organization's willingness to invest in prevention is at its peak. The post-incident work includes a root cause analysis of the initial access vector, a review of detection gaps (why wasn't this caught earlier), and a prioritized remediation plan addressing the vulnerabilities that made the attack possible.

Organizations that skip this work get hit again. The groups operating ransomware campaigns are organized, persistent, and will return to a target that was previously viable.

SummitCore helps organizations prepare for ransomware scenarios before they occur - with proper backup architecture, network segmentation, EDR deployment, and incident response planning. Talk to us before you need to.

Have a Technology Question We Haven't Covered?

Our team is available for a straightforward conversation about your IT environment, security posture, or upcoming projects - no pitch, no pressure.