WhySoGeek.

Ransomware Just Hit: Your First-Hour Response Plan

The first hour of a ransomware attack decides everything. Here is exactly what to isolate, who to call, and what not to do, a practical 2026 response plan.

Sam Carter 8 min read

You see the ransom note on a screen, or files turning into gibberish with strange extensions. Panic is the natural response, and the wrong one. The first hour of a ransomware incident is the most important hour, because what you do in those minutes determines how much spreads, how much you can recover, and whether you keep the evidence you will need.

Quick answer

In the first hour of a ransomware attack, isolate before you investigate: disconnect affected machines from the network (pull Ethernet and disable Wi-Fi) rather than powering them off, which destroys in-memory evidence. Do not delete the ransom note or encrypted files, do not pay or contact the attacker on impulse, and report fast to CISA and the FBI (IC3), plus your cyber-insurance carrier within their deadline. Recover only from offline, known-clean backups after you are sure the attacker no longer has access.

Key takeaways

  • Isolate first, investigate second. Disconnecting affected systems from the network is the single highest-leverage action to stop the spread.
  • Do not power off immediately if you can isolate instead; powering down can destroy forensic evidence in memory. Unplug the network, not necessarily the machine.
  • Do not pay or contact the attacker on impulse, and do not delete the ransom note; it is evidence.
  • Report fast. Notify CISA and the FBI (IC3), and your cyber-insurance carrier within their deadline, which is often the first hour.
  • Recover from known-clean, offline backups, and only after you are sure the attacker is out.

The first hour at a glance

Print this and keep it offline. When the screens are locked, this is the order to work in:

Time              | Action                                             | Why it matters
Minute 1          | Disconnect affected systems from the network       | Stops the spread without destroying evidence
Minutes 1 to 5    | Preserve the ransom note, files, and logs          | They are evidence and may aid decryption or attribution
Minutes 5 to 15   | Name a decision-maker, open an out-of-band channel | Email and chat may be compromised; someone must own the response
Minutes 15 to 60  | Report to CISA, FBI (IC3), and your insurer        | Unlocks help and meets tight notification deadlines
After containment | Restore from offline, known-clean backups          | Recovering too early re-encrypts clean systems

Minute one: isolate the spread

Ransomware's damage scales with how many systems it reaches. Your first move is containment.

    1. Disconnect the affected device from the network. Unplug the Ethernet cable and turn off Wi-Fi. If multiple machines are hit, take the network offline at the switch or pull the internet connection entirely.

    2. Do not delete anything, not the ransom note, not encrypted files, not logs. They are evidence and may aid decryption or attribution.

    3. Prefer isolation over a hard shutdown. Pulling network access stops the spread while preserving volatile evidence in memory. Only power down if you cannot otherwise contain it.

    4. Identify scope quickly. Note which systems show encryption or the ransom note, and which shared drives or backups they could reach.

Warning

Resist the urge to immediately power everything off. A clean shutdown can wipe in-memory evidence, including, occasionally, encryption keys, that responders could use. Disconnect from the network first; that stops the spread without destroying the evidence.

Minute five to fifteen: activate and communicate

The moment ransomware is suspected, not confirmed, start your response, even if you are a team of one.

  • Name a decision-maker. Someone has to own the response and make the calls. In a small business, that is the owner or IT lead.
  • Open an out-of-band channel. Email and chat may be compromised. Coordinate by phone or a separate, trusted app.
  • Notify the people who need to know: leadership, IT, and legal if you have it.
  • Start a timeline. Write down what you saw and when. This log matters for insurance, reporting, and recovery.
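Two of the steps above, identifying the scope (step 4 of the isolation list) and starting the timeline, lend themselves to a small read-only tool. This is an added example, not code from the article: it inventories likely ransom notes and encrypted-looking files under a share without modifying them, hashes each for the evidence record, and appends hash-chained UTC entries to a timeline file. The note-name hints, the entropy threshold and the extension list are assumptions; write the timeline to a separate trusted device, not the affected host.

```python
import hashlib, json, math, os, time
from collections import Counter
from pathlib import Path

# Filename fragments that ransom notes often carry (assumed hints, not from the article).
NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to", "how-to")
# Extensions that are normal on the share; anything else with random-looking content is suspect.
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".log", ".json"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data sits near 8.0, plain text well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: evidence is hashed, never modified
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root: str) -> dict:
    """Read-only inventory of suspected ransom notes and encrypted-looking files under root."""
    notes, encrypted = [], []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() in (".txt", ".html", ".hta") and any(h in p.name.lower() for h in NOTE_HINTS):
            notes.append(str(p))
            continue
        with open(p, "rb") as f:
            head = f.read(4096)
        # Archives and media are also high-entropy; the extension filter trims those false positives.
        if p.suffix.lower() not in COMMON_EXTS and shannon_entropy(head) > 7.5:
            encrypted.append({"path": str(p), "sha256": sha256_file(p)})
    return {"ransom_notes": notes, "encrypted_files": encrypted}

def log_event(timeline: str, event: str, details=None) -> str:
    """Append a UTC-stamped, hash-chained entry to the incident timeline; returns its hash."""
    prev = "0" * 64  # genesis value for the first entry
    if os.path.exists(timeline) and (lines := open(timeline).read().splitlines()):
        prev = json.loads(lines[-1])["hash"]  # chain to the previous entry
    entry = {"utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "event": event, "details": details or {}, "prev": prev}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    with open(timeline, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry["hash"]
```

Any later edit to an entry breaks the chain from that line onward, which is what makes the log usable for the insurer and responders.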

Minute fifteen to sixty: report and engage help

Reporting fast unlocks help and, for businesses, may be legally required.

  • Report to CISA and the FBI. Use CISA's reporting channel and the FBI's Internet Crime Complaint Center (IC3) or your local field office. Federal responders can sometimes provide decryptors and threat intelligence, and reporting feeds disruption efforts against the gangs.
  • Call your cyber-insurance carrier immediately. Most policies have tight notification deadlines, sometimes within the first hour, and the carrier will usually bring in an incident-response firm and may guide every step. Acting late can jeopardize coverage.
  • Know your reporting clocks. Newer U.S. rules trend toward 72-hour incident reporting and 24-hour reporting of any ransom payment for covered organizations. The clock starts when you reasonably believe an incident occurred, so do not sit on it.
  • Bring in expertise if you do not have it in-house. Ransomware response is specialized work.

Tip

Do not negotiate or pay on impulse. Payment does not guarantee a working decryptor, may fund sanctioned groups, and is a decision to make with legal counsel, your insurer, and law enforcement, not in the first panicked hour.

Recover the right way

Recovery comes after containment and only once you are confident the attacker no longer has access, otherwise you re-encrypt clean systems.

  • Restore from offline, known-clean backups. This is why the 3-2-1-1-0 backup strategy matters: an offline, immutable copy is what gets you back without paying. If you have not hardened your backups, our guide on protecting backups from ransomware like Akira covers it.
  • Rebuild rather than trust. Wipe and reimage compromised machines instead of assuming they are clean.
  • Find the entry point before reconnecting. Ransomware often starts with a phished credential, an infostealer log, or an exposed service. Many intrusions begin with stolen browser sessions; see our guide on infostealers and session-cookie theft.
  • Reset credentials and rotate secrets, and enable phishing-resistant MFA via passkeys before bringing accounts back online.

Frequently asked questions

Should I turn off the infected computer immediately?

Disconnect it from the network immediately, but avoid a hard power-off if you can isolate it instead. Powering down can destroy useful forensic evidence held in memory. Pull the network cable and disable Wi-Fi first; only shut down if isolation is not possible.

Should I pay the ransom?

Not as a reflex. Paying does not guarantee a working decryptor, may violate sanctions, and funds further attacks. CISA and the FBI discourage payment. If it is even considered, it should be a deliberate decision made with law enforcement, legal counsel, and your insurer, never in the first hour.

Who do I report ransomware to?

Report to CISA and to the FBI through IC3 (ic3.gov) or your local field office. Businesses should also notify their cyber-insurance carrier immediately and check any legal reporting obligations, which can be as tight as 72 hours for the incident and 24 hours for a payment.

How do I recover without paying?

Restore from offline, known-clean backups after you have removed the attacker and rebuilt compromised systems. This is only possible if you maintained immutable, offline backups beforehand, which is the strongest reason to set them up before you ever need them.

The bottom line

A ransomware hit feels like chaos, but the right first hour is methodical: isolate the network to stop the spread, preserve evidence rather than destroying it, activate a decision-maker on an out-of-band channel, and report to CISA, the FBI, and your insurer fast. Then, and only then, recover from clean offline backups and close the hole that let them in. Print this plan and keep it somewhere offline, because the moment you need it, your screens may be the last place you can read it.

