Ransomware Response Plan: The First 24 Hours That Define Your Next 5 Years


What Is Ransomware and Why You Can’t Afford to Ignore It

Ransomware is a form of cyberattack that locks or encrypts your data and demands a payment for its release. The NCSC’s ransomware guidance describes it as one of the fastest-growing threats facing UK organisations, and for small and mid-sized businesses the impact can be devastating.

Every hour lost increases recovery costs, legal exposure, and reputational damage. But the most critical window is the first 24 hours. What your business does in that period will shape its recovery, and its reputation, for years to come.

Hour 0–2: Identify – Spot It Fast

The earlier you recognise an attack, the less damage it can do.

Watch for:

  • Files or systems suddenly locked or renamed.
  • Staff reports of unusual pop-ups, missing files, or error messages.
  • Alerts from antivirus or endpoint security tools.

Act immediately:

  • Log everything. Follow the NCSC’s incident management steps so that you capture every key detail (times, symptoms, and affected systems) in a way that supports later investigation and recovery.
  • Avoid communicating about the attack via email or shared drives; use secure channels such as phone or encrypted chat.
  • Preserve evidence: don’t delete suspicious files or power off systems unless advised by your IT or response partner.

Hour 2–6: Contain – Stop the Spread

The goal now is to isolate, not panic.

  • Disconnect infected devices from the network and disable Wi-Fi if needed.
  • Segment unaffected systems to keep operations running where possible.
  • Suspend file sharing and cloud syncs until you confirm they’re clean.
  • Alert your IT partner or managed service provider immediately.

Containment is about limiting lateral movement: stopping the attack from spreading to backups, shared folders, or cloud storage.

Hour 6–12: Eradicate – Eliminate the Threat

Once the attack is contained, it’s time to remove it safely.

  • Involve experts early. Engage your IT support or a certified cyber response specialist.
  • Secure system logs and disk images for forensic analysis; they’ll be critical for insurance and regulatory reporting.
  • Do not negotiate or pay the ransom without legal or insurance advice. Payment offers no guarantee of data recovery and may breach compliance rules.

If you have cyber insurance, this is also the point to notify your insurer and follow their incident response procedures.

Hour 12–18: Recover – Get Back Online Safely

Recovery is about restoring confidence as much as systems.

  • Restore from clean, verified backups only, never from unknown sources.
  • Rebuild affected machines in a quarantined environment, then test them thoroughly.
  • Apply security patches and updates across all devices and servers.
  • Increase monitoring and alerting to spot any residual signs of compromise.

Resist the urge to rush. A staged recovery is faster, and safer, than cutting corners.
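As an added illustration of the “files suddenly renamed” indicator from the Identify phase and of the increased monitoring the Recover phase calls for, the following Python script (written for this page, not CYAN’s or the NCSC’s code) flags any host/user that renames many files to a new extension within a short window. The key=value log format, hostnames, user names and thresholds are constructed assumptions; real file-server or endpoint audit formats will differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit lines in a hypothetical key=value format (not a real product's log).
SAMPLE_LOG = """\
2024-05-01T09:14:02 host=FS01 user=alice op=rename src=docs/Q3-report.docx dst=docs/Q3-report.docx.locked
2024-05-01T09:14:03 host=FS01 user=alice op=rename src=docs/budget.xlsx dst=docs/budget.xlsx.locked
2024-05-01T09:14:03 host=FS01 user=alice op=rename src=docs/payroll.csv dst=docs/payroll.csv.locked
2024-05-01T09:14:04 host=FS01 user=alice op=rename src=hr/contracts.pdf dst=hr/contracts.pdf.locked
2024-05-01T09:14:05 host=FS01 user=alice op=rename src=hr/policy.docx dst=hr/policy.docx.locked
2024-05-01T09:14:07 host=FS01 user=alice op=rename src=sales/leads.xlsx dst=sales/leads.xlsx.locked
2024-05-01T09:16:30 host=FS01 user=carol op=rename src=notes/old.doc dst=notes/old.docx
2024-05-01T09:20:10 host=FS01 user=bob op=rename src=draft.txt dst=final.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"op=(?P<op>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def extension(path):
    """Lower-cased extension of the final path component, '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_rename_bursts(log_text, threshold=5, window_seconds=60):
    """Flag any host/user that renames >= threshold files to a new extension
    within window_seconds. Returns one alert dict per flagged host/user."""
    recent = defaultdict(deque)   # (host, user) -> deque of (timestamp, new_ext)
    alerts, already_flagged = [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue              # malformed line: skip rather than crash mid-incident
        ev = m.groupdict()
        if ev["op"] != "rename" or extension(ev["src"]) == extension(ev["dst"]):
            continue              # ordinary renames keep their extension
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append((ts, extension(ev["dst"])))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # drop events that fell outside the sliding window
        if len(q) >= threshold and key not in already_flagged:
            already_flagged.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "first_seen": q[0][0].isoformat(), "renames": len(q),
                           "new_extensions": sorted({e for _, e in q})})
    return alerts
```

On the sample data only alice’s burst of six renames to .locked is flagged; carol’s single .doc to .docx rename and bob’s same-extension rename are ignored, which is the distinction a tuned alert needs to avoid paging on normal activity.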

Hour 18–22: Communicate – Keep Control of the Message

How you communicate defines your reputation long after the incident.

  • Appoint a response lead to handle all messaging internally and externally.
  • Use clear, factual language when notifying staff, customers, insurers, and regulators.
  • Avoid speculation; only share confirmed facts.
  • Prepare a short holding statement in case the incident becomes public.
  • Depending on the data affected, you may also need to inform the ICO under personal data breach notification rules. Clear, timely reporting can prevent additional penalties or reputational damage.

Transparency builds trust, but clarity keeps panic at bay. This is where having pre-written templates and contact lists saves precious time.


Hour 22–24: Learn – Strengthen for the Future

The final phase of response is reflection.

Once systems are stable:

  • Conduct a post-incident review to identify what worked and where gaps appeared.
  • Document timelines, decisions, and outcomes.
  • Update your incident response plan, policies, and staff training.
  • Schedule a tabletop exercise to test your revised playbook.

A crisis handled well becomes the foundation for resilience.

The 24-Hour Ransomware Response Checklist

Time       | Phase       | Key Actions                                                         | Outcome
0–2 hrs    | Identify    | Detect abnormal activity, log all details, secure communications.   | Early awareness prevents spread.
2–6 hrs    | Contain     | Disconnect infected systems, isolate network, alert IT partner.     | Stops lateral movement.
6–12 hrs   | Eradicate   | Engage experts, collect logs, avoid paying ransom.                  | Removes active threat safely.
12–18 hrs  | Recover     | Restore clean backups, patch systems, test integrity.               | Systems back online securely.
18–22 hrs  | Communicate | Inform key stakeholders, stay factual, appoint lead.                | Retains trust and credibility.
22–24 hrs  | Learn       | Conduct review, update plans, train staff.                          | Builds resilience for next time.

Calm in Crisis: Why CYAN’s Approach Works

Ransomware doesn’t discriminate, but preparation makes the difference between a bad day and a lost year.

CYAN helps growing businesses build structured response plans that prioritise calm decision-making, technical containment, and clear communication.

Our role isn’t just to fix, it’s to guide and support. We translate technical chaos into practical steps, so you can protect your people, data, and reputation.

Ready to Build Your Own Ransomware Response Plan?

Get in touch