The first 72 hours of a ransomware incident set the trajectory of the entire recovery. Companies that act with discipline in the first 24 hours typically recover in weeks. Companies that act in panic recover in months — if at all.

Hour 0–4: Containment

Isolate, do not power off. Powering off destroys volatile forensic evidence; isolating the affected systems from the network preserves it.

Activate the incident response plan. If the plan lives in a SharePoint that the encrypted environment hosts, that is a different problem.

Engage external incident response counsel before talking to anyone outside the response team. Privilege matters.

Notify executive leadership and legal. Do not notify employees yet.

Hour 4–24: Scoping

Determine the entry vector: phishing, exposed RDP, a vulnerable VPN, or a compromised supply chain.

Determine the blast radius. Which systems are encrypted, which are at risk, which are clean.

Determine the data exfiltration position. Modern ransomware exfiltrates before encrypting — assume data left the building until proven otherwise.
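A worked example of the exfiltration scoping step, added here and not part of the original piece: given egress (proxy or firewall) records and the time the first encrypted file appeared, it aggregates outbound volume per host in the 72 hours before encryption and flags large transfers to destinations that host had never contacted in the baseline period. The log format, host names, destinations, byte counts and onset time are all constructed for illustration; a real proxy, firewall or NetFlow export needs its own parser, but the scoping logic is the same.

```python
"""Egress-log triage for the exfiltration scoping step.

Added example for this article; it is not code from the original piece.
The log format (ISO timestamp, source host, destination, bytes out), the
host names, destinations, byte counts and the encryption-onset time are
all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress records. Lines before 2024-02-28 form the
# "normal" baseline; lines after it fall inside the 72h pre-encryption
# window being scoped.
SAMPLE_EGRESS_LOG = """\
2024-02-10T09:00:00 fs01 updates.example-vendor.test 40960
2024-02-15T09:30:00 ws17 cdn.example-corp.test 8192000
2024-02-20T11:00:00 db02 backup.example-corp.test 5368709120
2024-03-01T01:12:00 fs01 updates.example-vendor.test 734003200
2024-03-01T01:40:00 fs01 storage.unseen-bucket.test 734003200
2024-03-01T02:05:00 fs01 storage.unseen-bucket.test 912261120
2024-03-01T02:30:00 ws17 mail.unseen-relay.test 512000
2024-03-01T03:10:00 db02 transfer.unseen-host.test 2147483648
"""

# Constructed: time the first encrypted file / ransom note appeared.
ENCRYPTION_ONSET = datetime.fromisoformat("2024-03-02T04:00:00")


def parse_egress_log(text):
    """Parse whitespace-separated egress lines into (ts, src, dst, bytes_out)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def scope_exfiltration(records, onset, lookback_hours=72, min_bytes=100 * 1024 * 1024):
    """Return {src: {dst: bytes_out}} for candidate exfiltration flows.

    A flow is a candidate when, inside the lookback window before encryption
    onset, a host sent at least `min_bytes` to a destination it had never
    talked to in the baseline period before that window. Known destinations
    are excluded even when the volume is large, so the analyst can review
    them separately against expected transfers (patching, backups, mail).
    """
    window_start = onset - timedelta(hours=lookback_hours)

    # Baseline: every (src, dst) pair seen before the window opened.
    baseline = {(src, dst) for ts, src, dst, _ in records if ts < window_start}

    # Aggregate bytes per (src, dst) inside the window.
    in_window = defaultdict(int)
    for ts, src, dst, nbytes in records:
        if window_start <= ts < onset:
            in_window[(src, dst)] += nbytes

    candidates = defaultdict(dict)
    for (src, dst), total in in_window.items():
        if (src, dst) not in baseline and total >= min_bytes:
            candidates[src][dst] = total
    return dict(candidates)


def summarize(candidates):
    """Human-readable lines for the scoping report, largest flows first."""
    lines = []
    for src, flows in sorted(candidates.items()):
        for dst, total in sorted(flows.items(), key=lambda kv: -kv[1]):
            lines.append(f"{src} -> {dst}: {total / 2**30:.2f} GiB to a never-before-seen destination")
    return lines


if __name__ == "__main__":
    found = scope_exfiltration(parse_egress_log(SAMPLE_EGRESS_LOG), ENCRYPTION_ONSET)
    for line in summarize(found):
        print(line)
    # An empty result is not proof that nothing left: it only means the
    # logs that were retained show no new large destination in the window.
```

On the constructed data, fs01's large transfer to its usual update host is excluded because the pair appears in the baseline, ws17's new relay is below the size floor, and two flows are flagged for review. An empty result says only that the retained logs show nothing, which is why the default position above is to assume data left until proven otherwise.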

Begin parallel work streams: recovery from backups, negotiation posture, regulatory notification timing, comms strategy.

Hour 24–72: Decisions

Pay or not pay. This is a business decision, not a technical decision. Make it with full information.

Public disclosure. Get ahead of the news cycle if possible.

Customer and regulator notification. Timelines are jurisdiction-specific and often shorter than people expect.

Begin recovery from clean backups in a new, isolated environment. Do not restore into the contaminated network.
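An added example that serves two steps above, scoping which shares are encrypted and checking a restored backup set before it enters the clean environment; it is not code from the original piece. It combines two signals: a file whose extension implies a known header but whose leading bytes no longer match it has almost certainly been overwritten in place, and a file with an unknown extension whose bytes sit near 8 bits of entropy per byte looks like cipher output rather than a document. File names and contents are constructed, with seeded random bytes standing in for ransomware output.

```python
"""Entropy and header triage: which files on a share, or in a restored
backup set, look encrypted?

Added example for this article, not code from the original piece. The
file names and contents are constructed byte strings; on a real share you
would walk the filesystem and feed each file's path and bytes to
`classify_file`.
"""
import math
import random
import zlib
from collections import Counter

# Expected leading bytes for extensions whose normal contents are already
# high-entropy, so entropy alone cannot tell them from encrypted data.
EXPECTED_MAGIC = {
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "zip": b"PK\x03\x04",
    "gz": b"\x1f\x8b", "jpg": b"\xff\xd8\xff", "png": b"\x89PNG",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; random or well-encrypted data sits near 8.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, data):
    """Classify one file's bytes.

    Returns 'intact' when the extension has a known header and it is present,
    'header-mismatch' when that header is missing (a strong sign the content
    was overwritten in place), and otherwise 'likely-encrypted' or 'plaintext'
    on entropy alone. Intermittent encryption can leave a header intact, so
    'intact' means "not obviously encrypted", not "clean".
    """
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    magic = EXPECTED_MAGIC.get(ext)
    if magic is not None:
        return "intact" if data.startswith(magic) else "header-mismatch"
    return "likely-encrypted" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "plaintext"


def triage_share(files):
    """Summarise a list of (path, data) as {share: {'files': n, 'flagged': k}}.

    The share is the first path component. A file counts as flagged when it is
    'header-mismatch' or 'likely-encrypted'.
    """
    summary = {}
    for path, data in files:
        share = path.split("/", 1)[0]
        entry = summary.setdefault(share, {"files": 0, "flagged": 0})
        entry["files"] += 1
        if classify_file(path, data) in ("header-mismatch", "likely-encrypted"):
            entry["flagged"] += 1
    return summary


# Constructed sample "files". Seeded random bytes stand in for ransomware
# output; the zip-style document carries a real PK header over compressed data.
_rng = random.Random(20240302)
SAMPLE_FILES = [
    ("finance/notes.txt", b"Quarterly numbers reviewed with audit on Tuesday.\n" * 20),
    ("finance/report.docx", b"PK\x03\x04" + zlib.compress(b"word/document.xml " * 50)),
    ("finance/budget.xlsx", _rng.randbytes(4096)),        # header gone: overwritten in place
    ("finance/plan.docx.locked", _rng.randbytes(4096)),   # renamed, unknown extension
    ("backup-restore/db02-full.sql", b"INSERT INTO invoices VALUES (1, 'ACME', 120.00);\n" * 40),
    ("backup-restore/db02-full.sql.bak", _rng.randbytes(4096)),
]

if __name__ == "__main__":
    for path, data in SAMPLE_FILES:
        print(f"{path:35} {shannon_entropy(data):4.2f} bits/byte  {classify_file(path, data)}")
    print(triage_share(SAMPLE_FILES))
```

Compressed formats (zip-based Office documents, images, archives) are high-entropy by nature, which is why the header check runs before the entropy check. A restored set with flagged files has not been proven clean and should not be promoted into the new environment.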

After 72 hours

The lessons-learned review must be honest. The board will want a narrative; the security function needs the truth.

Architectural changes are now possible that were impossible last week. Use the moment.


This piece is part of the Cylentrix Research Office series. For the deeper reference architecture and engagement model behind it, request a confidential briefing.