Incident response
The 2026 Ransomware Response Playbook: The First 60 Minutes
What you do in the first hour decides whether ransomware is a story you tell or a story that ends you. Here's the exact sequence our incident commanders run when the call comes in.

Ransomware is no longer a smash-and-grab. Modern crews — Akira, BlackSuit, Hunters International, RansomHub — dwell for weeks before detonation, exfiltrating data first and encrypting last. By the time you see the ransom note, the attacker has already won the leverage war. Speed and discipline in the first 60 minutes are what limit the damage.
This is the sequence our on-call incident commanders run when a client calls. It assumes you already have an incident-response plan, cyber insurance, and a SOC of some kind. If you don't, the answer to 'what do we do first?' is different and starts with calling outside help.
Minute 0–5: Confirm and isolate
1. Confirm it's actually ransomware. Verify the file extension, ransom note, and at least one independent indicator (EDR alert, backup failure, user report). Don't trigger an incident on a single anomaly.
2. Identify patient zero, or as close as you can get. Note the first host, the first identity affected, and the first timestamp.
3. Isolate by pulling network cables or disabling switch ports. Do NOT power off — memory contains decryption keys, attacker tooling, and process telemetry you'll need.
4. If endpoints are cloud-managed, push an EDR-level network isolation command instead of physical disconnection.
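As an added illustration (not the playbook's or Cybrvault's own tooling), the confirmation rule and patient-zero selection above, run over a few constructed indicator events; the event fields and indicator names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Indicator classes the playbook names. Encryption artifacts alone can be a false
# positive (a renaming script, a user test); corroboration must come from a
# different observation channel. Names are assumed, not a product's schema.
ARTIFACTS = {"file_extension", "ransom_note"}
CORROBORATING = {"edr_alert", "backup_failure", "user_report"}


@dataclass(frozen=True)
class Indicator:
    source: str       # one of ARTIFACTS | CORROBORATING
    host: str
    identity: str     # account observed on the host at the time
    seen_at: datetime


def confirm_ransomware(indicators):
    """Declare an incident only when an encryption artifact is corroborated by an
    independent channel. One anomaly, or several from one channel, is not enough."""
    sources = {i.source for i in indicators}
    return bool(sources & ARTIFACTS) and bool(sources & CORROBORATING)


def patient_zero(indicators):
    """Earliest indicator by timestamp: first host, first identity, first time."""
    if not indicators:
        return None
    first = min(indicators, key=lambda i: i.seen_at)
    return {"host": first.host, "identity": first.identity, "first_seen": first.seen_at}


def isolation_order(indicators):
    """Hosts ordered by first sighting, so isolation starts where the attacker did."""
    first_seen = {}
    for i in indicators:
        first_seen[i.host] = min(first_seen.get(i.host, i.seen_at), i.seen_at)
    return sorted(first_seen, key=first_seen.get)


def at(hour, minute):
    return datetime(2026, 3, 12, hour, minute)


# Constructed sample telemetry (not from any real incident).
SINGLE_ANOMALY = [Indicator("file_extension", "FS01", "svc_backup", at(2, 10))]
CONFIRMED = [
    Indicator("edr_alert", "WS-0412", "jdoe", at(1, 52)),
    Indicator("file_extension", "FS01", "svc_backup", at(2, 10)),
    Indicator("ransom_note", "FS01", "svc_backup", at(2, 11)),
    Indicator("backup_failure", "BK01", "svc_backup", at(2, 30)),
]
```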
Minute 5–20: Activate the incident commander
Open the bridge line. Page the incident commander, the SOC lead, the IT operations lead, and a member of executive leadership with authority to make business-impact decisions (close the office, pause shipments, halt wires). Brief legal counsel — privilege protects the entire investigation, and any external statement made before counsel is in the loop is a future discovery problem.
Who's on the bridge
- Incident commander (single owner of the response)
- SOC / EDR engineer (technical containment lead)
- Identity engineer (AD, IdP, MFA actions)
- IT operations lead (network, backup, infra changes)
- Legal counsel (privilege, regulatory clock, comms approval)
- Executive sponsor (business-impact decisions)
- Comms lead (internal notifications, drafting only — no external statements yet)
Minute 20–40: Contain laterally
Containment is about denying the attacker movement and persistence. The exact steps depend on your environment; the principles don't.
1. Disable the compromised identity (or identities). Force sign-out across all sessions.
2. Rotate the Active Directory krbtgt account TWICE — once now, once after a replication cycle. A single rotation does not invalidate golden-ticket attacks.
3. Block known C2 domains and IPs at egress. Most modern crews use a small set of bulletproof hosts; your EDR or threat-intel feed has the list.
4. Snapshot affected systems for forensics. Preserve EDR telemetry — most platforms have rolling retention, and the data you need is the data that's about to roll off.
5. Disable lateral protocols where possible: RDP, SMBv1, WinRM, PsExec. Yes, it will break things. That's the point.
6. Sever the link between production and backup networks. The first thing modern ransomware does is encrypt or delete backups.
Minute 40–60: Notify
1. Cyber-insurance carrier first. Most policies require notification within hours and condition coverage on using their approved IR firm. Calling them late is how organizations lose coverage they paid for.
2. Law enforcement: FBI IC3 and the local FBI field office; CISA via the 24/7 hotline if you're critical infrastructure.
3. Regulatory clock: HIPAA breach notification (60 days), SEC Item 1.05 8-K (4 business days for material incidents at public companies), state breach laws (varies — California is 72 hours for some categories).
4. Internal notification: keep it to facts and operational guidance. 'Do not use email until further notice' is appropriate; 'we've been hacked by [group]' is not.
5. Customers and partners: only after legal approves the wording. Premature attribution and inaccurate scope are how reputational damage compounds.
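An added example, not from the playbook or Cybrvault's tooling: a small deadline clock that applies the three regulatory clocks in step 3 to a constructed discovery time. The state clock is a parameter because the page says it varies, public holidays are not modelled, and whether an obligation applies at all is the determination counsel makes, not the code.

```python
from datetime import datetime, timedelta


def add_business_days(start, days):
    """Advance by Monday-to-Friday business days. Public holidays are not
    modelled (an assumption; a real clock would load the relevant calendar)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # 0..4 = Mon..Fri
            days -= 1
    return current


def notification_deadlines(discovered_at, materiality_determined_at=None,
                           phi_involved=False, public_company=False,
                           shortest_state_hours=72):
    """Deadlines keyed by obligation. Clocks start where the playbook puts them:
    discovery for HIPAA and state law, the materiality determination for the 8-K."""
    deadlines = {}
    if phi_involved:
        deadlines["HIPAA breach notification (60 days)"] = discovered_at + timedelta(days=60)
    if public_company and materiality_determined_at is not None:
        deadlines["SEC Item 1.05 Form 8-K (4 business days)"] = add_business_days(
            materiality_determined_at, 4)
    # Shortest state clock the page mentions; the hours are a parameter, not a ruling.
    deadlines["Shortest applicable state clock"] = (
        discovered_at + timedelta(hours=shortest_state_hours))
    return deadlines


def next_due(deadlines):
    """The obligation the bridge should be watching first."""
    name = min(deadlines, key=deadlines.get)
    return name, deadlines[name]


# Constructed timeline: discovery on Thursday 2026-03-12 at 10:00,
# materiality determined the same day.
DISCOVERED = datetime(2026, 3, 12, 10, 0)
SAMPLE = notification_deadlines(DISCOVERED, materiality_determined_at=DISCOVERED,
                                phi_involved=True, public_company=True)

if __name__ == "__main__":
    for name, due in sorted(SAMPLE.items(), key=lambda kv: kv[1]):
        print(f"{due:%Y-%m-%d %H:%M}  {name}")
```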
What NOT to do in the first hour
- Do not pay the ransom yet. Payment is a strategic decision that comes after eradication is confirmed and recovery options are evaluated. It also has OFAC implications — paying a sanctioned entity is a federal crime.
- Do not reimage affected hosts yet. You destroy the forensic evidence needed to know whether the attacker still has access.
- Do not restore from backup yet. Restoring into a compromised environment just feeds the attacker fresh data to encrypt.
- Do not post on social media or status pages without counsel review. 'We are experiencing technical difficulties' is the right starting point.
- Do not let well-meaning IT staff 'clean it up.' Heroics in the first hour erase the timeline you'll spend the next month reconstructing.
What good preparation looks like
The teams that handle the first 60 minutes well are the ones who have rehearsed them. Specifically:
- An IR plan with named roles, a contact tree, and a printed copy in a physical binder (your wiki may be unavailable).
- Cyber insurance with a known IR firm and pre-approved hourly rates.
- Immutable, offline backups tested with a real restore in the last 90 days.
- Tabletop exercises run quarterly with executives, not just IT.
- An EDR platform with rolling telemetry retention of at least 30 days.
- A relationship with outside counsel and an IR firm established before you need them.
Where Cybrvault fits
We run 24/7 incident response for clients on retainer and respond to non-client emergencies on a best-effort basis. If you're reading this during an active incident, call the number on our contact page first and read the rest later. If you're reading it because you want to be ready, the next step is a tabletop exercise — the cheapest insurance you'll ever buy.
Questions teams ask us
Should I pay the ransomware demand?
Not as a first move. Payment is a last-resort decision made jointly with counsel, your insurance carrier, and an IR firm — after eradication is confirmed, recovery options are evaluated, and OFAC sanctions screening is complete. Paying a sanctioned threat actor is a federal crime.
How long does ransomware recovery actually take?
Median recovery to operational baseline is 21–24 days based on industry incident-response data for 2025. Full recovery including hardening, forensic close-out and regulatory reporting typically takes 60–90 days.
Do I have to notify customers after a ransomware attack?
It depends on what data was accessed or exfiltrated and which regulations apply (HIPAA, GDPR, state breach laws, SEC for public companies, sector regulators). Counsel makes the call after the forensics team scopes the exposure.
Can I just restore from backup and move on?
Only after eradication is verified. Restoring into an environment where the attacker still has access — through a backdoor, a service account, or unmodified vulnerable infrastructure — gives them a fresh target. Verify, then restore.