How to Structure Your First 24 Hours in a Ransomware Attack
The first 24 hours of a ransomware attack are decisive. The way your team responds will set the tone for containment, negotiation, and recovery. In this period, clarity and structure matter more than speed alone.
Below is a practical timeline for the first day of an attack, designed to keep teams aligned and focused on the right priorities.
Hour 0–1: Incident Starts
The first step is mobilization. As soon as ransomware is detected, assigned teams should come together to establish scope and confirm the immediate risks.
Key actions include:
- Conducting an onboarding call to align everyone in the response team.
- Building a containment strategy to prevent further spread.
- Assessing backups to understand what data may be recoverable.
- Defining the incident scope at a high level.
This stage is about stabilizing the situation and preparing for the work ahead.
Hour 1–4: Preparing to Negotiate
Before contacting the threat actor, the team must be ready. Jumping in too soon risks exposing information or losing leverage.
During this window:
- Identify who you are dealing with and confirm what data they hold.
- Research their reputation and previous behavior in negotiations.
- Confirm roles and responsibilities across finance, leadership, IT, and legal.
- Set up secure internal communication channels.
- Brief leadership on impact and strategy without assigning blame.
This preparation ensures you go into negotiations with a unified position and a clear understanding of your options.
Hour 4–12: First Contact
If negotiation is required, the next phase is about establishing secure communication and verifying the attacker’s claims.
Note: this phase may take longer, depending on whether you assess that engaging with the threat actor is required at all.
Teams should:
- Confirm the communication line is secure.
- Request “proof of life” for stolen or encrypted data.
- Clarify the attacker’s demands but avoid offering a number first.
- Maintain professionalism and never share sensitive internal details.
The goal here is to gather information and buy time, not to rush into a deal.
Hour 12–24+: Consolidating Negotiation and Recovery Efforts
By the end of the first day, aim to establish secure communication channels both internally and externally, while continuing to build a clearer understanding of the ransomware demands. Avoid trying to force or rush a resolution; this process often takes longer and depends heavily on the complexity of the incident.
Critical steps beyond this include:
- Align internally on negotiation parameters with leadership, legal, and finance.
- Search for and validate initial evidence, such as proof of life or decryption samples, before acting.
- Assess recovery readiness, including backup integrity and restoration plans.
- Keep stakeholders informed with clear, consistent updates.
- Capture early insights from communications and technical findings for later review.
This closes the first cycle: stabilizing, negotiating, and laying the groundwork for continued work and negotiation. Negotiation timelines vary widely; rushing to close can damage leverage or trust, so focus on secure, deliberate progress over speed.
Beyond the 24-hour mark: debrief & lessons learned
In some situations you may close the negotiation within 24 hours; in reality, however, it usually takes much longer.
Run a formal Post-Incident Review: timeline, root cause, negotiation transcript analysis, costs, and updates to playbooks and controls. Share IoCs with trusted information-sharing partners (ISAC/MISP) and update your response plans.
Dos and Don’ts
A few simple rules can help avoid costly mistakes:
Do:
- Stay calm and patient throughout.
- Communicate respectfully and professionally at all times.
Don’t:
- Attempt to handle the situation alone.
- Mention the involvement of insurance companies.
Final Thoughts
The first 24 hours of a ransomware incident are not about speed alone. They are about structure, discipline, and teamwork.
By following a clear plan, organizations can reduce chaos, protect leverage in negotiations, and position themselves for a faster recovery.
Ransomware Negotiation Playbook
Download the playbook, which covers more than the first 24 hours, with phases from first response to recovery, practical negotiation tactics, and real-world threat intelligence.
Want Deeper Training?
If you want a structured program that teaches these workflows end-to-end (including a negotiation simulation), our Ransomware: Negotiation & Threat Intelligence course covers the skills above with hands-on labs and simulations.