Ransomware incidents don't wait for convenient timing — Friday afternoon and 2am are disproportionately common because attackers know weekend response times are slower. What separates a bad day from a business-ending event isn't luck; it's whether the groundwork was laid before the attack started. This is the response sequence we run when a client's environment is compromised, and the preparation that determines how it ends.
The first hour: containment before investigation
The instinct to immediately diagnose what happened is understandable and wrong. The first move is isolation — disconnecting affected systems from the network to stop lateral spread, before spending time understanding the full scope. Every minute spent investigating with the network still connected is a minute the encryption process keeps running on additional systems. We isolate first, characterize second.
Don't touch the backups yet — verify first
The next priority is confirming what's actually recoverable, and specifically confirming that the backup copies themselves haven't been compromised. This is the single biggest determinant of how the incident resolves: if backups are immutable and verified clean, recovery is a matter of hours to days. If backups were reachable from the compromised network and got encrypted or deleted along with production, recovery options collapse dramatically — which is exactly why immutable, air-gapped backup architecture is worth the investment before an incident, not during one.
Communication — internal and external
Simultaneous with technical containment, someone needs to be managing communication: what staff can and can't do during the outage, what customers or partners need to know if the incident affects them, and whether legal/compliance obligations require formal notification. This work is often underestimated in incident planning and becomes chaotic if it's improvised in the moment rather than assigned in advance.