
24-Hour Post-Ransomware Checklist

Direct answer

The first 24 hours after ransomware is discovered decide whether recovery is viable. Wrong decisions in the first 6 hours destroy evidence, trigger reinfection and can make decryption infeasible. This time-window checklist is based on real HD Doctor playbooks.

Why the first hours matter so much

In a typical ransomware attack the attacker has been inside the network for 7-30 days before encrypting anything. Visible encryption is the end of the intrusion, not the start. In the first hours after discovery: (1) the attacker still has persistence (accounts, scheduled tasks, remote-access tools) and may react to your response; (2) RAM evidence is lost with every reboot; (3) the regulatory notification clock starts (typically 72h, e.g. GDPR Art. 33; check the regime that applies to you). The 0-6h window is worth more than the following 18h.

Catastrophic mistakes in the first 24h

  1. Powering off servers. Shutting down wipes all RAM evidence. Snapshot or capture memory first, then power off only if necessary.
  2. Negotiating directly with the attacker. Without legal, insurance and technical teams involved, any move is harmful. The attacker may be an OFAC-sanctioned entity, so a payment can itself be a violation.
  3. Restoring from backup immediately. Restoring without identifying persistence reactivates the attacker on the rebuilt hosts. Identify the variant and the initial access vector first.
  4. Connecting offline backups to the infected network. Ransomware propagates over SMB shares and mapped drives; a backup repository reachable from the infected network gets encrypted along with everything else.
  5. Communicating publicly before legal review. A premature leak of information complicates the regulatory notification and creates additional legal liability.

Hour-by-hour timeline

  1. 0-1h: Isolation without shutdown

     Disconnect network cables and Wi-Fi from affected servers and workstations, disable the adapters, or use the EDR's network-containment feature. DO NOT shut down: RAM contains critical forensic evidence (encryption keys, IoCs, active beacons). Engage professional emergency response.

  2. 1-3h: Forensic preservation

     Snapshot live VMs on ESXi/Hyper-V and do not delete them; on ESXi, include the guest memory in the snapshot (the .vmsn file can be converted for memory analysis) so RAM is captured without touching the guest. On physical critical hosts, capture RAM with a tool such as FTK Imager Lite run from removable media so nothing is written to the evidence disk. Copy vCenter, Active Directory (domain controller event logs), firewall and EDR logs before they are rotated or deleted by the attacker.

  3. 3-6h: Variant identification

     Identify the family (LockBit, BlackCat, Akira, Cl0p, Play, Conti) from the ransom note and the appended extension. Check against public decryptor sources (the Operation Cronos LockBit keys, No More Ransom, Avast). The variant defines the rest of the response.

  4. 6-12h: Initial communication

     Alert the DPO, legal and the cyber insurer (check the policy's notification requirements and panel-vendor conditions). Brief the CEO. Begin drafting the regulatory notification (72h deadline). Start technical communication with the affected teams.

  5. 12-24h: Scope mapping and restore plan

     Complete the scope inventory: which hosts are encrypted, which backups are available, which systems are still healthy. Build a restore plan prioritized by business criticality and get executive approval.
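The following is an added example, not HD Doctor's own tooling, covering the 1-3h preservation and 3-6h identification steps: a read-only triage script that tallies file extensions on an encrypted share, collects candidate ransom notes, hashes them into a chain-of-custody manifest, and scores likely families. The FAMILY_INDICATORS table and the sample directory are constructed for illustration; the `collector` string and the manifest layout are assumptions. Confirm any family hit with ID Ransomware or No More Ransom before planning around it.

```python
"""Post-ransomware triage: inventory encrypted files and ransom notes, hash
the notes into an evidence manifest, and rank likely families by indicator."""
import hashlib
import json
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Constructed, illustrative indicator table: (extension regex, note-name regex).
# NOT an authoritative database; confirm hits with ID Ransomware / No More Ransom.
FAMILY_INDICATORS = {
    "LockBit":  (r"^\.lockbit$",      r"^restore-my-files\.txt$"),
    "Akira":    (r"^\.akira$",        r"^akira_readme\.txt$"),
    "BlackCat": (r"^\.[a-z0-9]{7}$",  r"^recover-[a-z0-9]+-files\.txt$"),
    "Play":     (r"^\.play$",         r"^readme\.txt$"),
}
NOTE_HINT = re.compile(r"(readme|recover|restore|decrypt|how_to|help)", re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Read-only walk: tally extensions and collect small note-like files."""
    ext_counts = Counter()
    notes = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if NOTE_HINT.search(p.name) and p.stat().st_size < 64 * 1024:
            notes.append(p)
        else:
            ext_counts[p.suffix.lower()] += 1
    return ext_counts, notes


def identify_family(ext_counts, notes):
    """Score each family: +1 if the dominant extension matches, +1 if a note matches."""
    dominant_ext = ext_counts.most_common(1)[0][0] if ext_counts else ""
    scores = []
    for family, (ext_re, note_re) in FAMILY_INDICATORS.items():
        score = 0
        if re.match(ext_re, dominant_ext):
            score += 1
        if any(re.match(note_re, n.name, re.I) for n in notes):
            score += 1
        if score:
            scores.append((family, score))
    return sorted(scores, key=lambda s: s[1], reverse=True)


def evidence_manifest(root, ext_counts, notes, collector):
    """Chain-of-custody record: who collected what, when, with SHA-256 hashes."""
    entries = []
    for n in notes:
        st = n.stat()
        entries.append({
            "path": str(n.relative_to(root)),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(n),
        })
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,          # assumed field: analyst identity
        "root": str(root),
        "extension_counts": dict(ext_counts),
        "ransom_notes": entries,
    }
    body = json.dumps(manifest, indent=2, sort_keys=True)
    # The manifest's own hash goes into the custody log so later edits are visible.
    return body, hashlib.sha256(body.encode()).hexdigest()


def build_sample_incident():
    """Constructed sample tree standing in for an encrypted file share."""
    root = Path(tempfile.mkdtemp(prefix="ir-sample-"))
    (root / "finance").mkdir()
    for i in range(5):
        (root / "finance" / f"report{i}.xlsx.akira").write_bytes(os.urandom(256))
    (root / "finance" / "akira_readme.txt").write_text("Hi friends, ...")
    (root / "untouched.docx").write_bytes(b"PK\x03\x04 still readable")
    return root


if __name__ == "__main__":
    root = build_sample_incident()
    counts, notes = inventory(root)
    print("candidates:", identify_family(counts, notes))
    body, digest = evidence_manifest(root, counts, notes, "analyst@example")
    print(body)
    print("manifest sha256:", digest)
```

Run it against a mounted copy of the affected share, never against the original disk with write access; the manifest hash is what goes into the custody log, so record it alongside the collector's name and the time.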

FAQ

Can I wait 'just tonight' to engage response?

No. Each hour reduces the chance of recovery. The attacker still has persistence and may keep working while the environment is unattended, encrypting more hosts and deleting backups and shadow copies; modern variants (Akira, BlackCat) are operated by crews that do exactly this. Professional engagement must happen within the first hour after discovery.

Should I notify police?

Yes, in parallel with the technical response. In Brazil: the Federal Police or the state Civil Police cybercrime unit (DEIC), and the ANPD for incidents involving personal data. In the US: the FBI via IC3.gov. Notification does not force an immediate investigation, but it registers the incident.

How long to restore operations?

Ideal scenario (intact immutable backup and limited scope): 3-7 days. Average (AD not deeply compromised, no krbtgt/golden-ticket remediation required): 10-20 days. Critical (AD deeply compromised, full domain rebuild): 30-60 days.

Does cyber insurance pay the ransom?

Increasingly rarely. Many 2024+ policies exclude payments to OFAC-sanctioned entities. Even where payment is covered, it requires the insurer's prior authorization and a technical report.

Do I need to pay ransom to prevent leak?

There is no guarantee. Payment buys a promise from a criminal; documented cases (Maximus, Shell, PwC) had data leaked even after payment. Focus on mitigation and on notifying the affected data subjects.

Under attack right now?

A senior engineer within 6 hours, with a documented chain of custody.
