The first 24 hours after a ransomware attack – what should you do?

A ransomware attack is a nightmare scenario for any organization. It’s disruptive, costly, and often deeply damaging to your reputation. How you respond in the first 24 hours can make all the difference between containment and catastrophe. In those critical moments, fast and informed action is essential. Not just to mitigate harm, but to enable recovery and identify root causes.

Whether you’re facing a live breach or want to prepare your response strategy in advance, here’s what needs to happen in the vital first 24 hours.

Step one: confirm the attack and isolate systems

The moment ransomware is suspected, the priority is to confirm what’s happened. Ransomware doesn’t always announce itself with a dramatic pop-up screen. It may begin quietly, encrypting files and spreading laterally across your network. Early signs might include inaccessible files, failed logins, or unusual outbound traffic.