A Business Playbook for Stabilizing, Communicating, and Recovering
Ransomware is often described as a “cyber incident,” but for businesses, it’s more personal than that. It can halt operations, delay payroll, lock critical files, prevent customer service, and erode stakeholder trust – fast. And while technology matters, the first 72 hours are rarely won by tools alone.
They’re won by clarity: clear roles, clear priorities, and clear communication, especially when information is incomplete.
This guide is designed for business leadership and IT teams who want a practical plan they can actually execute. No panic. No jargon. Just a roadmap for the first three days.
Why the First 72 Hours Matter So Much
In the earliest phase of a ransomware event, you’re fighting two battles at once:
- Stop the spread and stabilize operations, and
- Make high-stakes decisions under uncertainty (restore priorities, communication, legal/insurance coordination, vendor involvement, and continuity of services).
The organizations that struggle most aren’t the ones that “did everything wrong.” They’re the ones that didn’t pre-decide who does what, what gets restored first, and how to communicate without confusion.
Hour 0-8: Stabilize and Protect the Evidence
Primary goal: Contain the incident and prevent it from getting worse.
In the first few hours, it’s tempting to “fix everything.” The better move is to slow down enough to make smart moves.
What to do:
- Confirm the scope: What systems are down? What’s still operational? What’s unclear?
- Isolate impacted systems: Disconnect affected endpoints/servers from the network when appropriate.
- Preserve evidence: Logs, alerts, and system states matter for forensics, insurance, and understanding what happened.
What to avoid:
- Don’t rush to wipe machines without a plan.
- Don’t assume it’s only one system or one department.
- Don’t let a dozen people “lead” at once.
Decision checkpoint: Who is the incident lead, and who is the executive decision-maker? If you can’t answer that immediately, assign it immediately.
Hour 8-24: Communicate Clearly and Set Restore Priorities
Primary goal: Reduce confusion internally and externally while prioritizing recovery.
Communication is part of the response – not an afterthought. The best response teams create a calm, consistent message that prevents rumors and protects ongoing operations.
What to do:
- Establish a simple command structure:
  - Incident lead (coordinates response)
  - Executive decision-maker (authorizes key decisions)
  - Communications lead (staff and stakeholder updates)
  - Technical lead(s) (containment and recovery)
  - Legal/insurance liaison (notifications and requirements)
- Draft two messages early:
  - A staff message: what to do, what not to do, where updates will be posted
  - A stakeholder holding statement: acknowledging disruption (if needed), committing to updates, protecting investigation integrity
- Define restoration priorities: Most organizations benefit from a restore sequence like:
  - Identity and access (accounts, admin control, core authentication)
  - Email and communication
  - Finance/payroll and time-sensitive operations
  - Mission-critical business systems
  - Customer service and client-facing operations
  - Everything else
What to avoid:
- Don’t restore “whatever yells the loudest.” Restore what restores service continuity.
- Don’t communicate half-confirmed details. Communicate what you know + what you’re doing next.
Decision checkpoint: What services must be back within 24 hours to maintain operations and protect stakeholder trust?
Hour 24-72: Recover Safely and Reduce Repeat Risk
Primary goal: Restore services in a way that doesn’t reintroduce the attacker.
This is where organizations can lose time by restoring too quickly without validating backups or securing identities.
What to do:
- Validate backups before mass recovery: Test one restore of a priority system. Confirm integrity before scaling.
- Reset credentials and tighten access: Ransomware often involves stolen credentials. Assume some accounts may be compromised until proven otherwise.
  - Reset privileged accounts first
  - Review admin roles and remove unnecessary access
  - Enforce stronger sign-in controls (especially for administrators)
- Document lessons learned while it’s fresh: Create a 30-day plan that includes the top fixes that would have reduced impact. Make it small and doable.
What to avoid:
- Don’t “return to normal” without hardening. That’s how repeat incidents happen.
- Don’t skip the post-incident review because everyone’s exhausted. The review is the value.
Decision checkpoint: What are the top three changes you can implement in 30 days to reduce the chance of repeat impact?
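The “reset privileged accounts first” and “review admin roles” steps above need a concrete list to work from. The script below is an added example, not part of the original playbook; it assumes an on-premises Active Directory, the RSAT ActiveDirectory module, an account allowed to enumerate group membership, and the built-in group names and CSV path shown (all assumptions).

```powershell
# Added example, not from the original playbook: inventory privileged
# accounts in on-premises Active Directory and stage their password resets,
# so "reset privileged accounts first" works from a concrete list.
# Assumes the RSAT ActiveDirectory module and a reader account with rights
# to enumerate groups; the group list and the CSV path are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

# Enumerate members recursively: nested groups hide a lot of admin access.
$Report = foreach ($Group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $User = Get-ADUser -Identity $_.distinguishedName `
                    -Properties PasswordLastSet, LastLogonDate, Enabled
                [pscustomobject]@{
                    Group           = $Group
                    SamAccountName  = $User.SamAccountName
                    Enabled         = $User.Enabled
                    PasswordLastSet = $User.PasswordLastSet
                    LastLogonDate   = $User.LastLogonDate
                }
            }
    } catch {
        Write-Warning "Could not enumerate '$Group': $($_.Exception.Message)"
    }
}

# Review step: who holds admin rights, and which accounts look stale or unused.
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$Report | Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation

# Reset step: fresh temporary password per enabled privileged user, change
# required at next logon. -WhatIf only previews; remove it to apply.
$Chars = [char[]](33..126)
$Resets = $Report | Where-Object Enabled |
    Select-Object -ExpandProperty SamAccountName -Unique |
    ForEach-Object {
        $Temp = -join ((1..24) | ForEach-Object { $Chars | Get-Random })
        $Secure = ConvertTo-SecureString $Temp -AsPlainText -Force
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword $Secure -WhatIf
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf
        [pscustomobject]@{ SamAccountName = $_; TemporaryPassword = $Temp }
    }
```

$Resets holds each temporary password only so it can be handed to the account owner out of band; run the review output past the business before removing access, since the report also surfaces stale or unnecessary admin memberships worth dropping.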
The Fastest Way to Get Prepared: A 60-Minute Tabletop Exercise
If you do nothing else this month, schedule a one-hour tabletop with leadership + IT + communications.
Use a simple scenario: “It’s Friday at 4:30 PM. Company email is down, and files are encrypted.”
Walk through:
- Who leads? Who decides?
- What do we tell staff? What do we tell clients or stakeholders?
- What gets restored first – and why?
- What do we need from vendors and partners?
- What would slow us down?
Most organizations come out of a tabletop with immediate improvements they can make without a new budget – just better clarity.
Get Started: Baseline Your Security Posture
If you’re not sure where to start, we can help you benchmark your Microsoft environment and turn the results into a practical 90-day action plan. Our approach is built for business realities – clear priorities, measurable progress, and less chaos.
Explore Fortify or request a Security Score Assessment