Ransomware Response: What to Do in the First 60 Minutes

If ransomware is active on your network right now, call 604.229.1994. Isolate affected systems by disconnecting network cables. Do not power off machines. Do not pay the ransom immediately. Preserve all logs. This guide covers the first 60 minutes of ransomware response based on 20 years of incident response experience at Sherlock Forensics.

The Clock Starts When You See the Ransom Note

You open your laptop and files are renamed. Extensions changed to something you do not recognize. A text file or browser window displays a demand: pay in cryptocurrency or your data is gone forever. Maybe your server room dashboard shows systems going offline one by one. Maybe your helpdesk is flooded with calls from employees who cannot access their files.

This is a ransomware attack. What you do in the next 60 minutes determines whether this is a recoverable incident or a business-ending event. We have responded to ransomware attacks across every major industry in Canada for the past 20 years. This is the playbook we give our clients.

Minutes 0-10: Isolate Affected Systems

The first priority is stopping the spread. Ransomware moves laterally through your network, encrypting every system it can reach. Every second a compromised system stays connected is another server, another workstation, another file share encrypted.

Actions:

  • Unplug Ethernet cables from affected systems. Disable WiFi adapters. Physical disconnection is faster and more reliable than software-based isolation.
  • Do NOT power off affected machines. Running systems contain volatile evidence in memory: encryption keys, active network connections, malware processes and indicators of how the attacker gained access. Shutting down destroys this evidence permanently.
  • If you can identify the network segment where encryption is active, isolate that segment at the switch or firewall level to contain the spread without disconnecting your entire network.
  • Disable any compromised service accounts in Active Directory or your identity provider. Do not delete them. Deletion removes audit trails.
  • Disconnect backup systems from the network if they are still clean. Ransomware operators specifically target backups to eliminate your recovery options. Protecting clean backups is critical.

If encryption is spreading rapidly across multiple segments, consider disconnecting your entire network from the internet at the perimeter firewall. This is a drastic step, but it stops command-and-control communication and prevents data exfiltration if the attacker is still active.

Minutes 10-20: Preserve Evidence

With the spread contained, your next priority is preserving evidence before it disappears. Logs rotate. Memory is volatile. The attacker may have set timers to delete their tracks.

Actions:

  • Export all available logs immediately. Priority order: firewall logs, Active Directory authentication logs, VPN logs, endpoint detection logs, email gateway logs and cloud audit trails (AWS CloudTrail, Azure Activity Log, GCP Audit Logs).
  • If your IT team has the capability, capture memory dumps of affected systems using forensic tools like WinPMem (Windows) or LiME (Linux). Memory contains the running ransomware process, encryption keys that may enable decryption and artifacts showing how the attacker moved through your network.
  • Screenshot every ransom note, every unusual process, every error message. Take photos with your phone if you need to. Visual evidence helps identify the ransomware variant and determine whether a public decryption tool exists.
  • Document the current time and which systems are affected. Note which systems were powered on, which were off and which were isolated. This timeline becomes critical during the forensic investigation.
  • Preserve email headers and attachments from the past 72 hours. Ransomware commonly enters through phishing emails and the initial delivery email is key evidence.

Do not attempt to clean, restore or rebuild any systems at this point. Every action you take on an affected system potentially destroys evidence. The forensic investigator needs to examine the systems in their current state.
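One way to make the exported logs, screenshots and memory images tamper-evident while they wait for the investigator, as an added example that is not Sherlock Forensics' tooling: a SHA-256 manifest over the evidence folder, plus a verify step to rerun later. The collector name, incident id and file names below are placeholders.

```python
"""Hash manifest for exported evidence (logs, screenshots, memory images).
Records SHA-256, size and collection time per file so later modification
is detectable. Added example, not Sherlock Forensics tooling."""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file; memory images can be larger than available RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, incident_id: str) -> dict:
    """Record every file under evidence_dir with its hash and size."""
    entries = [{
        "file": str(p.relative_to(evidence_dir)),
        "sha256": sha256_file(p),
        "size_bytes": p.stat().st_size,
    } for p in sorted(evidence_dir.rglob("*")) if p.is_file()]
    return {
        "incident_id": incident_id,      # placeholder value in the demo
        "collector": collector,          # who collected, for chain of custody
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return the files that are missing or whose hash no longer matches."""
    bad = []
    for entry in manifest["entries"]:
        p = evidence_dir / entry["file"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed stand-in for an exported firewall log.
        (evidence / "firewall.log").write_text("constructed sample line\n")
        manifest = build_manifest(evidence, "it-oncall", "INC-EXAMPLE")
        print(json.dumps(manifest, indent=2))
        print("mismatches:", verify_manifest(evidence, manifest))
```

Keep the manifest outside the evidence folder (or on write-once media) and note who holds it; the verify step is what lets the investigator show the exports were not altered after collection.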

Minutes 20-35: Assess the Scope

You need to understand how bad this is. Not with perfect accuracy yet, but enough to make informed decisions about your response.

Determine:

Question                                   | Why It Matters
Which systems are confirmed encrypted?     | Defines the blast radius and recovery scope.
What data was on those systems?            | Determines regulatory notification obligations.
Was data exfiltrated before encryption?    | Double extortion means data theft plus encryption.
Are backups intact and offline?            | Clean backups determine your recovery timeline.
What is the ransomware variant?            | Some variants have known decryption tools available.
How did the attacker gain access?          | Must be answered before any system goes back online.

Modern ransomware operations almost always involve data exfiltration before encryption. The attacker copies your sensitive data to their infrastructure, then encrypts your systems and threatens to publish the stolen data if you do not pay. This is double extortion. Even if you have perfect backups, the data theft creates a separate and equally serious problem.

Check for large outbound data transfers in your firewall logs from the days or weeks before the encryption event. Ransomware operators often spend days or weeks inside a network before deploying the encryption payload. The initial compromise may have occurred long before you noticed.
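The firewall-log check described above, as an added example that is not Sherlock Forensics' tooling: per-host daily outbound totals compared against that host's own median day, so a quiet workstation that suddenly pushes tens of gigabytes stands out. The log lines and the CSV layout (timestamp,src_ip,dst_ip,bytes_out) are constructed; real firewall exports differ, so parse_line is the part to adapt.

```python
"""Flag days where a host's outbound volume far exceeds its own baseline.
Added example, not Sherlock Forensics tooling. Assumes a constructed
CSV export of the form timestamp,src_ip,dst_ip,bytes_out; adjust
parse_line to the real firewall's format."""
from collections import defaultdict
from statistics import median

# Constructed sample: 10.0.1.42 pushes tens of GB at 02:00 on 2024-05-03,
# while 10.0.1.7 stays at its normal few MB per day.
SAMPLE_LOG = """\
2024-05-01T09:12:00Z,10.0.1.42,198.51.100.1,1200000
2024-05-01T15:40:00Z,10.0.1.42,198.51.100.1,900000
2024-05-02T10:05:00Z,10.0.1.42,198.51.100.1,1100000
2024-05-03T02:14:00Z,10.0.1.42,203.0.113.9,48000000000
2024-05-03T02:51:00Z,10.0.1.42,203.0.113.9,31000000000
2024-05-01T11:00:00Z,10.0.1.7,198.51.100.1,2000000
2024-05-02T11:00:00Z,10.0.1.7,198.51.100.1,2200000
2024-05-03T11:00:00Z,10.0.1.7,198.51.100.1,2100000
"""


def parse_line(line):
    ts, src, dst, nbytes = line.strip().split(",")
    return ts[:10], src, dst, int(nbytes)  # date only; totals are per day


def daily_outbound(log_text):
    """{src_ip: {date: bytes_out}} summed over all flows that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            day, src, _dst, nbytes = parse_line(line)
            totals[src][day] += nbytes
    return totals


def flag_exfil_candidates(log_text, ratio=10.0, min_bytes=1_000_000_000):
    """(src_ip, date, bytes) for days at least `ratio` x the host's median
    day AND above `min_bytes`; the floor stops quiet hosts alerting on a
    normal-sized day. Median is robust to the spike being in the window."""
    hits = []
    for src, per_day in daily_outbound(log_text).items():
        baseline = median(per_day.values())
        for day, total in sorted(per_day.items()):
            if total >= min_bytes and total >= ratio * baseline:
                hits.append((src, day, total))
    return hits


if __name__ == "__main__":
    for src, day, total in flag_exfil_candidates(SAMPLE_LOG):
        print(f"{day} {src}: {total / 1e9:.1f} GB outbound, review destinations")
```

Run it over weeks of logs, not hours: the dwell time the text describes means the transfer may sit well before the encryption event, and the destinations on flagged days are what the investigator will want next.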

Minutes 35-45: Contact Your Response Team

This is not something your internal IT team can handle alone. Ransomware response requires forensic expertise, legal guidance and insurance coordination.

Contact these people in this order:

1. Forensic Investigator
Call Sherlock Forensics at 604.229.1994. We determine root cause, scope of compromise, whether data was exfiltrated and whether the attacker still has access. We can begin remote evidence collection within hours. For complex incidents, we deploy on-site anywhere in Canada.
2. Executive Leadership
Brief them on facts only. What happened, what you have done, what you do not yet know. Avoid speculation about who is responsible or how bad it might be. Facts change during an investigation and early speculation creates confusion.
3. Legal Counsel
Your legal team needs to assess notification obligations under PIPEDA and applicable provincial privacy laws. If you handle health information, financial data or data from other jurisdictions, additional notification requirements may apply. Legal counsel should be involved before any external communications.
4. Cyber Insurance Provider
Most cyber insurance policies require notification within 24 to 72 hours of discovery. Some policies require using the insurer's approved forensic and legal vendors. Check your policy terms immediately. Late notification can jeopardize your coverage at the moment you need it most.

Critical: Do not communicate about the ransomware through compromised systems. If the attacker has access to your email, they are reading your incident response communications. Use phone calls, an out-of-band messaging platform (personal cell phones, a new Signal group) or in-person conversations.

Minutes 45-55: Stakeholder Communication

Controlling the narrative is not about spin. It is about accuracy. Premature or inaccurate statements create legal liability, damage customer trust and complicate the investigation.

Internal communication:

  • Brief department heads on operational impact only. They need to know which systems are down and estimated timelines for restoration. They do not need forensic details.
  • Instruct all staff not to discuss the incident on social media, with customers, with media or with anyone outside the organization. One employee posting "we got hacked" on LinkedIn can trigger a news cycle before you have facts.
  • Provide a central point of contact for employee questions. This prevents rumor and conflicting information.

External communication:

  • Do not issue public statements until your legal counsel and forensic investigator have assessed the scope. "We are aware of a cyber incident and are working with security experts to investigate" is sufficient as an initial acknowledgment if pressed.
  • Notify critical business partners and vendors who may be affected or who may have provided an attack vector. This is both a courtesy and a security measure; if the attacker entered through a vendor connection, that vendor may also be compromised.
  • If customers cannot access your services, provide honest status updates without disclosing investigation details. "We are experiencing a service disruption and are working to restore operations" is appropriate.

Minutes 55-60: Regulatory Notification Assessment

Canadian organizations face specific breach notification requirements that start running from the moment you discover the incident.

PIPEDA Requirements:

Under the Personal Information Protection and Electronic Documents Act, organizations must report breaches of security safeguards involving personal information if the breach creates a "real risk of significant harm" to individuals. For ransomware incidents involving personal data, this threshold is almost always met.

You must:

  • Report to the Privacy Commissioner of Canada as soon as feasible after determining that a reportable breach has occurred.
  • Notify affected individuals as soon as feasible after the report to the Commissioner.
  • Notify any other organization or government institution that may be able to reduce the risk of harm.
  • Keep records of every breach of security safeguards for at least two years.

Provincial Requirements:

Alberta's PIPA, British Columbia's PIPA and Quebec's Law 25 each have their own breach notification requirements that may apply depending on where affected individuals reside. Quebec's Law 25 requires notification to the Commission d'accès à l'information du Québec. If your organization operates across provinces, multiple notification obligations may apply simultaneously.

Begin documenting everything now. The regulatory investigation will ask for a timeline, a list of affected individuals, what data was involved and what steps you took to contain the breach. Documentation started in the first hour is far more accurate than documentation reconstructed weeks later.

After the First 60 Minutes: Recovery Priorities

The first hour is about containment and preservation. Everything after that is investigation, remediation and recovery. Those phases take days, weeks or months. But they all depend on getting the first 60 minutes right.

Recovery sequence:

  1. Complete the forensic investigation. Do not begin restoring systems until you know how the attacker got in. If you rebuild without closing the entry point, you will be reinfected.
  2. Validate backup integrity. Before restoring from backups, verify they are clean. Some ransomware operators corrupt backups weeks before deploying the encryption payload.
  3. Rebuild from known-good images. Do not attempt to "clean" encrypted systems. Rebuild them from verified clean images or installations. Cleaning leaves the risk of persistence mechanisms the forensic investigation did not detect.
  4. Restore in priority order. Critical business systems first. Email and communication second. Non-critical systems last. Full restoration may take weeks for complex environments.
  5. Harden before reconnecting. Apply the security improvements identified in the forensic investigation before reconnecting restored systems to the network. Patch the vulnerability that was exploited. Strengthen authentication. Implement network segmentation that was missing.
  6. Monitor aggressively. After restoration, monitor the environment with heightened alerting for at least 90 days. Some ransomware operators return to re-encrypt organizations that restored from backups.

The Payment Question

Every ransomware victim asks: should we pay?

The answer is almost always no, but it is never simple. Here is what 20 years of incident response has taught us:

  • Payment does not guarantee decryption. Some ransomware operators provide broken decryption tools, partial keys or simply disappear after payment.
  • Payment confirms you are a willing payer. Your organization goes on a list. Repeat attacks against organizations that paid are documented and increasing.
  • Payment funds criminal operations. The ransomware ecosystem exists because it is profitable. Every payment enables the next attack on the next victim.
  • Payment may violate sanctions. If the ransomware group is on a sanctions list, payment creates legal liability regardless of the circumstances.

However, if no backups exist, if the encrypted data is irreplaceable and if the organization faces an existential threat without recovery, payment may be considered as a last resort after consulting legal counsel, your forensic investigator and your insurance provider. This is a decision that should never be made in the first 60 minutes.

Prevention Is Cheaper Than Recovery

The average ransomware recovery costs Canadian organizations between $1.5 million and $4.5 million when you account for downtime, forensic investigation, legal fees, notification costs and reputation damage. Prevention costs a fraction of that.

Annual penetration testing identifies the vulnerabilities ransomware operators exploit: unpatched systems, weak remote access controls, misconfigured Active Directory and missing network segmentation. An assessment from Sherlock Forensics finds these gaps before an attacker does.

If you are reading this before an incident, bookmark this page and put it in your incident response plan. If you are reading this during an incident, stop reading and call 604.229.1994.

FAQ

Ransomware Response Questions

Should I pay the ransomware demand?
Payment is generally not recommended. There is no guarantee of decryption, payment funds criminal operations and it marks you as a willing payer for future attacks. Consult your forensic investigator, legal counsel and insurance provider before making any payment decision.

Should I shut down encrypted systems?
Do not shut down unless absolutely necessary. Running systems contain volatile evidence including encryption keys and malware processes. Isolate by disconnecting from the network instead of powering off.

Am I required to report ransomware to Canadian authorities?
Under PIPEDA, breaches involving personal information that pose a real risk of significant harm must be reported to the Privacy Commissioner of Canada and affected individuals. Provincial privacy laws in Alberta, BC and Quebec may impose additional requirements.

How long does ransomware recovery take?
Organizations with tested offline backups can begin restoring critical systems within days. Without clean backups, recovery may take weeks or months. Full environment rebuilding and hardening typically takes 4 to 12 weeks.

How do I prevent ransomware attacks in the future?
Defense in depth: offline backups tested quarterly, EDR on all systems, network segmentation, MFA on all remote access, regular patching, email filtering, user training and a tested incident response plan. Annual penetration testing identifies the gaps attackers exploit.
