Ransomware in Under an Hour — What I’ve Learned About the First 60 Minutes
The first sixty minutes of a ransomware incident define everything that follows.
I’ve responded to ransomware incidents across manufacturing, BFSI, healthcare, and government. I’ve watched teams make decisions in the first hour that determined whether the recovery took three days or three weeks — and whether the ransom was ever a consideration or never an option.
Here’s what I’ve learned about those first sixty minutes. It might save you a very long night.
Minute 0-5: You Realise It’s Not a False Positive
The alert comes in. Files are being renamed to .locked, .encrypted, or something similarly obvious. The EDR is screaming. The SIEM is lighting up. The user who was working on that spreadsheet is now staring at a ransom note.
The first impulse is panic. The second — and this is the one that causes the most damage — is to start clicking around, logging into random consoles, and trying to “see what’s happening.”
Stop. Do not browse the network from an uninfected machine that has administrative privileges. I’ve watched incident commanders accidentally spread the ransomware by logging into a domain controller from a compromised workstation segment. The ransomware was already on that segment. The admin’s credential cache was harvested within seconds of authentication.
Instead: verify the alert from a trusted, isolated admin workstation, using an account that has never logged on to the affected segment, and treat any credential that has as compromised. Confirm in your EDR/SIEM that this is a genuine ransomware event, not a false positive from a security test or a script gone wrong. The tell-tale signs are one process renaming or rewriting files across many directories within seconds, a ransom note dropped into each folder, and volume shadow copies being deleted.
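What "confirm with your EDR" looks like as logic rather than eyeballing: the script below, an added example and not code from the post's author or P J Networks, scores a burst of file events per process. A single process renaming many files to ransom-style extensions across many directories inside a one-minute window is flagged; a job renaming files in one folder is not. The event format (host, pid, process, op, path, ts as JSON lines), the extension list, the thresholds and the sample telemetry are all constructed for the example; real EDR and Sysmon exports use their own field names.

```python
"""Triage helper: does this burst of file events look like ransomware?

Added example for this post, not code from the author or P J Networks.
Input is a constructed, simplified EDR/Sysmon-style JSON record per line
(host, pid, process, op, path, ts); real products use other field names.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions ransomware commonly appends. Assumption: a short illustrative set;
# seed it from your EDR's own variant intel.
RANSOM_EXTS = (".locked", ".encrypted", ".crypt", ".enc")
# Typical ransom-note file names dropped next to encrypted files.
NOTE_RE = re.compile(r"^(readme|how.?to.?(decrypt|restore)|recover).*\.(txt|html)$", re.I)

# A single process renaming MIN_RENAMES files across MIN_DIRS directories
# within WINDOW_S seconds is a ransomware signal; a script working one folder
# is not. Tune to your estate.
MIN_RENAMES = 50
MIN_DIRS = 5
WINDOW_S = 60


def parse_events(lines):
    """Yield one dict per non-empty JSON line."""
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def peak_in_window(times, window_s):
    """Largest number of timestamps falling inside any window_s-second span."""
    times = sorted(times)
    peak = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def score(events):
    """Map (host, pid, process) -> verdict for processes worth escalating."""
    per_proc = defaultdict(lambda: {"times": [], "dirs": set(), "note": False})
    for ev in events:
        key = (ev["host"], ev["pid"], ev["process"])
        path = ev["path"].replace("\\", "/")          # normalise Windows paths
        folder, _, name = path.rpartition("/")
        ts = datetime.fromisoformat(ev["ts"])
        if ev["op"] == "rename" and name.lower().endswith(RANSOM_EXTS):
            per_proc[key]["times"].append(ts)
            per_proc[key]["dirs"].add(folder)
        elif ev["op"] == "create" and NOTE_RE.match(name):
            per_proc[key]["note"] = True

    verdicts = {}
    for key, d in per_proc.items():
        burst = (peak_in_window(d["times"], WINDOW_S) >= MIN_RENAMES
                 and len(d["dirs"]) >= MIN_DIRS)
        if burst:
            verdicts[key] = "ransomware-like burst" + (" + ransom note" if d["note"] else "")
        elif d["note"]:
            verdicts[key] = "ransom note without burst - investigate"
    return verdicts


def sample_events():
    """Constructed telemetry, not from a real incident: one process encrypts
    60 files across 6 user folders in 30 s and drops a note (true positive);
    a backup job renames 80 archives to .enc in one folder (false positive)."""
    base = datetime(2024, 5, 3, 9, 14, 0)
    lines = []
    for i in range(60):
        lines.append(json.dumps({
            "host": "FIN-WS-07", "pid": 4120, "process": "svchost.exe", "op": "rename",
            "ts": (base + timedelta(seconds=i // 2)).isoformat(),
            "path": f"C:\\Users\\priya\\Documents\\q{i % 6}\\report{i}.xlsx.locked"}))
    lines.append(json.dumps({
        "host": "FIN-WS-07", "pid": 4120, "process": "svchost.exe", "op": "create",
        "ts": (base + timedelta(seconds=31)).isoformat(),
        "path": "C:\\Users\\priya\\Documents\\README_TO_RESTORE.txt"}))
    for i in range(80):
        lines.append(json.dumps({
            "host": "BKP-01", "pid": 77, "process": "rotate.py", "op": "rename",
            "ts": (base + timedelta(seconds=i)).isoformat(),
            "path": f"/srv/backup/daily/archive{i}.tar.enc"}))
    return lines


if __name__ == "__main__":
    for key, verdict in score(parse_events(sample_events())).items():
        print(key, "->", verdict)
```

The directory-spread test is what separates the two cases: the backup job touches more files than the ransomware does, but only in one folder. If your EDR exposes shadow-copy deletion or the parent process chain, add those as further signals before calling it.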
Minute 5-15: Containment — The Decision That Costs or Saves You
This is the most critical window. Every minute the ransomware stays connected to the network, it encrypts more shares, compromises more credentials, and spreads laterally.
The orthodox playbook says: pull the plug on the affected segment. Not politely. Not with a change request. Pull the switch port, disable the VLAN, block the communication at the firewall.
But it’s not that simple. What if the affected segment runs your production line? Your ERP system? Your hospital’s patient management system?
This is where knowing your network architecture pays off. If you’ve already segmented your network (see Day 6 on zero trust), you can contain a single segment without taking down the entire business. If you haven’t segmented, you’re choosing between letting the ransomware spread or taking down the whole network — and neither option is good.
The containment decision I’ve seen work:
- At the FortiGate (or whatever firewall fronts the VLANs), add a deny policy at the top of the rule base that blocks all traffic from the affected VLAN to every other VLAN, with logging on, so the rule doubles as an evidence source
- Decide deliberately about the affected VLAN's internet access rather than leaving it by default. Blocking it at the same firewall stops any exfiltration still in progress and can stall families that check in with their C2 server before encrypting; the trade-off is that you lose visibility of what the malware tries to contact. If you leave it open to keep that visibility, leave it open only with full logging so every outbound connection becomes evidence
- Isolate the affected endpoints at the access switch by shutting their ports, or use your EDR's network-isolation feature, which keeps the EDR channel alive so you can still collect artefacts from the host
- If domain controller compromise is suspected: reset every privileged account, not just one domain admin, and schedule a KRBTGT reset. Reset KRBTGT twice, because the KDC keeps honouring tickets signed with the previous key, so a golden ticket survives a single reset; leave at least the maximum ticket lifetime (10 hours by default) and full replication between the two resets, or you will break legitimate Kerberos sessions domain-wide. This is the one containment step that deliberately runs past the first fifteen minutes
Minute 15-30: Triage — What’s Actually Encrypted?
Now you need to understand the scope. Don’t guess — verify.
- Check your backup system first, from the backup console rather than from the affected segment. Is it reachable? Are the backups intact, and were any deleted or expired in the days before the attack? Attackers routinely destroy backups before they encrypt. This determines whether you'll ever consider paying a ransom. If your backups are good and offline (the immutable, air-gapped kind), you have options. If your backups were on the same network and got encrypted too, you're in a very different situation.
- Check the ransomware variant. Your EDR or a sample analysis can often identify the ransomware family. Some variants have known decryption tools (NoMoreRansom project). Some are lockers that don’t actually exfiltrate data. Some are double-extortion — they’ve already sent your data to their servers and will leak it if you don’t pay.
- Check for data exfiltration. Look at your firewall and proxy logs for large outbound transfers from the affected segment in the hours or days before the encryption started; staging and upload usually precede encryption, often by days. Note that the DPDP Act defines a personal data breach to include loss of access to personal data, so encryption of personal data can trigger notification even if nothing was exfiltrated. The 72-hour deadline for notifying the Data Protection Board comes from the DPDP Rules; separately, CERT-In's 2022 directions require reporting the incident to CERT-In within six hours of noticing it.
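The exfiltration check above, as an added example that is not part of the original post or P J Networks' tooling: it reads FortiGate-style key=value traffic log lines, keeps only sessions from the affected subnet to external addresses inside a lookback window before the encryption start, and flags any source that pushed more than a threshold to a single destination. The field names (date, time, srcip, dstip, sentbyte, rcvdbyte) follow FortiOS traffic logs; the sample lines (documentation IP ranges), the 1 GiB threshold, the three-day window and the allowlist are assumptions for the example.

```python
"""Exfiltration triage over firewall traffic logs.

Added example for this post, not code from the author or P J Networks.
The field names (date, time, srcip, dstip, sentbyte, rcvdbyte) follow
FortiOS traffic logs; the sample lines, thresholds, allowlist and network
ranges below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Anything outside these ranges is treated as "external". Listed explicitly
# because Python's ip_address(...).is_private also covers documentation ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations you have already verified as legitimate bulk-upload targets
# (your cloud backup endpoint, for instance). Constructed placeholder.
ALLOWLIST = {"198.51.100.10"}


def parse_line(line):
    """Turn one key=value traffic log line into a dict with a timestamp and byte counts."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.fromisoformat(f'{rec["date"]}T{rec["time"]}')
    rec["sentbyte"] = int(rec.get("sentbyte", 0))
    rec["rcvdbyte"] = int(rec.get("rcvdbyte", 0))
    return rec


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exfil_candidates(lines, affected_net, encryption_start,
                     lookback=timedelta(days=3), threshold_bytes=1 << 30):
    """Return {srcip: {dstip: bytes_sent}} for hosts in affected_net that pushed
    at least threshold_bytes to a single external destination during the
    lookback window before encryption_start. Staging and upload usually happen
    hours or days before encryption, hence a multi-day default window."""
    net = ip_network(affected_net)
    window_start = encryption_start - lookback
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        if not (window_start <= r["ts"] < encryption_start):
            continue                      # outside the pre-encryption window
        if ip_address(r["srcip"]) not in net:
            continue                      # not the affected segment
        if is_internal(r["dstip"]) or r["dstip"] in ALLOWLIST:
            continue                      # east-west traffic or known-good upload
        totals[r["srcip"]][r["dstip"]] += r["sentbyte"]
    flagged = {}
    for src, dsts in totals.items():
        big = {dst: b for dst, b in dsts.items() if b >= threshold_bytes}
        if big:
            flagged[src] = big
    return flagged


# Constructed sample log (documentation IP ranges, not real addresses):
# 10.20.30.40 uploads ~1.5 GB to 203.0.113.77 over two nights before the
# encryption at 09:14, plus a large internal SMB copy, an allowlisted backup
# upload, ordinary browsing, and a post-encryption line that must be ignored.
ENCRYPTION_START = datetime(2024, 5, 3, 9, 14)
SAMPLE_LOG = """\
date=2024-05-01 time=22:10:03 devname="FG-HQ" type="traffic" subtype="forward" srcip=10.20.30.40 srcport=51022 dstip=203.0.113.77 dstport=443 proto=6 action="accept" sentbyte=734003200 rcvdbyte=18320
date=2024-05-02 time=01:45:19 devname="FG-HQ" type="traffic" subtype="forward" srcip=10.20.30.40 srcport=51980 dstip=203.0.113.77 dstport=443 proto=6 action="accept" sentbyte=891289600 rcvdbyte=20115
date=2024-05-02 time=10:02:44 devname="FG-HQ" type="traffic" subtype="forward" srcip=10.20.30.41 srcport=49211 dstip=203.0.113.5 dstport=443 proto=6 action="accept" sentbyte=61440 rcvdbyte=5242880
date=2024-05-02 time=23:30:00 devname="FG-HQ" type="traffic" subtype="forward" srcip=10.20.30.40 srcport=50001 dstip=10.50.1.9 dstport=445 proto=6 action="accept" sentbyte=4294967296 rcvdbyte=4096
date=2024-05-03 time=02:15:31 devname="FG-HQ" type="traffic" subtype="forward" srcip=10.20.30.42 srcport=44000 dstip=198.51.100.10 dstport=443 proto=6 action="accept" sentbyte=2147483648 rcvdbyte=9000
date=2024-05-03 time=09:40:12 devname="FG-HQ" type="traffic" subtype="forward" srcip=10.20.30.40 srcport=52210 dstip=203.0.113.77 dstport=443 proto=6 action="accept" sentbyte=5368709120 rcvdbyte=1200
"""

if __name__ == "__main__":
    for src, dsts in exfil_candidates(SAMPLE_LOG.splitlines(), "10.20.30.0/24", ENCRYPTION_START).items():
        for dst, sent in dsts.items():
            print(f"{src} -> {dst}: {sent / 2**30:.2f} GiB sent before encryption")
```

Two design points matter in practice. The totals are per destination, not per source, because exfiltration to one unfamiliar host over several sessions is the pattern, while a busy workstation's aggregate outbound volume is noise. And the internal ranges are enumerated rather than taken from is_private, which would otherwise silently drop the documentation addresses used here and, on some Python versions, other ranges you did not intend to exclude.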
Minute 30-45: Communication — Who Needs to Know
Silence is the enemy at this stage. A structured communication cascade prevents chaos:
- CEO/MD: “We have a cybersecurity incident affecting [scope]. Our team is containing it. We expect to have an update in 60 minutes. Current assessment: [critical/moderate/minor].”
- Legal counsel: Brief them on the situation, especially if data exfiltration is confirmed. DPDP Act breach notification clock is ticking.
- IT team: Clear instructions on who does what. One incident commander. No freelancing.
- PR/comms (if applicable): Prepare a holding statement. Don’t send it yet — but have it ready.
- Insurance: Notify your cyber insurance provider. Many policies require notification within 24 hours of discovery. They’ll also have a panel of incident response firms on retainer.
I’ve seen companies lose hours because nobody knew who was authorised to make containment decisions. Pre-agree on an incident commander before the incident happens.
Minute 45-60: Engage the Cavalry
By now you should have:
- Containment in place ✅
- Scope assessment underway ✅
- Backup integrity confirmed (or confirmed missing) ✅
- Ransomware variant identified (or sample isolated for analysis) ✅
- Leadership briefed ✅
If you don’t have in-house incident response capability, this is when you bring in the experts. A good IR team can accelerate recovery by days — sometimes weeks — because they’ve seen your specific ransomware variant before and know the fastest recovery path.
If you do have in-house capability: start the recovery plan. Restore from clean backups to isolated infrastructure, and choose restore points from before the initial intrusion, not merely before the encryption; the attacker is usually inside for days or weeks first, and a backup taken in that window restores their persistence along with your data. Don't restore to the same network, and don't reconnect anything until privileged credentials have been reset and the restored hosts have been checked with your EDR, because persistence mechanisms routinely survive the encryption event.
The Pattern I’ve Seen Repeat
After responding to dozens of ransomware incidents, here’s the pattern that separates 3-day recoveries from 3-week ordeals:
- Good outcomes: Segmented network, immutable backups, documented IR plan, trained team. Incident contained in under 30 minutes. Recovery from backup in 24-72 hours. No ransom paid. No data leaked.
- Bad outcomes: Flat network, backups on same domain, no IR plan, heroics instead of process. Incident spreads to entire organisation. Recovery takes 2-6 weeks. Ransom paid (often unsuccessfully — only 26% of organisations that pay get all their data back according to Sophos 2024). Data leaked on dark web. Regulatory fines follow.
The difference isn’t luck. It’s preparation. And it’s entirely within your control — before the first alert comes in.
Sanjay Seth has responded to ransomware incidents across Indian enterprises since 2001. He’s the CEO of P J Networks and architect of the PrahiX Ora unified NOC/SOC/SOAR platform.