Hour 0-1: Contain Without Destroying Evidence
The moment ransomware is confirmed, every instinct will tell you to shut everything down. Resist the urge to wipe machines or restore from backups immediately. Your first action is network isolation: disconnect affected systems from the network but do not power them off. Pulling the cable, disabling the switch port or applying an EDR network-isolation policy all achieve this; what matters is that the host keeps running. Powering off destroys volatile memory, which may hold the ransomware process, its key material (some strains have been decrypted from captured memory), live network connections and other attacker artefacts that forensics will need later. Lateral movement is stopped by isolating hosts and segments internally; sever the organisation's internet connection as well if the attacker still has interactive access or data is still leaving, but preserve running system state while you do it. Activate your incident response team or contact your managed security provider. In 2025, the UK's NCSC reported that organisations with a practised IR plan reduced average breach costs by 61%. If you do not have a plan, this guide is your emergency playbook.
- Isolate affected systems from the network — do NOT power off
- Preserve volatile memory and running system state
- Activate incident response team or managed security provider
- Begin documenting everything — timestamps, actions taken, systems affected
- Do NOT attempt to negotiate with attackers in the first hours
Hours 1-6: Assess Scope and Begin Notification
Once containment is in place, assess the scope. Which systems are encrypted? Is data confirmed or suspected to have been exfiltrated? Are backups intact or have they been targeted? Modern ransomware groups (LockBit, ALPHV, Cl0p) routinely locate and delete or encrypt backups before deploying the encryptor, because intact backups remove their leverage. Confirm that at least one offline or immutable copy is intact, and that it predates the attacker's initial access, before assuming recovery is possible. Under UK GDPR, you have 72 hours from the point of awareness to notify the ICO if personal data has been compromised and there is a risk to individuals' rights. The clock starts when you become aware, not when you finish investigating. Report to the NCSC via their online reporting tool or by calling 0300 020 0973. The NCSC can provide technical assistance and has a triage process for significant incidents. If your organisation is in a regulated sector, such as financial services (FCA), legal (SRA) or healthcare (NHS DSPT), sector-specific notification requirements also apply.
Hours 6-12: Forensics, Communications, and Legal
Engage digital forensics capability. If you do not have in-house forensics, your cyber insurance provider will have a panel of approved incident response firms — contact your insurer early. Forensic investigators need untampered evidence, which is why the containment phase is so critical. Draft internal and external communications. Staff need to know what has happened and what they should and should not do. Customers and partners need a proportionate notification if their data may be affected. Legal counsel should review all communications before release. Do not speculate about the attacker, the ransom amount, or the data affected in any public statement. The NCSC explicitly advises against paying ransoms, noting that payment does not guarantee data recovery and funds further criminal activity. Insurance policies increasingly exclude ransom payments or impose significant conditions.
Hours 12-24: Recovery Planning and Lessons
With containment confirmed and forensics underway, begin recovery planning. Prioritise systems by business criticality. Validate backup integrity forensically before restoring: backups taken during the attacker's dwell time can contain their persistence mechanisms and tooling, and restoring them re-opens the door, so restore from a point that predates initial access and verify it against pre-incident hashes where you have them. Rebuild compromised systems from known-good images rather than attempting to clean infected machines. Implement enhanced monitoring on restored systems for at least 30 days, as re-compromise rates are significant. The NCSC recommends changing all credentials, not just those on affected systems, as credential harvesting is a standard pre-encryption activity. Sequence this after containment is confirmed: rotating passwords while the attacker still has a foothold simply hands them the new ones. In an Active Directory environment this includes service accounts and a double reset of the krbtgt account, since a harvested krbtgt hash lets the attacker forge Kerberos tickets regardless of user password changes. Document every action taken for regulatory reporting, insurance claims, and the post-incident review that should follow within 14 days.
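The backup checks described in the Hours 1-6 and Hours 12-24 sections above need something concrete to run. The following is an added example for this guide, not the article's, the NCSC's or any vendor's code. It assumes the organisation kept a pre-incident manifest mapping each backup file to its SHA-256 digest (a hypothetical manifest.json); the hash comparison is the authoritative test, while the Shannon-entropy check is a heuristic for files that fail it or that the manifest never knew about, because encrypted content is close to uniformly random (about 8 bits of entropy per byte). The `demo_triage` function builds a constructed backup tree showing the four outcomes a practitioner sees: a file left intact, a file encrypted in place, a file renamed with a ransom extension, and a file deleted outright.

```python
"""Backup integrity triage after a ransomware event (added example).

Assumes a pre-incident manifest of SHA-256 digests exists (hypothetical
manifest.json). Hash match is authoritative; entropy is a heuristic.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TriageReport:
    verified: list = field(default_factory=list)      # hash matches manifest
    modified: list = field(default_factory=list)      # present but hash differs
    missing: list = field(default_factory=list)       # in manifest, not on disk
    unexpected: list = field(default_factory=list)    # on disk, not in manifest
    high_entropy: list = field(default_factory=list)  # content looks encrypted

    @property
    def restorable(self) -> bool:
        """True only if every manifest file is present, unchanged, and nothing was added."""
        return not (self.modified or self.missing or self.unexpected)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is roughly 4-5, ciphertext 7.9-8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_backup(root: str, manifest: dict, entropy_threshold: float = 7.5,
                  sample_bytes: int = 65536) -> TriageReport:
    report = TriageReport()
    on_disk = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            on_disk[os.path.relpath(full, root).replace(os.sep, "/")] = full

    def looks_encrypted(path: str) -> bool:
        with open(path, "rb") as f:                 # sample the head, not the whole file
            return shannon_entropy(f.read(sample_bytes)) >= entropy_threshold

    for rel, expected in manifest.items():
        path = on_disk.pop(rel, None)
        if path is None:
            report.missing.append(rel)
        elif sha256_file(path) == expected:
            report.verified.append(rel)
        else:
            report.modified.append(rel)
            if looks_encrypted(path):               # encrypted in place
                report.high_entropy.append(rel)
    for rel, path in on_disk.items():               # files the manifest never listed
        report.unexpected.append(rel)
        if looks_encrypted(path):                   # e.g. renamed with a ransom extension
            report.high_entropy.append(rel)
    return report


def demo_triage() -> TriageReport:
    """Constructed backup tree (sample data, not real files) exercising all four outcomes."""
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stand-in for ciphertext
    originals = {
        "finance/ledger.csv": b"date,account,amount\n" * 200,
        "hr/contracts.txt": b"Employment contract, plain-text stand-in\n" * 100,
        "it/inventory.txt": b"host,owner,os\n" * 100,
        "legal/retainer.txt": b"Retainer letter, plain-text stand-in\n" * 100,
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}
    after_attack = {
        "finance/ledger.csv": originals["finance/ledger.csv"],  # untouched
        "hr/contracts.txt": noise,                               # encrypted in place
        "it/inventory.txt.locked": noise,                        # renamed and encrypted
        # legal/retainer.txt: deleted by the attacker
    }
    root = tempfile.mkdtemp(prefix="backup-triage-")
    for rel, data in after_attack.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return triage_backup(root, manifest)
```

Run `demo_triage()` and inspect the report: `restorable` is False, `verified` holds only the ledger, the contract shows up under both `modified` and `high_entropy`, the `.locked` file is `unexpected` and `high_entropy`, and the deleted retainer and the original inventory file are `missing`. Treat the entropy list as a lead rather than a verdict: legitimately compressed data (zip archives, JPEGs, already-encrypted archives) trips the same threshold, which is why a pre-incident hash manifest, stored somewhere the attacker could not reach, is the control that actually proves a restore point is clean.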
Prevention: The 24 Hours That Matter Most
The best incident response is the one you never need. The organisations that weather ransomware attacks with minimal damage share common traits: endpoint detection and response on every device, anti-data-exfiltration technology that blocks data theft even when attackers gain access, continuous attack surface management that eliminates the forgotten assets attackers use as entry points, and a tested incident response plan that has been rehearsed, not just written. At Kyanite Blue, our managed security stack addresses all four layers: Coro for endpoint protection, BlackFog for data exfiltration prevention, Hadrian for attack surface management, and Collective IP for incident response planning and testing.
Frequently Asked Questions
Should I pay the ransom?
The NCSC, NCA, and law enforcement agencies consistently advise against paying ransoms. Payment does not guarantee data recovery, encourages further attacks, and may breach sanctions regulations if the attacker group is designated. Consult legal counsel and your insurance provider before making any payment decision.
How quickly must I notify the ICO?
Under UK GDPR, you must notify the ICO within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. The 72-hour clock starts from awareness, not from completion of your investigation. You can notify with incomplete information and update the ICO as the investigation progresses.
What is the NCSC and how can they help?
The National Cyber Security Centre is the UK's technical authority for cyber threats. During a ransomware incident, the NCSC can provide technical guidance, threat intelligence about the specific ransomware variant, and support for significant incidents. Report via their online form or call 0300 020 0973.
Will my cyber insurance cover ransomware?
Most cyber insurance policies cover ransomware-related costs including forensics, legal counsel, notification, and business interruption. However, policies increasingly impose conditions such as minimum security controls and may exclude ransom payments. Review your policy terms and notify your insurer as early as possible in an incident.