Most ransomware disasters aren’t caused by encryption. They’re caused by the first 60 minutes of confusion—systems left online, logs overwritten, and “containment” that actually spreads the infection. In this ransomware response playbook, I’ll walk you through exactly what to do after detection so you can cut the blast radius, preserve evidence, and give your recovery team a fighting chance.
Featured snippet answer: In the first hour after ransomware detection, immediately (1) confirm the alert and scope, (2) isolate affected endpoints and critical servers, (3) preserve volatile evidence (time, connections, memory where feasible), (4) disable lateral movement paths, and (5) start coordinated incident response communications and documentation.
As of 2026, the best practice is clear: treat ransomware like an active intrusion, not a “file encryption event.” Ransomware often starts with credential theft and lateral movement, so your first actions must focus on stopping propagation and securing systems before you think about restoration. I’ve used variants of this playbook in real customer incidents where the difference between recovery in days vs. weeks came down to one thing: whether isolation happened fast enough to stop domain-wide impact.
Before you touch anything: confirm it’s ransomware and start the clock
The first takeaway: your first minutes must separate a true ransomware event from a false positive, without losing time. Detection alerts can be noisy—especially when defenders see behavior patterns (mass file renames, unusual process trees, remote execution) that also occur in backup restores or legitimate software rollouts.
Ransomware response playbook checkpoint (0–10 minutes)
When your SOC or MDR notifies you, open the incident ticket and start the timeline immediately. I recommend creating a shared incident worksheet (a ticket field set or a lightweight spreadsheet) with timestamps in UTC, down to the minute; hosts, cloud consoles and people in different time zones will otherwise disagree about the order of events. That timeline becomes gold later during legal review and post-incident reporting.
- Confirm the signal: review the detection rule name, matched artifacts (file extensions, process hashes, command lines), and the affected hosts.
- Correlate with related alerts: look for credential dumping, new admin accounts, PsExec/WMI usage, unusual RDP/SMB activity, or EDR tamper attempts.
- Check for “backup-like” behavior: ensure the activity didn’t coincide with backup restores, content sync jobs, or scheduled mass file operations.
- Define initial scope: identify “first-seen” machines and any systems that talk to them (file servers, AD DS, hypervisors, VPN concentrators).
In a case I handled in 2025, the initial alert was triggered by a legitimate imaging tool misconfigured to rename files at scale. The team nearly wiped endpoints. The correct move was to compare the process tree and parent process: ransomware-like activity has telltale parents (remote exec tools, suspicious scripting hosts, or abnormal service creation) that bulk installers and sanctioned tools usually don’t.
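To make the parent-process comparison above concrete, here is an added triage example (not code from the original post or from any EDR vendor) that classifies process-creation records the way a triage analyst would: recovery-inhibition command lines and remote-execution or script-host parents mean isolate now, a shell spawned by services.exe needs a human look (PsExec clones and installers both do it), and a sanctioned deployment agent as parent is probably the imaging-tool case. The record layout, the parent lists and the four sample events are assumptions constructed for the example; adjust the sanctioned-parent set to your own software-distribution agents.

```python
"""Triage process-creation telemetry: ransomware-like activity vs. sanctioned bulk file ops.

Added example for this playbook, not code from any EDR product. The record layout
mirrors what Sysmon Event ID 1 or an EDR process timeline exports, but the field
names, the parent lists and the sample events below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str     # parent image, lower-case basename
    image: str      # child image, lower-case basename
    cmdline: str
    user: str


# Parents that sanctioned installers rarely have but remote-execution tooling
# and script/Office hosts commonly do.
SUSPICIOUS_PARENTS = {
    "psexesvc.exe", "wmiprvse.exe", "wsmprovhost.exe",   # PsExec, WMI, WinRM
    "wscript.exe", "cscript.exe", "mshta.exe",           # script hosts
    "winword.exe", "excel.exe", "outlook.exe",           # Office
}

# Command-line fragments that inhibit recovery or evade defences. Matching is
# deliberately loose: in triage a false lead costs minutes, a miss costs days.
INHIBITION_PATTERNS = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "wbadmin delete catalog",
    "recoveryenabled no",        # bcdedit /set {default} recoveryenabled no
)

# Assumption: these are your sanctioned deployment agents (SCCM client, MSI).
SANCTIONED_PARENTS = {"ccmexec.exe", "msiexec.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SEVERITY = {"benign": 0, "review": 1, "isolate": 2}


def triage(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'isolate', 'review' or 'benign'."""
    reasons: list[str] = []
    cmd = ev.cmdline.lower()
    reasons += [f"recovery inhibition: {p!r}" for p in INHIBITION_PATTERNS if p in cmd]
    if ev.parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {ev.parent} is a remote-exec or script host")
    if reasons:
        return "isolate", reasons
    if ev.parent == "services.exe" and ev.image in SHELLS:
        # Both PsExec clones and some installers run shells as services.
        return "review", ["shell spawned by services.exe: check service name and binary path"]
    if ev.parent in SANCTIONED_PARENTS:
        return "benign", [f"parent {ev.parent} is a sanctioned deployment agent"]
    return "review", ["no known parent; walk the process tree"]


def scope_hosts(events: list[ProcEvent]) -> dict[str, str]:
    """Worst verdict per host: the containment lead's first-seen list."""
    worst: dict[str, str] = {}
    for ev in events:
        verdict, _ = triage(ev)
        if ev.host not in worst or SEVERITY[verdict] > SEVERITY[worst[ev.host]]:
            worst[ev.host] = verdict
    return worst


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws-0142", "psexesvc.exe", "cmd.exe",
              "cmd.exe /c vssadmin delete shadows /all /quiet", "svc-backup"),
    ProcEvent("ws-0207", "ccmexec.exe", "imagingtool.exe",
              "imagingtool.exe --bulk-rename --suffix .bak", "SYSTEM"),
    ProcEvent("srv-file01", "services.exe", "cmd.exe", "cmd.exe /c whoami", "SYSTEM"),
    ProcEvent("ws-0310", "winword.exe", "powershell.exe",
              "powershell -nop -w hidden -enc SQBFAFgA", "jdoe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reasons = triage(ev)
        print(f"{ev.host:<11} {verdict:<8} {'; '.join(reasons)}")
    print(scope_hosts(SAMPLE_EVENTS))
```

Run it against a real EDR export by filling `ProcEvent` from the columns your console gives you; the verdict drives the 0–10 minute decision, and the reasons go straight into the incident worksheet.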
What most people get wrong here
People often “wait for certainty” and burn the first hour. If the evidence strongly points to active encryption behavior or lateral movement, act as if it’s real—because containment actions are reversible, while overwritten evidence often isn’t.
Containment in minutes: isolate endpoints and cut off lateral movement

The second takeaway: isolation is your fastest risk reduction. If ransomware is active, every minute increases the chance that attackers reach domain controllers, identity services, or backup systems.
Ransomware response playbook containment steps (10–30 minutes)
Your goal in this window is simple: stop SMB/WinRM/RDP/remote execution paths and prevent “east-west” movement between servers and users. Use your EDR console, network management tooling, or—if needed—manual containment through switch/router ACLs.
- Isolate affected endpoints: disconnect network access for impacted devices first. In EDR tools like Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne, use the “isolate machine” action. If you don’t have that, use quarantine VLANs or port shutdown on the switch.
- Isolate critical servers early: don’t just isolate workstations. Prioritize file servers, AD-integrated systems, hypervisors, and authentication services.
- Block common ransomware movement channels: at the firewall or internal segmentation layer, temporarily restrict:
  - SMB (TCP 445)
  - RDP (TCP 3389)
  - WinRM (TCP 5985/5986)
  - WMI/DCOM (RPC endpoint mapper on TCP 135 plus the dynamic high ports it hands out)
  - PsExec-style remote service execution (ADMIN$ share over SMB plus remote service creation)
- Disable or restrict admin tooling if it’s being abused: if you see remote execution via known admin tools, revoke temporary use, rotate impacted credentials, and tighten allowlists.
- Prevent backup tampering: if you detect attacks against backup infrastructure (shadow copy deletion via vssadmin or wmic, use of backup admin credentials, catalog corruption), isolate backup hosts too and verify that at least one copy is offline or otherwise unreachable from the compromised network.
One practical detail: if you only isolate “the one endpoint that got encrypted,” attackers can still use valid credentials to pivot through other machines that haven’t shown symptoms. That’s why your containment scope should expand to identity and file-access chokepoints quickly.
Isolation pros/cons (quick decision guide)
| Action | Pros | Cons | Best when… |
|---|---|---|---|
| EDR isolate host | Fast; keeps forensic artifacts available | May lose some live network telemetry | You have managed endpoints and EDR |
| Firewall ACL blocks | Stops lateral movement broadly | Can disrupt legitimate management traffic | Identity or server-to-server attacks detected |
| Network switch port shutdown | Immediate containment | Operational friction; needs physical/remote access | EDR tooling unavailable |
Evidence preservation: collect the “why” before you chase the “what”
The third takeaway: containment without evidence is what turns a manageable incident into a recurring one. Ransomware operators are sophisticated, and your post-incident improvements depend on reliable artifacts.
Ransomware response playbook evidence checklist (0–60 minutes)
Start preserving evidence in parallel with containment. If your team is small, assign specific roles quickly: one person coordinates isolation actions, another handles evidence capture, and a third manages communications.
- Snapshot key systems: if you run virtualized infrastructure (VMware/Hyper-V), snapshot impacted VMs that are critical and safe to snapshot, and include the VM's memory state where the hypervisor offers it so you capture running processes as well as disk. A snapshot gives you a rollback point and preserves storage state, but it lives on the same datastore as the VM; treat it as evidence, not as a backup.
- Preserve logs: pull EDR event timelines, Windows Security logs, Sysmon (if present), firewall logs, VPN logs, and authentication logs (AD DS / Microsoft Entra ID where applicable). Export raw logs when possible, and hash each export so you can later prove it was not altered.
- Capture volatile data: at minimum record running processes, network connections, logged-on users, and the system clock with its timezone offset, so the timeline can be normalized to UTC. Work in order of volatility (memory and connections before disk artifacts). If your tooling supports memory capture, do it for one or two representative hosts (not all of them) to avoid overwhelming storage and the analysts.
- Record file changes: document encrypted extensions, note ransom note filenames, and capture directory paths that show the earliest impact.
- Preserve command-line artifacts: if EDR provides process creation details and command lines, export them. Attackers often reveal tooling via arguments even when payloads are obfuscated.
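An added example (not from the original post) of the export discipline the checklist asks for: a small chain-of-custody script that hashes every exported artifact, records the UTC collection time and the collector's clock offset, writes a manifest, and can later re-verify that nothing in the export changed. The directory layout, the incident ID and the two sample exports are constructed for the example.

```python
"""Chain-of-custody manifest for exported incident artifacts.

Added example for this playbook, not a vendor tool. Hashes every exported file,
records the UTC collection time and the collector's local clock offset, writes a
manifest, and can re-verify the export later. Directory layout and sample
exports are constructed for the example.
"""
from __future__ import annotations
import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(artifact_dir: Path, incident_id: str, collector: str) -> dict:
    now_local = datetime.now().astimezone()       # collector's wall clock
    artifacts = []
    for p in sorted(artifact_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            st = p.stat()
            artifacts.append({
                "path": p.relative_to(artifact_dir).as_posix(),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return {
        "incident_id": incident_id,
        "collector": collector,
        "collector_host": socket.gethostname(),
        "collected_utc": now_local.astimezone(timezone.utc).isoformat(),
        # The worksheet timeline is kept in UTC; recording the collector's offset
        # lets you re-order events from a host whose clock or zone was off.
        "collector_utc_offset_seconds": int(now_local.utcoffset().total_seconds()),
        "artifacts": artifacts,
    }


def write_manifest(artifact_dir: Path, manifest: dict) -> str:
    """Write the manifest and return its SHA-256, to be logged in the incident ticket."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (artifact_dir / MANIFEST_NAME).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_export(artifact_dir: Path) -> list[str]:
    """Re-hash every listed artifact; return the paths that changed or vanished."""
    manifest = json.loads((artifact_dir / MANIFEST_NAME).read_text())
    bad = []
    for entry in manifest["artifacts"]:
        p = artifact_dir / entry["path"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def demo() -> tuple[dict, list[str], list[str]]:
    """Build, verify, then simulate a post-export modification (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "edr").mkdir()
        (d / "edr" / "timeline_ws-0142.csv").write_text(
            "ts_utc,host,parent,image,cmdline\n"
            "2026-03-04T09:12:07Z,ws-0142,psexesvc.exe,cmd.exe,"
            "cmd.exe /c vssadmin delete shadows /all /quiet\n")
        (d / "security_ws-0142.csv").write_text(
            "2026-03-04T09:11:58Z,4624,3,10.1.20.42,svc-backup  (constructed sample)\n")
        manifest = build_manifest(d, "INC-2026-0001", "forensics lead")
        write_manifest(d, manifest)
        clean = verify_export(d)
        (d / "security_ws-0142.csv").write_text("rotated after export\n")
        tampered = verify_export(d)
        return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2)[:400], "...")
    print("clean:", clean, "after change:", tampered)
```

Log the manifest's own hash in the incident ticket at collection time; a manifest nobody recorded can be regenerated by anyone, which is exactly what a legal reviewer will ask about.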
In one incident involving a “double extortion” pattern, the earliest ransomware activity was on a workstation, but the negotiation portal activity started from a server that wasn’t isolated early. Preserving identity and server logs was what allowed us to trace the credential path and close the exact gap in privileged access controls.
Lock down tamper-prone sources
Ransomware frequently tries to impair logging, disable security tools, or delete shadow copies. As of 2026, a lot of organizations rely on centralized log platforms, but you still need to export locally relevant logs because cloud pipelines can lag or stop if egress is disrupted.
- Confirm your EDR/AV management agents aren’t offline.
- Check whether attackers attempted to stop services (EDR, SIEM forwarders) and capture service control logs.
- Preserve DNS query logs: attackers often use short-lived or fast-flux C2 domains, so the query log may be the only record of the infrastructure, and internal lookups (SRV records, hostnames, share paths) show reconnaissance and environment fingerprinting.
Credential and identity containment: stop the attacker from “owning the keys”
The fourth takeaway: if the attacker already stole credentials, isolating machines won’t stop the next wave. Your goal is to contain identity compromise quickly and safely.
Ransomware response playbook identity actions (20–45 minutes)
Work identity like a blast radius map. Start with the accounts most likely to have been abused: domain admins, local admins, service accounts, and accounts used by remote management tools.
- Force credential rotation for confirmed compromises: if your logs show specific accounts used for remote execution, rotate their passwords immediately. Keep in mind that a password reset does not invalidate Kerberos tickets the attacker already holds, so disable the account as well where operations allow, and if a domain-wide compromise is confirmed, schedule the two-step krbtgt reset as part of eradication.
- Revoke high-risk sessions: revoke active sessions for users and admin accounts in your identity platform (for example Microsoft Entra ID sign-in session revocation, AWS IAM's "revoke active sessions" option, which works by attaching a deny policy conditioned on token issue time, or disabling accounts in AD DS when required).
- Reset privileged access paths: restrict privileged sign-in locations, enforce MFA, and tighten access policies temporarily.
- Audit scheduled tasks and services: attackers often create persistence via scheduled tasks, new services, or WMI event subscriptions. Look for ones created between the earliest first-seen activity and now; if that start time is unknown, widen the window to the last 24 hours.
- Check for new admin users: scan for newly created local admin accounts and unauthorized domain group membership changes.
Here’s the original insight I insist on: don’t treat “local admin” as low risk during ransomware. If attackers gained local admin on a workstation, they can use it to steal cached credentials, pivot to SMB shares, and laterally move to servers. In many real-world intrusions, the “first encrypted machine” is only the tip of the credential graph.
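The credential-graph idea in this section, and the earlier point about expanding containment scope to identity chokepoints, as an added example (not code from the original post or from any vendor): given the first-seen hosts and exported Security/System events, it follows remote logons outward for a bounded number of hops and returns the accounts to rotate, the hosts to add to scope, and the persistence and privilege changes inside that scope. The event layout, the IP-to-host map and the sample events are assumptions constructed for the example. The hop limit is there because an unbounded walk through a domain controller's logons scopes the whole estate; a human prunes the result at each hop.

```python
"""Identity blast radius from exported Windows Security/System events.

Added example for this playbook, not a vendor tool. Starting from the first-seen
hosts, it follows remote logons (4624, logon type 3 or 10) outward for a bounded
number of hops and reports accounts to rotate, hosts to scope, and persistence and
privilege changes inside that scope. Field layout, IP-to-host map and sample
events are assumptions constructed for the example.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SecEvent:
    ts: str             # ISO-8601 UTC, from the export
    host: str           # computer the event was logged on
    event_id: int
    user: str           # 4624: logon target; 4720: created account;
                        # 4728/4732: member added; 7045/4698: creating account
    logon_type: int = 0
    source_ip: str = ""
    detail: str = ""    # 4720: creator; 4728/4732: group; 7045: service; 4698: task


REMOTE_LOGON_TYPES = {3, 10}    # 3 = network (SMB/WMI/WinRM), 10 = RemoteInteractive (RDP)
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "backup operators"}
PERSISTENCE_IDS = {7045: "service installed", 4698: "scheduled task created"}


def blast_radius(events, first_seen_hosts, ip_to_host, max_hops=2):
    # account -> set of (source_host, destination_host) remote logon edges
    edges = defaultdict(set)
    for ev in events:
        if ev.event_id == 4624 and ev.logon_type in REMOTE_LOGON_TYPES:
            edges[ev.user].add((ip_to_host.get(ev.source_ip, ev.source_ip), ev.host))

    scoped, suspect = set(first_seen_hosts), set()
    for _ in range(max_hops):
        # Any account with a remote logon into or out of a scoped host is suspect ...
        newly = {u for u, e in edges.items()
                 if u not in suspect and any(s in scoped or d in scoped for s, d in e)}
        if not newly:
            break
        suspect |= newly
        # ... and every host those accounts touched joins the scope for the next hop.
        scoped |= {h for u in newly for edge in edges[u] for h in edge}

    persistence = sorted(
        (ev.ts, ev.host, PERSISTENCE_IDS[ev.event_id], ev.user, ev.detail)
        for ev in events if ev.event_id in PERSISTENCE_IDS and ev.host in scoped)
    privilege_changes = sorted(
        (ev.ts, ev.host, ev.event_id, ev.user, ev.detail)
        for ev in events
        if ev.event_id == 4720
        or (ev.event_id in (4728, 4732) and ev.detail.lower() in PRIVILEGED_GROUPS))
    return {
        "accounts_to_rotate": sorted(suspect),
        "hosts_in_scope": sorted(scoped),
        "persistence": persistence,
        "privilege_changes": privilege_changes,
    }


# Constructed sample data (not real logs). ws-0142 is where the alert fired.
FIRST_SEEN = {"ws-0142"}
IP_TO_HOST = {"10.1.20.42": "ws-0142", "10.1.30.11": "srv-app02", "10.1.50.9": "srv-hr03"}
SAMPLE_EVENTS = [
    SecEvent("2026-03-04T09:02:11Z", "srv-file01", 4624, "jdoe", 3, "10.1.20.42"),
    SecEvent("2026-03-04T09:05:40Z", "srv-app02", 4624, "adm-helpdesk", 10, "10.1.20.42"),
    SecEvent("2026-03-04T09:07:03Z", "srv-app02", 7045, "adm-helpdesk", detail="PSEXESVC"),
    SecEvent("2026-03-04T09:09:27Z", "dc01", 4624, "adm-helpdesk", 3, "10.1.30.11"),
    SecEvent("2026-03-04T09:10:02Z", "dc01", 4720, "support2", detail="adm-helpdesk"),
    SecEvent("2026-03-04T09:10:15Z", "dc01", 4728, "support2", detail="Domain Admins"),
    SecEvent("2026-03-04T09:14:50Z", "srv-hr03", 4624, "svc-backup", 3, "10.1.30.11"),
    SecEvent("2026-03-04T09:20:31Z", "srv-file01", 4698, "jdoe", detail="\\Microsoft\\Windows\\Update\\sync"),
    SecEvent("2026-03-04T09:33:12Z", "srv-print01", 4624, "asmith", 3, "10.1.50.9"),
    SecEvent("2026-03-04T09:35:00Z", "ws-0555", 4624, "bbrown", 2),   # local console logon, untouched
]

if __name__ == "__main__":
    for hops in (2, 3):
        r = blast_radius(SAMPLE_EVENTS, FIRST_SEEN, IP_TO_HOST, max_hops=hops)
        print(f"hops={hops}: rotate {r['accounts_to_rotate']}, scope {r['hosts_in_scope']}")
    r = blast_radius(SAMPLE_EVENTS, FIRST_SEEN, IP_TO_HOST)
    print("persistence:", r["persistence"])
    print("privilege changes:", r["privilege_changes"])
```

With two hops the sample scopes the file server, the app server, the DC and the HR server and flags three accounts; a third hop pulls in the account that only appears downstream of the HR server. That difference is the judgement call the identity lead makes with the evidence in front of them, not something the script should make alone.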
When identity actions are not safe
If you’re running a safety-critical environment or a hospital-like OT/IT mix, some identity actions (like blanket account disables) can disrupt operations. In those cases, isolate first, then perform targeted credential actions based on evidence. The playbook still applies, but the order gets slightly more conservative.
Communication and incident command: align stakeholders before decisions lock in

The fifth takeaway: ransomware response is as much coordination as it is technical work. Your first hour sets expectations with legal, IT leadership, and—if needed—outside partners.
Ransomware response playbook communications (15–60 minutes)
Use a simple incident command approach so everyone hears the same facts. At minimum, assign:
- Incident lead: owns decisions and timeline.
- Containment lead: isolates endpoints, blocks lateral paths.
- Forensics/evidence lead: exports logs and preserves artifacts.
- Comms lead: notifies internal leadership and drafts external notices if needed.
Communications should answer four questions quickly:
- What do we know (observable evidence)?
- What do we think (hypotheses)?
- What are we doing right now (next 30–60 minutes)?
- What decisions do we need from leadership (budget, access, approvals)?
If you’re in the US and regulated, your legal/compliance team will care about data exposure and notification timelines. In 2026, many organizations treat ransomware as a data breach by default for risk assessments, even if you believe encryption happened without data exfiltration.
People Also Ask: first 60 minutes ransomware response questions
What should you do first after detecting ransomware?
Isolate affected systems immediately and confirm scope. Start evidence preservation at the same time—especially EDR timelines, authentication logs, and process command lines. Acting in parallel prevents the classic failure mode: isolating too late and losing overwritten logs.
Should you shut down servers during ransomware response?
Shutting down is sometimes appropriate, but "isolate first" is usually the safer default. Powering everything off instantly destroys volatile evidence (memory, live connections, running processes) and interrupts log forwarding. If a server is clearly a pivot point (file server, domain controller, backup host) and is actively being used, isolate it at the network layer, snapshot it if it is a VM, and only then do a controlled shutdown if one is still needed. The exception is a host you cannot isolate at all: there, pulling the power beats leaving it on the network.
How do you stop ransomware from spreading laterally?
Block SMB/RDP/WinRM and stop remote execution tooling paths, then isolate impacted hosts. Also focus on identity containment: revoke or rotate credentials tied to remote execution activity. Lateral spread in ransomware incidents is commonly driven by credential abuse more than by the encryption process itself.
Can you recover encrypted files without paying the ransom?
Often, yes—but it depends on the ransomware strain and whether you have clean backups or decryption keys. Your quickest recovery path is restoring from known-good backups, verifying file integrity, and rebuilding trust in the environment. Paying can sometimes decrypt files, but it doesn’t guarantee data safety or that attackers won’t return—especially under double extortion tactics.
How long do you have before ransomware finishes encryption?
There’s no universal number. Some ransomware completes encryption within minutes on single machines, while other campaigns take hours to fan out. The attacker’s speed is heavily influenced by network topology, reachable shares, and how quickly they can obtain credentials for additional hosts.
Action plan template: your “Day 0” 60-minute runbook
The best way to reduce chaos is to run a checklist with owners. Below is a practical runbook you can adapt into your internal incident policy.
Minute-by-minute: 0–60 minutes
- 0–5 min: Create incident, capture timeline, identify first-alert hosts, assign roles.
- 5–10 min: Validate signal (process patterns, parent process, early file extensions, ransom note indicators).
- 10–20 min: Isolate impacted endpoints via EDR or network quarantine; isolate critical servers.
- 15–25 min: Export EDR event timelines and Windows Security logs; preserve firewall and authentication logs.
- 20–30 min: Block lateral movement channels at firewall/segmentation layer; restrict admin tooling.
- 25–45 min: Identify abused accounts from logs; rotate credentials for confirmed compromised accounts; revoke sessions.
- 35–60 min: Snapshot VMs where appropriate; ensure backup hosts are isolated if they show tampering indicators.
Tools you’ll likely use (examples, not endorsements)
Most environments already have parts of this stack. For example, Microsoft Defender for Endpoint can isolate machines and provide timeline evidence. CrowdStrike and SentinelOne also support immediate isolation and rich process telemetry. For log aggregation, SIEM stacks like Microsoft Sentinel or Splunk help centralize access logs and firewall events.
Use what you have, but make sure the workflow is rehearsed. If your team can’t reliably export logs during an incident, you don’t really have “forensics”—you have wishful thinking.
After 60 minutes: what changes and what you must not do
The sixth takeaway: the first hour is about stopping spread and preserving truth. After that, you shift into eradication planning, recovery validation, and broader investigation.
What to plan next (60–180 minutes)
- Threat hunting expansion: search for lateral movement artifacts, persistence mechanisms, and data exfiltration indicators.
- Backup validation: test restores in an isolated environment and confirm backup integrity.
- Eradication strategy: remove malware, rotate secrets, and rebuild trust (especially for identity and privileged access).
- Ransom note and extension mapping: identify the ransomware family to tailor decryption feasibility and detection signatures.
What not to do
Don’t redeploy clean images while suspicious identity credentials remain active. Don’t wipe endpoints before exporting EDR timelines if you can avoid it. And don’t assume encryption alone means no data exfiltration—double extortion is a standard business model for many crews.
Internal links you can use next
If you’re building a ransomware response program across teams, these related posts on our blog pair well with this playbook:
- How to Build Incident Response Playbooks That Teams Actually Use
- 2026 Ransomware Trends and What Defenders Miss
- Ransomware IOCs and Triage Techniques for Rapid Scoping
- Defending Against Credential Theft Pathways Common in Ransomware
Conclusion: your first 60 minutes should be boring—and that’s the goal
A strong ransomware response playbook doesn’t just tell you what ransomware is. It forces discipline when people are stressed: contain fast, preserve evidence, and stop credential-driven lateral movement. Your actionable takeaway is simple: run the 0–60 minute checklist in parallel, assign owners immediately, and isolate based on behavior and scope—not on hope.
If you rehearse this playbook quarterly and keep your isolation and log export paths tested, you dramatically improve your odds of recovery without paying—and you shorten the time it takes to prove what happened when leadership and legal finally ask for the facts.
