Read My Latest Artificial Intelligence (AI) Newsletter For FREE By Clicking Here!

Additional menu

PithySecurity.com

PithySecurity.com

What Actually Happens in the 72 Hours After a Ransomware Attack?

By - Get email updates

The first 72 hours after ransomware strikes determine whether you recover cleanly or spend months rebuilding. The decisions made in that window involve containment, forensics, legal notification, and a payment decision that cannot be unmade. Most organizations make these decisions for the first time under pressure.

Analysis Briefing

  • Topic: Ransomware incident response timeline
  • Analyst: Mike D (@MrComputerScience)
  • Context: A back-and-forth with a reader that went deeper than expected
  • Source: Pithy Cyborg
  • Key Question: What decisions in the first 72 hours determine your recovery outcome?

Hour Zero: Containment Before Everything Else

Ransomware announces itself. Files are renamed with unfamiliar extensions. Wallpapers change to ransom notes. Systems stop responding.

The immediate priority is containment. Disconnect affected systems from the network immediately. Pull the ethernet cable. Disable WiFi. Do not shut the systems down unless instructed by a forensic professional, because running memory may contain encryption keys or attacker artifacts that are lost on shutdown.

Call your IT team or incident response provider before doing anything else. The first 30 minutes of decisions determine the scope of recovery.

PhaseTechnical / ForensicLegal & RegulatoryStrategic / Insurance
0–12 HoursContainment: Isolate affected segments. Preserve RAM before shutdown.Clock Starts: Identify which jurisdictions’ data (GDPR, CCPA) is at risk.Notification: Call your insurer. Activate your pre-approved IR firm.
12–24 HoursForensics: Identify “Patient Zero.” Determine if backups are compromised.Materiality: (For Public Cos) Begin SEC “4-day” materiality assessment.Negotiation: Decide if a “negotiator” is needed (for data recovery or deletion).
24–48 HoursRestoration: Begin cleanroom restores. Verify that malware isn’t in the images.Drafting: Prepare “Holding Statements” and initial regulatory notifications.Sanctions Check: Verify that the threat group isn’t on a government blacklist.
48–72 HoursFull Operation: Phased bring-up of business-critical systems.The 72h Deadline: File GDPR/DPA reports if personal data was breached.Business Impact: Finalize the “Resume vs. Rebuild” financial plan.
Containment Before Everything Else

Hours One to Six: The Assessment That Determines Your Options

The forensic questions that determine your path: which systems are encrypted and which are not? Has the attacker been inside the network before triggering encryption? Are backups intact? Has data been exfiltrated?

Modern ransomware operators typically spend days to weeks inside a network before triggering encryption. During dwell time they identify and often compromise backup systems. When encryption triggers, your most recent clean backup may be weeks old.

This assessment determines whether you have a clean recovery path or a negotiation situation.

Hours Six to Seventy-Two: Legal Obligations Run Concurrently

If personal data was exposed, breach notification obligations begin running immediately. GDPR requires notification within 72 hours of discovery. HIPAA allows 60 days. US state laws vary but most have short windows.

Your legal team needs to be involved before any payment decision. Ransomware payments to sanctioned entities are illegal in the US regardless of your operational situation.

Recovery from backups or decryption begins in parallel with notification, not after.

The Cyber Insurance Call You Need to Make in Hour One

If you have cyber insurance, call your insurer in the first hour, not the first day. Most cyber insurance policies have notification requirements that begin at discovery. Missing the notification window can affect coverage.

Your insurer may also have a panel of approved incident response firms. Using an unapproved firm for forensics or negotiation can affect reimbursement. Check your policy before engaging outside help.

Cyber insurance increasingly covers ransom payments, negotiation fees, forensic costs, legal fees, and business interruption losses. The coverage is only useful if you activate it correctly and on time. The policy document should be accessible offline before you need it, because ransomware can encrypt the folder where you stored it.

What This Means For You

  • Maintain an “Offline Response Kit.” In 2026, ransomware doesn’t just encrypt your data; it locks your Incident Response Plan, your Cyber Insurance Policy, and your Contact Lists if they are on the cloud or local server.
  • Update your “Materiality” protocol. For public companies, the SEC’s 4-day disclosure rule is a hard deadline. You must have a process to determine if the breach is “material” within hours, not weeks.
  • Beware of California’s SB 446 (Effective Jan 2026). If you have 500+ California residents affected, you now have a 30-day deadline to notify residents and a 15-day follow-up for the Attorney General. The work for this starts in the first 72 hours.
  • Adopt “Immutable Backups.” Standard backups are no longer enough because 2026-era ransomware specifically seeks out and deletes them. Ensure you have a “Write-Once-Read-Many” (WORM) copy that cannot be altered.

If this was useful, more like it lives at Pithy Cyborg | AI News Made Simple, without hype. Join here →

You found Pithy Security. Good instincts. But the bigger story right now is AI, and that's where I spend most of my time. My name's Mike D, and Pithy Cyborg is where thousands of sharp minds come every week to stay ahead of the models, breakthroughs, and power moves reshaping everything. Engineers, developers, business owners, and curious people who just want to understand what's actually happening in AI all read every issue because I don't bury the lede and I don't waste your time.

The frontier models. The privacy traps. The tools your competitors are already using. The hype that's actually real and the hype that isn't. All of it, delivered without the jargon spiral. Pithy Security covers the cybersecurity angle. Pithy Cyborg covers the whole war. If you've been reading on the web, do yourself a favor and subscribe to the full experience below.

Disclosure: Pithy Cyborg is always 100% free. But, I may earn commissions from the affiliate link below. You get real tools that deliver real value. Everyone wins.

# 1 - Pithy Cyborg | AI News Made Simple - The free newsletter that cuts through the AI noise and keeps you two steps ahead of the models, the tools, and the people building both. Every issue lands with 3 elite AI stories plus one prompt you can use immediately, written in plain English without sacrificing depth. Five minutes. No filler. Join thousands of readers who refuse to be the last to know.

# 2 - Galaxy.AI, The All-in-One AI Platform - Why pay for ChatGPT, Midjourney, and three other tools when Galaxy.AI puts every top LLM, image generator, video tool, and ad creator in one place? One account. One flat price. Unlimited creative firepower. This is the unfair advantage your competitors don't have yet.

# 3 - Follow @MrComputerSci on X - Between issues, I'm on X posting real-time AI hot takes, model breakdowns, and threads that go deeper than any newsletter can. If you want to be in the room where it happens, follow along.