Ransomware 2026: Incident Response in the First 60 Minutes
Ransomware remains the biggest cyber threat to businesses. When the worst happens, the first 60 minutes determine the extent of the damage. A guide to the critical phase between detection and containment.
TL;DR
- First hour is crucial: The faster the containment, the less the damage. The average breakout time (the time an intruder needs to move laterally from the first compromised host to other systems) is 48 minutes.
- Don’t pay: BSI and BKA advise against paying ransoms – they fund the criminals and do not guarantee decryption.
- Isolation before analysis: Immediately disconnect affected systems from the network; do not shut them down.
- Prepare communication: Crisis communication, reporting obligations (NIS2: 24h), and insurance notification.
- Backups are the key: Regular testing and offline storage help survive ransomware without paying a ransom.
Minute 0-15: Detection and Alert
The attack is detected – by an alarm from the EDR system, by employees reporting encrypted files, or by a ransom demand on the screen. Every minute counts now.
Immediate actions: Alert IT security personnel, activate the incident response team, document timestamps and initial observations. Do not panic – follow the prepared plan.
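The detection step above usually begins with an EDR alert on a burst of file renames. As an added example (not from the article), the following script shows one such rule run over constructed file-activity events: a host that renames many files by appending a new extension within a short window is flagged. The log format, host names, user names, the 60-second window and the threshold of 20 are all assumptions for illustration, not any vendor's real schema.

```python
# Added example (not from the article): burst detection over file-activity
# events, the kind of signal an EDR raises when an encryptor starts renaming
# files.  Log format, host names, users, window and threshold are all assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 20                   # assumed: suspicious renames per host inside WINDOW


def constructed_log():
    """Build constructed sample lines in the assumed format
    '<ISO-8601 time> <host> <user> <action> <path>[ -> <new path>]'."""
    base = datetime(2026, 3, 2, 9, 0, 0)
    lines = []
    for i in range(5):  # benign: a user saving documents over ten minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} WS-017 alice WRITE C:\\Users\\alice\\doc{i}.docx")
    # benign rename that changes the name rather than appending an extension
    lines.append(f"{base.isoformat()} WS-017 alice RENAME "
                 "C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx")
    for i in range(30):  # suspicious: 30 share files gain a new extension within 15 seconds
        t = base + timedelta(seconds=i // 2)
        old = f"\\\\fs01\\share\\file{i}.xlsx"
        lines.append(f"{t.isoformat()} FS-01 svc-backup RENAME {old} -> {old}.enc")
    return "\n".join(lines)


def parse_events(text):
    """Parse the constructed format into dicts; RENAME lines carry 'old -> new'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, rest = line.split(" ", 4)
        old, _, new = rest.partition(" -> ")
        events.append({"time": datetime.fromisoformat(ts), "host": host, "user": user,
                       "action": action, "path": old, "new_path": new or None})
    return events


def adds_extension(ev):
    """True for a RENAME that keeps the old name and appends another extension
    (report.xlsx -> report.xlsx.enc), the trace most encryptors leave behind."""
    if ev["action"] != "RENAME" or not ev["new_path"]:
        return False
    old, new = ev["path"].lower(), ev["new_path"].lower()
    return new != old and new.startswith(old + ".")


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of extension-adding renames per host; one alert per host."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not adds_extension(ev):
            continue
        q = recent[ev["host"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"host": ev["host"], "user": ev["user"], "first_seen": q[0],
                           "alert_at": ev["time"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(constructed_log())):
        print(f"ALERT {a['host']} ({a['user']}): {a['count']} extension-adding renames "
              f"between {a['first_seen']:%H:%M:%S} and {a['alert_at']:%H:%M:%S}")
```

The alert carries the account and the time of the first suspicious rename, which is exactly the timestamp the article asks you to document in minute 0-15. The rate threshold is what keeps ordinary activity quiet: a user renaming a file, or an application writing a temporary `.tmp` copy, does not produce twenty such renames in a minute.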
Minute 15-30: Isolation and Containment
Immediately disconnect affected systems from the network – pull network cables, disable Wi-Fi. Important: Do not shut down systems, as volatile data in RAM is valuable for forensic analysis. Isolate network segments, block VPN access, and deactivate privileged accounts as a precaution.
Check if backup systems are affected. If not: immediately write-protect them. Attackers specifically target backups to strengthen their negotiating position.
Minute 30-45: Situation Assessment and Communication
Initial assessment: Which systems are affected? Which ransomware family? Are there Indicators of Compromise (IoCs)? Was any data exfiltrated (Double Extortion)?
Start crisis communication: Inform management, activate external forensic service providers, contact a lawyer (reporting obligations!). If affected by NIS2: 24-hour deadline for the initial report to the BSI.
Minute 45-60: Forensics and Restoration Planning
Start forensic preservation: memory images, log data, network captures. Identify the attack vector – phishing email, compromised RDP access, supply chain attack? In parallel, plan the restoration: check backup integrity, prepare a clean room environment, prioritize systems based on business impact.
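Forensic preservation is only useful if the evidence can later be shown to be unchanged. As an added example (not from the article, and not any forensic suite's own tooling), the script below records collected artifacts in a chain-of-custody manifest ordered by volatility (memory and network state first, as the article's "do not shut down" rule implies), hashes each one with SHA-256, and re-verifies the hashes afterwards. The artifact names and contents are constructed stand-ins: a real memory image or packet capture is acquired with dedicated tools, and this script only catalogues what they produce.

```python
# Added example (not from the article): a chain-of-custody manifest for
# collected evidence, ordered by volatility and hash-verified afterwards.
# The artifact names and contents are constructed stand-ins; a real memory
# image or pcap is collected with dedicated tooling, not written by this script.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Order of volatility: RAM and live network state vanish first, disk last.
VOLATILITY_ORDER = ["memory", "network", "process", "logs", "disk"]


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifacts, case_id, collector):
    """artifacts: iterable of (category, path).  Entries are ordered by
    volatility so the manifest doubles as the collection checklist."""
    rank = {c: i for i, c in enumerate(VOLATILITY_ORDER)}
    entries = []
    for category, path in sorted(artifacts, key=lambda a: rank.get(a[0], len(rank))):
        entries.append({
            "category": category,
            "name": os.path.basename(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return {"case_id": case_id, "collector": collector, "artifacts": entries}


def verify_manifest(manifest, directory):
    """Re-hash every artifact; return the names whose hash no longer matches."""
    return [e["name"] for e in manifest["artifacts"]
            if sha256_file(os.path.join(directory, e["name"])) != e["sha256"]]


def demo():
    """Run the collect / verify / detect-tampering cycle on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        stand_ins = [  # deliberately listed out of volatility order
            ("logs", "Security.evtx", b"constructed event log export"),
            ("memory", "WS-017.mem", b"constructed memory image"),
            ("network", "edge.pcap", b"constructed packet capture"),
        ]
        artifacts = []
        for category, name, data in stand_ins:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            artifacts.append((category, path))
        manifest = build_manifest(artifacts, "IR-PLACEHOLDER-0001", "analyst")
        clean = verify_manifest(manifest, d)            # expect []
        with open(os.path.join(d, "Security.evtx"), "ab") as f:
            f.write(b"\n")                               # simulate a later modification
        tampered = verify_manifest(manifest, d)         # expect ["Security.evtx"]
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("intact after collection:", clean == [], "| changed later:", tampered)
```

Keep the manifest (and ideally a signed copy of it) with the case file: it is what lets the external forensic provider, the insurer or a court confirm that the image they analyse is the one that was taken in the first hour.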
What You Should Never Do
- Pay the ransom: Funds the criminals, no guarantee of decryption, makes the company a repeat target.
- Shut down systems: Destroys forensic evidence in RAM.
- Contact the attackers: Not without consulting forensic experts and a lawyer.
- Panic communication: No hasty public statements without coordination with PR and legal departments.
Preparation is Key
The first hour cannot be improvised. Companies need a tested incident response plan with clear roles, contact lists (also available offline), regularly checked and offline stored backups, contractually secured forensic service providers on call, and a cyber insurance policy with clear terms.
Key Facts at a Glance
- Breakout Time: 48 minutes (CrowdStrike 2025)
- Most Common Vector: Phishing, compromised RDP access, vulnerabilities
- Double Extortion: Over 70% of ransomware attacks also exfiltrate data
- NIS2 Reporting Obligation: 24-hour initial report to BSI
- BSI Recommendation: Do not pay ransom
- Backup Rule: 3-2-1 (3 copies, 2 media, 1 offsite/offline)
Fact: The average downtime after a ransomware attack is 23 days, according to Sophos.
Fact: According to Chainalysis, companies paid over 1.1 billion US dollars in ransomware ransoms worldwide in 2025 – despite a decreasing willingness to pay.
Frequently Asked Questions
Should you pay the ransom?
The BSI and BKA strongly advise against it. Payments fund the criminals, do not guarantee decryption, and make the company a preferred repeat target. Instead: Use backups, hire forensic experts, file a report.
How quickly must we report the incident?
Under NIS2: 24 hours for the initial warning to the BSI, 72 hours for the detailed report. Data protection authorities (GDPR, 72h) and cyber insurance policies also have their own reporting deadlines.
Why should you not shut down systems?
RAM contains volatile data such as encryption keys, active network connections, and process information. Shutting down destroys this evidence, which is crucial for forensics and possibly decryption.
How do you protect backups from ransomware?
3-2-1 rule: Three copies on two different media, one of them offline or immutable. Air-gapped backups are the best protection. Additionally: regular restore tests and separate backup credentials.
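The 3-2-1 rule, the offline/immutable copy, separate backup credentials and regular restore tests are easy to state and easy to let slip. As an added example (not from the article), the following check evaluates a backup inventory against exactly those rules, including the point from the containment phase that attackers go after backups: a copy an attacker can reach with production credentials is not counted as survivable. The inventory, its field names, the site and credential names and the 90-day restore-test limit are all assumptions for illustration, not any backup product's schema.

```python
# Added example (not from the article): 3-2-1 backup policy check over a
# constructed inventory.  Field names, site/credential labels and the 90-day
# restore-test limit are assumptions, not any product's schema.
from datetime import date

AS_OF = date(2026, 3, 2)  # fixed "today" so the check is reproducible

# Constructed inventory: one record per copy of the same dataset.
INVENTORY = [
    {"copy": "primary-nas", "media": "disk", "location": "hq",
     "offline": False, "immutable": False,
     "credential_scope": "prod-domain", "last_restore_test": "2026-02-20"},
    {"copy": "tape-vault", "media": "tape", "location": "offsite-vault",
     "offline": True, "immutable": False,
     "credential_scope": "backup-only", "last_restore_test": "2025-11-01"},
    {"copy": "object-lock", "media": "object-storage", "location": "cloud-region-1",
     "offline": False, "immutable": True,
     "credential_scope": "backup-only", "last_restore_test": "2026-02-28"},
]


def check_321(copies, production_site="hq", production_cred="prod-domain",
              max_test_age_days=90, today=None):
    """Return a list of findings; an empty list means the policy is satisfied."""
    today = today or date.today()
    findings = []

    # 3 copies
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (rule: 3)")

    # 2 different media
    media = {c["media"] for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s) (rule: 2)")

    # 1 copy away from the production site
    if not any(c["location"] != production_site for c in copies):
        findings.append("no copy stored away from the production site")

    # At least one copy must survive an attacker who holds production credentials:
    # offline or immutable, and not reachable with the production credential set.
    survivable = [c for c in copies
                  if (c["offline"] or c["immutable"])
                  and c["credential_scope"] != production_cred]
    if not survivable:
        findings.append("no offline/immutable copy with credentials separate from production")

    # A backup that has never been restored is a hope, not a backup.
    for c in copies:
        age = (today - date.fromisoformat(c["last_restore_test"])).days
        if age > max_test_age_days:
            findings.append(f"{c['copy']}: last restore test {age} days ago "
                            f"(limit {max_test_age_days})")
    return findings


if __name__ == "__main__":
    for name, copies in (("full inventory", INVENTORY), ("primary NAS only", INVENTORY[:1])):
        result = check_321(copies, today=AS_OF)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

Run against the constructed inventory the only finding is the tape copy whose restore test is overdue; run against the primary NAS alone it reports all four structural gaps at once, which is the situation the article warns about when attackers reach the backups from the production domain.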
What does a ransomware attack cost?
According to IBM, a ransomware incident costs an average of 4.5 million Euros – without the ransom. Costs arise from operational disruption, forensics, legal advice, customer notification, and reputational damage.