A Practitioner Playbook for the Worst Day of Your Year

Ransomware: The First 72 Hours

Most ransomware response advice on the internet is either marketing fluff or generic CISA references. This guide is what we actually do, hour by hour, when a Texas SMB calls us in the middle of an active ransomware incident. We cover the first 60 minutes (containment without making things worse), the first 8 hours (scope, stabilize, documentation), the first 24 hours (containment hardening, forensics, executive and legal notification), and the first 72 hours (eradication, recovery, regulatory disclosure cycle). The decisions you make in the first three days determine whether the incident becomes a contained operational event or an existential threat to the business. The single best preparation: deploy Privileged Access Management (PAM) before the incident so the encryption never executes.

Hour 0-1: Containment

Disconnect affected systems from the network — pull cables, kill WiFi, isolate VLANs. Do NOT shut down (powering off destroys the volatile memory that forensics depends on). Identify the source endpoint, the spread pattern, and the encryption tool. Engage your incident response team or external IR firm. If you have a cyber insurance policy, call the carrier hotline before doing anything irreversible — most policies require carrier-approved IR firms.

Hour 1-8: Scope & Stabilize

Identify the threat actor (ransom note attribution), confirm the encryption tool variant, assess data exfiltration evidence (most modern ransomware groups exfiltrate before encrypting — double extortion), inventory all affected systems, identify your immutable backups, confirm backup integrity. Begin executive and legal notification. Begin documentation — every decision and timestamp matters for insurance, regulators, and possible litigation.

Hour 8-24: Containment Hardening & Forensics

Confirm containment is complete (no lateral movement continuing). Deploy enhanced monitoring on the broader environment to catch any persistence the adversary may have established. Begin forensic preservation — disk and memory images of patient zero and key affected systems. Begin rebuild planning. If exfiltration is confirmed, engage data review counsel for the inevitable disclosure analysis.
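"Confirm containment is complete" is only meaningful if you test it against the logs. The check below is an added example (not LayerLogix's own tooling) that runs over a constructed sample of Windows Security logon events: after the containment timestamp, any network logon sourced from a host you believe is isolated means containment failed, and any network logon by an account known to be compromised during scoping is a persistence or re-entry lead. The log format, host IPs and account names are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of Windows Security logon events, one per line (not real logs).
SAMPLE_LOG = """\
2024-03-01T13:40:05Z EventID=4624 LogonType=3 SrcIP=10.0.5.21 Target=FS01 User=jdoe
2024-03-01T14:10:22Z EventID=4624 LogonType=3 SrcIP=10.0.5.21 Target=FS02 User=jdoe
2024-03-01T14:12:09Z EventID=4648 LogonType=3 SrcIP=10.0.7.14 Target=DC01 User=svc-backup
2024-03-01T14:15:41Z EventID=4624 LogonType=2 SrcIP=10.0.9.3 Target=WS-HR-02 User=mlee
"""
LINE = re.compile(r"(\S+) EventID=(\d+) LogonType=(\d+) SrcIP=(\S+) Target=(\S+) User=(\S+)")


def _parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_containment(log: str, isolated_ips: set, compromised_users: set,
                      contained_at_utc: str) -> list:
    """Return findings that contradict 'containment is complete'.

    Only events strictly after contained_at_utc count; network logons are
    4624/4648 with LogonType 3 (interactive type 2 logons are ignored here).
    """
    contained_at = _parse_utc(contained_at_utc)
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than fail the whole check
        ts_s, eid, ltype, src, target, user = m.groups()
        if _parse_utc(ts_s) <= contained_at:
            continue
        network_logon = eid in {"4624", "4648"} and ltype == "3"
        if src in isolated_ips and network_logon:
            findings.append(f"{ts_s} isolated host {src} still authenticating to {target}: "
                            "containment incomplete")
        elif user in compromised_users and network_logon:
            findings.append(f"{ts_s} compromised account {user} used from {src} to {target}: "
                            "possible persistence or re-entry")
    return findings


def demo() -> list:
    # Patient zero 10.0.5.21 was pulled off the network at 14:00Z; svc-backup was
    # identified as compromised during scoping (both constructed facts).
    return check_containment(SAMPLE_LOG, {"10.0.5.21"}, {"svc-backup"}, "2024-03-01T14:00:00Z")
```

Run the same function against the real EDR or SIEM export at each containment checkpoint; an empty result is the evidence you record in the incident log before moving to rebuild.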

Day 1-3: Eradication & Recovery Decisions

Make the rebuild-vs-decrypt decision (almost always rebuild from clean backups; never trust decryption tools provided by the adversary). Begin staged recovery from immutable backups. Validate clean state before reconnecting recovered systems to production. Make the ransom-payment decision — see FAQ; the answer is almost always no, but the analysis depends on backup state, exfiltration severity, OFAC sanctions exposure, and regulatory posture.

Day 1-3: Notification & Disclosure

Notify cyber insurance carrier (within 24-48 hours per most policies). Notify CISA (voluntary but increasingly expected). Notify FBI Internet Crime Complaint Center (IC3). For specific industries: HHS Office for Civil Rights for HIPAA-covered entities; FTC for FTC Safeguards Rule-covered entities (within 30 days for incidents affecting 500+ consumers); state attorneys general per state breach notification laws; SEC if you are publicly traded.

Day 3+: Lessons & Hardening

Conduct a post-incident review. Identify the initial access vector. Identify the gaps that allowed lateral movement. Identify the controls that worked and the controls that did not. Build the remediation plan: PAM deployment if absent, MFA enforcement gaps, EDR coverage gaps, identity hardening, immutable backup validation, network segmentation. The post-incident hardening is the single highest-leverage security investment most organizations ever make.

Why Choose LayerLogix?

Faster Recovery, Lower Cost

Organizations with a documented incident response plan and tested procedures recover 50-70% faster and at a fraction of the cost of organizations winging it. The IR firm bills the same regardless of how prepared you are; what changes is how many billable hours you need.

Defensible Insurance Claims

Cyber insurance claims hinge on documented response. Carriers require carrier-approved IR firms, specific notification timelines, and documented decision-making. Organizations that follow the process get paid; organizations that improvise get pushback or denials.

Regulatory Compliance

HIPAA OCR, FTC Safeguards Rule, state breach notification laws, SEC disclosure requirements — each has specific timelines and documentation requirements. Missing a deadline turns a contained incident into a regulatory enforcement problem.

Operational Continuity

Containment + parallel recovery means business operations resume in days, not weeks. Without a plan, the rebuild-from-scratch path takes 4-8 weeks for a typical SMB.

Litigation Defensibility

Post-incident litigation (from customers, partners, employees, shareholders) is increasingly common. Documented response, proper preservation of evidence, and engagement of qualified outside counsel are all part of a defensible record.

Our Process

1. Hour 0 — recognize the incident: encryption pattern detected, ransom note found, EDR alerting on encryption behavior, end users reporting locked files. Trust the signal; do not delay.
2. Hour 0-15 minutes — disconnect affected systems from the network. Do NOT shut down. Pull cables, disable WiFi, isolate VLANs. Preserve volatile memory.
3. Hour 0-1 — engage incident response team or external IR firm. If you have cyber insurance, call the carrier hotline first.
4. Hour 1-8 — scope the incident: identify patient zero, identify the encryption tool, assess exfiltration evidence, inventory affected systems, confirm immutable backup state.
5. Hour 1-8 — begin documentation: every decision, every timestamp, every action. Use a dedicated incident log.
6. Hour 8-24 — confirm containment is complete. Deploy enhanced monitoring. Begin forensic preservation. Begin rebuild planning.
7. Day 1 — notification cycle: cyber insurance carrier, CISA, FBI IC3, regulators per applicable framework, executives, board, legal counsel, data review counsel if exfiltration confirmed.
8. Day 1-3 — make the rebuild-vs-decrypt and pay-vs-no-pay decisions with carrier and counsel. Begin staged recovery from immutable backups.
9. Day 2-3 — validate clean state of recovered systems before reconnecting to production. Watch for persistence the adversary may have established for re-entry.
10. Day 3+ — post-incident review, gap analysis, hardening plan execution. Convert the incident into lasting security improvement.
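Step 5 asks for a dedicated incident log, and the Litigation Defensibility section explains why: carriers, regulators and opposing counsel will ask whether the record was altered after the fact. The class below is an added example (not LayerLogix's own tooling) of a hash-chained, append-only incident log: each entry commits to the SHA-256 of the previous one, so a later edit or deletion breaks verification. Entry timestamps and actors in the demo are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on dict ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    """Append-only incident log where every entry chains to the one before it."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor: str, action: str, basis: str = "", when: str = "") -> dict:
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "incident": self.incident_id, "time": when,
                "actor": actor, "action": action, "basis": basis, "prev": prev}
        body["hash"] = _digest({k: v for k, v in body.items()})
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """True only if every entry is in sequence, unmodified and chained to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True


def demo_log() -> IncidentLog:
    # Constructed entries mirroring the first hours of the playbook.
    log = IncidentLog("IR-EXAMPLE-0001")  # placeholder incident id
    log.record("IR lead", "Pulled WS-ACCT-07 off the network", "EDR encryption alert",
               "2024-03-01T14:00:00+00:00")
    log.record("CFO", "Called cyber insurance carrier hotline", "Policy requires approved IR firm",
               "2024-03-01T14:20:00+00:00")
    log.record("IR lead", "Confirmed immutable backups intact", "Restore test of FS01 snapshot",
               "2024-03-01T18:05:00+00:00")
    return log
```

Write the entries to append-only storage (or mail each hash to counsel as it is created) so the chain, not the IT team's word, establishes the timeline.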

Frequently Asked Questions

Should I pay the ransom?
Almost always no. Even when paid, decryption tools work only 60-80% of the time, decryption is slow (often slower than restore from backup), the data exfiltrated is rarely actually deleted by the adversary even if they claim to delete it, and payment funds further criminal activity. There are also OFAC sanctions issues — paying ransom to entities on the OFAC sanctions list is a federal violation, and many ransomware groups are sanctioned. The decision should be made with cyber insurance carrier and outside counsel, not by your IT team in the middle of the incident. Plan to pay nothing; restore from immutable backup.
Do I need to call the FBI?
You should report to the FBI Internet Crime Complaint Center (IC3) at ic3.gov. Reporting is voluntary but strongly encouraged — it helps law enforcement build cases against ransomware groups, may result in disrupted operations against the adversary, and provides documentation for cyber insurance and regulatory disclosure. The FBI does not typically take operational control of your incident; you continue to manage with your IR firm.
When do I have to notify customers, regulators, or the public?
It depends on what data was affected and which regulatory frameworks apply. HIPAA-covered entities: HHS OCR notification within 60 days for breaches affecting 500+ individuals (immediate media notification at 500+). FTC Safeguards Rule-covered financial institutions: FTC notification within 30 days for incidents affecting 500+ consumers. State breach notification laws: vary by state, typically 30-90 days. Publicly traded companies: the SEC has a new four-business-day disclosure requirement for material incidents. Your outside counsel determines applicability and timing — do not wing this.
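The Notification & Disclosure section and this answer list several clocks that start at different times and only apply under certain conditions. The function below is an added example (not LayerLogix's own tooling) that turns those stated figures into a sorted deadline list for an incident: where the page gives a range (carrier 24-48 hours, state laws 30-90 days) it takes the earliest end, it counts SEC business days Monday to Friday ignoring holidays, and it starts the SEC clock at discovery for simplicity (an assumption; counsel determines the materiality date). Applicability flags and dates in the test are constructed.

```python
from datetime import date, datetime, timedelta


def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday days; public holidays are ignored (simplification)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def notification_deadlines(discovered_iso: str, insured: bool = True, hipaa_covered: bool = False,
                           ftc_safeguards_covered: bool = False, publicly_traded: bool = False,
                           material: bool = False, personal_data_exposed: bool = False,
                           individuals_affected: int = 0, consumers_affected: int = 0) -> dict:
    """Map each applicable recipient to its earliest deadline (ISO string), soonest first.

    Thresholds and periods are the ones stated in the playbook; this does not
    replace outside counsel's applicability analysis.
    """
    day0 = datetime.fromisoformat(discovered_iso)
    clocks = []
    if insured:
        clocks.append(("cyber insurance carrier", day0 + timedelta(hours=24)))
    if publicly_traded and material:
        sec_day = add_business_days(day0.date(), 4)
        clocks.append(("SEC", datetime.combine(sec_day, day0.time())))
    if ftc_safeguards_covered and consumers_affected >= 500:
        clocks.append(("FTC (Safeguards Rule)", day0 + timedelta(days=30)))
    if hipaa_covered and individuals_affected >= 500:
        clocks.append(("HHS OCR (HIPAA)", day0 + timedelta(days=60)))
    if personal_data_exposed:
        clocks.append(("state attorneys general", day0 + timedelta(days=30)))
    clocks.sort(key=lambda c: c[1])
    return {who: when.isoformat(timespec="minutes") for who, when in clocks}
```
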
How long does ransomware recovery take?
For an organization with a documented IR plan, immutable backups, and a pre-engaged IR firm: typically 5-14 days to substantial recovery, 30-60 days to full normal operations. For an organization without those preparations: typically 4-8 weeks to substantial recovery, 3-6 months to full normal operations. The difference is preparation, not luck or attacker behavior.
What is the most important thing to have in place before an incident?
Three things, in order: (1) immutable backups validated by regular restore testing — without working backups, you have very few options; (2) cyber insurance with a carrier hotline and pre-approved IR firm — speed matters and you do not want to be vendor-shopping during an incident; (3) PAM (Privileged Access Management) — application allowlisting prevents the vast majority of ransomware from executing in the first place, turning a would-be incident into a blocked attempt that never makes the news.
Should we engage a retainer with an IR firm in advance?
Yes if budget allows. A retainer ensures you have a known IR firm ready to engage with documented authority and pre-negotiated rates, eliminates 24-48 hours of vendor selection and onboarding during an incident, and is often required by cyber insurance carriers. Most retainers run $5K-$25K per year for SMBs and convert to incident response hours if needed. For organizations integrated with a managed services provider that includes IR capability (LayerLogix delivers this), the IR retainer is built into the managed services baseline.
