The First 24 Hours: What I Learned Responding to a Ransomware Attack

https://www.infosecurity-magazine.com/opinions/the-first-24-hours-responding-to/

Publish Date: 2026-05-14 02:29:49

Source Domain: www.infosecurity-magazine.com

Summary

After discovering LockBit ransomware at the University of Health Sciences and Pharmacy (UHSP), we experienced firsthand how much depends on immediate, organized action once ransomware strikes. Calling the right people in the right order is essential to managing the crisis from the outset: inform executive leadership and board members directly, notify the cyber insurance carrier promptly, reach out to legal counsel and law enforcement, and tell family members to expect long hours away from home. The incident response (IR) team must activate immediately and set up a war room with defined roles so that coordination is seamless. Gathering the essential facts about the impact and extent of the attack is what makes an actionable strategy possible. In the first hours, hold off on cleanup and other changes: rebooting, wiping or reimaging hosts can destroy volatile memory and on-disk artifacts that the forensic investigation needs. Isolating affected systems from the network to stop the spread is a different matter and should not wait.

Another critical focus is minimally viable operations: keeping essential functions running while preventing further damage. Verifying the integrity and availability of backups is key to eventually restoring systems securely, since backups reachable from the compromised network may themselves have been encrypted or deleted. A centralized communication strategy is essential to manage and mitigate misinformation both internally and externally. Finally, maintaining secure access keeps operations running safely while the environment is still untrusted. In the aftermath, a prepared and well-rehearsed incident response plan can drastically limit the impact of an attack.
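One concrete way to check backup integrity before trusting a restore is to compare the backup set against a hash manifest recorded when the backup was taken. The script below is an added illustration, not code from the article or from UHSP: it builds a SHA-256 manifest, then verifies a backup against an out-of-band copy of that manifest and flags files that are missing, modified, unexpected, or look ransomware-touched (an illustrative extension list and a high-entropy heuristic, both assumptions). The sample files and the simulated tampering are constructed inside a temporary directory so it runs offline.

```python
"""Added example: verify a backup set against a known-good SHA-256 manifest.

The manifest is written when the backup is taken; the copy used for verification
should be kept out of band (offline or on write-once storage), because a manifest
sitting next to the backup can be encrypted or replaced along with it.
"""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"
# Illustrative ransomware extensions (assumption, not a complete list).
SUSPECT_SUFFIXES = (".lockbit", ".locked", ".encrypted")
# Bits per byte: 8.0 is perfectly random; plain text usually sits around 4 to 5.
HIGH_ENTROPY = 7.5


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Entropy of the sample in bits per byte; encrypted data is close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(backup_root: Path) -> dict:
    """Hash every file under the backup root and write the manifest beside it."""
    hashes = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            hashes[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    (backup_root / MANIFEST_NAME).write_text(json.dumps(hashes, indent=2))
    return hashes


def verify_backup(backup_root: Path, known_good: dict) -> dict:
    """Compare the on-disk backup with a known-good manifest.

    Returns sorted lists of files that are missing, modified (hash mismatch),
    unexpected (not in the manifest) or suspect (ransomware-style extension or
    near-random contents). 'ok' is True only when all four lists are empty.
    """
    present, suspect = {}, []
    for p in backup_root.rglob("*"):
        if not p.is_file() or p.name == MANIFEST_NAME:
            continue
        rel = p.relative_to(backup_root).as_posix()
        present[rel] = p
        with p.open("rb") as f:
            head = f.read(4096)  # sample only the head; files may be large
        if p.suffix.lower() in SUSPECT_SUFFIXES or (
            len(head) >= 256 and shannon_entropy(head) > HIGH_ENTROPY
        ):
            suspect.append(rel)
    missing = [rel for rel in known_good if rel not in present]
    modified = [rel for rel, digest in known_good.items()
                if rel in present and sha256_file(present[rel]) != digest]
    unexpected = [rel for rel in present if rel not in known_good]
    report = {"missing": sorted(missing), "modified": sorted(modified),
              "unexpected": sorted(unexpected), "suspect": sorted(suspect)}
    report["ok"] = not any(report.values())
    return report


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: take a backup in a temp dir, keep the manifest copy,
    then optionally simulate ransomware encrypting one file and renaming another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "students.csv").write_text("id,name\n1,Alice\n2,Bob\n" * 20)
        (root / "notes.txt").write_text("restore procedure v3\n" * 30)
        known_good = dict(build_manifest(root))  # stands in for the offline copy
        if tamper:
            (root / "notes.txt").write_bytes(os.urandom(4096))  # "encrypted" in place
            (root / "db" / "students.csv").rename(root / "db" / "students.csv.lockbit")
        return verify_backup(root, known_good)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest comparison is the authoritative check; the entropy heuristic is only a hint, and compressed archives or media files in a real backup set will trip it. Integrity is also only half of what the article asks for: availability means actually restoring the set onto a clean, isolated host and confirming the applications start, which no hash check can substitute for.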

Key Points:

  • Essential First Steps: Inform executive leadership, board, cyber insurance carrier, legal counsel, law enforcement, and family immediately and appropriately.
  • IR Team Activation: Quickly activate the incident response plan, assign roles, and establish a secure out-of-band collaboration space.
  • Information Gathering: Understand the affected systems, the attack’s scope, the potential entry point, and the extent of compromise to form a response plan.
  • Steady and Measured: Refrain from cleaning or rebuilding systems immediately, so that critical evidence needed for the forensic investigation is not lost; isolate affected hosts instead.
  • Minimal Viable Operations: Maintain essential operations using targeted workarounds and security measures to keep the institution running as much as possible.