It is 2:47 AM on a Tuesday. Your on-call engineer gets an alert — multiple servers are showing unusually high disk activity. By 3:15 AM, the first ransom note appears. By 4:00 AM, your EHR is unreachable, your imaging systems are down, and your phone is ringing.
You are now in the first hour of a ransomware attack. The next 24 hours will determine whether this is a managed incident or an organizational crisis.
Most healthcare organizations have an incident response plan. Very few have tested it under realistic conditions. And almost none have experienced the speed, pressure, and ambiguity of a real ransomware event.
This is what actually happens — hour by hour — and what you need to be ready for.
Hour 0–1: Detection and Initial Panic
The first indication is rarely a ransom note. It is usually something subtler — systems running slowly, backup jobs failing, monitoring alerts firing on unusual activity. In many cases, the attacker has been in your network for days or weeks before deploying the ransomware payload.
When the ransom note does appear, the immediate instinct is to start fixing things. Resist that instinct.
What you must do immediately:
Activate your incident response team. Not tomorrow morning. Right now. Your IR plan should have a call tree with after-hours contact information for every key stakeholder — IT leadership, executive leadership, legal counsel, your cyber insurance carrier, and your incident response retainer (if you have one).
Isolate affected systems. Disconnect compromised systems from the network. Do not shut them down — powering off destroys volatile memory that forensic investigators need. Disconnect network cables. Disable Wi-Fi. Isolate network segments. The goal is to stop lateral movement while preserving evidence.
Do not touch the ransom note. Do not respond to it. Do not click links in it. Do not delete it. It is evidence.
Preserve logs. If your logging infrastructure is still operational, make sure it stays that way. These logs will be critical for forensic investigation and for determining the scope of the breach.
The single most common mistake in the first hour is well-intentioned IT staff attempting to remediate before the scope is understood. Reimaging a server before forensics can examine it destroys evidence of what the attacker did, what data was accessed, and how they got in.
Hour 1–4: Assembling the Response
By hour two, you should have your core team engaged and working from a war room — physical or virtual. This team typically includes:
- Incident Commander — usually the CISO or senior IT leader. This person makes decisions and coordinates all response activities.
- Technical Lead — the person directing containment, investigation, and recovery.
- Legal Counsel — internal or external. You need legal guidance immediately because everything from this point forward has regulatory, liability, and privilege implications.
- Communications Lead — the person who will manage internal and external messaging.
- Executive Sponsor — a C-suite leader who can authorize decisions (expenditures, business continuity changes, communication to the board).
Critical decisions in this window:
Call Your Cyber Insurance Carrier
Do this in hour one, not hour twelve. Your cyber insurance policy likely has specific notification requirements — some require notification within 24 hours. More importantly, your carrier will assign a breach coach (typically external legal counsel) and can connect you with forensic investigators, crisis communications firms, and negotiation specialists if needed.
If you miss the notification window, you risk coverage denial.
Engage Forensic Investigators
Unless you have a large, experienced internal security operations team, you need external forensic support. Your cyber insurance carrier will typically have a panel of approved firms. Engage them immediately. They will help you determine:
- How the attacker gained access
- How long they have been in your environment
- What systems were affected
- Whether data was exfiltrated before encryption
- Whether the attack is still active
Notify Law Enforcement
The FBI encourages reporting ransomware attacks through IC3.gov and recommends notification within 24 hours. Reporting to law enforcement is voluntary but strongly recommended — federal agencies can provide technical assistance, threat intelligence, and in some cases, decryption keys from prior investigations.
CISA also offers free incident response assistance to critical infrastructure organizations, which includes healthcare.
Reporting to law enforcement does not mean you lose control of the response. It means you gain access to resources and intelligence you cannot get otherwise.
Hour 4–8: Scoping the Damage
By this point, your forensic team should be working to answer the critical questions:
What Is the Blast Radius?
How many systems are encrypted? Is it limited to a segment of the network, or has it spread across the environment? Are your backup systems affected? What about your domain controllers, Active Directory, and identity infrastructure?
The Change Healthcare attack in 2024 demonstrated what happens when the blast radius is total — 111 services disconnected, claims processing for the entire US healthcare system disrupted for weeks. That attack began with a compromised credential on a Citrix server without MFA.
Was Data Exfiltrated?
Modern ransomware operations almost always involve double extortion — encrypting your data and stealing a copy. The attacker threatens to publish the stolen data if you do not pay. Determining whether data was exfiltrated is critical because it changes the regulatory picture entirely.
Under HIPAA, a ransomware attack that encrypts ePHI is presumed to be a breach unless you can demonstrate a low probability that PHI was compromised. If data was also exfiltrated, that presumption becomes a certainty.
Are Your Backups Intact?
This is the question that determines your recovery timeline. Sophisticated ransomware operators specifically target backup infrastructure — deleting backup catalogs, encrypting backup repositories, and compromising backup admin credentials.
If your backups are intact and offline, recovery is a matter of days. If your backups are compromised, recovery could take weeks or months — and the ransom payment conversation becomes much more difficult.
Hour 8–16: The Ransom Question
At some point during the first day, someone — your CEO, your board, your legal counsel — will ask the question: should we pay the ransom?
Do not make this decision in the first 24 hours. You do not have enough information yet. You need to know:
- Whether your backups are viable for recovery
- Whether data was exfiltrated (and what data)
- The attacker's track record — do they actually provide working decryption keys?
- Whether law enforcement has a decryption key from a prior case
- Your legal exposure and regulatory obligations
- What your cyber insurance covers
The FBI advises against paying ransoms, but acknowledges that each organization must make its own decision based on its circumstances. UnitedHealth paid $22 million in the Change Healthcare attack. Many organizations pay. Many do not.
What matters is that the decision is informed, deliberate, and made by the right people — not made in panic at 4 AM by an IT director who has not slept.
Hour 8–16: Communication Becomes Critical
While your technical team is working the investigation, your communications challenge is escalating. By hour 12, you need to have messaging prepared for multiple audiences:
Internal Staff
Your employees need to know what happened, what systems are affected, and what they should and should not do. Clinical staff need to know whether patient care can continue and what downtime procedures to follow. Administrative staff need to know which systems are available and which are not.
Do not speculate. Do not overstate what you know. Communicate facts, actions being taken, and when the next update will come.
Patients
If clinical operations are disrupted — cancelled procedures, diverted ambulances, inaccessible records — patients will know something is wrong. Prepare a brief, honest statement. Do not use the word "breach" until your legal team advises it. "We are experiencing a cybersecurity incident that is affecting some of our systems" is appropriate in the first 24 hours.
Board of Directors
Your board needs a brief, factual update: what happened, what is being done, what the potential exposure is. They do not need technical details. They need to know that the right people are managing the response, that legal counsel is engaged, and that insurance has been notified.
Regulators
Under HIPAA, you have 60 days from discovery to notify affected individuals and HHS for breaches affecting 500 or more individuals. You do not need to notify in the first 24 hours. But you do need to begin the assessment that will determine your notification obligations.
If you are a covered critical infrastructure entity under CIRCIA, you will be required to report within 72 hours.
Media
If the attack becomes public — and it likely will — have a holding statement ready. Coordinate with your crisis communications firm (your cyber insurer can provide one). Do not improvise.
Hour 16–24: Stabilization and Recovery Planning
By the end of the first 24 hours, the acute chaos should be settling into structured response. Your forensic investigation is underway. Your containment measures are in place. Your communication cadence is established. Your legal team is managing privilege and regulatory obligations.
Now the focus shifts to recovery:
Prioritize systems for restoration. What is most critical to clinical operations? EHR, pharmacy, imaging, lab systems. Build a recovery sequence based on patient care impact, not IT convenience.
Validate backup integrity. Before restoring from backups, verify they are clean and complete. Restoring from a compromised backup reinfects your environment.
Plan for degraded operations. Full recovery from a significant ransomware attack takes weeks, not days. Your clinical teams need downtime procedures they can sustain — paper-based workflows, manual medication administration, verbal orders. The proposed HIPAA Security Rule requires 72-hour system recovery capability. Can you meet that?
Document everything. Every decision, every action, every communication. This documentation will be essential for your regulatory response, your insurance claim, and any potential litigation.
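As an added example that is not part of the original article, the "clean and complete" check on a restored backup set can be made mechanical when a hash manifest of the backup was recorded before the incident (an assumption here); the sample files, the manifest and the simulated damage are all constructed inline so the script runs offline.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream the file so large database dumps are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_backup(root, manifest):
    """Check files under root against {relpath: sha256} recorded before the incident.
    Complete = nothing missing; clean = nothing modified and nothing unexpected."""
    result = {"ok": [], "modified": [], "unexpected": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest:
                result["unexpected"].append(rel)
            elif sha256_file(full) == manifest[rel]:
                result["ok"].append(rel)
            else:
                result["modified"].append(rel)
    # Every manifest entry found on disk landed in ok or modified; the rest are missing.
    result["missing"] = list(set(manifest) - set(result["ok"]) - set(result["modified"]))
    return {key: sorted(paths) for key, paths in result.items()}

def safe_to_restore(result):
    """Restore only an unmodified, complete set with no stray files."""
    return not (result["modified"] or result["missing"] or result["unexpected"])

def demo():
    """Constructed sample: a tiny backup set plus the damage found at restore time."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        originals = {"ehr/db.dump": b"patient-db-v1", "imaging/index.dat": b"pacs-index"}
        manifest = {}
        for rel, data in originals.items():
            write(rel, data)
            manifest[rel] = hashlib.sha256(data).hexdigest()
        manifest["lab/results.csv"] = hashlib.sha256(b"lis-export").hexdigest()  # never landed on disk
        write("ehr/db.dump", b"\x00\xffgarbled")  # overwritten in place after the manifest was taken
        write("imaging/stray.bin", b"unknown")  # a file the manifest never recorded
        return verify_backup(root, manifest)
```

The manifest must come from a copy the attacker could not reach (offline or immutable storage); a manifest regenerated from the compromised repository would only confirm the damage as "expected".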
What Most Organizations Get Wrong
They Have a Plan Nobody Has Practiced
An incident response plan that exists as a document on a SharePoint site is not a plan. It is a wish. If your team has never walked through the first two hours of a ransomware scenario in a tabletop exercise, they will not execute the plan under pressure. They will improvise. And improvisation under crisis conditions leads to mistakes — evidence destroyed, communications sent too early, critical notifications missed.
They Underestimate the Communication Challenge
Technical teams focus on technical response. But for leadership, the communication challenge is often harder than the technical one. Who do you tell? When? What do you say? What do you not say? How do you handle media inquiries? What about social media? What about anxious staff who start posting on their personal accounts?
Communication failures during a ransomware response have ended careers. Plan for them.
They Wait Too Long to Call for Help
The organizations that recover fastest are the ones that activate external resources immediately — forensic investigators, legal counsel, crisis communications, and their insurance carrier. The ones that try to handle it internally for the first 12 hours before admitting they need help lose critical time.
They Focus on Recovery Before Understanding the Attack
The pressure to "get systems back up" is intense. But restoring systems before you understand how the attacker got in means you may be restoring the same vulnerability they exploited. Containment and investigation must happen before recovery.
The Bottom Line
A ransomware attack compresses months of decision-making into hours. The decisions you make — who you call, what you isolate, what you communicate, and what you resist the urge to do — will shape the outcome more than any technology you own.
The best investment you can make is not another security tool. It is a tested incident response plan, a leadership team that has practiced making decisions under pressure, and relationships with the external partners you will need at 3 AM on the worst day of your professional life.
The time to build that capability is not during the attack. It is right now.
Jackal Group helps healthcare organizations build and test incident response plans through executive tabletop exercises and resilience assessments. Contact us to schedule a session.