When ransomware hits, the clock starts ticking. In my case, what looked like a routine outage at the University of Health Sciences and Pharmacy (UHSP), where I serve as CISO, quickly revealed itself as LockBit ransomware: and the first day of our response determined our trajectory for months.
In times of crisis, you don’t rise to the occasion; you fall to your level of preparation. Here’s a framework that IT and security leaders can keep within arm’s reach for the first twenty-four hours after ransomware strikes, based on our encounter with LockBit.
1. Call the Right People, in the Right Order
Get ahead of bad news. We know it travels fast, so your executive leadership should hear about the attack directly from you, not from the rumor mill. Loop in board leadership in proportion to materiality. Notify your cyber insurance carrier immediately; policies often require prompt notice. Insurers can then mobilize resources right away and bring in forensics experts.
Bring internal and external legal counsel into discussions early to align on regulatory exposure and privilege. Then inform law enforcement: they can provide threat intel, victim decryption key checks, and credibility with stakeholders.
And tell your family—if you’re living through this, you might not be home for a little while.
2. Stand up the IR team and the War Room
Activate your incident response (IR) plan and call tree. Assign roles: incident commander, forensics liaison, IT operations lead, communications lead, legal/insurance, and a dedicated scribe.
Keep in mind that the threat actor could be monitoring your communications systems, such as email, Teams, and Slack, so set up an out-of-band collaboration space to coordinate if your primary systems are untrusted.
Establish a single source of truth: a timestamped decision and actions log. You will live in that log for communicating regular updates and later, for root cause, insurance, and regulators.
3. Gather Essential Information
You cannot fix what you don’t understand. Work to determine crisp answers to the following questions:
What’s affected (systems, identities, data classes, etc.)?
What’s the blast radius (segments, tenants, third parties, etc.)?
Do we know the entry point (phish, VPN, exploit, insider, software vulnerability, third party, etc.)?
How widespread is the encryption or compromise?
Document confidence levels and evidence; rushing through these steps can lead to follow-on compromises during recovery.
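As an added example (not part of the article), a minimal tamper-evident version of the timestamped decision and actions log from step 2, extended with the confidence level and evidence that step 3 asks you to document: each entry is hash-chained to the one before it, so a later edit to any entry is detectable when the log is handed to insurers or regulators. The field names, confidence scale and the entries in build_sample_log are assumptions I constructed, not records from the UHSP incident.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64                      # chain anchor for the first entry
CONFIDENCE = ("low", "medium", "high")  # assumed scale for "confidence levels"
FIELDS = ("ts", "role", "action", "confidence", "evidence")

def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus the canonical JSON of this record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

class IncidentLog:
    """Append-only, hash-chained decision and action log (the single source of truth)."""
    def __init__(self):
        self.entries = []

    def record(self, role, action, confidence, evidence, ts=None):
        if confidence not in CONFIDENCE:
            raise ValueError(f"confidence must be one of {CONFIDENCE}")
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        rec = dict(zip(FIELDS, (ts, role, action, confidence, evidence)))
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**rec, "prev": prev, "hash": entry_hash(prev, rec)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            rec = {k: e[k] for k in FIELDS}
            if e["prev"] != prev or e["hash"] != entry_hash(prev, rec):
                return i
            prev = e["hash"]
        return -1

def build_sample_log():
    """Constructed sample entries (hypothetical, not from a real incident)."""
    log = IncidentLog()
    log.record("incident commander", "declared incident, activated call tree",
               "high", "ransom note observed on file server", ts="2024-01-01T06:10:00+00:00")
    log.record("forensics liaison", "quarantined affected segment, no reboots",
               "medium", "EDR alerts on 12 hosts", ts="2024-01-01T06:25:00+00:00")
    log.record("IT ops lead", "entry point suspected VPN, unconfirmed",
               "low", "VPN logs still being collected", ts="2024-01-01T07:02:00+00:00")
    return log
```

Write the entries out as JSON lines to out-of-band storage as you go; verify() over the reloaded entries tells you whether anything was altered after the fact.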
4. Resist the Urge to Clean
This is the moment to pause and collect facts before making irreversible moves. The first technical instinct – to reboot, reimage, or “clean” – can erase the very evidence your forensics partners need.
Quarantine affected systems and high-risk network segments, disable compromised identities, and enforce conditional access. Pause nonessential automations such as backups until they’re verified safe. Preserve volatile data and snapshots before you touch anything.
5. Establish Minimal Viable Operations
Your mission is continuity with integrity. At UHSP, we accelerated single sign-on to keep teaching going while core infrastructure was unstable. That type of targeted workaround can buy air without feeding the fire, if you bind it to strong identity controls, like MFA, device posture and least privilege, and keep it logically isolated. Prioritize services by impact: in our case, that was safety, student experience, clinical, and payroll, then everything else.
6. Verify Backups Like a Skeptic
“Having backups” isn’t the same as “having restorable backups.” On the first day, prove you have (a) immutable copies, (b) off-network copies, and (c) the keys and runbooks to restore at scale. Test a representative restore into a clean enclave before committing to a broader plan. Decide your restoration order now; switching mid-stream is expensive.
Ensure that you restore to a point before the attackers entered your system, if possible. You don’t want to leave backdoor accounts in your environment, and you must also ensure the original entry path has been secured.
7. Control the Message
Name a communications lead and centralize all messaging. At UHSP, our Marketing and Communications lead handled both internal and external messaging. The Helpdesk was given specific talking points and instructed to direct all other communication back to the communications lead.
Internally, acknowledge the impact, share what’s known and not known, and set expectations for the communications cadence. Externally, coordinate with counsel on disclosures, law enforcement acknowledgments, and insurer guidance. Ad hoc emails and hallway chatter magnify speculation and create discoverable artifacts that age poorly.
8. Use Secure Access to Keep People Productive, Safely
During containment, assume untrusted endpoints and inconsistent patch levels; this was certainly true across my university’s heterogeneous fleet of BYOD. An enterprise browser can buy you a safer “productivity lane” while infrastructure is triaged and rebuilt.
After the attack, we deployed the Island Enterprise Browser to secure the environment, acting as a clean, least-privilege access layer when we distrusted devices but had to keep work moving. The browser allowed us to enforce granular controls such as MFA posture checks, clipboard/print/download restrictions, file exfiltration policies, and auditing across SaaS and web apps, without waiting for every endpoint to be reimaged.
Today, we require all of our most critical applications, including the full Microsoft stack, to be accessed only through Island.
Conclusion: Be Ready Before Hour Zero
The pattern I’ve seen in ransomware response is that panic and improvisation compound damage, while discipline and sequencing constrain it. This is especially true at universities, which are like digital museums housing decades of legacy tech, open networks, and BYOD realities, plus data goldmines of PII, PHI, and research IP. That stack can favor the attacker if your detection, prevention, and response are underprepared.
Before the clock starts ticking on that 24 hours, you should have a plan. Drill the first day in tabletop exercises. Ensure executives are familiar with their roles in a breach. Pre-stage your partners. And give your teams the secure access layer they need to operate under pressure.
Hesitation and half-measures are as dangerous as the attack itself. A well-rehearsed response sequence, carried out with decisiveness, is how you win the first 24 hours and earn the calm that follows.
