The first 15 minutes after a ransomware warning.
A ransomware alert is stressful because every minute feels expensive. The goal is not to solve everything immediately. The goal is to stop the spread and preserve the facts.
The first 15 minutes should be simple and repeatable.
The first response should be simple enough for a busy office to follow. You need containment, evidence, escalation, and a careful recovery path.
Response goal: do not try to solve the whole incident in the first minutes. Limit spread, preserve facts, and bring the right people in fast.
1. Isolate the suspicious machine
If a workstation shows ransomware notes, mass file changes, strange popups, or a serious security alert, remove its network access if you can do so safely. Unplug Ethernet or disable Wi-Fi. Do not start clicking through folders to see how bad it is. That can change evidence and waste time.
Whether to power the machine off depends on your response policy and support team. In many cases, leaving it on but disconnected preserves more evidence. If the machine is actively destroying files and you cannot disconnect it quickly, stopping the damage may matter more.
2. Protect shared folders and accounts
Ransomware often causes the most damage through shared drives and reused credentials. Temporarily disable exposed shares, remote access, and suspicious accounts while IT investigates. If the alert came from a user with admin rights, treat that as a higher-risk event.
3. Preserve what happened
Take screenshots of ransom notes, alerts, filenames, times, and affected machines. Save logs from security tools. Write down who first noticed the issue and what they were doing. Do not delete suspicious files just to clean things up. Your support team may need them to understand scope.
4. Escalate early
Call your IT provider, security team, or incident-response contact. If you have cyber insurance, follow the policy instructions before hiring outside responders or negotiating with attackers. Many policies require specific notification steps.
5. Restore only after you know what is clean
Restoring too early can reintroduce the problem or overwrite useful evidence. Confirm which machines are affected, which accounts were used, whether backups are clean, and whether the original entry point is closed.
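Steps 2 and 3 are the ones a support technician can script so they happen the same way every time. The following is an added example, not part of the original page and not AI Wall's own tooling: a PowerShell first-response helper for a suspected Windows workstation. It assumes Windows 10/11 or Windows Server with PowerShell 5.1 or later, a local administrator session, and that the network cable was already pulled by hand as in step 1 (the optional -DisconnectNetwork switch covers the case where that was not possible). The evidence folder path, the reporter fields and the two-hour window for recently changed files are assumptions to adjust for your environment.

```powershell
# Added example (not part of the original page): capture facts first, then contain.
# Assumptions: run as local administrator; $EvidenceRoot is writable; step 1 (unplug)
# was already done by hand unless -DisconnectNetwork is passed.
param(
    [string]$EvidenceRoot  = "C:\IR-Evidence",   # assumed location; use a local disk, not a share
    [string]$ReporterName  = "unknown",          # who first noticed the issue
    [string]$ReporterNotes = "",                 # what they were doing at the time
    [switch]$DisableShares,                      # step 2: stop serving files to the office
    [switch]$DisconnectNetwork                   # step 1 fallback if the cable could not be pulled
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dir   = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Timeline first: every action below is recorded with a timestamp.
$timeline = Join-Path $dir "timeline.txt"
function Log($msg) { "$(Get-Date -Format o)`t$msg" | Tee-Object -FilePath $timeline -Append }

Log "Host=$env:COMPUTERNAME LoggedOnUser=$env:USERNAME Reporter=$ReporterName"
Log "Reporter notes: $ReporterNotes"

# Step 3 (preserve): volatile state before anything that changes it.
Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, UserName |
    Export-Csv (Join-Path $dir "processes.csv") -NoTypeInformation
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv (Join-Path $dir "connections.csv") -NoTypeInformation
Get-SmbShare | Export-Csv (Join-Path $dir "shares.csv") -NoTypeInformation   # needed to recreate shares later
Get-ScheduledTask | Where-Object State -ne "Disabled" | Select-Object TaskName, TaskPath, State |
    Export-Csv (Join-Path $dir "scheduled-tasks.csv") -NoTypeInformation
Log "Captured processes, connections, shares and scheduled tasks"

# Event logs are exported whole; responders decide later what matters.
foreach ($logName in "Security", "System", "Application", "Microsoft-Windows-Sysmon/Operational") {
    $out = Join-Path $dir ("{0}.evtx" -f ($logName -replace '[\\/]', '_'))
    & wevtutil.exe epl $logName $out 2>$null
    if ($LASTEXITCODE -eq 0) { Log "Exported event log $logName" } else { Log "Event log $logName not available" }
}

# Recently modified files in user profiles: ransom notes and mass renames show up here.
# Files are listed, not opened or deleted, so the evidence stays as it was found.
$recent = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt (Get-Date).AddHours(-2) |
    Sort-Object LastWriteTime -Descending | Select-Object -First 500 FullName, LastWriteTime, Length
$recent | Export-Csv (Join-Path $dir "recent-files.csv") -NoTypeInformation
Log "Recorded $(@($recent).Count) files modified in the last 2 hours"

# Step 2 (protect shares): remove user-created shares; shares.csv keeps their config.
# Administrative shares (C$, ADMIN$, IPC$) are left alone here because removing them
# can break remote support; handle those through your support team.
if ($DisableShares) {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Remove-SmbShare -Name $_.Name -Force
        Log "Removed share $($_.Name) ($($_.Path))"
    }
}

# Step 1 fallback: disable every adapter that is up. Done last, because after this
# point nothing can reach the machine remotely.
if ($DisconnectNetwork) {
    Get-NetAdapter | Where-Object Status -eq "Up" | ForEach-Object {
        Disable-NetAdapter -Name $_.Name -Confirm:$false
        Log "Disabled network adapter $($_.Name)"
    }
}

Log "Evidence saved to $dir; leave the machine on and disconnected until told otherwise"

# Hash the evidence files last so later copies can be checked against the originals.
Get-ChildItem $dir -File | Where-Object Name -ne "hashes.txt" | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Out-File (Join-Path $dir "hashes.txt")
```

Run it once from an elevated PowerShell prompt, for example `.\first-response.ps1 -ReporterName "Front desk" -ReporterNotes "Opened an invoice attachment" -DisableShares`. The order is deliberate: the timeline and volatile captures come before share removal and any adapter changes, because those actions alter exactly the state a responder wants to see, and the SHA-256 list at the end lets the support team confirm the copy they receive matches what was collected.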
Where AI Wall helps
AI Wall is designed to reduce confusion during this window. Endpoint alerts, process details, canary activity, USB events, isolation status, and admin-facing evidence can help your team decide whether an alert is a small workstation issue or the beginning of a wider incident.
Make the first 15 minutes easier with clearer endpoint evidence.
Run AI Wall on a pilot machine or schedule a demo to see how alerts, machine status, USB controls, and event history can support a calmer ransomware response process.
