Security blog posts about ransomware tend to cover one of two things: technical analysis of the malware, or the policy implications. What they rarely cover is what the first 72 hours of an active ransomware incident actually feel like from the responder's perspective.
Hour 0: The Call
2:47 a.m. The on-call analyst gets paged. Monitoring has detected mass file encryption events across multiple servers on an Ontario healthcare organization's network. By the time I'm reached as IR lead, the organization's IT director is already on the phone with the CEO. A ransom note has appeared on 23 servers. It's a LockBit 3.0 variant.
Hours 0-2: Containment
The first two hours are entirely about stopping the spread. We isolate the affected network segments at the switch level, disable all inter-VLAN routing, and identify and kill the active encryption process: a malicious binary pushed out from a compromised domain controller.
Patient record systems are offline. Elective procedures will be rescheduled. The hospital activates its paper-based fallback procedures. Active encryption stops at approximately hour 1.5. Backups appear intact. That is the single most important fact to confirm in the first two hours, because an adversary holding domain admin routinely deletes shadow copies and targets every backup repository it can reach before deploying the payload, so "intact" has to be verified, not assumed.
Hours 2-8: Understanding What Happened
Log analysis points to initial access via phishing 19 days earlier. Over those 19 days the attackers moved laterally from an assistant's workstation to an IT admin account via pass-the-hash (reusing the admin's NTLM hash rather than the password), enumerated the full network through Active Directory, exfiltrated approximately 180 GB of data, compromised the domain controller, and deployed the ransomware payload. A 19-day dwell time is roughly average. They're not in a rush: reconnaissance and data theft come first, and encryption is the last step. The ransom note on the servers marks the end of the intrusion, not the beginning.
Hours 8-24: The Decision
The ransomware operators are demanding the equivalent of 1.8 million USD in Monero. The insurer's negotiators are engaged. My role is to supply the technical facts: backup status (intact, with critical systems restorable in 2 to 3 days), the estimated recovery cost without payment, and a risk assessment of paying. That assessment has to account for the 180 GB already exfiltrated: payment buys at most a decryptor and a promise, it does not retrieve stolen data, and the decryptor is not guaranteed to work. In this case, they chose not to pay.
Hours 24-72: Recovery
Restoration from backups is not as simple as it sounds. You can't just restore the encrypted systems and put them back on the network: the adversary had domain admin access, so anything that trusts the old domain is suspect. Every credential needs rotation, including service accounts and the krbtgt account (reset twice, so that tickets forged under the old key stop validating). The domain controller needs rebuilding from scratch. Active Directory needs auditing for persistence mechanisms: accounts created or added to privileged groups during the dwell period, modified GPOs, delegation changes, and ACL changes on sensitive objects such as AdminSDHolder.
Critical patient-care systems were back online at hour 54. Full recovery took 11 days.
What Would Have Changed the Outcome
MFA on the initial account. Phishing captured a password. With phishing-resistant MFA (FIDO2/WebAuthn, where the credential is bound to the legitimate origin), that password is worthless on its own. The qualifier matters: push- or code-based MFA can itself be phished through an attacker-in-the-middle proxy.
Privileged access workstations for IT admins. Pass-the-hash lateral movement worked because an IT admin had authenticated to a regular workstation, leaving the account's NTLM hash in that workstation's memory (LSASS), where an attacker already on the machine could harvest and reuse it. Admin credentials confined to a dedicated PAW never land on a host an attacker can reach by phishing.
Earlier EDR detection. The attacker was present for 19 days. With behavioral EDR properly configured, the lateral movement patterns (an admin account authenticating with NTLM from a workstation to host after host) would have generated alerts within days of initial access.

Backup integrity is what kept this from being a $1.8M ransom payment. That's the safety net. The goal is to never need it.
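The lateral movement pattern described in the timeline and in the EDR point above, turned into detection logic as an added example (not code from the original post, and not any EDR product's logic): two rules run over a constructed set of Windows Security 4624 logon records. The host names, account names, addresses, allowlists and thresholds are hypothetical.

```python
"""Detection logic for pass-the-hash-style lateral movement, run over a
constructed sample of Windows Security 4624 (successful logon) records.
Added example; every host, account and address below is hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts treated as privileged, and the only hosts on which an interactive
# logon by those accounts is expected (a PAW and the DC console). Hypothetical.
PRIVILEGED_ACCOUNTS = {"it-admin"}
ALLOWED_ADMIN_HOSTS = {"PAW-IT-01", "DC-01"}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached-credential logons

# Constructed 4624 records: (time, target host, account, logon type, auth package, source IP).
SAMPLE_EVENTS = [
    ("2024-03-01T09:12:03", "WS-ASSIST-07", "jdoe",     2,  "Kerberos",  "-"),
    # An IT admin RDPs into a regular workstation: the hash is now in that LSASS.
    ("2024-03-01T14:03:10", "WS-ASSIST-07", "it-admin", 10, "Negotiate", "10.10.5.21"),
    # Two nights later the workstation's address fans out to servers with NTLM
    # network logons as the admin: the pass-the-hash pattern.
    ("2024-03-03T02:14:05", "FS-01",  "it-admin", 3, "NTLM",     "10.10.7.44"),
    ("2024-03-03T02:15:40", "SQL-02", "it-admin", 3, "NTLM",     "10.10.7.44"),
    ("2024-03-03T02:17:12", "DC-01",  "it-admin", 3, "NTLM",     "10.10.7.44"),
    ("2024-03-03T02:19:58", "APP-03", "it-admin", 3, "NTLM",     "10.10.7.44"),
    # Benign traffic: a user opening a share, and the admin working from the PAW.
    ("2024-03-03T08:01:00", "FS-01",  "jdoe",     3, "Kerberos", "10.10.7.44"),
    ("2024-03-03T08:30:00", "DC-01",  "it-admin", 3, "Kerberos", "10.10.5.21"),
]


def parse(record):
    """Turn one raw tuple into a dict with a real datetime."""
    t, host, account, logon_type, package, src = record
    return {"time": datetime.fromisoformat(t), "host": host, "account": account,
            "logon_type": logon_type, "package": package, "src": src}


def detect_ntlm_fanout(events, threshold=3, window=timedelta(minutes=30)):
    """One privileged account, one source address, NTLM network logons to
    `threshold` or more distinct hosts inside `window`. Network logons (type 3)
    authenticated with NTLM instead of Kerberos are what pass-the-hash produces."""
    groups = defaultdict(list)
    for e in events:
        if (e["account"] in PRIVILEGED_ACCOUNTS and e["logon_type"] == 3
                and e["package"] == "NTLM"):
            groups[(e["account"], e["src"])].append(e)
    alerts = []
    for (account, src), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = []
            for e in evs[i:]:                      # sliding window from `start`
                if e["time"] - start["time"] > window:
                    break
                if e["host"] not in hosts:
                    hosts.append(e["host"])
            if len(hosts) >= threshold:
                alerts.append({"rule": "ntlm_fanout", "account": account, "src": src,
                               "first_seen": start["time"].isoformat(), "hosts": hosts})
                break                              # one alert per (account, source)
    return alerts


def detect_admin_on_workstation(events):
    """Privileged account logged on interactively anywhere but an allowed host:
    its credential material is now exposed on that machine."""
    return [{"rule": "admin_on_non_paw", "account": e["account"], "host": e["host"],
             "logon_type": e["logon_type"], "time": e["time"].isoformat()}
            for e in events
            if e["account"] in PRIVILEGED_ACCOUNTS
            and e["logon_type"] in INTERACTIVE_LOGON_TYPES
            and e["host"] not in ALLOWED_ADMIN_HOSTS]


def run_detections(records):
    """Parse raw records and run both rules; returns the combined alert list."""
    events = [parse(r) for r in records]
    return detect_admin_on_workstation(events) + detect_ntlm_fanout(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample the PAW rule fires on the day-one RDP session (the event that put the hash on the workstation) and the fan-out rule fires on the night-two sweep, two days before anything is encrypted. The fields map directly onto real 4624 records (TargetUserName, LogonType, AuthenticationPackageName, IpAddress) collected from the target hosts. NTLM alone is not proof of compromise, since legacy applications still use it; the privileged-account set and the distinct-host threshold are what keep the rule from paging on routine traffic.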