The First 72 Hours After a Ransomware Hit in Your Plant

Published April 29, 2026

Second shift comes on at your plant. Operators try to log into the MES and get kicked out. A few minutes later, someone sees an unfamiliar message on a server console. Within an hour, file shares are unreadable and the ERP is unresponsive. By the end of the shift, production is stopped and executives are being called in.

You are now in hour one of a ransomware incident. What happens in the next 72 hours decides how long your line stays down, how much data you lose, and whether the recovery is a painful week or an existential quarter.

Ransomware is now the single largest source of major operational disruption in manufacturing. The FBI Internet Crime Complaint Center (IC3) 2024 Annual Report documented critical manufacturing as one of the top targeted sectors, with thousands of incidents affecting production. IBM X-Force has reported manufacturing as the most-attacked industry for multiple consecutive years. Your plant is not an exotic target. It is in the heart of the targeting.

This post is about what the first 72 hours of a ransomware response actually looks like, so you can recognize whether your current plan holds up.

The Problem: Most Plans Focus on IT, Not Operations

If you have a ransomware response plan at all, it was probably written by the IT team or a cybersecurity consultant. It likely focuses on network isolation, forensic preservation, and backup restoration. All of that is necessary.

What most plans do not address is:

  • Whether the production line can run in manual mode while systems are down
  • Which customer orders need to be communicated about, and by when
  • How quality and traceability are maintained when MES data is unavailable
  • What the authority chain is for decisions like paying a ransom or not
  • Whether the OT network stays running when IT is isolated, or gets pulled down with it

Operational continuity during a cyber incident is a different problem from IT recovery. Plans that do not address both leave operations improvising at the worst possible moment.

Why It Matters to You Specifically

For a plant manager or operations director, a ransomware event puts you at the center of five converging pressures:

Production Loss

Every hour the line is down has a known cost. That cost is ticking during the entire incident response. The pressure to bring things back is intense.

Customer and Contract Commitments

Customer orders and contracts have delivery dates. A multi-day outage triggers contract conversations, potential penalty clauses, and relationships that were fine before the incident and fragile after it.

Regulatory and Insurance Notification Windows

Cyber insurance policies have tight notification windows, often 24 to 72 hours. Regulatory obligations vary by industry and customer. Defense contractors under CMMC and DFARS requirements have specific reporting obligations. SEC cyber disclosure rules affect publicly traded manufacturers. Missing a notification window creates compounding problems.

Information Pressure

Executives, customers, press, and staff all want to know what happened. The information you release in the first 72 hours is difficult to take back. Getting it wrong creates long-term reputational issues.

Decision Pressure

Decisions about paying ransoms, restoring from backups, and bringing partial operations back online all have to happen with incomplete information. The temptation to move fast to reduce downtime can create decisions that make recovery harder.

What the First 72 Hours Should Look Like

A mature ransomware response plan in a manufacturing environment runs in phases that overlap but have distinct objectives.

Hour 0 to Hour 4: Detect, Isolate, and Protect

The first priority is to stop the spread. This means:

  • Identifying the initial scope (which systems are affected)
  • Isolating those systems from the rest of the network at the switch level, not just at the firewall
  • Protecting systems that are not yet affected, especially OT and production-critical infrastructure
  • Preserving evidence (memory dumps, log captures) before reboots or imaging

A frequent mistake is rushing to reboot or restore systems to get production back. This destroys forensic evidence needed for insurance claims, law enforcement cooperation, and understanding the attack well enough to prevent recurrence. Preserve first, restore second.

Hour 2 to Hour 12: Assemble the Response Team

The team includes IT leadership, operations leadership, executive leadership, legal counsel, your cyber insurance carrier, and usually an external incident response (IR) firm. Cyber insurance policies typically include IR services and specific preferred vendors. Using your own vendor without clearing with the insurer can jeopardize coverage.

This is also when regulatory and contractual notification clocks start running. A designated communications lead is assigned, and early messaging to customers and employees is drafted.

Hour 6 to Hour 24: Understand the Attack

The incident response firm begins forensic analysis. Key questions:

  • What is the initial access vector? Phishing, exposed remote access, unpatched system, supplier compromise?
  • How long was the attacker in the environment before the ransomware detonated? (This “dwell time” is usually days to weeks, sometimes months.)
  • What data was exfiltrated before encryption? Many ransomware groups now steal data for double-extortion purposes.
  • Are there backdoors or persistence mechanisms that need to be closed before restoration?

Answering these questions drives the scope of the cleanup. Restoring without closing the initial access is how organizations get hit twice in the same week.

Hour 12 to Hour 48: Manual Operations Where Possible

While IT recovers, operations decides what can continue manually. Some plants can run without ERP or MES for a period of time using paper travelers and manual quality checks. Others cannot because of tight process control or traceability requirements. Knowing which category you are in before an incident, and what the manual runbook looks like, is the difference between continuing to ship and shutting down completely.

OT systems that were properly segmented may still be operational during this phase. This is another argument for IT/OT network separation.

Hour 24 to Hour 72: Restoration Planning and Decision Points

By hour 24 to 48, the incident response firm usually has enough information to support the restoration plan. Key decisions:

  • Pay the ransom or not? The FBI position, consistently stated in CISA’s #StopRansomware campaign, is to not pay. Paying funds criminal operations and does not guarantee working decryption. But individual circumstances vary, and this is a decision that involves legal, insurance, and executive input.
  • Restore from backups or rebuild? The answer depends on backup integrity, how much data is acceptable to lose, and how quickly each path returns operations.
  • What order do systems come back? OT first, MES second, ERP third is a common pattern. Rushing the ERP back can reintroduce the initial access vector.

Hour 48 to Hour 72: Staged Restoration and Communication

Systems come back in priority order, each one validated as clean before being rejoined to the network. Customer communication is updated. Public communication, if needed, is managed through counsel and communications professionals.

By hour 72, most manufacturers are either running at partial capacity or have a concrete timeline to full capacity. Those without a plan or a partner are often still firefighting at hour 72, which is when the operational and financial damage compounds.

Practical Takeaways

  1. Have a ransomware runbook that includes operations. IT-only plans leave the plant floor improvising. Operations leadership needs to be in the plan.
  2. Test manual operations. If your plant has not run a shift in manual mode in the past year, you do not know whether it can. A short, planned drill finds the gaps before an incident does.
  3. Pre-select your incident response firm. Do not be picking a vendor at 2 a.m. on the day you need them. Cyber insurance panels include pre-approved IR firms. Know who yours are.
  4. Review your backup architecture. Immutable backups, offline copies, and tested restoration procedures are what separate recovery in hours from recovery in weeks. Backups that are encrypted along with production are not backups.
  5. Segment IT from OT. If a ransomware event on the business side can stop production, that is a design issue worth fixing before it gets tested in anger.

Ransomware is not a matter of if at this point. It is a matter of when. The manufacturers who come out the other side quickly are the ones who had a plan, tested it, and had a response partner on call.

If you want a conversation about how your plant’s ransomware readiness looks today, the HVR Cloud team can walk you through an assessment. Get in touch and we can talk through your environment.