Incident Response

Ransomware Incident Response Playbook: The 24-Hour Checklist for Financial Institutions

May 11, 2026 Rebecca Leung

Your IT director calls at 6:43 AM on a Wednesday. Files are encrypted across three servers. The ransom note on the screen gives you 72 hours. Half your core banking systems are offline and customer calls are already starting.

You know it’s bad. What determines whether it stays manageable — or becomes a regulatory crisis on top of an operational disaster — is what your team does in the next 24 hours.

Ransomware hit financial services hard in 2024 and 2025. Akira, one of the most active groups targeting financial institutions, attacked 34 financial organizations between April 2024 and April 2025, accumulating more than $244 million in ransom payments since emerging in March 2023. According to the Sophos State of Ransomware in Financial Services 2025 report, 59% of financial institutions that were attacked had data encrypted — above the 50% cross-industry average — and the average recovery cost (excluding the ransom itself) was $1.74 million.

97% of firms that had data encrypted ultimately got it back. The 3% that didn’t had backup problems. Don’t be the 3%.

This is the playbook. Not a generic template — a phase-by-phase response guide built for financial institutions dealing with core banking systems, regulatory notification requirements, and examiners who will review your response long after the crisis is over.

TL;DR

  • The OCC, FDIC, and Federal Reserve require banks to notify their primary regulator within 36 hours of determining a notification incident — a ransomware attack disrupting core banking operations almost certainly qualifies.
  • CIRCIA, when finalized, will add a 72-hour cyber incident reporting requirement and 24-hour ransom payment notification for critical infrastructure including financial services.
  • Average recovery cost for financial services: $1.74 million in 2025, not counting the ransom payment itself (Sophos).
  • The playbook has five phases: Isolate and verify → Activate and assess → Contain and communicate → Notify and report → Recover and document.

The Regulatory Clock: Three Parallel Deadlines

Most IR plans describe a single response timeline. Ransomware at a financial institution triggers three parallel regulatory clocks, and missing any one creates independent exposure.

Clock 1: 36-Hour Bank Regulator Notification

The OCC, Federal Reserve, and FDIC’s joint Computer-Security Incident Notification rule, effective May 1, 2022, requires banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after determining that a “notification incident” has occurred.

A notification incident includes any significant computer-security incident that disrupts or degrades the viability of the bank’s operations, prevents customers from accessing their accounts, or impacts the stability of the financial sector. A ransomware attack that takes core banking systems offline or limits customer account access almost certainly qualifies.

The clock starts when you determine you have a notification incident — not when the attack begins. If your team spends 18 hours in ambiguity before concluding it meets the threshold, you have 18 hours left to notify. File early. Regulators understand that full scope isn’t determined in 36 hours; they expect an initial notification with updates to follow. A late notification is always worse than an incomplete one filed on time.

Where to file:

  • OCC national banks: [email protected]
  • Federal Reserve-supervised state member banks: Designated contacts per SR 22-4
  • FDIC-supervised state non-member banks: FDIC Regional Director

Clock 2: Reg S-P 30-Day Customer Notification

If customer information was affected — even from a ransomware attack that primarily encrypted rather than exfiltrated data — the SEC’s amended Regulation S-P triggers a 30-day customer notification obligation for covered institutions (broker-dealers, investment companies, and SEC-registered investment advisers).

The 30-day clock runs from discovery. Not from when you confirm scope. If there’s any possibility customer NPI was in scope, treat the clock as running. Covered institutions remain responsible for notification even if they haven’t yet determined whether data was actually accessed by the attacker.

Clock 3: CIRCIA (Pending Final Rule)

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) awaits CISA’s final rule. When finalized, it will require covered entities — including financial services — to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. Build both into your notification workflow now. Retrofitting CISA reporting into an already-strained IR process is harder than adding a notification step before you need it.

Phase 1: First 60 Minutes — Isolate and Verify

Speed matters here, but panicked action makes things worse.

Isolate affected systems. Disconnect Ethernet cables, disable Wi-Fi on affected devices, and revoke VPN access for systems showing signs of encryption. Do not reboot — rebooting can trigger encryption of remaining files and destroys volatile memory evidence that forensics needs. If you’re seeing Active Directory compromise indicators, consider taking domain controllers offline before the attacker can move laterally to unaffected segments.

Verify you actually have ransomware. Some ransom notes are fake — extortion attempts with no actual encryption. Quickly verify: are files genuinely encrypted, or just renamed? Can backup systems be accessed? Is the infection contained to one workstation or spreading across the network?

Activate out-of-band communications. If your email runs on the affected network, use phone or a secondary channel. Sophisticated ransomware operators monitor enterprise communications — detecting that you know about the attack can cause them to accelerate lateral movement or trigger pre-planted data exfiltration before you contain them.

Document everything immediately. Photograph ransom notes, affected screens, and error messages. Preserve system logs before overwrite cycles clear them. Preserve network flow data. Your forensics team, regulators, and potentially law enforcement will need this.

Notify your CISO, General Counsel, and CEO. Don’t wait for full scope confirmation. This is an executive-level event from the moment you confirm active ransomware.
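A first-hour triage helper, added here as an example and not code from the original playbook. It applies the "genuinely encrypted or just renamed" check from the verification step (a file whose original header is still intact has only been renamed; a file whose leading bytes are near-random has been overwritten) and records a SHA-256 and UTC capture time for each file as the opening entry of the evidence log. The sample files, the signature table and the 7.5 bits-per-byte entropy threshold are constructed and assumed for the demo; anything that fits neither pattern is marked for a human look rather than guessed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Constructed, illustrative table of file signatures (not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip / modern Office",
    b"\xd0\xcf\x11\xe0": "legacy Office (OLE)",
    b"\x89PNG": "png",
}
# Assumed threshold: ciphertext and compressed data sit close to 8.0 bits/byte.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes) -> str:
    """'renamed' if a known header survives, 'encrypted' if the bytes look
    random, otherwise 'unknown' (needs a human look, not a guess)."""
    if any(head.startswith(sig) for sig in MAGIC):
        return "renamed"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def triage(paths, head_bytes=4096):
    """Classify each file and record a SHA-256 and UTC capture time, so the
    result doubles as the first entry in the evidence log."""
    records = []
    for path in paths:
        with open(path, "rb") as fh:
            blob = fh.read()
        records.append({
            "path": path,
            "verdict": classify(blob[:head_bytes]),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "size": len(blob),
            "captured_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    return records


def build_samples(directory):
    """Constructed samples: a PDF that was only renamed, a file overwritten
    with random bytes standing in for ciphertext, and a short text note."""
    renamed = os.path.join(directory, "ledger.pdf.locked")
    with open(renamed, "wb") as fh:
        fh.write(b"%PDF-1.7\n" + b"%" * 2000)
    encrypted = os.path.join(directory, "accounts.xlsx.locked")
    with open(encrypted, "wb") as fh:
        fh.write(os.urandom(4096))
    note = os.path.join(directory, "README_RESTORE.txt")
    with open(note, "wb") as fh:
        fh.write(b"files encrypted, see instructions\n")
    return [renamed, encrypted, note]


def demo():
    """Run the triage over the constructed samples; returns (name, verdict) pairs."""
    with tempfile.TemporaryDirectory() as d:
        return [(os.path.basename(r["path"]), r["verdict"]) for r in triage(build_samples(d))]


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:10s} {name}")
```

The entropy test only looks at the first 4 KiB, which is enough to separate a renamed document from an overwritten one and keeps the check fast across a large share; the hash is taken over the whole file so that the evidence record is usable later.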

Phase 2: Hours 1–6 — Activate and Assess

Your IR team is activated. Your external forensics retainer should be on the phone within the first hour. This phase is about scope determination and regulatory triage.

Activate your forensics retainer. Most financial institutions should have a pre-negotiated incident response retainer. If you don’t have one, you’re now competing for available forensics capacity with dozens of other organizations at the same time. Expect delays — which directly compress your regulatory notification windows.

Assess scope. Which systems are encrypted? Do any contain customer data, NPI, or account information? Have backups been compromised? Is there evidence of data exfiltration before encryption — ransomware groups increasingly steal data before encrypting it, enabling double extortion? The answers determine your customer notification obligations.

Determine if this is a notification incident. Work with Legal and your CISO to apply the 36-hour rule’s threshold. If core banking operations are disrupted or customer access is impaired, the answer is almost certainly yes.

Contact law enforcement. Notify the FBI’s Internet Crime Complaint Center (IC3) and your local FBI field office early. Law enforcement may have intelligence on the specific variant and threat actor, and their involvement creates a documented record that regulators view favorably during exam reviews.

Preserve everything for forensics. Do not wipe or attempt recovery before forensics has captured what it needs. Wiping an infected system before forensics can investigate it destroys the evidence needed to determine what data was accessed — which is exactly the information driving your notification obligations.

Phase 3: Hours 6–24 — Contain and Communicate

Containment at this stage means stopping the spread and protecting clean systems — not complete eradication.

Segment the network. Isolate affected VLANs from clean segments. Prioritize protecting backup infrastructure and unaffected core banking systems. Backup encryption is the difference between a week-long recovery and a multi-month rebuilding effort.

Reset credentials. Assume all credentials on affected systems are compromised. Reset service account passwords, revoke privileged access tokens, and enforce MFA on accounts used during the incident response itself.

Communicate internally — carefully. Brief your Board chair or Audit Committee chair. Prepare a communication timeline for executives. Avoid including technical details in written communications that may later be discoverable in litigation — route sensitive details through outside counsel where possible.

Draft customer communication templates. Even if you’re not ready to send notifications, drafting them now saves critical time. Templates should cover: what happened (without admitting specific liability), what data may have been affected, what you’re doing, and what customers should do. Your cyber incident response playbook should have these pre-built.

Do not make the ransom payment decision under pressure. The ransom decision is a legal, regulatory, and strategic question — not a technical one. It requires OFAC screening of ransomware addresses (paying a sanctioned entity creates OFAC liability regardless of intent), legal analysis, and honest assessment of whether a working decryption key will actually be provided.

Phase 4: Hours 24–72 — Notification and Reporting

This phase is dominated by executing your regulatory and customer notification obligations.

File the 36-hour bank regulator notification. If your window is approaching and you haven’t notified, file with what you know. Initial notifications are expected to be preliminary — regulators understand that full scope determination takes time. Filing late because you wanted complete information is not an acceptable explanation.

Evaluate SAR filing. FinCEN guidance calls for financial institutions to file a SAR for ransomware attacks on the institution. The filing creates a documented compliance record and establishes that your institution recognized and reported the criminal activity. Your incident triage process should include SAR triggers as a formal step.

Begin state breach notification triage. If personal information of customers was affected, evaluate notification obligations under applicable state laws. Timelines vary significantly by state — from 30 days for most states to as few as 72 hours for specific data categories or sectors in others. Outside counsel should drive this analysis.

Update your Board. Your Board needs a status update: what happened, what’s affected, what the regulatory exposure looks like, what recovery timeline is realistic, and what decisions require Board-level input (especially the ransom payment question).

Notification                          | Recipient                 | Deadline                               | Trigger
36-Hour Regulator Notice              | OCC / Fed / FDIC          | 36 hours from determination            | Notification incident affecting operations or customers
FinCEN SAR                            | FinCEN via BSA E-Filing   | 30 days from detection                 | Ransomware attack on the institution
CIRCIA Report (when final)            | CISA                      | 72 hours                               | Significant cyber incident
CIRCIA Ransom Payment (when final)    | CISA                      | 24 hours                               | Ransom payment made
Reg S-P Customer Notice               | Affected customers        | 30 days from discovery                 | Customer NPI affected
State Breach Notifications            | State AGs / individuals   | 72 hours to 30 days (varies by state)  | PI of state residents affected
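The parallel clocks described in this section and in the Regulatory Clock section above, as an added example that is not part of the original playbook: a small tracker that starts each clock from the event the page names (determination for the 36-hour rule, detection for the SAR, discovery for Reg S-P and state notices, a payment for the CIRCIA payment report) and lists deadlines earliest first. The timeline is constructed to match the opening scenario; the anchor used for the CIRCIA incident report is an assumption for the demo, since the page gives only the 72-hour window, and the state clock is modelled at its shortest bound because the page says it varies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Clock:
    name: str
    recipient: str
    anchor: str            # the event that starts this clock
    window: timedelta
    pending: bool = False  # CIRCIA clocks: final rule not yet in effect


# Windows and recipients follow the table above. The CIRCIA report anchor is
# an assumption for the demo (the page states only the 72-hour window).
CLOCKS = [
    Clock("36-Hour Regulator Notice", "OCC / Fed / FDIC", "determination", timedelta(hours=36)),
    Clock("FinCEN SAR", "FinCEN via BSA E-Filing", "detection", timedelta(days=30)),
    Clock("CIRCIA Report", "CISA", "determination", timedelta(hours=72), pending=True),
    Clock("CIRCIA Ransom Payment", "CISA", "payment", timedelta(hours=24), pending=True),
    Clock("Reg S-P Customer Notice", "Affected customers", "discovery", timedelta(days=30)),
    Clock("State Breach Notification (shortest)", "State AGs / individuals", "discovery", timedelta(hours=72)),
]


def deadlines(events, include_pending=True):
    """(clock, deadline) pairs, earliest first, for every clock whose anchor
    event has a timestamp. A clock with no anchor (no ransom paid, no customer
    data in scope) has simply not started."""
    started = []
    for clock in CLOCKS:
        if clock.pending and not include_pending:
            continue
        start = events.get(clock.anchor)
        if start is not None:
            started.append((clock, start + clock.window))
    started.sort(key=lambda pair: pair[1])
    return started


def next_due(events, now, include_pending=True):
    """Name of the earliest unexpired deadline and the hours left on it, or None."""
    for clock, due in deadlines(events, include_pending):
        if due > now:
            return clock.name, (due - now).total_seconds() / 3600.0
    return None


def demo():
    """Constructed timeline: encryption noticed at 06:43 UTC on Wednesday
    13 May 2026, 18 hours of scoping before the notification-incident
    determination, no ransom paid."""
    observed = datetime(2026, 5, 13, 6, 43, tzinfo=timezone.utc)
    determined = observed + timedelta(hours=18)
    events = {
        "detection": observed,        # starts the SAR clock
        "discovery": observed,        # Reg S-P / state clocks: treat as running from discovery
        "determination": determined,  # starts the 36-hour clock, not the attack time
        # no "payment" key: the 24-hour CIRCIA payment clock never starts
    }
    due = {clock.name: when.isoformat() for clock, when in deadlines(events)}
    return {"deadlines": due, "next": next_due(events, determined)}


if __name__ == "__main__":
    result = demo()
    for name, when in result["deadlines"].items():
        print(f"{when}  {name}")
    print("next due:", result["next"])
```

Keying every clock to a named event is the point: the team records timestamps as events happen, and the ordering of deadlines falls out of those records rather than being recomputed by hand while the incident is running.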

Phase 5: Recovery and Post-Incident Documentation

Sophos data shows 53% of financial services victims recovered within one week. The 47% that took longer generally had one of three problems: backups that were also encrypted, backups that hadn’t been tested, or underestimated recovery complexity.

Restore from verified clean backups. Before restoring, confirm backup integrity. Restoring from an encrypted backup is a costly mistake. Verify backups are isolated from the infected environment and test restoration in a sandbox before going to production.
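One way to confirm backup integrity before restoring, added here as an example and not code from the original playbook or any product it mentions. A manifest of SHA-256 hashes, assumed to have been written when the backup was taken and kept on media the production network cannot reach, is checked against the backup set; an HMAC over the manifest (key likewise kept offline) catches a manifest edited to match overwritten files. File contents, paths and the key are constructed for the demo, and the demo walks through a clean set, a set the ransomware reached, and a forged manifest.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(backup_dir):
    """Sorted relative paths of every file under the backup root."""
    out = []
    for root, _, files in os.walk(backup_dir):
        for name in files:
            out.append(os.path.relpath(os.path.join(root, name), backup_dir))
    return sorted(out)


def write_manifest(backup_dir, key):
    """Manifest taken at backup time: path -> SHA-256, plus an HMAC over the
    listing so that a manifest edited alongside the files is detected."""
    entries = {rel: sha256_file(os.path.join(backup_dir, rel)) for rel in list_files(backup_dir)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(backup_dir, manifest, key):
    """Return (ok, problems). Any problem means: do not restore from this set."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest may have been altered"]
    problems = []
    present = set(list_files(backup_dir))
    for rel, digest in manifest["entries"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(os.path.join(backup_dir, rel)) != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in present - set(manifest["entries"]):
        problems.append(f"unexpected file: {rel}")
    return not problems, sorted(problems)


def demo():
    key = b"constructed-demo-key-kept-offline"  # stand-in for a key stored off the network
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "core"))
        with open(os.path.join(d, "core", "accounts.db"), "wb") as fh:
            fh.write(b"ACCOUNTS v1\n" * 100)
        with open(os.path.join(d, "config.ini"), "wb") as fh:
            fh.write(b"[core]\nmode=production\n")
        manifest = write_manifest(d, key)
        clean = verify_backup(d, manifest, key)
        # Simulate the backup share being reached: one file overwritten with
        # random bytes, a note dropped next to it.
        with open(os.path.join(d, "core", "accounts.db"), "wb") as fh:
            fh.write(os.urandom(1024))
        with open(os.path.join(d, "README_RESTORE.txt"), "wb") as fh:
            fh.write(b"see instructions\n")
        tampered = verify_backup(d, manifest, key)
        # Simulate a manifest edited to match the overwritten file; the HMAC catches it.
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["core/accounts.db"] = sha256_file(os.path.join(d, "core", "accounts.db"))
        forged_result = verify_backup(d, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for label, (ok, problems) in demo().items():
        print(f"{label:9s} ok={ok} {problems}")
```

The check is deliberately all-or-nothing: a single mismatch or unexpected file fails the whole set, because a partially trusted backup restored into production is the scenario the text warns about.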

If you pay: Conduct OFAC screening of wallet addresses, document the business rationale, get written legal approval, and understand that paying does not guarantee a working decryption key or the attacker’s silence. Restore from backups as your primary path anyway.

Run a post-incident review within 60 days. Document: the attack timeline, how ransomware entered your environment (phishing, unpatched vulnerability, compromised credentials), which controls failed or were absent, total cost (recovery, ransom if paid, legal, regulatory response, lost revenue), and what you’re changing. NIST CSF 2.0 — which replaced the FFIEC’s Cybersecurity Assessment Tool, sunset August 31, 2025 — expects documented improvement actions after significant incidents.

Prepare for regulatory follow-up. Ransomware incidents routinely result in examiner scrutiny. Examiners will review your incident documentation, your 36-hour notification record, your forensics findings, and your remediation plan. Having a complete incident package ready before they ask signals maturity. Scrambling to reconstruct the timeline after the fact signals the opposite.

The 5 Mistakes Financial Institutions Make

No pre-negotiated forensics retainer. Under active attack pressure, finding qualified forensics capacity is nearly impossible. Negotiate a retainer — including agreed-upon rates and SLAs — before you need it.

Rebooting infected systems. Reboots can trigger encryption of remaining files and destroy volatile memory evidence. Preserve systems for forensics before any remediation.

Waiting for complete scope before notifying regulators. The 36-hour clock runs regardless. File with what you know; update as scope is confirmed.

Skipping OFAC screening before paying ransom. Paying a sanctioned ransomware group — even unknowingly — creates OFAC exposure. FinCEN has made clear that financial institutions are expected to identify and report ransomware activity; unknowing facilitation of sanctions violations compounds the original incident.

Not documenting the SAR decision. Even if you ultimately decide not to file a SAR (which would be unusual), document why. Examiners reviewing your BSA/AML program after a ransomware incident expect to see evidence that you considered and acted on your SAR obligations.

So What?

Ransomware in financial services stopped being a pure IT problem the moment Congress passed the 36-hour notification rule. Your CISO can manage the technical response. Only your Legal, Compliance, and Risk teams — working a coordinated timeline with clear ownership — can manage the regulatory response simultaneously.

The institutions that handle ransomware incidents well have three things in common: a pre-tested IR plan with a ransomware-specific playbook, a pre-negotiated forensics retainer, and a leadership team that’s walked through the notification timeline in a tabletop exercise before they faced it for real. CISA’s StopRansomware guidance remains the baseline reference for response steps — but the regulatory notification layer on top is what makes financial institution ransomware response distinct from every other industry.

If you’re building or stress-testing your IR program, the Incident Response & Breach Notification Kit includes ransomware-specific playbook templates, regulatory notification checklists mapped to the 36-hour rule and Reg S-P, and SAR filing guidance built for the financial services context.

Frequently Asked Questions

Does the 36-hour bank regulator notification rule apply to ransomware attacks?
Yes. The OCC, FDIC, and Federal Reserve’s joint Computer-Security Incident Notification rule (effective May 1, 2022) requires banking organizations to notify their primary federal regulator within 36 hours of determining a “notification incident” has occurred. A ransomware attack that disrupts or degrades core banking operations, prevents customers from accessing accounts, or impacts financial sector stability qualifies. The 36-hour clock starts when you determine you have a notification incident — not necessarily when the attack begins.
Should a financial institution pay a ransomware demand?
The payment decision requires legal and regulatory analysis before any action. First, conduct OFAC sanctions screening — paying a sanctioned ransomware group exposes you to OFAC penalties even if you didn't know they were on the SDN list. Second, consult legal counsel on whether payment is lawful and advisable. Third, note that paying does not guarantee decryption key delivery or attacker withdrawal; restoring from clean backups remains the more reliable recovery path. Document your decision rationale regardless of the outcome.
Do we need to file a SAR after a ransomware attack?
Yes. FinCEN guidance indicates that financial institutions should file a Suspicious Activity Report for ransomware attacks on the institution. The standard SAR filing threshold applies ($5,000 if a suspect can be identified; $25,000 regardless). SAR filing is not optional — examiners reviewing your BSA program after a ransomware incident will expect to see it, and a missing SAR creates additional regulatory exposure on top of the incident itself.
What's the difference between the 36-hour bank regulator notification and the 30-day Reg S-P customer notification?
They are parallel obligations with different recipients. The 36-hour rule (OCC/FDIC/Fed) runs to your primary federal banking regulator and triggers when you determine a notification incident has occurred. The Reg S-P 30-day obligation runs to affected customers and triggers when customer information (NPI) is determined to have been affected. The 30-day customer notification clock runs from discovery — not from when you've confirmed scope. Both can run simultaneously, and missing either creates independent regulatory exposure.
How long does full recovery from ransomware typically take for financial institutions?
According to Sophos's State of Ransomware in Financial Services 2025 report, 53% of financial services victims recovered within one week. That means 47% took longer. Recovery time depends heavily on backup integrity and isolation, network complexity, and whether core banking systems were affected. Institutions with tested, isolated backups that are confirmed ransomware-free recover significantly faster. Those that discover their backups were also encrypted face multi-week to multi-month recovery timelines.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
