Ransomware · Incident Response · Dental Security · 6 min read

What Happens in the First Hour of a Ransomware Attack


Marcus Hale

Director of Recovery Engineering · DDSArk · Published


Did the attack really start this morning?

No. By the time a ransom note appears, the attacker has usually been inside your network for days or even weeks. The note is the last step, not the first. Ransomware groups break in quietly, look around, find where your patient data and your backups live, steal a copy to extort you with later, and only then trigger encryption, almost always at night or over a weekend when no one is at the front desk to react.

That lead-up matters because it explains the most painful surprise in dental ransomware: practices that thought they had backups discover the backups were encrypted too. In the Tampa Bay Dental Implants incident, the same server that ran the practice also held the backups, so one encryption event took out roughly 6,400 patients' records and the safety net at the same time. We unpack exactly how that happens in why your dental backup got encrypted too.

Here is how a realistic first hour actually unfolds.

A timeline of the first hour

−14 days to −1 day — The attacker is already inside

Nothing looks wrong. Charts open, X-rays load, claims go out. In the background, a stolen credential or an unpatched remote-access tool has given an intruder a foothold. They are mapping shared drives, copying patient files, and quietly identifying your backup system so they can disable it before they strike. This is why a strong perimeter is not enough on its own.

0:00 — The ransom note appears

A staff member arrives, wakes a workstation, and finds a text file or full-screen message demanding payment in cryptocurrency. Practice management software will not open. Files have strange new extensions. Action: stay calm and do not interact with the note. Do not click links or "decrypt" buttons.

0:05 — Isolate, do not power off

The instinct is to shut everything down. Resist it. Action: unplug network cables and disable Wi-Fi on affected machines, and disconnect the practice from the internet, but leave the computers powered on. Powering off can destroy forensic evidence in memory that helps responders understand the scope. Isolation stops the spread; shutdown destroys clues.

0:10 — Stop the bleed across the fleet

Ransomware moves laterally. Action: isolate the server and any networked device sharing files, including imaging machines and any connected backup appliance. If you cannot tell what is infected, isolate everything and let your IT provider sort it out.

0:15 — Notify your IT or MSP

Action: call your IT provider or managed service provider now, not by email. They will begin scoping which systems are hit and whether clean backups exist off-site. With only about 14% of healthcare organizations fully staffed for security, most practices depend on an external partner for exactly this moment.

0:25 — Call your cyber-insurance carrier

Action: notify your cyber-insurance carrier through their incident hotline. Most policies require prompt notification and provide a breach coach and approved forensics firm. Calling late can jeopardize coverage. Do this before making any other decisions.

0:35 — Document everything

Action: photograph the ransom note, write down the exact time you discovered it, list affected machines, and note anything unusual staff saw recently. This record feeds insurance, forensics, and any later regulatory reporting.

Do not pay yet — and probably not at all. CISA and the FBI advise against paying ransoms: payment funds future attacks and guarantees nothing. Across 2025, only about 2% of organizations that paid recovered all their data. Paying is a last resort, decided with your breach coach, not a first-hour reflex.

0:45 — Pause operations and protect patients

Action: decide with your team whether to continue seeing patients on paper or reschedule. Do not reconnect any device to the network to "check" something. A reconnected machine can re-trigger encryption across systems you just isolated.

0:55 — Confirm your recovery position

This is the question that decides everything. Action: with your provider, confirm whether you have an off-site backup the attacker could not touch. If your only backups lived on the same network, on a mapped drive, or on a connected NAS, assume they are compromised.
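The steps above (capture volatile evidence, isolate without powering off, document the note, check whether the backups were reachable from the network) can be run by your IT provider as one triage script on an affected Windows workstation. This is an added example, not DDSArk's tooling or anything from the original article; it assumes an elevated PowerShell 5.1+ session and uses C:\IR-Triage as a constructed local output folder.

```powershell
# Added example (not DDSArk's software). Records volatile evidence, then cuts
# network access WITHOUT shutting down, and writes the "document everything"
# record. Assumes: run as Administrator; C:\IR-Triage is a constructed path.
$logDir = 'C:\IR-Triage'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$log = Join-Path $logDir ("triage-{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Write-Section([string]$Title, $Content) {
    "`n=== $Title ===" | Out-File -FilePath $log -Append
    $Content | Out-String -Width 200 | Out-File -FilePath $log -Append
}

# 0:35 Document: when it was found, on which machine, by whom.
Write-Section 'Discovery' @(
    "Discovered at : $(Get-Date -Format o)",
    "Host          : $env:COMPUTERNAME",
    "Logged-on user: $env:USERDOMAIN\$env:USERNAME",
    "Last boot     : $((Get-CimInstance Win32_OperatingSystem).LastBootUpTime)"
)

# Volatile evidence a power-off would destroy: capture it BEFORE isolating.
Write-Section 'Active network connections' (Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess)
Write-Section 'Running processes' (Get-Process | Select-Object Id, ProcessName, Path)

# 0:55 Recovery position: mapped drives show whether the "backup" sat on this
# network (and was therefore reachable by the attacker before the note).
$mappings = Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
Write-Section 'Mapped network drives' $mappings
$suspectBackups = $mappings | Where-Object { $_.RemotePath -match 'backup|nas|archive' }
if ($suspectBackups) {
    Write-Section 'WARNING: backup-like shares reachable from this host' $suspectBackups
}

# Ransom note: copy and hash it for insurance/forensics; never open or click it.
$notes = Get-ChildItem -Path "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Documents" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'readme|restore|decrypt|recover' -and $_.Length -lt 1MB }
foreach ($n in $notes) {
    Copy-Item $n.FullName -Destination $logDir -ErrorAction SilentlyContinue
    Write-Section "Possible ransom note: $($n.FullName)" (Get-FileHash $n.FullName -Algorithm SHA256)
}

# 0:05 Isolate, do not power off: disable every live adapter, leave the OS up.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Write-Section 'Disabling adapter' $_.Name
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}
"Isolation complete at $(Get-Date -Format o). Machine left powered on." | Out-File -FilePath $log -Append
```

The triage file is written locally on purpose; the IT provider collects it by USB or console later, since the machine is now off the network.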

Beyond the first hour

The first hour is containment. Recovery, breach notification under HIPAA, and getting the practice running again are a longer, structured process. We walk through all of it in the dental ransomware recovery playbook.

Why the backup question is the whole game

Every decision in that hour bends toward one outcome: can you restore without the attacker's key? Practices with clean, isolated backups recover on their own. True Dental Care in Pennsylvania restored from backups after an attack affecting 17,640 people and did not pay. Practices without them face a worse menu: paying a demand that 2025 data put at an average around $615,000, weathering an average recovery of about 19 days, and absorbing an average recovery cost near $1.02 million (Comparitech, 2025-26). Healthcare ransomware rose roughly 58% in 2025, with dental and secondary care making up about 26% of the roughly 636 tracked attacks, so this is not a rare scenario.

The attacker's whole strategy depends on reaching your backups during those quiet days before the note appears. DDSArk's approach is built to defeat exactly that: immutable, write-once copies stored encrypted and off-site, captured in an application-consistent way and managed by your MSP, with restores tested before you ever need them. Because the backups live outside the network the attacker compromised and cannot be altered or deleted, the ransom note becomes an inconvenience instead of a catastrophe. The recovery target — a 15-minute recovery point and a sub-15-minute restore — is set with your provider.

The first hour is survivable. What makes it survivable is a decision you make long before it starts.

Key takeaways

  • The ransom note is the last step of an attack that was usually already underway for days or weeks.
  • Isolate affected machines from the network but do not power them off — shutting down destroys forensic evidence.
  • Call your IT provider or MSP and your cyber-insurance carrier immediately; late notification can void coverage.
  • Do not pay in the first hour — CISA and the FBI advise against it, and only ~2% of payers recovered all data in 2025.
  • Whether you survive comes down to one thing: off-site, immutable backups the attacker could not reach.
  • Backups on the same network, a mapped drive, or a connected NAS should be assumed compromised.

Frequently asked questions

Should I shut down my computers when I see a ransom note?

No. Disconnect affected machines from the network and the internet, but leave them powered on. Shutting down can wipe forensic evidence in memory that responders need to understand the attack. Isolation stops the spread without destroying clues.

How long was the attacker inside before the ransom note appeared?

Usually days to weeks. Ransomware groups break in quietly, steal patient data, locate and disable backups, then trigger encryption at night or over a weekend. The note you see is the final step, not the beginning.

Should I pay the ransom to get my practice running again?

Not as a first-hour decision. CISA and the FBI advise against paying because it funds future attacks and guarantees nothing — only about 2% of organizations that paid in 2025 recovered all their data. Decide with your insurer's breach coach, not under pressure.

What protects a dental practice from losing everything?

Off-site, immutable backups the attacker cannot reach, alter, or delete. Practices with clean, isolated backups can restore on their own and avoid paying. Backups stored on the same network as the infected systems are typically encrypted alongside them.

Who should I call first?

Call your IT provider or managed service provider immediately, then your cyber-insurance carrier's incident hotline. Most healthcare practices are not fully staffed for security, so an external partner usually drives the technical response in the first hour.
