Day 1 Checklist

Below are key considerations for your first day responding to a ransomware matter. We will help you work through each of these.

Impact Assessment

Determine what is not operational, who will notice, and what consequences will likely follow. Identify potential “downstream” impacts to stakeholders, clients, and vendors.

Vendor Engagement

Identify potential external legal counsel, forensics firm, negotiation and payment source, workforce augmentation/restoration vendors, forensic accountant (to document expense and income loss), and communications firm to consider engaging.

Threat Actor Intelligence

Find the ransom note and make preliminary attribution based on file extension and note content. Analyze whether: (1) threat actor is known to only encrypt or steal/encrypt; and (2) threat actor may be on a sanctions list.

Ransom Negotiation Strategy

Directly or through negotiation, make contact with the threat actor to obtain initial demand and begin to develop negotiation strategy. Identify threat actor’s history of payment default, decryptor efficacy, and tor site data posting strategy. Consider payment logistics (e.g., timing of wiring funds to negotiation vendor before wire close/weekend).

Restoration Planning


Identify how access occurred and how ransomware was deployed. Consider whether there are systems that should be taken offline to prevent further spread. Build plan to eliminate current access so you can restore to a secure environment (or build segmented VLAN to restore in until containment occurs).


Account for preservation needs before wiping and reimaging devices during restoration.


Determine stakeholder communication needs and prepare drafts of reactive holding statement for media, associates, and franchisees.

“Response Plan” Execution

Align response to key considerations based on incident, business continuity, and crisis response plans.

Notice analysis

Develop preliminary assessment of potential notification obligations.


Identify what insurance carrier(s) (e.g., cyber, kidnap/ransom) will require to consent to ransom payment and to reimburse (e.g., “business case” for payment, OFAC clearance report).

Share this page