Day 1 Checklist
Below are key considerations for your first day responding to a ransomware matter. We will help you work through each of these.
Determine what is not operational, who will notice, and what consequences will likely follow. Identify potential “downstream” impacts to stakeholders, clients, and vendors.
Identify potential external legal counsel, forensics firm, negotiation and payment source, workforce augmentation/restoration vendors, forensic accountant (to document expense and income loss), and communications firm to consider engaging.
Threat Actor Intelligence
Find the ransom note and make a preliminary attribution based on the encrypted-file extension and the note's content. Analyze whether: (1) the threat actor is known to only encrypt, or to both steal and encrypt data; and (2) the threat actor may be on a sanctions list.
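The first-look triage described above can be scripted so the response team has the raw material for attribution (dominant appended extension, note locations, and the contact details the note carries) within minutes of getting access to a host. The following Python is an added illustrative example, not part of this checklist or any vendor's tooling; the note-name heuristics, the "known" extension list, and the sample directory tree (including the .locked extension, the .onion address and the e-mail address) are all constructed for the demonstration.

```python
"""First-look ransomware triage: tally file extensions to spot the appended
encryption extension, locate ransom notes by filename, and pull contact
details (Tor .onion hosts, e-mail addresses) out of them for the negotiation
and sanctions-screening steps. Illustrative code; all heuristics are assumptions."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic: ransom notes are usually named to be noticed (assumption).
NOTE_NAME_RE = re.compile(r"(readme|decrypt|recover|restore|how[_ -]?to|help)", re.I)
NOTE_SUFFIXES = {".txt", ".html", ".hta", ""}
# v2/v3 onion hostnames are base32 (a-z, 2-7), 16 or 56 characters long.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Extensions treated as ordinary business files (assumption; tune per environment).
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png",
              ".exe", ".dll", ".log", ".csv", ".html", ".hta", ""}


def tally_extensions(root):
    """Count every file suffix under root (lower-cased)."""
    counts = Counter()
    for p in Path(root).rglob("*"):
        if p.is_file():
            counts[p.suffix.lower()] += 1
    return counts


def find_ransom_notes(root, max_bytes=64 * 1024):
    """Return candidate ransom notes with the contact details found in each."""
    notes = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in NOTE_SUFFIXES:
            continue
        if not NOTE_NAME_RE.search(p.stem):
            continue
        try:
            text = p.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            continue  # unreadable during triage; note it and move on
        notes.append({
            "path": str(p),
            "onion": sorted(set(m.lower() for m in ONION_RE.findall(text))),
            "emails": sorted(set(EMAIL_RE.findall(text))),
        })
    return notes


def triage(root):
    """Summarise a host: extension counts, the most common unknown extension
    (the likely appended encryption extension), and ransom notes found."""
    counts = tally_extensions(root)
    suspicious = {ext: n for ext, n in counts.items() if ext not in KNOWN_EXTS}
    dominant = max(suspicious, key=suspicious.get) if suspicious else None
    return {
        "extension_counts": dict(counts),
        "suspicious_extension": dominant,
        "notes": find_ransom_notes(root),
    }


def build_sample_tree():
    """Constructed sample: three encrypted files, two untouched files, one note."""
    root = Path(tempfile.mkdtemp(prefix="rw-triage-"))
    (root / "finance").mkdir()
    for name in ("finance/budget.xlsx.locked", "report.pdf.locked", "photo.jpg.locked"):
        (root / name).write_bytes(b"\x00constructed ciphertext\x00")
    (root / "notes.txt").write_text("ordinary file, not touched")
    (root / "memo.docx").write_bytes(b"PK\x03\x04 constructed")
    (root / "HOW_TO_RECOVER_FILES.txt").write_text(
        "Your files are encrypted.\n"
        "Contact support@example.com or visit http://aaaabbbbccccdddd.onion/ "
        "within 72 hours.\n")  # constructed placeholder contact details
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("appended extension:", result["suspicious_extension"])
    for note in result["notes"]:
        print("note:", note["path"], note["onion"], note["emails"])
```

Run it against a read-only mount or a forensic copy rather than the live host where possible; the contact details it extracts feed the sanctions check and the negotiation vendor, and the dominant extension is a starting point for attribution, not a conclusion.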
Ransom Negotiation Strategy
Directly or through a negotiation vendor, make contact with the threat actor to obtain the initial demand and begin to develop a negotiation strategy. Identify the threat actor's history of payment default, decryptor efficacy, and Tor leak-site data posting strategy. Consider payment logistics (e.g., timing of wiring funds to the negotiation vendor before the wire cutoff or a weekend).
Identify how access occurred and how the ransomware was deployed. Consider whether there are systems that should be taken offline to prevent further spread. Build a plan to eliminate the threat actor's current access so that you can restore into a secure environment (or build a segmented VLAN to restore into until containment is complete).
Account for preservation needs before wiping and reimaging devices during restoration.
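Preservation is easier to defend later if the artifacts copied off a host are hashed before the host is reimaged and the copy is verified against that record. The Python below is an added illustrative example, not part of this checklist or any forensics firm's tooling; the manifest format, the sample artifact names and the temporary directories are constructed for the demonstration.

```python
"""Preservation manifest: record SHA-256, size and mtime of every artifact
under a directory before the host is wiped, copy the artifacts off, and verify
the copy against the manifest. Illustrative code; file names are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large event logs or memory images fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (relative to root) to its hash, size and modification time."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return {"root": str(root), "files": entries}


def verify_copy(copy_root, manifest):
    """Compare a preserved copy against the manifest; return sorted problems
    (missing files, size differences, hash mismatches). Empty list means clean."""
    copy_root = Path(copy_root)
    problems = []
    for rel, meta in manifest["files"].items():
        target = copy_root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif target.stat().st_size != meta["size"]:
            problems.append(f"size mismatch: {rel}")
        elif sha256_file(target) != meta["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    return sorted(problems)


def demo():
    """Constructed walk-through: build artifacts, preserve, verify, then show
    that tampering with the copy is detected. Returns (clean, tampered)."""
    src = Path(tempfile.mkdtemp(prefix="preserve-src-"))
    (src / "logs").mkdir()
    (src / "logs" / "security.evtx").write_bytes(b"constructed event log bytes")
    (src / "HOW_TO_RECOVER_FILES.txt").write_text("constructed ransom note")
    manifest = build_manifest(src)

    # Preserve: copy the tree to evidence storage and keep the manifest with it.
    dst = Path(tempfile.mkdtemp(prefix="preserve-dst-"))
    shutil.copytree(src, dst / "evidence")
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_copy(dst / "evidence", manifest)

    # Alter one preserved file to show the verification catches it.
    (dst / "evidence" / "logs" / "security.evtx").write_bytes(b"altered")
    tampered = verify_copy(dst / "evidence", manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy problems:", clean)
    print("tampered copy problems:", tampered)
```

Store the manifest (and ideally a signed or independently hashed copy of it) separately from the evidence itself; the manifest is what lets counsel or a forensic accountant later show that the logs, notes and encrypted samples examined are the ones taken from the host before it was rebuilt.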
Determine stakeholder communication needs and prepare drafts of a reactive holding statement for media, associates, and franchisees.
“Response Plan” Execution
Align response to key considerations based on incident, business continuity, and crisis response plans.
Develop preliminary assessment of potential notification obligations.
Identify what insurance carrier(s) (e.g., cyber, kidnap/ransom) will require to consent to ransom payment and to reimburse (e.g., “business case” for payment, OFAC clearance report).