Chapter 7: Minimizing Damage
In this chapter it is assumed that you have detected a large-scale ransomware attack in your organization and are just starting to respond. You have activated the ransomware response plan and contacted the needed team members, and you now need to assess the scope of the damage and minimize it. This chapter covers the first 24 hours.
Basic Outline for Initial Ransomware Response
After activating the ransomware response plan, the first major task is to stop the ransomware program(s) from spreading further and doing more damage. This is followed by determining the initial scope of the ransomware involvement and damage. Then comes the first official team meeting, where everyone shares what they have learned and the remaining initial response decisions are made. Figure 7.1 shows the initial tasks graphically.
Everything in the early phases of the ransomware response plan can typically be accomplished in 24 hours, although it may take longer depending on circumstances, resources, timing, and the aggressiveness of the response. Ransomware attackers are notorious for intentionally launching their attacks late at night, on weekends, and during holidays. They want to maximize the harm their program(s) can do before anyone notices, and to make the defensive response slower and less effective. The following sections look at each of these tasks in more detail.