Chapter 8: Early Responses

This chapter covers what to do after initially stopping further damage from ransomware. It includes examining what is currently known about the ransomware, additional major decisions that need to be made, and additional early actions. In general, this chapter covers the second phase of the ransomware response but does not include most recovery tasks.

This chapter assumes the ransomware response plan has been initiated and that the ransomware program has been identified and prevented from spreading further or causing more damage. The on-site damage you already have is assumed to be the maximum damage you will have.

What Do You Know?

Now is the time to, again, write down and document what is known about the ransomware attack, including the following:

  • What resources are impacted?
  • What resources seem unimpacted?
  • What are the commonalities of the resources that have or haven't been impacted (e.g., location, OS, role, network, shared services, accounts, etc.)?
  • What assets are still up and operating normally, if any?
  • What networks are still up and operating normally, if any?
  • Are there assets or networks operating at partial levels?
  • What are the current project teams, in-process task threads, and likely future tasks?
  • Who currently knows of the incident?
  • Who has been contacted and is aware of the incident?
  • What is the current communications plan? What are you still waiting on to be communicated to whom?
  • Do you know if any data has been exfiltrated? Do you ...
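The question of what the impacted and unimpacted resources have in common can be answered systematically once the inventory is written down. The following is an added example (not code from the book): a constructed asset inventory with an impacted flag, a per-attribute impact tally, and a search for attribute values shared by every hit asset but by no clean one. Hostnames, sites, VLANs and group names are all invented.

```python
from collections import defaultdict

# Constructed sample asset inventory (not from the book); 'impacted' comes
# from the incident record, the other fields are the attributes the chapter
# suggests comparing across hit and unaffected resources.
INVENTORY = [
    {"host": "fs01",  "impacted": True,  "site": "HQ",     "os": "WinSrv2016", "role": "file", "vlan": "10", "admin_group": "ops-admins"},
    {"host": "fs02",  "impacted": True,  "site": "Branch", "os": "WinSrv2019", "role": "file", "vlan": "20", "admin_group": "ops-admins"},
    {"host": "app01", "impacted": True,  "site": "HQ",     "os": "WinSrv2019", "role": "app",  "vlan": "10", "admin_group": "ops-admins"},
    {"host": "app02", "impacted": True,  "site": "Branch", "os": "WinSrv2016", "role": "app",  "vlan": "20", "admin_group": "ops-admins"},
    {"host": "db01",  "impacted": False, "site": "HQ",     "os": "Linux",      "role": "db",   "vlan": "30", "admin_group": "dba-admins"},
    {"host": "web01", "impacted": False, "site": "Branch", "os": "WinSrv2019", "role": "web",  "vlan": "20", "admin_group": "web-admins"},
    {"host": "fs03",  "impacted": False, "site": "HQ",     "os": "WinSrv2016", "role": "file", "vlan": "10", "admin_group": "dev-admins"},
]
FIELDS = ["site", "os", "role", "vlan", "admin_group"]


def impact_rate(inventory, field):
    """Map each value of `field` to (impacted count, total count)."""
    tally = defaultdict(lambda: [0, 0])
    for asset in inventory:
        value = asset.get(field, "unknown")
        tally[value][1] += 1
        if asset["impacted"]:
            tally[value][0] += 1
    return {value: tuple(counts) for value, counts in tally.items()}


def commonalities(inventory, fields):
    """Return (field, value) pairs shared by every impacted asset and present
    on no unimpacted asset; these are the attributes worth checking first
    when asking what the hit resources have in common."""
    impacted = [a for a in inventory if a["impacted"]]
    clean = [a for a in inventory if not a["impacted"]]
    leads = []
    for field in fields:
        values = {a.get(field, "unknown") for a in impacted}
        if len(values) == 1:  # every impacted asset agrees on this field
            value = values.pop()
            if all(a.get(field, "unknown") != value for a in clean):
                leads.append((field, value))
    return leads


if __name__ == "__main__":
    for field in FIELDS:
        print(field, impact_rate(INVENTORY, field))
    print("shared only by impacted assets:", commonalities(INVENTORY, FIELDS))
```

In the sample, site, OS, role and VLAN are all mixed across the hit assets, and only the shared admin group stands out, which is the kind of lead that feeds the next round of containment and the communications list.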
