Hour 0–4: Containment
Isolate affected systems from the network, but do not power them off: volatile memory evidence is lost on shutdown. Disable compromised accounts, assess whether the attacker still has active access, and notify your cyber insurer.
Hour 4–24: Scoping
- Identify the threat actor and ransomware variant
- Determine encryption scope and data exfiltration
- Assess backup integrity
- Begin forensic evidence preservation
Hour 24–72: Critical Decisions
Decide whether to engage with the threat actor, how to communicate with regulators, and how to plan recovery. These decisions define outcomes.
Contact us at info@binary-response.com for bespoke threat intelligence briefings.