A practical, phase-by-phase checklist for the first two weeks of a ransomware incident. Drawn from direct IR experience across hundreds of engagements.
⚠️ In an active incident right now?
Contact us immediately before taking any action. Many organisations destroy critical forensic evidence in the first hours through well-intentioned responses.
enquiries@binary-response.com
Your actions in the first four hours have the greatest impact on eventual recovery time and cost.
☐ Do not reboot or power off affected systems
RAM contains encryption keys, attacker tools, and running processes. Rebooting destroys this permanently. Isolate from the network instead — disconnect the cable or disable the network interface.
☐ Engage your IR provider immediately
If you have an IR retainer, call the emergency line now. If not, engage a specialist firm before making further decisions. Every hour without IR guidance risks additional evidence loss and missteps.
☐ Notify your cyber insurer
Most policies require notification within 24–72 hours of discovering an incident. Notify early — you can provide more detail later. Late notification can affect coverage.
☐ Communicate out-of-band
If corporate email or Teams may be compromised, do not use them to coordinate the response. Use personal phones, Signal, or a clean device on a separate network.
☐ Preserve logs urgently
Export Windows event logs, firewall logs, VPN access logs, and any SIEM data immediately — before they roll over. This is time-critical. Logs from the initial access event may already be near expiry.
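One way to carry out the Windows part of this step, as an added example that is not part of the original checklist: export the event channels most likely to hold the initial-access and lateral-movement trail, hash each export, and write a manifest so the evidence can be verified later. The destination path, the channel list and the manifest layout are assumptions; run it from an elevated prompt on the host being preserved, with the destination on removable or otherwise offline media. The `wevtutil epl` export copies the live channel without clearing it.

```powershell
# Added example (not from the original checklist): export key Windows event logs
# to offline media and hash each export so the evidence chain can be verified.
# The destination path and channel list are assumptions; adjust for your estate.
param(
    [string]$Destination = "E:\evidence\$env:COMPUTERNAME"   # offline media (assumed path)
)

# Channels that most often carry the initial-access and lateral-movement trail.
$Channels = @(
    'Security',
    'System',
    'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-Sysmon/Operational'   # present only where Sysmon is installed
)

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$Manifest = Join-Path $Destination 'manifest.csv'
$Rows = @()
$Now = (Get-Date).ToUniversalTime().ToString('o')

foreach ($Channel in $Channels) {
    # Channel names contain '/', which is not valid in a file name.
    $File = Join-Path $Destination (($Channel -replace '[/\\]', '_') + '.evtx')

    # 'epl' exports the live channel as .evtx without clearing it.
    & wevtutil.exe epl $Channel $File 2>$null

    if (Test-Path $File) {
        $Rows += [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Channel     = $Channel
            File        = $File
            SizeBytes   = (Get-Item $File).Length
            SHA256      = (Get-FileHash -Path $File -Algorithm SHA256).Hash
            ExportedUtc = $Now
        }
    } else {
        # Record the failure too: an absent channel is itself a finding worth noting.
        Write-Warning "Channel '$Channel' not present or export failed."
        $Rows += [pscustomobject]@{
            Host = $env:COMPUTERNAME; Channel = $Channel; File = ''
            SizeBytes = 0; SHA256 = 'NOT_EXPORTED'; ExportedUtc = $Now
        }
    }
}

$Rows | Export-Csv -Path $Manifest -NoTypeInformation

# Note how far back the Security log still reaches: if the oldest surviving event
# is only days old, the initial-access window may already have rolled over.
$Oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
if ($Oldest) {
    "Oldest surviving Security event (UTC): $($Oldest.TimeCreated.ToUniversalTime().ToString('o'))" |
        Add-Content -Path (Join-Path $Destination 'notes.txt')
}
```

Keep the manifest with the exports; the hashes let you show later that the files handed to the investigator or insurer are the ones taken at the time. Firewall, VPN and SIEM exports follow the same pattern on their own platforms.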
☐ Document everything you have observed
Photograph ransom notes, screenshot alerts, write down the timeline of what was noticed and by whom. This contemporaneous documentation is valuable for investigation and insurance.
☐ Identify affected systems without expanding access
Determine scope from existing telemetry and logs. Do not log into potentially compromised systems from privileged accounts to investigate — you may expose additional credentials to the attacker.
☐ Engage legal counsel
In-house or external. GDPR notification obligations, regulatory disclosure requirements, and potential litigation all require legal input from the earliest stage.
☐ Assess whether the attacker still has active access
Ransomware deployment is often not the final act. Check for active connections, new accounts created, scheduled tasks or services installed by the attacker.
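A read-only triage for the four signs this item lists (active connections, new accounts, scheduled tasks, services), as an added example that is not part of the original checklist. The lookback window, report path and the "outside Windows or Program Files" heuristic for services are assumptions. The local checks run on the host under examination; the Active Directory check only runs if the RSAT `ActiveDirectory` module is available, and is best run from a dedicated clean response workstation rather than a suspect host.

```powershell
# Added example (not from the original checklist): read-only triage for signs the
# attacker still has access. Nothing here changes system state; output goes to a
# report on offline media. Lookback window and report path are assumptions.
param(
    [int]$LookbackDays = 14,
    [string]$Report = "E:\evidence\$env:COMPUTERNAME-access-triage.txt"
)
$Since = (Get-Date).AddDays(-$LookbackDays)
$Out = New-Object System.Collections.Generic.List[string]

# 1. Established TCP connections with the owning process, so unexpected
#    remote endpoints can be matched to the program holding them open.
$Out.Add("== Established TCP connections ==")
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $Out.Add(("{0}:{1} -> {2}:{3} pid={4} ({5})" -f $_.LocalAddress, $_.LocalPort,
        $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $p.ProcessName))
}

# 2. Accounts: local users (no creation date is exposed, so list all for review),
#    local Administrators membership, and AD accounts created in the window.
$Out.Add("== Local accounts ==")
Get-LocalUser | ForEach-Object {
    $Out.Add(("{0} enabled={1} lastLogon={2}" -f $_.Name, $_.Enabled, $_.LastLogon))
}
$Out.Add("== Local Administrators members ==")
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $Out.Add(("{0} ({1})" -f $_.Name, $_.ObjectClass))
}
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $Out.Add("== AD accounts created since $Since ==")
    # The AD module expands $Since inside the filter string.
    Get-ADUser -Filter 'whenCreated -ge $Since' -Properties whenCreated, Enabled | ForEach-Object {
        $Out.Add(("{0} created={1} enabled={2}" -f $_.SamAccountName, $_.whenCreated, $_.Enabled))
    }
}

# 3. Scheduled tasks registered inside the window. Date comes from the task's
#    RegistrationInfo and may be absent, so cast defensively.
$Out.Add("== Scheduled tasks registered since $Since ==")
Get-ScheduledTask | ForEach-Object {
    $d = $_.Date -as [datetime]
    if ($d -and $d -ge $Since) {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $Out.Add(("{0}{1} date={2} author={3} action={4}" -f $_.TaskPath, $_.TaskName, $_.Date, $_.Author, $action))
    }
}

# 4. Services whose binary is outside the Windows or Program Files trees.
#    This is a review heuristic (assumption), not a verdict: legitimate software
#    does sometimes live elsewhere, but attacker-installed services usually do.
$Out.Add("== Services with binaries outside Windows/Program Files (review) ==")
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\' } |
    ForEach-Object {
        $Out.Add(("{0} state={1} start={2} path={3}" -f $_.Name, $_.State, $_.StartMode, $_.PathName))
    }

$Out | Set-Content -Path $Report -Encoding UTF8
Write-Host "Triage written to $Report"
```

Treat the report as a list of things to explain, not a verdict: every entry you cannot account for goes to your IR provider, and the report itself becomes part of the evidence set preserved alongside the exported logs.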
☐ Disable compromised accounts — do not just reset passwords
If Active Directory is compromised, password resets may not be sufficient. The attacker may have created new accounts, established persistence via service accounts, or modified AD objects.
☐ Assess backup integrity before touching them
Do your backups still exist? Are they encrypted? Were backup credentials compromised? Verify backup integrity before making recovery decisions that depend on them.
☐ Identify the ransomware variant and threat actor
The ransom note, file extension, and encrypted file metadata often identify the group. This matters for decryptor viability, negotiation strategy, and sanctions screening.
☐ Check ransomware leak sites for your organisation
Most ransomware groups list victims publicly before publishing data. Knowing whether you are already listed informs negotiation urgency and breach notification timing.
☐ Brief board and senior leadership
Leadership need to know, need to be available for decisions, and need to understand that some decisions (ransom payment, public disclosure) require their authority.
☐ Forensic imaging of key systems before rebuild
Do not rebuild any system without forensic imaging first. Rebuilding destroys evidence that may be needed for investigation, insurance, or legal proceedings.
☐ Conduct sanctions screening before any payment decision
OFSI sanctions apply to ransomware payments. Paying a sanctioned group is a criminal offence. Screen before any payment is authorised.
☐ Make a data exfiltration determination
Was data exfiltrated? What data? This drives GDPR notification obligations. You need a defensible, evidence-based answer — not an assumption.
☐ Notify the ICO if required
GDPR: notify the ICO within 72 hours of becoming aware of a personal data breach. The clock starts when you have reasonable certainty, not definitive proof. Notify and update — do not wait for complete information.
☐ Assess and communicate with sector regulators
FCA, PRA, CQC, and other sector regulators have their own notification requirements and timelines separate from GDPR. Check what applies to your organisation.
☐ Develop and communicate a rebuild plan
Rebuild vs restore decision made with IR guidance. Clean build of domain controllers. Endpoint reimaging. New credential infrastructure. Timeline communicated to business stakeholders.
☐ Validate backup restoration before returning to production
Test restored data for integrity. Do not return to production on the assumption restores are clean — verify.
☐ Confirm root cause is closed before expanding access
The initial access vector — the vulnerability, misconfiguration, or credential that gave the attacker entry — must be closed before recovery broadens. Re-encryption events follow from this mistake.
☐ Monitor leak sites post-payment for 30 days
If a ransom was paid, monitor for data publication. The commitment to delete is unenforceable. Post-payment publication happens.
☐ Conduct post-incident review and lessons learned
Document what happened, why, and what changes result. Update IR plan. Brief board. Assign security improvement owners and timelines.
This checklist is a starting point. Every incident is different. Our practitioners respond to ransomware incidents across all major groups weekly — contact us for immediate expert guidance.
enquiries@binary-response.com