Ransomware Playbook

Ransomware, unlike other security incidents, puts organisations on a countdown timer. Decisions need to be made swiftly and in an orderly fashion. Any delay in the decision making process can result in public disclosure or complete loss of data.

Ransomware is malicious software that encrypts files, prevents access to them and demands payment for their recovery. A ransomware attack may also lead to an adversary:

• Deleting network backups
• Exfiltrating data, including potentially sensitive or Personally Identifiable Information (PII) data
• Gaining access to an Organisations entire infrastructure including domain controllers and databases
• Credential access
• Publicly exposing stolen data on public/dark-web forums

This free download provides Operational Level guidance on how to deal with a cyber incident. It is advised that the Incident Response Playbooks are reviewed and exercised regularly to ensure that it remains up to date for contact details, roles, and recovery priorities. These reviews can be administrative, by checking that contact information is up-to-date, or verified as part of a cyber exercise. It is important that the person responsible of reviewing the document signs off to confirm that the information is correct. Up-to-date copies of this document should be retained offline and in a secure manner along with any associated playbooks.