How to Respond to Ransomware in the First 72 Hours
The decisions in order, drawn from Mark Lynd's facilitation of 150+ executive tabletop exercises. This is the executive playbook — not the SOC runbook.
Disclaimer: this is general guidance, not legal or breach-counsel advice. Engage outside counsel and your IR retainer immediately.
Hour 0–1: Confirm and Convene
1. Confirm the event is real
A user report or alert is not yet a ransomware event. Have the security team confirm encrypted assets, ransom note, or known TTPs before invoking the IR plan. False starts erode plan discipline.
2. Activate the incident commander
The named incident commander assumes operational authority. If you do not know who that is, you have a preparation problem — in 89% of Mark's tabletops, three or more participants could not name the IC.
3. Notify outside counsel and IR retainer
Counsel establishes attorney-client privilege over the investigation; the IR retainer mobilizes forensics. Both calls happen before public messaging or insurance notification.
Hour 1–6: Contain and Notify
4. Contain — with authority confirmed
Isolate affected systems, segment networks, disable compromised credentials. The decision to take production offline must be made by the authorized executive — document who decided and when.
5. Notify cyber insurance carrier
Most policies require notification within a specific window (often 24–72 hours of awareness) and use of approved IR vendors. Failure here can void coverage. In 91% of Mark's tabletops, no one in the room could cite the timeline.
6. Brief the CEO and board chair
A first read — what is known, what is unknown, what counsel is doing, what insurance is doing, what the next 12 hours look like. No speculation; speculation in a board read becomes truth in a board's head.
Hour 6–24: Investigate and Decide
7. Stand up the war room
Physical or virtual, with a single shared status doc, a running timeline, and a decision log. Anyone making a decision documents who, what, why, when. The decision log becomes the legal artifact.
8. Engage law enforcement
FBI (IC3 or local field office) and CISA. Engagement is generally protective, often required for insurance, and can unlock decryptors or known-TTP intelligence. Counsel coordinates.
9. Make the ransomware payment-decision call
Decide against your pre-documented threshold (you have one, right? 71% of Mark's tabletops did not). Factors: data integrity of backups, OFAC sanctions exposure, business impact, insurance position, regulatory implications. The decision lives in the decision log.
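The decision log in steps 4 and 7 is the artifact counsel and the carrier will eventually ask for, so its integrity matters. Below is an added illustration, not Mark's own tooling: a small Python log that records who, what, why and when for each decision and chains entries with SHA-256 so an after-the-fact edit is detectable. The names, timestamps and decisions in demo() are constructed.

```python
"""Tamper-evident decision log (added example; not from the playbook).
Entries carry who/what/why/when and are hash-chained so later edits show up."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed sentinel: "previous hash" for entry 0


def _digest(body):
    # Canonical JSON (sorted keys) so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionLog:
    def __init__(self):
        self.entries = []

    def record(self, who, what, why, when=None):
        """Append one decision; 'when' defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "who": who, "what": what,
                "why": why, "when": when, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, -1) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body):
                return False, i
            prev = e["hash"]
        return True, -1


def demo():
    """Constructed entries mirroring the playbook's containment decision (step 4)."""
    log = DecisionLog()
    log.record("J. Doe, COO (incident commander)", "Take ERP cluster offline",
               "Forensics confirmed encryption and ransom note on ERP-DB01",
               "2024-01-01T02:15:00+00:00")  # constructed timestamp
    intact = log.verify()
    log.entries[0]["what"] = "Kept ERP online"  # simulate an after-the-fact edit
    return intact, log.verify()
```

Hand-edited entries fail verify() at the first altered index; a log kept in a shared doc gets no such check, which is why the war-room owner should export and hash it at each executive read.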
Hour 24–72: Communicate and Recover
10. Customer and regulatory communications
Counsel reviews every external communication. Sequence: regulators where required (SEC, HIPAA, state AGs), then affected customers, then public statement. Honesty about what is known, restraint about what is not.
11. Begin recovery from tested backups
Recover into clean, segmented infrastructure — not the same network. Tested backups (87% of Mark's tabletops had not tested in the last 6 months) make this hour 24, not hour 240.
12. Daily executive read for the next 7 days
Same time, same format, same audience. Forensics findings, recovery progress, communications status, regulatory posture. Discipline in the read prevents drift in the response.
The Single Most Common Failure
Across 150+ tabletops, the most common executive-layer failure is not technical — it is the gap between the written plan and the live decision. Authority is unclear. Insurance timeline is unknown. Backups are unverified. Payment threshold is undefined. The fix is not more plan; the fix is rehearsal.
Want a tabletop before you need this playbook?
Mark facilitates executive tabletop exercises customized to your industry, threat profile, and board. He also partners with IR-OS to bring the modern IR platform to your live decision flow.