Incident Response Guide — What to Do During and After a Cyberattack
The decisions made in the first 4 hours of a cybersecurity incident determine whether it becomes a manageable event or a company-defining disaster. This guide exists so you know what to do before you need it.
Breach Response Timeline
Immediate Actions
Do not turn off affected systems: powering them down destroys volatile forensic evidence. The one exception is ransomware that is actively encrypting, in which case isolate the system from the network immediately. Document everything you observe with timestamps, notify your IT lead and security contact, and preserve all logs.
Contain
Isolate affected systems at the network level without shutting them down, change credentials for every account that may be compromised, activate your incident response plan, and engage your MDR provider or IR retainer if you have one.
Assess Scope
Determine which systems are affected, what data may be exposed, and which business functions are impaired. Notify legal counsel so that the investigation is conducted under attorney-client privilege. Begin preserving evidence.
Notify Stakeholders
Notify the CEO and board, keep legal counsel engaged, notify your cyber insurer (most policies require notification within 24-72 hours of discovery), and begin the regulatory breach notification assessment with legal counsel.
Regulatory Obligations
The HIPAA 60-day clock starts at discovery; most state breach notification laws require notification within 30-72 hours of determination; for public companies, the SEC requires disclosure of a material cybersecurity incident within 4 business days.
Ransomware Specific Guidance
The pay or don't pay decision: this is a business decision with legal, ethical, and practical dimensions. Paying does not guarantee decryption, does not guarantee the stolen data won't be published, funds criminal organizations, and may violate OFAC sanctions if the threat actor is a sanctioned entity. Not paying preserves leverage and avoids sanctions risk but may result in data publication and longer recovery. Engage legal counsel before any payment decision.
The Office of Foreign Assets Control (OFAC) issue: paying a ransom to a sanctioned entity (North Korean Lazarus Group, Russian Evil Corp, others) is a potential civil violation regardless of whether you knew the recipient was sanctioned. Engage specialized legal counsel or the FBI before paying.
Negotiation: ransom amounts are typically negotiable. Professional incident response firms negotiate regularly and understand the market dynamics. Do not negotiate directly — engage a professional.
Recovery without paying is viable if you have clean, tested, offline backups. The test is "offline or immutable": ransomware encrypted network-connected backups in 70% of attacks in 2023. Tape, immutable cloud storage (AWS S3 Object Lock, Azure immutable blob storage), or air-gapped backups are the only reliable recovery option.
Business Email Compromise (BEC) Specific Guidance
Wire transfer fraud: BEC most commonly results in fraudulent wire transfers. If a fraudulent wire transfer was made within the last 24-48 hours, contact your bank immediately to initiate a SWIFT recall. The FBI's Internet Crime Complaint Center (IC3) also operates a Financial Fraud Kill Chain process. Time is critical; funds become unrecoverable quickly.
Email account compromise: change the password and revoke all active sessions immediately. Enable MFA. Review email forwarding rules (attackers commonly set up forwarding to collect intelligence). Review sent emails for fraudulent communications to customers or vendors.
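The forwarding-rule review described above, shown as an added example that is not part of this guide: a small Python triage script that takes exported inbox rules and flags the patterns a responder looks for after an account compromise (forwarding or redirecting outside the organization, deleting or hiding matched mail, watching finance-related subjects, and unnamed rules). The rule records, their field names, and the INTERNAL_DOMAINS value are constructed assumptions, not any mail platform's export schema; map your platform's fields onto them before use.

```python
"""Triage of mailbox inbox rules after a suspected email account compromise.

Constructed example: the InboxRule fields loosely mirror what a mail
platform exports (name, enabled flag, forward/redirect targets, delete or
move actions, subject keywords). The field names and sample rules are
assumptions made for this example, not a vendor schema.
"""
from dataclasses import dataclass, field

# Assumed: the organization's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Subject keywords that matter in a BEC investigation because a rule matching
# them lets an intruder watch payment traffic without the owner noticing.
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "ach", "bank", "remit"}

# Folders a mailbox owner rarely opens; moving mail there hides it in practice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "conversation history"}


@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list = field(default_factory=list)


def is_external(address):
    """True when the address's domain is not one of INTERNAL_DOMAINS."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def review_rule(rule):
    """Return a list of human-readable findings for one rule (empty = benign)."""
    findings = []
    if not rule.enabled:
        return findings  # disabled rules still get exported; they do nothing
    external = [t for t in rule.forward_to + rule.redirect_to if is_external(t)]
    if external:
        findings.append("forwards mail outside the organization: " + ", ".join(external))
    if rule.delete_message:
        findings.append("deletes messages (hides traffic from the mailbox owner)")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append("moves messages to rarely viewed folder '%s'" % rule.move_to_folder)
    hits = [k for k in rule.subject_contains if k.lower() in FINANCE_KEYWORDS]
    if hits:
        findings.append("targets finance-related subjects: " + ", ".join(hits))
    if rule.name.strip(" .,-_") == "":
        findings.append("rule has an empty or punctuation-only name")
    return findings


def review_inbox_rules(rules):
    """Return [(rule_name, findings)] for every rule with at least one finding."""
    report = []
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report.append((rule.name, findings))
    return report


# Constructed sample export: one benign rule, one classic BEC persistence rule,
# one disabled leftover, and one rule that hides payment mail in an odd folder.
SAMPLE_RULES = [
    InboxRule(name="Newsletter cleanup", enabled=True,
              move_to_folder="Newsletters", subject_contains=["digest"]),
    InboxRule(name=".", enabled=True,
              forward_to=["finance.backup@mail-example.net"],
              delete_message=True, subject_contains=["invoice", "wire"]),
    InboxRule(name="Old forward", enabled=False,
              forward_to=["someone@mail-example.net"]),
    InboxRule(name="Archive receipts", enabled=True,
              move_to_folder="RSS Feeds", subject_contains=["payment"]),
]

if __name__ == "__main__":
    for name, findings in review_inbox_rules(SAMPLE_RULES):
        print("rule %r:" % name)
        for f in findings:
            print("  -", f)
```

Any rule with an external forward means the intruder has had a copy of every matching message since the rule was created, so the creation time of that rule bounds how far back the sent-items and vendor-communication review has to go.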
Incident Response Retainers
What an IR retainer is: a pre-negotiated agreement with an incident response firm that guarantees a response SLA when you need them. Without a retainer, you compete with every other breached company for scarce IR resources during a major industry event — when you need IR most (large ransomware campaign hitting many companies simultaneously), it is hardest to engage without a retainer.
Retainer structure: annual fee ($10,000-$50,000 for SMB) gives you a guaranteed SLA (typically 4-hour response from a named team) and pre-negotiated hourly rates. Unused retainer hours may roll over or be used for proactive activities (tabletop exercises, IR plan development).
What to look for in an IR firm: experience with your industry, active threat intelligence capability, established law enforcement relationships (FBI, CISA), public sector notification experience, forensic evidence handling experience, experience testifying if litigation follows.
The Cyber Insurer's Role
Notify immediately: most cyber insurance policies require notification within 24-72 hours of discovery. Failure to notify in time can jeopardize coverage.
The insurer's IR panel: cyber insurers have pre-approved IR firms, legal counsel, and forensic firms. Using their panel typically means coverage applies; using outside vendors requires pre-approval. Know this before an incident.
Coverage for ransomware: most cyber policies cover ransom payments (subject to OFAC considerations), recovery costs, business interruption, and notification costs. Read your policy — sublimits for ransomware, waiting periods for business interruption, and co-insurance requirements vary.
What insurers are looking for post-incident: evidence that you had reasonable security controls in place. MFA, EDR, and backup disciplines are the most scrutinized. Misrepresentation of security controls on your application can void coverage.