
Ransomware Incident

Intermediate

Your file server just displayed a ransom note. Walk through a realistic incident response scenario, making the critical decisions that determine whether your organization recovers — or pays.

Progress: 1. Initial Detection, 2. Assess the Damage, 3. Recovery Decision

1. Initial Detection

A ransom note just appeared on your file server. What do you do first?
YOUR FILES HAVE BEEN ENCRYPTED
All your documents, databases, and backups have been encrypted with AES-256-CBC + RSA-4096.

To recover your files, send $50,000 in Bitcoin to:
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
You have 72 hours. After that, the price doubles.

A. Pay the ransom: Transfer $50,000 in Bitcoin to the attacker's wallet as demanded.
B. Shut down the server: Power off the affected server immediately to stop the encryption.
C. Disconnect from network: Immediately isolate the affected system by disconnecting it from the network.