    Ransomware Response: The Golden Hour & Negotiation Playbook
    Incident Response

    When the ransom note appears, the clock starts ticking. Panic leads to mistakes—reformatting evidence, paying without verification, or leaking news prematurely. This playbook details the professional Incident Response (IR) process, from the 'Golden Hour' of containment to the delicate art of negotiation with threat actors.

    01 //The Golden Hour (0-60 Minutes)

    Your actions in the first hour determine the survival of the company.

    1. **Sever the Link**: Disconnect the internet uplink. Stop the C2 (Command & Control) heartbeat.
    2. **Isolate VLANs**: Prevent lateral spread. If the infection is in HR, cut the bridge to Finance.
    3. **Protect the Crown Jewels**: Verify the integrity of the immutable backups. If they are connected to the network, pull the plug physically.
    4. **Silence**: Do not announce anything yet. Leaks can trigger the attacker to leak data early.

    02 //Negotiation Dynamics

    Negotiation is intelligence gathering, not just payment. Engaging the attacker buys time.

    • **Establish a Persona**: Never negotiate as the CEO. Be a 'mid-level IT manager' who has limited authority. This lowers the ransom demand.
    • **Ask for Proof**: 'We cannot pay if we don't know you have the key. Decrypt this non-sensitive file.'
    • **Stall**: 'Our bank requires 3 days for international transfers.' Use this time to rebuild from backups.

    • Never admit to having cyber insurance (they will demand the policy limit)
    • Use a burner email (ProtonMail) and VPN
    • Request a file tree to verify what data they actually stole

    03 //Recovery & Forensics

    Do not just restore and turn back on. You must find the 'Patient Zero' and the entry vector (RDP, Phishing, VPN exploit). If you restore without patching the hole, they will be back in 2 weeks. This is called a 'Loop Attack'.

    PowerShell: Check for Persistence
    # Scheduled tasks running as SYSTEM; look for random-looking names or tasks created in the last 24h
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq "SYSTEM" }

    # Registry Run keys (machine-wide and current user) are a common home for malware loaders
    Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
    Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
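    As an added example (not code from the original playbook), the persistence check above can be pushed one step further: instead of reading task names and key values by eye, inspect what each scheduled task and Run/RunOnce entry actually executes and flag anything launched from a user-writable directory, which is where loaders are typically dropped. The directory list and the presence of the ScheduledTasks module (Windows 8 / Server 2012 or later) are assumptions.

```powershell
# Added example, not the playbook's own code. Assumes Windows 8 / Server 2012 or later (ScheduledTasks module).
# The directory list is an assumption: common user-writable drop locations for loaders.
$SuspiciousRoots = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\')

function Test-SuspiciousPath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    foreach ($root in $SuspiciousRoots) {
        if ($CommandLine -like "*$root*") { return $true }
    }
    return $false
}

# 1. Scheduled tasks: inspect what each task executes, not only its name
$taskFindings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-SuspiciousPath $cmd) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                RunAs   = $task.Principal.UserId
                Command = $cmd
                LastRun = $info.LastRunTime
            }
        }
    }
}

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$regFindings = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        if (Test-SuspiciousPath ([string]$p.Value)) {
            [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($p.Name)"; RunAs = ''; Command = $p.Value; LastRun = $null }
        }
    }
}

@($taskFindings) + @($regFindings) | Format-Table -AutoSize
```

    Run it from an elevated session on a suspect host before reimaging, and keep the output with the rest of the evidence; an empty result does not clear the host, since loaders can also hide in services, WMI subscriptions and startup folders that this script does not cover.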