Upon Discovery of a Ransomware Incident:

Contact outside legal counsel and advise of the incident. From this point forward, the attorney
should coordinate all communication to protect client confi dentiality.
Isolate any suspected compromised system(s) and bring offl ine.

Block all incoming and outgoing connections, with exceptions for trusted IT staff , in all fi rewalls
at all sites. Disable all Site-to-Site VPN Tunnels. If working with an EDR product, ensure
that communication is permitted on the applicable ports and public DNS forwarders are still
accessible.

Stop, Pause, and/or Disable all Backup Tasks, and any fi le replication. Isolate backup storage
devices from the network.

Review all Active Directory Accounts and ensure all are legitimate. Confi rm all Domain Admins
are appropriate. Identify any unneeded or potentially compromised accounts and disable.
Reset passwords for all administrative accounts and privileged service accounts.
Review all