Ransomware Negotiation & Recovery Playbook¶

Metadata¶

Severity Classification Matrix¶

RACI — Roles & Responsibilities¶

R = Responsible, A = Accountable, C = Consulted, I = Informed

Trigger Conditions¶

Activate this playbook when ALL of the following are true:

• [ ] IR-PB-001 containment phase is complete (active encryption halted)
• [ ] Ransom demand has been received (note, dark web portal, email, or phone)
• [ ] Scope of encrypted systems and data exfiltration has been assessed
• [ ] Backup availability and integrity have been evaluated

AND any of the following:

• [ ] Clean backups are unavailable, incomplete, or untested for critical systems
• [ ] Threat actor claims data exfiltration with evidence (file listings, sample data)
• [ ] Business continuity is at risk without decryption capability
• [ ] Regulatory exposure from exfiltrated data requires threat actor engagement to assess scope

Decision Tree¶

flowchart TD
    A([Ransomware Containment Complete\nDemand Received]) --> B{Are verified clean\nbackups available for\nALL critical systems?}
    B -- Yes --> C[Begin parallel recovery\nfrom backups — DO NOT\nengage threat actor yet]
    B -- No/Partial --> D{Is there evidence\nof data exfiltration?}
    B -- Unknown --> E[Assess backup integrity\nwithin 4 hours]
    E --> B

    C --> F{Recovery feasible\nwithin RTO?}
    F -- Yes --> G[Full backup recovery\nNo negotiation needed]
    F -- No --> D

    D -- "Yes — confirmed" --> H{Does exfiltrated data\ncontain regulated\ninformation?}
    D -- "Claimed only" --> I[Engage negotiator to\nverify exfiltration claims\nBuy time for recovery]
    D -- No --> J{Can the organization\ntolerate data loss\nfrom unrecoverable systems?}

    H -- Yes --> K[MANDATORY: Engage\nlegal + external negotiator\nOFAC screening required]
    H -- No --> I

    I --> L{OFAC/sanctions\nscreening clear?}
    K --> L

    J -- Yes --> G
    J -- No --> I

    L -- Clear --> M{Executive pay/don't-pay\ndecision gate}
    L -- "Sanctioned Entity" --> N[DO NOT PAY\nEngage law enforcement\nPursue recovery alternatives]

    M -- Pay --> O[Procure cryptocurrency\nExecute payment\nObtain decryptor]
    M -- "Don't Pay" --> P[Accept data loss\nFull rebuild from\nclean state]

    O --> Q[Test decryptor on\nisolated system first]
    Q --> R{Decryptor works?}
    R -- Yes --> S[Staged decryption\nwith integrity checks]
    R -- No --> T[Re-engage negotiator\nDemand working decryptor]
    T --> Q

    S --> U([Recovery Complete\nLessons Learned])
    G --> U
    P --> U
    N --> U

Phase 1 — Demand Assessment & Intelligence (0–4 Hours)¶

1.1 Ransom Demand Documentation¶

Immediately document the ransom demand with full detail:

• [ ] Photograph/screenshot the ransom note (do not interact with embedded links yet)
• [ ] Record: demanded amount, currency, payment deadline, contact method
• [ ] Identify threat actor group (if named) — cross-reference with threat intelligence
• [ ] Document the communication channel (Tor site, email, chat portal)
• [ ] Preserve all artifacts for law enforcement

1.2 Threat Actor Intelligence¶

// Correlate threat actor IOCs from ransom note with historical telemetry
let RansomIOCs = datatable(indicator:string, type:string) [
    "203.0.113.45", "IP",
    "c2-beacon.synth-ransom.example.com", "Domain",
    "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2", "SHA256"
];
// Check network connections to known C2
DeviceNetworkEvents
| where Timestamp > ago(30d)
| join kind=inner (RansomIOCs | where type == "IP") on $left.RemoteIP == $right.indicator
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp asc

// Identify initial access timeline
DeviceLogonEvents
| where Timestamp > ago(30d)
| where LogonType in ("RemoteInteractive", "Network")
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168."
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), LogonCount=count()
    by RemoteIP, AccountName, DeviceName
| order by FirstSeen asc

// Correlate threat actor IOCs with historical network data
index=firewall sourcetype=pan:traffic
| where dest_ip IN ("203.0.113.45", "198.51.100.22")
    OR query IN ("c2-beacon.synth-ransom.example.com")
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, count BY src_ip, dest_ip, dest_port
| sort first_seen

// Identify initial access — unusual RDP/VPN logins in 30-day window
index=auth sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=10
| where NOT cidrmatch("10.0.0.0/8", Source_Network_Address)
    AND NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
| stats earliest(_time) AS first_logon, count BY Source_Network_Address, Account_Name, ComputerName
| sort first_logon

1.3 OFAC Sanctions Screening¶

• [ ] Cross-reference threat actor alias with OFAC SDN list
• [ ] Cross-reference any known wallet addresses with blockchain analysis providers
• [ ] Check FBI/CISA advisories for attribution to sanctioned nation-state groups
• [ ] Document screening results — retain for compliance records regardless of pay/don't-pay decision
• [ ] If sanctioned: STOP — do not pay under any circumstances — engage legal and law enforcement

1.4 Law Enforcement Notification¶

• [ ] Report to FBI IC3: https://ic3.gov (USA) or relevant national CERT
• [ ] Report to CISA: https://cisa.gov/report
• [ ] Contact local FBI field office if double extortion involves regulated data
• [ ] Notify cyber insurance carrier — most policies require prompt notification
• [ ] Document all law enforcement case numbers and points of contact

Phase 2 — Negotiation Strategy (4–24 Hours)¶

2.1 Engage External Negotiation Firm¶

• [ ] Contact ransomware negotiation firm (pre-contracted or via insurance panel)
• [ ] Provide: ransom note, threat actor alias, communication channel details, OFAC screening results
• [ ] Establish communication protocol: negotiator speaks for the organization — no direct IT/security contact with threat actor
• [ ] Set internal decision checkpoints: 12h, 24h, 48h, 72h

2.2 Negotiation Principles¶

2.3 Communication Templates (Synthetic Examples)¶

Initial Response Template:

Subject: RE: Incident Reference [CASE-2026-XXXX]

We have received your communication. Our organization is a small/mid-size
operation and we are assessing our situation. We need additional time to
evaluate the scope of impact and discuss with our leadership.

We are willing to engage in good-faith discussion but need to understand:
1. What specific data do you claim to have obtained?
2. Can you provide proof of decryption capability for 2-3 test files?
3. What is your timeline flexibility?

We will respond within 48 hours.

Counter-Offer Template:

Subject: RE: Incident Reference [CASE-2026-XXXX]

Thank you for decrypting the test files. We have verified they are functional.

After consultation with our leadership, we must be transparent: the demanded
amount of [AMOUNT] far exceeds our financial capacity. We are a [SIZE]
organization with limited reserves.

We can offer [COUNTER — typically 10-20% of initial demand] as a good-faith
resolution. This represents a significant financial commitment for our
organization.

We are open to further discussion.

2.4 Parallel Recovery Assessment¶

While negotiation proceeds, aggressively pursue recovery alternatives:

• [ ] Attempt decryption with publicly available decryptors (nomoreransom.org)
• [ ] Assess partial backup recovery — which systems can be restored?
• [ ] Evaluate bare-metal rebuild timeline for systems without backups
• [ ] Identify manual workarounds for critical business processes
• [ ] Quantify business impact per day of downtime (for pay/don't-pay ROI)

Phase 3 — Pay/Don't-Pay Decision Gate (24–72 Hours)¶

3.1 Decision Framework¶

3.2 Executive Briefing Template¶

RANSOMWARE INCIDENT — EXECUTIVE DECISION BRIEF
Classification: CONFIDENTIAL — Attorney-Client Privileged

Incident ID:       [IR-2026-XXXX]
Date:              [YYYY-MM-DD]
Briefing Prepared: [Name], [Title]

SITUATION SUMMARY:
- [X] systems encrypted across [Y] business units
- Threat actor: [Alias] — [known/unknown] group
- Demand: [Amount] in [Currency]
- Current negotiated position: [Negotiated amount]
- Data exfiltration: [Confirmed/Claimed/None]
- OFAC screening: [Clear/Pending]

RECOVERY OPTIONS:
1. Pay ransom (negotiated): $[Amount] — estimated [X] days to decrypt
2. Backup recovery: [X]% of systems recoverable — estimated [Y] days
3. Full rebuild: estimated [Z] days — [Data loss description]

BUSINESS IMPACT:
- Revenue loss: $[Amount]/day
- Cumulative impact to date: $[Amount]
- Regulatory notification obligations: [Yes/No — detail]
- Customer/partner impact: [Description]

RECOMMENDATION: [Pay / Don't Pay / Hybrid — with rationale]

DECISION REQUIRED BY: [Date/Time]

3.3 Decision Documentation¶

• [ ] Executive decision recorded in writing with signatures
• [ ] Legal counsel opinion documented (attorney-client privilege)
• [ ] Insurance carrier notified of decision and consulted on coverage
• [ ] OFAC compliance documentation retained regardless of decision
• [ ] Board notification (if material event per governance policy)

Phase 4 — Payment Execution (If Authorized) (48–96 Hours)¶

4.1 Cryptocurrency Procurement¶

• [ ] Engage approved cryptocurrency broker (pre-contracted or insurance panel)
• [ ] Verify wallet address provided by threat actor (cross-check with negotiator)
• [ ] Procure exact amount in specified cryptocurrency
• [ ] Document: wallet addresses, transaction hashes, exchange confirmations, timestamps
• [ ] Retain blockchain records for law enforcement, insurance, and tax purposes

4.2 Decryptor Validation¶

• [ ] Obtain decryptor from threat actor after payment confirmation
• [ ] Hash the decryptor binary and submit to sandbox analysis (malware check)
• [ ] Test decryptor on an isolated VM with copies of 5-10 encrypted files of varying types
• [ ] Verify: file integrity after decryption, no additional malware dropped, no new C2 connections
• [ ] Document decryption success rate and any file types that fail

# Validate decrypted file integrity (Windows)
# Compare decrypted files against known-good hashes where available
$testFiles = Get-ChildItem -Path "C:\DecryptionTest\Decrypted" -Recurse -File
foreach ($file in $testFiles) {
    $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256
    Write-Output "$($hash.Hash)  $($file.Name)  Size:$($file.Length)"
}

# Monitor for suspicious network activity during decryption
Get-NetTCPConnection | Where-Object {
    $_.State -eq "Established" -and
    $_.RemoteAddress -notmatch "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)"
} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize

4.3 Staged Decryption¶

• [ ] Prioritize decryption order: domain controllers → authentication systems → databases → file servers → endpoints
• [ ] Decrypt one system per tier first — validate before proceeding to batch
• [ ] Monitor each decrypted system for 30 minutes before decrypting the next
• [ ] Maintain network isolation during decryption — do not reconnect to production until verified clean
• [ ] Run full EDR scan on each decrypted system before reconnecting

Phase 5 — Recovery & Restoration (72–120 Hours)¶

5.1 System Restoration Sequence¶

5.2 Active Directory Recovery¶

• [ ] Reset KRBTGT password twice (with 12-hour interval between resets)
• [ ] Reset all privileged account passwords (Domain Admins, Enterprise Admins, Schema Admins)
• [ ] Review and remove any unauthorized Group Policy Objects
• [ ] Check for new trust relationships or SID history manipulation
• [ ] Verify AdminSDHolder and dsHeuristics are not modified
• [ ] Scan for Golden Ticket / Silver Ticket persistence indicators

5.3 Credential Reset Plan¶

5.4 Network Hardening (Post-Recovery)¶

• [ ] Block all threat actor C2 infrastructure at perimeter firewall permanently
• [ ] Re-evaluate RDP exposure — disable or restrict to VPN-only access
• [ ] Deploy network segmentation between high-value assets and general network
• [ ] Enable enhanced logging on all recovered systems (PowerShell ScriptBlock, WinRM, Sysmon)
• [ ] Verify EDR coverage on 100% of endpoints before reconnecting to network

Phase 6 — Lessons Learned & Regulatory (Within 2 Weeks)¶

6.1 Metrics to Capture¶

6.2 Regulatory Notification Tracker¶

6.3 Insurance Claim Documentation¶

• [ ] Complete incident timeline with UTC timestamps
• [ ] All ransom communications preserved (screenshots, chat logs)
• [ ] OFAC screening documentation
• [ ] Executive decision memo (pay/don't-pay)
• [ ] Payment records (transaction hashes, broker receipts)
• [ ] Business interruption loss calculations
• [ ] Third-party vendor invoices (negotiation firm, forensics, legal)
• [ ] Regulatory notification copies
• [ ] System restoration costs and labor hours

6.4 Post-Incident Review Agenda¶

• [ ] Complete attack timeline: initial access → lateral movement → exfiltration → encryption
• [ ] Entry vector identification and remediation confirmation
• [ ] Backup strategy assessment: why were backups insufficient?
• [ ] Detection gap analysis: why wasn't the attacker detected earlier?
• [ ] Negotiation effectiveness review (if applicable)
• [ ] Recovery process evaluation: what slowed restoration?
• [ ] Communication review: were stakeholders informed appropriately?
• [ ] Control improvements identified, assigned, and deadlined

ATT&CK Technique Mapping¶

Communication Templates¶

Internal Stakeholder Update¶

RANSOMWARE INCIDENT UPDATE — [Date] [Time] UTC
Status: [Active Response / Negotiation / Recovery / Resolved]
Classification: CONFIDENTIAL

CURRENT STATUS:
- Encrypted systems: [X] of [Y] total
- Business operations: [Fully impacted / Partially impacted / Workarounds active]
- Recovery progress: [X]% of critical systems restored
- Negotiation status: [Engaged / Stalled / Resolved / Not pursuing]

ACTIONS SINCE LAST UPDATE:
- [Action 1]
- [Action 2]

NEXT STEPS:
- [Next action 1 — ETA]
- [Next action 2 — ETA]

NEXT UPDATE: [Date/Time]
Incident Commander: [Name]
Bridge: [Link/Number]

Customer/Partner Notification (Post Legal Review)¶

Subject: Security Incident Notification — [Organization Name]

Dear [Customer/Partner],

We are writing to inform you of a cybersecurity incident that [may have /
has] affected [description of impact].

WHAT HAPPENED:
On [date], we detected unauthorized activity in our systems. We immediately
activated our incident response procedures and engaged external
cybersecurity experts.

WHAT INFORMATION WAS INVOLVED:
[Description — be specific per legal/regulatory guidance]

WHAT WE ARE DOING:
- We have contained the incident and are restoring systems
- We have engaged law enforcement and are cooperating fully
- We have engaged third-party forensic investigators
- [Additional remediation steps]

WHAT YOU CAN DO:
- [Specific protective actions relevant to the data involved]
- [Contact information for questions]

We take the security of your information seriously and sincerely apologize
for any concern this may cause.

[Name], [Title]
[Organization]
[Incident hotline number]

Runbook Checklist¶

Demand Assessment¶

• [ ] IR-PB-001 containment confirmed complete
• [ ] Ransom demand documented (amount, currency, deadline, contact method)
• [ ] Threat actor intelligence gathered and cross-referenced
• [ ] OFAC/sanctions screening completed and documented
• [ ] Law enforcement notified (FBI IC3, CISA, local field office)
• [ ] Cyber insurance carrier notified

Negotiation¶

• [ ] External negotiation firm engaged (if proceeding)
• [ ] Communication protocol established (single point of contact)
• [ ] Parallel recovery options assessed and documented
• [ ] Proof of decryption capability requested and validated
• [ ] Decision checkpoints scheduled (12h, 24h, 48h, 72h)

Pay/Don't-Pay Decision¶

• [ ] Decision framework completed with all stakeholder input
• [ ] Executive briefing delivered
• [ ] Executive decision documented in writing
• [ ] Legal opinion documented (attorney-client privilege)
• [ ] Insurance coverage confirmed (if paying)
• [ ] Board notified (if material event)

Payment Execution (If Authorized)¶

• [ ] Cryptocurrency broker engaged
• [ ] Wallet address verified
• [ ] Payment executed and transaction documented
• [ ] Decryptor received and sandboxed for analysis
• [ ] Decryptor tested on isolated system — success confirmed
• [ ] Staged decryption plan executed

Recovery¶

• [ ] Systems restored in priority order
• [ ] Active Directory rebuilt or verified clean
• [ ] KRBTGT reset twice with 12h interval
• [ ] All privileged credentials rotated
• [ ] EDR verified on 100% of endpoints
• [ ] Network hardening measures deployed

Lessons Learned¶

• [ ] Complete attack timeline documented
• [ ] Regulatory notifications sent per tracker
• [ ] Insurance claim documentation assembled
• [ ] Post-incident review conducted within 2 weeks
• [ ] Backup strategy improvements implemented
• [ ] Detection and prevention gaps addressed
• [ ] Playbook updated with findings

Nexus SecOps Cross-References¶

Nexus SecOps Benchmark Control Mapping¶