---
title: "Incident Response for Ransomware: Who Does What?"
date: 2026-02-24T15:10:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/incident-response-bei-ransomware-wer-macht-was"
section: "Entries: Articles"
---
### IR Team Structure: Who Is in the Room?

#### 1. Incident Commander (IC)

**Who?** One person with decision-making authority (often the IT manager, CISO, or CEO).

**Responsibilities:**

- Leads the entire incident response
- Makes final decisions (rebuild from scratch or recover from backup?)
- Coordinates internally and externally
- Informs management
- Escalates decisions upward when necessary

**Meetings:** The IC leads recurring stand-ups (for example 10:00, 14:00, 18:00) with the whole team.

#### 2. IT Forensics Team

**Who?** IT security professionals, ideally supported by an external forensics firm.

**Responsibilities:**

- Evidence preservation (forensic copies of systems)
- Reconstruct the attack timeline (when did they get in? Via which vector?)
- Malware analysis (which ransomware? Which group?)
- Identify vulnerabilities (how did it happen?)
- Recovery preparation (which backups are clean? Which systems are affected?)

**Timing:** Starts in parallel with recovery, not after.

#### 3. IT Recovery Team

**Who?** Backup administrator, system administrators.

**Responsibilities:**

- Execute recovery (restore from backups)
- Validate systems (does everything work?)
- Network rebuilding (if network segmentation was compromised)
- Reactivate monitoring (EDR, SIEM, intrusion detection)

**Tools:** Backup software (for example Veeam, Commvault) plus the secondary storage layer, ideally an air-gapped target such as the Silent Brick System.

**Timing:** Starts immediately after Phase 1 (isolation).

#### 4. Legal/Compliance Team

**Who?** Internal legal department or external cyber attorney.

**Responsibilities:**

- NIS2 reporting obligations (Directive (EU) 2022/2555): early warning within 24 hours, incident notification within 72 hours, final report within one month, to the competent national authority or CSIRT
- GDPR notification (Article 33: supervisory authority within 72 hours if personal data is affected)
- DORA incident reporting for financial entities (Regulation (EU) 2022/2554)
- Insurance coordination
- Authority communication
- Risk assessment (pay ransom? Sanctions and criminal law risk?)

**Contacts:** The competent national cybersecurity authority (in Germany: BSI), the data protection supervisory authority, the cyber insurer.

**Timing:** Informed immediately, parallel to forensics and recovery.

#### 5. Communications Team

**Who?** PR, management, potentially an external PR agency.

**Responsibilities:**

- Internal communication (inform employees)
- External communication (customers, partners, media)
- Develop the messaging: acknowledge the incident, explain the measures
- Trust management and reputation protection

**Important:** All communication should be coordinated with legal to avoid legal pitfalls.

**Timing:** After Phase 1 (isolation), when the status is clear.

#### 6. Finance/Insurance Team

**Who?** CFO, insurance manager.

**Responsibilities:**

- Cost tracking (who pays for what?)
- File the insurance claim
- Release budget for recovery
- Quantify the business loss (for insurance and the forensics report)

**Documents:** Cyber insurance policy, claims form.

---

### External Partners and Their Role

#### 1. Cybersecurity and Forensics Firm

**When?** Immediately, within hours.

**What do they do?**

- Conduct forensic analysis
- Identify the malware variant
- Attacker attribution
- Provide recovery recommendations
- Write the insurance report

**Costs:** Depend heavily on incident complexity; budget five figures as a starting point.

**Tip:** Establish a retainer contract with a firm in advance for faster engagement.

#### 2. Cyber Insurance Broker

**When?** Immediately, parallel to forensics.

**What do they do?**

- Coordinate the damage notification
- Coordinate external experts (the insurer often pays for these)
- Determine costs
- Negotiate with the insurer

**Important:** The broker can often organise better external partners than you can on your own.

#### 3. National Cybersecurity Authority / CSIRT

**When?** NIS2 deadlines apply: early warning within 24 hours, notification within 72 hours.

**What do they do?**

- Share threat intelligence
- Provide technical advice
- Coordinate with other authorities, including at EU level via the CSIRTs network
- Provide information about attacker groups

**Contact:** In Germany, reports go to the BSI; every EU member state designates its own competent authority and CSIRT. Document your national contact and reporting portal in advance.

#### 4. Law Enforcement

**When?** In cases of double extortion (data leak threatened) or major damage.

**What do they do?**

- Initiate investigations
- Track attacker groups (internationally via Europol and Interpol)
- Monitor for data leaks (dark web monitoring)
- Advise on ransom negotiations where applicable

**Contacts:** National and regional cybercrime units; in Germany the Bundeskriminalamt (BKA) and the Landeskriminalämter (LKA).

**Important:** Involving law enforcement is advisable, but coordinate timing with legal counsel.

#### 5. Incident Response Retainer Service

**Option:** Put an IR team on retainer before an attack occurs.

**Advantages:**

- Fast access (contractually guaranteed response times)
- The team knows your infrastructure (pre-incident assessment)
- No procurement delays in the middle of a crisis

**Costs:** A recurring retainer fee plus incident costs; pricing varies widely by provider and scope.

**Recommendation:** Worthwhile for organisations above a certain size or with regulatory exposure under NIS2 or DORA.

---

### Roles and Responsibilities at a Glance

- **Incident Commander:** decides on ransom, network shutdown, external partners; leads recovery; communicates with management, board, and external partners.
- **IT Forensics:** collects and analyses evidence; reports to the IC and the recovery team.
- **IT Recovery:** decides the sequence of system restoration; restores systems; coordinates with IC and forensics.
- **Legal:** decides on NIS2 and GDPR notifications and insurance claims; coordinates with authorities, the insurer, and the IC.
- **Communications:** decides when employees and customers are informed; drafts messages for employees, customers, and media.
- **Finance:** releases budget for external partners; tracks costs; reports to the IC and management.

---

### Day 1: How a Coordinated Response Unfolds

**06:00, detection:** The first encrypted files are noticed. The IC is alerted and activates all IR team members by phone. The forensics firm is engaged.

**06:30, first IR meeting (30 minutes, virtual):** Status is collected: which systems are down, are the air-gapped backups intact, do reporting obligations apply? Decisions: isolate the network completely, prepare the NIS2 early warning (24-hour deadline), forensics travels to the site, recovery environment preparation starts in parallel.

**08:00, isolation complete:** Infected systems are offline, backups are verified, EDR scans are running, forensics begins evidence collection.

**10:00, second stand-up:** Forensics names a preliminary malware variant. IT confirms the recovery environment and schedules the domain recovery. Legal confirms reporting obligations and informs the insurer. Communications schedules a general employee notice.

**14:00, recovery starts:** Domain Controller restore begins. Forensic analysis continues in parallel.

**18:00, third stand-up:** Domain Controller is online and test users can log in. Forensics traces initial access to a phishing email weeks earlier. Email recovery is scheduled for the next morning. Legal prepares the 72-hour notification.

**End of day 1:** The situation is stable, recovery is underway, forensics is producing detail. That is what a rehearsed IR process delivers.

---

### Reporting Obligations: Deadlines and Contacts

#### NIS2 (if Directive (EU) 2022/2555 applies to your organisation)

- Early warning: within 24 hours of becoming aware of a significant incident
- Incident notification: within 72 hours
- Final report: within one month
- Recipient: the competent national authority or CSIRT (in Germany: BSI; other member states designate their own)
- Content: type of incident, affected systems, preliminary impact, suspected cross-border effects

#### GDPR (if personal data is involved)

- Deadline: 72 hours after becoming aware (Article 33)
- Recipient: the competent data protection supervisory authority
- Content: type of data, estimated number of affected persons, measures taken
- Plus: notification of affected individuals where there is a high risk (Article 34)

#### Further Notifications

- **Insurer:** immediately, not after 72 hours; fill out the claims form, submit the forensics report later.
- **Customers (especially in double-extortion cases):** communicate transparently and early.
- **Sector regulators:** financial entities follow the DORA incident reporting regime; other regulated sectors may have additional requirements.

---

### Frequently Asked Questions

**Should the CEO be in the IR team?** Not necessarily in every stand-up, but in a daily briefing (10 to 15 minutes). The CEO must be informed for final decisions (ransom? Public notification?).

**When do we engage an external forensics firm?** Immediately. Internal IT teams need their full capacity for recovery. Forensics benefits from external, unbiased eyes.

**Will the police handle forensics for free?** No. The police investigate the crime, but they do not deliver the recovery-oriented forensics or the insurance report. Cyber insurance often covers external forensics.

**Who decides whether to pay the ransom?** A joint decision: CEO (business risk), legal (sanctions and liability), IC (technical feasibility), with the insurer involved. It is legally and ethically complex; with working backups it should not be necessary.

---

### Checklist: Building an IR Team

- IC designated (who has final decision authority?)
- IT forensics partner identified (who do we call in an emergency?)
- IT recovery team designated (who performs recovery?)
- Legal/compliance contact identified
- Communications lead designated
- Cyber insurance policy in place (with IR support?)
- National reporting authority and portal documented (in Germany: BSI)
- Retainer contract with a forensics firm (optional but recommended)
- IR plan documented in writing (not just in people’s heads)
- IR exercise conducted (tabletop exercise, at least once a year)

---

### Further Resources

- [Ransomware Recovery Checklist: 12 Steps After the Attack](/en/blog/ransomware-recovery-checkliste/)
- [Recovery Time Objective: How to Calculate Your RTO Realistically](/en/blog/recovery-time-objective/)
- [NIS2 Explained: Reporting Obligations and Requirements](/en/blog/nis2-einfach-erklaert/)
- [Tabletop Exercise Ransomware: Instructions and Scenarios](/en/blog/tabletop-exercise-ransomware/)
- [Silent Brick System: Hardware Air Gap for Fast Recovery](/en/produkte/silent-brick-system/)
- [Request a Demo](/en/kontakt/demo/)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)

### Disaster Recovery

Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within a defined timeframe (RTO) and with no more than a defined amount of data loss (RPO) after a severe failure such as a ransomware attack, hardware failure or data center outage.

[Learn more →](https://www.fast-lta.de//en/glossary/disaster-recovery)

### RTO / RPO

RTO (Recovery Time Objective) is the maximum acceptable downtime after an IT failure; RPO (Recovery Point Objective) is the maximum acceptable data loss. Both are metrics that a backup architecture must demonstrably meet in practice, not merely aspirational targets written into a policy.

[Learn more →](https://www.fast-lta.de//en/glossary/rto-rpo)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)
