Lead
Ransomware and Business Email Compromise (BEC) represent two of the most pervasive and costly cyber threats facing organizations today. This guide provides a unified, step-by-step incident response runbook specifically tailored to these attack types, covering containment, eradication, recovery, and the complex web of reporting obligations under SEC, GDPR, and state breach notification laws. Designed for security teams, IT administrators, and compliance officers, it translates regulatory requirements into actionable procedures. With ransomware payments exceeding $1 billion in 2023 and BEC losses climbing to $2.9 billion annually, having a tested, integrated response plan isn't just prudent—it's essential for minimizing financial, operational, and reputational damage.
What Ransomware and BEC Are and Why Organizations Struggle
Ransomware encrypts systems or data and demands payment for the decryption key, increasingly paired with data theft and a threat to publish it (double extortion). BEC uses a compromised or impersonated business email identity (a hijacked mailbox, or a spoofed or lookalike domain) to redirect payments, alter bank details, or harvest sensitive information. The two differ in execution, but both usually begin with phishing or stolen credentials and share the same response phases: detection, containment, eradication, recovery, and post‑incident activity.
Organizations struggle with these incidents for several reasons. First, speed: ransomware can encrypt an entire network in minutes, and BEC actors typically plant mailbox rules and send fraudulent payment instructions within hours of gaining access, leaving little time for deliberation. Second, response requires coordination across IT, security, legal, finance, and communications teams, each with different priorities and tools. Third, the regulatory landscape is fragmented: SEC rules require public disclosure within four business days of determining that an incident is material, GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal‑data breach, and state laws range from fixed 30‑ to 60‑day windows to “without unreasonable delay,” with differing definitions of “personal information.” Finally, many teams lack a single playbook that covers both technical containment (e.g., isolating systems, revoking OAuth tokens) and legal obligations (e.g., determining materiality under SEC rules or assessing whether GDPR applies) in one cohesive workflow.
Phase 1: Detection and Initial Triage
- Trigger Alert: Confirm detection via EDR alerts, user reports (e.g., suspicious emails, ransom notes), or anomalous network traffic (e.g., beaconing to known C2 domains). For BEC, watch for newly created inbox forwarding or hiding rules, impossible‑travel sign‑ins, consent to unfamiliar OAuth apps, and unexpected requests to change payment or bank details.
- Preserve Evidence: Isolate affected systems at the network level but do not power them off; shutting down destroys memory‑resident evidence such as injected code, running processes, and in some cases encryption keys. Capture volatile memory (RAM), disk images, and relevant logs (firewall, VPN, email, authentication). For email compromise, place the affected mailbox on litigation hold and export its audit log immediately.
- Initial Classification: Determine whether the incident is ransomware (file encryption, ransom note), BEC (unauthorized email access, fraudulent requests), or both; a compromised mailbox is a common initial foothold for ransomware operators, so a BEC finding should prompt a check for wider intrusion. Note observed TTPs (Tactics, Techniques, Procedures).
- Notify IR Team: Activate the incident response lead and team, including IT security, legal counsel, communications, and relevant business unit leaders (e.g., finance for BEC). Use predefined out‑of‑band channels (e.g., a dedicated conference bridge or a messaging app outside the corporate tenant), since an attacker with mailbox access can read email and calendar invitations about the response.
- Assess Immediate Impact: Identify affected systems, accounts, and data types. For ransomware, scope encrypted systems; for BEC, review sent emails, modified rules, and accessed attachments. This informs containment priorities and regulatory triggers.
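As an added worked example for the ransomware side of triage (not code from the original page or from any vendor), the Python script below scopes an encryption event on a file share: it flags files whose content is near‑random (Shannon entropy close to 8 bits per byte) but whose extension is not a legitimately compressed or encrypted format, finds ransom notes by name and wording, and reports the attacker's appended extension and the directories hit. The sample tree it scans is constructed inside a temporary directory for illustration; the thresholds, extension allowlist and note patterns are assumptions you would tune to your environment.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are legitimately high-entropy (compressed or encrypted), so
# entropy alone must not flag them. Assumed allowlist; extend for your estate.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg", ".mp4",
                   ".pdf", ".docx", ".xlsx", ".pptx", ".gpg", ".p7m"}
ENTROPY_THRESHOLD = 7.5           # bits/byte; properly encrypted data sits near 8.0
SAMPLE_BYTES = 64 * 1024          # read only the head of each file
NOTE_NAME_RE = re.compile(r"readme|restore|recover|decrypt|how_to|help", re.I)
NOTE_BODY_RE = re.compile(r"decrypt|bitcoin|\.onion|tor browser|your (files|network)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Small text file whose name and body both match common ransom-note phrasing."""
    if path.stat().st_size > 64 * 1024 or not NOTE_NAME_RE.search(path.name):
        return False
    try:
        return bool(NOTE_BODY_RE.search(path.read_text(errors="ignore")))
    except OSError:
        return False


def scan_tree(root) -> dict:
    """Walk a read-only mount and report suspected encrypted files and ransom notes."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(path)
            continue
        if path.suffix.lower() in HIGH_ENTROPY_OK:
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(path)
    ext_counts = Counter(p.suffix.lower() for p in encrypted)
    return {
        "encrypted": sorted(p.relative_to(root).as_posix() for p in encrypted),
        "notes": sorted(p.relative_to(root).as_posix() for p in notes),
        "suspect_extension": ext_counts.most_common(1)[0][0] if ext_counts else None,
        "dirs_hit": sorted({p.parent.relative_to(root).as_posix() for p in encrypted}),
    }


def build_sample_share(root) -> None:
    """Constructed sample tree standing in for a hit file share (not real incident data)."""
    root = Path(root)
    (root / "finance").mkdir()
    (root / "memo.txt").write_text("Quarterly planning notes. " * 200)       # ordinary text
    (root / "photo.jpg").write_bytes(os.urandom(8192))                      # legit high-entropy format
    (root / "report.docx.locked").write_bytes(os.urandom(8192))             # stand-in for encrypted output
    (root / "finance" / "budget.xlsx.locked").write_bytes(os.urandom(8192))
    (root / "README_RESTORE_FILES.txt").write_text(
        "Your files have been encrypted. To decrypt them buy the key with Bitcoin via our .onion portal.")


def run_demo() -> dict:
    """Build the sample share in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run this from a clean analysis host against a forensic image or a share mounted read‑only, never on the infected endpoint itself. Families that use intermittent encryption (encrypting only parts of each file) will show lower head entropy; for those, sample several offsets per file rather than only the first 64 KiB.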
Phase 2: Containment
- Network Segmentation: For ransomware, isolate infected subnets using VLANs or firewall rules, cutting the hosts' paths to backup infrastructure and domain controllers first. For BEC, use Conditional Access (or equivalent) to block sign‑ins from the attacker's locations and devices and require re‑authentication, while keeping the account available for evidence collection.
- Credential Reset: Any password reset or session revocation is visible to the attacker, so sequence the work rather than delay it: first warn finance/accounts payable to hold outbound payments and re‑verify recent bank‑detail changes, collect the evidence you need (mailbox audit log, rules, consents), then in one coordinated action reset the password, revoke refresh tokens and active sessions, revoke OAuth grants, and reset any accounts sharing the credential. Whether to disable the account outright is a policy decision; a short, closely monitored delay is acceptable only while evidence is captured, not as a substitute for containment.
- Block Malicious Indicators: Block C2 IPs, domains, and file hashes identified during triage at firewall, proxy, and DNS levels. For BEC, block known malicious sender domains and IP addresses used in fraudulent emails.
- Disable Persistence Mechanisms: For ransomware, record and then remove scheduled tasks, services, and registry run keys used for persistence (export them first; they are evidence). For BEC, remove unauthorized inbox rules, SMTP forwarding, delegated mailbox access, and connected applications (e.g., malicious OAuth app consents), and revoke refresh tokens so cached sessions do not survive the cleanup.
- Preserve Forensic Integrity: Ensure all actions are documented and logged. Avoid altering systems beyond necessary containment; use write‑blockers for disk imaging and collect logs from centralized SIEM before making changes.
- Communicate Internally: Notify the IR team lead of containment status. Do not inform broad employee populations until legal and communications teams assess notification requirements.
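As an added worked example (not code from the original page or from any vendor product), the Python script below runs the Phase 1 BEC triage checks over a constructed batch of sign‑in and mailbox audit events and turns the findings into a Phase 2 containment plan in the order described above: payments held and evidence preserved first, then one coordinated cut‑over. The event shape is a simplified stand‑in loosely modelled on Microsoft 365 unified audit log and Entra sign‑in records; the users, IPs (RFC 5737 test ranges), coordinates, folder names, keyword lists and scope lists are all assumptions for illustration. The same persistence checks are what you re‑run in Phase 3 to validate eradication.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real incident data). "op" names follow the
# Microsoft 365 audit log loosely; lat/lon would come from the sign-in log.
EVENTS = [
    {"time": "2024-03-04T08:02:11Z", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "lat": 41.88, "lon": -87.63},                      # Chicago
    {"time": "2024-03-04T08:40:52Z", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "lat": 6.52, "lon": 3.38},                        # Lagos, 38 min later
    {"time": "2024-03-04T08:44:03Z", "user": "cfo@example.com", "op": "New-InboxRule", "ip": "198.51.100.77",
     "params": {"Name": ".", "SubjectContainsWords": "invoice;wire;payment", "MoveToFolder": "RSS Subscriptions"}},
    {"time": "2024-03-04T08:45:30Z", "user": "cfo@example.com", "op": "Set-Mailbox", "ip": "198.51.100.77",
     "params": {"ForwardingSmtpAddress": "smtp:cfo.backup@mail.example.net", "DeliverToMailboxAndForward": True}},
    {"time": "2024-03-04T08:47:12Z", "user": "cfo@example.com", "op": "Consent to application.", "ip": "198.51.100.77",
     "params": {"AppDisplayName": "Mail Sync Helper", "Scopes": "Mail.ReadWrite offline_access"}},
    {"time": "2024-03-04T09:10:00Z", "user": "cfo@example.com", "op": "Add-MailboxPermission", "ip": "198.51.100.77",
     "params": {"User": "svc-mailbox@example.com", "AccessRights": "FullAccess"}},
    {"time": "2024-03-04T10:15:00Z", "user": "analyst@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.22", "lat": 40.71, "lon": -74.01},                      # benign user
    {"time": "2024-03-04T11:20:00Z", "user": "analyst@example.com", "op": "New-InboxRule", "ip": "203.0.113.22",
     "params": {"Name": "Newsletters", "FromAddressContainsWords": "news", "MoveToFolder": "Reading"}},
]
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "password", "hacked", "phish", "fraud"}
RISKY_SCOPES = {"mail.readwrite", "mail.read", "mail.send", "mailboxsettings.readwrite", "offline_access"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins by one user that imply travel faster than max_kmh."""
    findings, by_user = [], {}
    for e in sorted((e for e in events if e["op"] == "UserLoggedIn"), key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, logins in by_user.items():
        for a, b in zip(logins, logins[1:]):
            hours = (_ts(b["time"]) - _ts(a["time"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km > 50 and speed > max_kmh:  # ignore small geolocation jitter
                findings.append({"user": user, "kind": "impossible-travel",
                                 "detail": f"{km:.0f} km in {hours:.2f} h ({a['ip']} -> {b['ip']})",
                                 "action": f"block {b['ip']} and revoke all sessions for {user}"})
    return findings


def persistence_findings(events):
    """Flag mailbox persistence: hiding/forwarding rules, SMTP forwarding, risky consents, FullAccess delegates."""
    out = []
    for e in events:
        p, user, op = e.get("params", {}), e["user"], e["op"]
        if op in ("New-InboxRule", "Set-InboxRule"):
            why = []
            if p.get("DeleteMessage") or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
                why.append("hides matching mail")
            if {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")} & FINANCE_WORDS:
                why.append("keys on finance/security words")
            if any(p.get(k) for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
                why.append("forwards mail")
            if not p.get("Name", "").strip(". "):
                why.append("blank or dot rule name")
            if why:
                out.append({"user": user, "kind": "inbox-rule", "detail": "; ".join(why),
                            "action": f"Remove-InboxRule {p.get('Name')!r} on {user}"})
        elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
            out.append({"user": user, "kind": "smtp-forwarding", "detail": p["ForwardingSmtpAddress"],
                        "action": f"clear ForwardingSmtpAddress on {user}"})
        elif op == "Consent to application." and set(p.get("Scopes", "").lower().split()) & RISKY_SCOPES:
            out.append({"user": user, "kind": "oauth-consent", "detail": p.get("AppDisplayName"),
                        "action": f"revoke consent for app {p.get('AppDisplayName')!r}"})
        elif op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", ""):
            out.append({"user": user, "kind": "delegate", "detail": p.get("User"),
                        "action": f"Remove-MailboxPermission {p.get('User')} from {user}"})
    return out


def containment_plan(events):
    """Ordered plan: stop the money, preserve evidence, then one coordinated cut-over."""
    findings = impossible_travel(events) + persistence_findings(events)
    users = sorted({f["user"] for f in findings})
    plan = [f"notify finance: hold outbound payments and re-verify bank-detail changes ({', '.join(users)})",
            "preserve: litigation hold and audit-log export before touching the accounts"]
    plan += sorted({f["action"] for f in findings})
    plan += [f"reset password, revoke refresh tokens, enforce phishing-resistant MFA: {u}" for u in users]
    return findings, plan


if __name__ == "__main__":
    for step in containment_plan(EVENTS)[1]:
        print("-", step)
```

In production the input is your exported audit and sign‑in logs, and the plan's mailbox actions map onto the Exchange Online cmdlets named in them (Remove‑InboxRule, Set‑Mailbox, Remove‑MailboxPermission) plus a sign‑in session revocation in Entra ID. The benign analyst's "Newsletters" rule is deliberately included to show that ordinary filing rules are not flagged.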
Phase 3: Eradication
- Malware Removal: Run endpoint scans with updated signatures and behavioral analysis tools, but treat a ransomware‑hit host as untrusted: rebuilding from a known‑good image is safer than cleaning in place. Do not run a decryptor until eradication is confirmed; paying the ransom does not remove backdoors or secondary tooling.
- Account Remediation: For BEC, reset passwords, revoke refresh tokens, re‑enable accounts only after verifying that no malicious rules or forwarding persist, and enforce MFA (prefer phishing‑resistant methods such as FIDO2 where available, since the initial phish may have defeated push or SMS MFA). Review and revoke any unauthorized application permissions or API keys.
- Patch and Update: Apply pending security updates, especially for exploited vulnerabilities (e.g., ProxyShell, Log4j) identified during investigation. Update email gateway rules to block similar phishing attempts.
- Validate Eradication: Confirm no remnants of attacker tooling remain via EDR scans, log reviews, and threat hunting. For ransomware, verify no encryption processes are active; for BEC, ensure no unauthorized email rules or forwarding exist.
- Update IOCs: Add new indicators of compromise (hashes, IPs, domains) to security tools and share with ISACs or information‑sharing communities as appropriate.
Phase 4: Recovery
- System Restoration: Restore systems from clean, offline backups verified to be free of malware, choosing restore points that predate the attacker's initial access rather than just the encryption event (dwell time is often days or weeks). Prioritize critical systems based on business impact analysis. For ransomware, ensure backups are air‑gapped or immutable; for BEC, focus on restoring email integrity and data access.
- Reconnect and Monitor: Gradually reconnect systems to the network with enhanced monitoring (e.g., increased EDR telemetry, SIEM rules for known IOCs). Validate functionality and data integrity.
- Test and Validate: Conduct user acceptance testing for restored services. For email, verify that legitimate mail flow resumes and that security controls (DMARC, DKIM, SPF) are functioning.
- Re‑secure Backups: If backups were used during recovery, rotate the credentials used to reach them, confirm the incident did not compromise the backup infrastructure itself, and resume the normal backup schedule.
- Confirm Business Operations: Confirm with business unit leaders that critical functions are operational and that any manual workarounds can be stood down.
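For the "Test and Validate" step above, an added example (not code from the original page or from any vendor) that checks whether the domain's published SPF and DMARC records still enforce anything after recovery: it runs offline over TXT record strings you have already fetched (e.g. with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`), so the record strings below are constructed test inputs. DKIM is left out because verifying it needs the selector and a signed message, not just DNS.

```python
import re

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:)|^redirect=", re.I)


def check_spf(txt_records):
    """Evaluate the SPF policy in a domain's TXT records; returns a dict with findings."""
    spf = [r.strip('"') for r in txt_records if r.strip('"').lower().startswith("v=spf1")]
    findings = []
    if not spf:
        return {"present": False, "all": None, "lookups": 0,
                "findings": ["no SPF record: spoofed mail is never SPF-failed"]}
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published: receivers return permerror")
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unmatched senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("+all: every sender on the internet passes SPF")
    elif all_term.startswith("?"):
        findings.append("?all: neutral result, spoofed mail is not failed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10: permerror")
    return {"present": True, "all": all_term, "lookups": lookups, "findings": findings}


def check_dmarc(txt_records):
    """Evaluate the DMARC record published at _dmarc.<domain>."""
    recs = [r.strip('"') for r in txt_records if r.strip('"').lower().startswith("v=dmarc1")]
    if not recs:
        return {"present": False, "policy": None,
                "findings": ["no DMARC record: no policy for SPF/DKIM failures"]}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    findings = []
    if len(recs) > 1:
        findings.append("multiple DMARC records: receivers ignore DMARC entirely")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r})")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    sp = tags.get("sp", policy).lower()
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return {"present": True, "policy": policy, "pct": pct, "subdomain_policy": sp, "findings": findings}


if __name__ == "__main__":
    # Constructed records for a quick run; replace with the strings dig returns.
    print(check_spf(['"v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"']))
    print(check_dmarc(['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"']))
```

An empty findings list for both records is the "controls functioning" result the recovery checklist is looking for; anything under p=none or a soft or missing `all` means spoofed mail in the attacker's name can still reach your partners.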
Phase 5: Post‑Incident Activity and Reporting Obligations
- Forensic Investigation Complete: Finalize root cause analysis (e.g., phishing email, exploited vulnerability, credential theft). Document attacker TTPs, dwell time, and data accessed or exfiltrated.
- Regulatory Assessment:
- SEC (Public Companies): Determine materiality using quantitative and qualitative factors (Regulation S‑K Item 106, 17 CFR §229.106); the determination must be made without unreasonable delay. If material, file Form 8‑K Item 1.05 within four business days of that determination (not of discovery). A delay is permitted only if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
- GDPR: If the organization is subject to GDPR (established in the EU, or offering goods or services to, or monitoring, individuals in the EU) and personal data is involved, notify the lead supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals, and document the reasons for any delay. If the breach is likely to result in a high risk to individuals, also communicate it to the affected data subjects without undue delay (Article 34).
- State Laws: Identify all states where affected individuals reside. Apply each state's breach‑notification statute (timelines vary; e.g., Florida 30 days, California without unreasonable delay).
- CIRCIA: Once CISA's implementing rule is in effect, covered critical‑infrastructure entities must report covered incidents to CISA within 72 hours and ransom payments within 24 hours; until then, reporting to CISA or the FBI is voluntary but encouraged.
- HIPAA/GLBA/FERPA: Apply sector‑specific rules if PHI, financial, or education records are involved (e.g., HIPAA requires notice to affected individuals without unreasonable delay and no later than 60 days after discovery; the FTC Safeguards Rule requires notice to the FTC within 30 days for events affecting 500 or more consumers).
- Notification Drafting: Work with legal and communications to draft notifications to regulators, affected individuals, and (if required) media. Include breach description, types of data exposed, steps taken, and mitigation advice.
- Insurance and Legal: Notify cyber‑insurance provider per policy requirements. Engage external counsel if litigation or regulatory scrutiny is anticipated.
- Lessons Learned: Conduct a post‑mortem meeting within two weeks. Update the incident response plan, playbooks, and security controls based on findings. Document what worked, what didn’t, and actionable improvements.
- Final Reporting: Submit post‑incident reports to leadership and board, summarizing timeline, impact, costs, and remediation efforts.
Common Pitfalls
- Paying Ransom Without Eradication – Paying may decrypt files but leaves backdoors, persistence mechanisms, and stolen data unresolved, leading to repeat attacks.
- Delaying Notification Pending Forensics – Regulatory clocks start when the organization becomes aware of the breach (GDPR) or determines the incident is material (SEC), not when forensics is complete. Waiting to “confirm everything” risks non‑compliance; notify on what is known and supplement later.
- Over‑Isolating Accounts in BEC – Abruptly disabling a compromised account before finance has been warned and evidence captured can alert attackers, prompting them to rush fraudulent transactions or delete evidence. Prepare the payment hold and evidence collection first, then contain in one coordinated step.
- Neglecting OAuth and API Tokens – Focusing only on password resets leaves active OAuth tokens or API keys that allow continued access even after password changes.
- Inconsistent Documentation – Poor logging of containment and eradication steps hinders regulatory defense, insurance claims, and lessons‑learned accuracy.
Key Frameworks and Standards
- NIST SP 800‑61 Rev. 2 – Computer Security Incident Handling Guide; provides the lifecycle (preparation; detection and analysis; containment, eradication, and recovery; post‑incident activity) that this runbook expands into five phases. Rev. 3 (2025) reorganizes the guidance around the NIST CSF 2.0 functions.
- CISA Ransomware Guide – Sector‑agnostic best practices for ransomware preparation, prevention, and response, including reporting workflows.
- NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover) – Aligns response activities with broader cybersecurity risk management.
- ISO/IEC 27035 – Information security incident management standard, emphasizing lessons learned and continual improvement.
- SEC Regulation S‑K Item 106 – Requires disclosure of material cybersecurity risks and incidents.
- GDPR Articles 33 & 34 – Mandate breach notification to supervisory authorities and communication to data subjects.
- State Breach Notification Laws – Compiled by the National Conference of State Legislatures (NCSL), providing state‑specific timelines and definitions.
How Truvara Helps
Truvara’s integrated GRC platform streamlines incident response by aligning technical actions with regulatory requirements in real time. Its automated control mapping links containment steps (e.g., disabling OAuth tokens) to relevant GDPR Articles or SEC clauses, reducing the cognitive load on responders during high‑stress events. The built‑in breach‑notification workflow generator incorporates state‑law variables, helping teams determine applicability and deadlines without manual research. Truvara’s centralized evidence locker preserves logs, memory captures, and chain‑of‑custody documentation, satisfying both forensic and auditor requirements. By unifying IR playbooks, policy management, and regulatory tracking, Truvara enables organizations to move from reactive firefighting to a coordinated, compliant response.
Key Takeaways
- Act Fast, Document Faster: Immediate containment and evidence preservation are critical; every action must be logged for both forensic and regulatory purposes.
- Combine Technical and Legal Workflows: Use a single runbook that maps each containment step to the relevant reporting requirement (SEC, GDPR, state laws, etc.).
- Never Assume Eradication After Payment: Ransom payment does not equal cleanup; verify removal of all attacker artifacts before restoring systems.
- Secure All Credential Vectors: Reset passwords, revoke OAuth tokens, and review API keys—password changes alone are insufficient.
- Test and Update Regularly: Conduct tabletop exercises that include both ransomware and BEC scenarios, and refresh the playbook after each incident or drill.
Conclusion
A well‑crafted incident response runbook bridges the gap between rapid technical action and strict regulatory compliance. By following the phased approach outlined above—detect, contain, eradicate, recover, and report—organizations can limit damage, meet legal obligations, and emerge stronger. Regularly rehearse the procedures, keep your threat intelligence up to date, and leverage tools like Truvara to automate the tedious mapping between security controls and compliance mandates. Doing so not only protects your data and reputation but also demonstrates to regulators, insurers, and stakeholders that you take cyber risk seriously.