This is a technical playbook. Ethics obligations (ABA Model Rule 1.6, state-bar opinions on cloud and AI) and legal obligations (state breach-notification laws, client contracts) are your firm’s risk counsel’s call — this playbook handles the technical side and flags the triggers that matter for the legal side.
First 60 minutes
Contain
- ✓Isolate every confirmed-infected endpoint from the network: use your EDR's network-isolation feature if you have one (it cuts everything except the forensic team's remote access), otherwise unplug Ethernet and disable Wi-Fi
- ✓Do NOT power off: volatile memory may hold encryption keys, the running ransomware process, and its network connections, all of which a forensic team can capture only while the machine is live
- ✓Preserve the ransom note — screenshot, don't click, don't reply
- ✓Disable compromised user accounts, reset their passwords, and revoke active sessions and refresh tokens across the tenant; disabling an account by itself does not invalidate tokens that were already issued
- ✓Isolate backup systems from the compromised network, especially if they share credentials or a management plane with production; attackers routinely delete or encrypt backups before they encrypt production so that paying looks like the only option
Notify
- ✓Managing Partner and your ethics/risk counsel
- ✓Your cyber-insurance carrier (many policies require notice within a fixed window, often 24-72 hours, and many require you to use panel vendors and obtain consent before any ransom payment; read the policy before engaging anyone)
- ✓Your MSP / incident-response team
- ✓Named IR contact from your policy's breach-response panel (if applicable)
First 24 hours
Scope
- ✓Confirm which matters / clients are affected — which files, which mailboxes
- ✓Determine whether privileged or client-confidential content was exfiltrated (most ransomware groups now steal data before encrypting): look for large outbound transfers, unfamiliar file-transfer or cloud-sync tools on affected hosts, and the group's leak site
- ✓Check for persistence: attackers often keep access after the ransom note drops through new accounts, remote-access tools, scheduled tasks, and OAuth app grants
- ✓Review authentication logs for the 30 days preceding the event: password sprays (one source failing against many accounts), a success after a run of failures, sign-ins from new countries or devices, and newly granted admin roles; this is usually where initial access shows up
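The log review above is mechanical enough to script. The following is an added example, not tooling from this playbook or from any vendor: it takes a generic CSV sign-in export (the column names `timestamp,user,ip,country,result` are an assumption; map your identity provider's export onto them), keeps only the 30 days before the incident, and flags the three indicators named above. The log lines are constructed sample data, not a real incident.

```python
"""Triage a sign-in log export for initial-access indicators in the
30 days before a ransomware event. Added example; column names and
thresholds are assumptions to adapt to your own export."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). One spray, one brute force that
# eventually succeeds, one login from a new country, plus normal traffic.
SAMPLE_LOG = """\
timestamp,user,ip,country,result
2024-04-20T09:00:00Z,alice,203.0.113.10,US,success
2024-05-01T08:02:11Z,alice,203.0.113.10,US,success
2024-05-02T08:05:00Z,bob,203.0.113.11,US,success
2024-05-03T08:10:00Z,carol,203.0.113.12,US,success
2024-05-04T08:00:00Z,dave,203.0.113.13,US,success
2024-05-10T02:00:00Z,alice,198.51.100.7,NL,failure
2024-05-10T02:01:00Z,bob,198.51.100.7,NL,failure
2024-05-10T02:02:00Z,carol,198.51.100.7,NL,failure
2024-05-10T02:03:00Z,dave,198.51.100.7,NL,failure
2024-05-10T02:04:00Z,erin,198.51.100.7,NL,failure
2024-05-10T02:05:00Z,frank,198.51.100.7,NL,failure
2024-05-12T03:00:00Z,dave,198.51.100.9,US,failure
2024-05-12T03:01:00Z,dave,198.51.100.9,US,failure
2024-05-12T03:02:00Z,dave,198.51.100.9,US,failure
2024-05-12T03:04:00Z,dave,198.51.100.9,US,success
2024-05-15T23:10:00Z,dave,192.0.2.55,RO,success
2024-05-30T07:00:00Z,alice,203.0.113.10,US,success
"""

SPRAY_MIN_USERS = 5      # distinct accounts failed from one source IP
BRUTE_MIN_FAILURES = 3   # consecutive failures before a success, same user+IP


def parse_log(text):
    """Parse the CSV export into dicts with a UTC datetime, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def review_auth_logs(text, incident_time, days=30):
    """Return the indicators found in the `days` before `incident_time`."""
    start = incident_time - timedelta(days=days)
    events = [e for e in parse_log(text) if start <= e["ts"] <= incident_time]

    # 1. Password spray: one source IP failing against many distinct users.
    failed_users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users_by_ip[e["ip"]].add(e["user"])
    spray = sorted(ip for ip, users in failed_users_by_ip.items()
                   if len(users) >= SPRAY_MIN_USERS)

    # 2. Success after a run of failures for the same user from the same IP.
    streak = defaultdict(int)
    brute_success = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            streak[key] += 1
        else:
            if streak[key] >= BRUTE_MIN_FAILURES:
                brute_success.append(key)
            streak[key] = 0

    # 3. Success from a country not seen in that user's earlier successes.
    #    The baseline is only what is inside the window, so a user's first
    #    success sets it and cannot itself be flagged; widen the window or
    #    feed a known-good baseline if that matters for your review.
    seen = defaultdict(set)
    new_country = []
    for e in events:
        if e["result"] != "success":
            continue
        if seen[e["user"]] and e["country"] not in seen[e["user"]]:
            new_country.append((e["user"], e["country"], e["ip"]))
        seen[e["user"]].add(e["country"])

    return {
        "events_reviewed": len(events),
        "spray_sources": spray,
        "brute_force_success": brute_success,
        "new_country_logins": new_country,
    }


if __name__ == "__main__":
    incident = datetime(2024, 5, 30, 6, 0, tzinfo=timezone.utc)
    for name, finding in review_auth_logs(SAMPLE_LOG, incident).items():
        print(name, finding)
```

Run against the sample it reports the spray source, the brute-forced account, and dave's sign-in from a new country, and it drops the two events outside the 30-day window. Anything it flags goes into the IR timeline with the raw log lines attached, and the earliest flagged timestamp is a first estimate of initial access, which you need later when choosing a backup restore point.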
Preserve
- ✓Forensic preservation of affected systems (memory capture first, then disk images, both hashed and chain-of-custody logged) before any remediation or rebuild
- ✓Preserve email, voicemail, messaging content relevant to affected matters
- ✓Document the IR timeline in a running log — every decision, every communication, with timestamps
- ✓Document any litigation-hold implications for affected matters
Communicate
- ✓Internal-only holding statement to staff — factual, brief, what to do / not do
- ✓Do not engage publicly or with the attacker without counsel sign-off
- ✓Court continuances (if applicable) coordinated with matter lead
First week
Recover
- ✓Restore from a verified-clean immutable or offline backup, not a local backup attackers could have touched; confirm the restore point predates initial access (the auth-log review gives you the date) and scan it before it goes back on the network
- ✓Rebuild workstations from clean images rather than decrypting / cleaning in place
- ✓Rotate every privileged credential: domain admin, tenant admin, VPN, practice-management, e-billing, and service accounts; if the domain itself was compromised, reset the krbtgt account twice so that forged Kerberos tickets stop working
- ✓Re-issue MFA tokens and review conditional-access policies for attacker-added exclusions, trusted locations, or disabled policies before restoring your baseline
- ✓Validate that persistence mechanisms are removed (malicious scheduled tasks, new or modified service accounts, OAuth app consents, mailbox forwarding rules, remote-access tools)
Notify clients / regulators as required
- ✓Ethics consultation on client notification — ABA Model Rule 1.6 triggers for some firms / some incidents
- ✓State breach-notification law triggers (TX: 60 days for SSNs and similar PII; other states vary)
- ✓Client-contract-specific obligations
- ✓If any HIPAA-covered client data was affected: a law firm holding that data is normally a business associate, so your obligation is to notify the covered-entity client without unreasonable delay and within 60 days of discovery (the BAA may set a shorter deadline); the client's own HHS and individual notifications run on their 60-day clock from there
Ransom decision
- ✓Do not pay without sanctions-screening of the wallet and the group (OFAC sanctions are strict liability: paying a sanctioned group is a federal violation even if you did not know who you were paying)
- ✓Cyber-insurance carrier typically leads or strongly recommends here
- ✓Most firms restore from backup rather than pay — if you can't, the gap is in your backup strategy, not your decision-making
Post-incident
- ✓Written post-incident report for leadership, insurance, and your ethics file
- ✓Lessons-learned session with IR team, MSP, and counsel
- ✓Gap remediation: closed loops on what enabled the event
- ✓Updated IR plan incorporating what you learned
- ✓Tabletop exercise within 6 months to validate changes
What would have made this less bad
- ✓EDR / MXDR that caught initial access before encryption began
- ✓Immutable backups with credential separation
- ✓MFA on every account; for service accounts that cannot do MFA, use certificate or managed-identity authentication, long random passwords, no interactive logon, and narrowly scoped permissions
- ✓Phishing training and simulation program (phishing remains one of the leading initial-access vectors, alongside exposed remote access such as RDP and VPN and unpatched edge devices)
- ✓Documented IR plan with an annual tabletop
- ✓Cyber insurance with a known IR-panel response partner
