
Playbook · 9 min read

If your company appears on a leak site: the first 60 minutes

A practical, step-by-step playbook for the moment you discover your organisation has been claimed by a ransomware operator. What to verify, who to call, what not to do.

Someone — your SOC, a vendor, a journalist, an alert from a monitoring service — tells you your company name has just appeared on a ransomware leak site. You have approximately one hour before the news cycle and your customers start asking.

This is the playbook we recommend for the first 60 minutes. It is not a substitute for a written incident-response plan (you should have one), an in-house lawyer (you should have one), or an external IR firm on retainer (you should have one). It is the bridge between the moment you find out and the moment those parties take over.

The 60-minute timeline

  1. 0–10 min · Verify the claim and capture evidence
     Screenshot the leak page (full URL), search the name on Darkfield /tools, confirm sample files match real internal documents, capture the operator's contact channel.

  2. 10–25 min · Convene the response
     Activate the IR plan, name a single decision-maker, loop in counsel and the cyber-insurance broker. Do not negotiate yourself; bring in a specialised firm that knows the OFAC exposure for that operator.

  3. 25–45 min · Assess actual leverage
     Classify what the operator has: confirmed, claimed-but-unverified, operationally evidenced. Pull the operator's behaviour history from /groups/<slug>.

  4. 45–60 min · Decide the next 24 hours
     Containment scope, forensic preservation, external comms posture, regulator and partner notifications. Counsel aligns the clocks.

What needs to happen in the first hour, and in what order

0–10 min · Verify the claim

  1. Take a screenshot of the leak post page, full-resolution, including the URL bar. Save it to a personal device or a printout — not to a corporate share that the intruder may still control.
  2. Cross-reference on Darkfield: search your company name on /tools. If we've already indexed the post you'll see the permanent URL, the operator name, and the listing date. If the post is older than ~6 hours and you didn't know, that is itself a finding.
  3. Confirm it's really you. Ransomware operators recycle stolen branding to bluff. Compare sample files (if any) against unique internal documents you can identify by content, not just by filename.
  4. Capture the operator's contact channel (Tox ID, qTox handle, email) — even if you have no intention of paying. Your forensic team will want it.
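
Two of those steps, capturing evidence and verifying samples by content, lend themselves to a small script. The Python below is an added example written for this page, not Darkfield's code or tooling. It writes a hash-and-timestamp custody record for each captured artefact (so you can later show the screenshot is the one taken at hour one, untouched), and it matches leaked sample files against an internal document corpus by content: a renamed exact copy is recognised, an excerpt is scored by line overlap, and a file that only shares a filename with something of yours is flagged as the bluff signal described in step 3. The documents, the screenshot bytes, the hostnames and the leak URL are all constructed placeholders.

```python
"""Added example, not Darkfield's code: hash-logged evidence custody plus content-based
matching of leaked samples against internal documents. All files, hosts and URLs are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return sha256_bytes(f.read())

def record_evidence(log_path, item_path, source_url, collector, note=""):
    """Append one custody entry (who, what, from where, when, hash) to a JSON-lines log."""
    entry = {"captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "collector": collector, "source_url": source_url, "note": note,
             "file": os.path.basename(item_path), "sha256": sha256_file(item_path)}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(log_path, evidence_dir):
    """Re-hash every logged artefact; return the names whose bytes no longer match the log."""
    changed = []
    with open(log_path, encoding="utf-8") as f:
        for line in f:
            e = json.loads(line)
            p = os.path.join(evidence_dir, e["file"])
            if not os.path.exists(p) or sha256_file(p) != e["sha256"]:
                changed.append(e["file"])
    return changed

def _line_set(data: bytes):
    return {ln.strip() for ln in data.decode("utf-8", "replace").splitlines() if ln.strip()}

def build_index(doc_dir):
    """Map each internal document name to (full-content hash, set of non-empty lines)."""
    index = {}
    for name in os.listdir(doc_dir):
        with open(os.path.join(doc_dir, name), "rb") as f:
            data = f.read()
        index[name] = (sha256_bytes(data), _line_set(data))
    return index

def classify_sample(sample_name, sample_bytes, index, threshold=0.5):
    """Verdict decided by content, never by filename: 'confirmed' = byte-identical to an internal
    doc under any name; 'partial' = >= threshold of its lines occur in one internal doc (excerpt or
    re-save); 'unverified' = no content match, with filename_only flagging a name-only coincidence."""
    digest, lines = sha256_bytes(sample_bytes), _line_set(sample_bytes)
    best_doc, best_score = None, 0.0
    for name, (doc_hash, doc_lines) in index.items():
        if doc_hash == digest:
            return {"sample": sample_name, "verdict": "confirmed", "doc": name, "score": 1.0}
        score = len(lines & doc_lines) / len(lines) if lines else 0.0
        if score > best_score:
            best_doc, best_score = name, score
    partial = best_score >= threshold
    return {"sample": sample_name, "verdict": "partial" if partial else "unverified",
            "doc": best_doc if partial else None, "score": round(best_score, 2),
            "filename_only": not partial and sample_name in index}

def demo():
    """Constructed scenario: two internal docs, three leaked samples, one screenshot in custody."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, evid = os.path.join(tmp, "internal"), os.path.join(tmp, "evidence")
        os.makedirs(docs)
        os.makedirs(evid)
        minutes = "".join(f"Board item {i}: motion {i} carried, recorded by the secretary\n" for i in range(1, 11))
        payroll = "".join(f"E{i:03d},Engineering,{70000 + i * 1000}\n" for i in range(1, 21))
        for name, body in (("board-minutes.txt", minutes), ("payroll.csv", payroll)):
            with open(os.path.join(docs, name), "wb") as f:
                f.write(body.encode())
        index = build_index(docs)
        samples = {
            "dump_001.txt": minutes.encode(),                           # exact copy under a new name
            "payroll.csv": b"name,dept,salary\nJane Doe,Sales,50000\n",  # our filename, not our content
            "excerpt.txt": ("=== SAMPLE ===\n" + "".join(minutes.splitlines(True)[:6])
                            + "=== END ===\n").encode(),                # six real lines plus wrapper
        }
        verdicts = {n: classify_sample(n, b, index) for n, b in samples.items()}
        shot = os.path.join(evid, "leak_post.png")
        with open(shot, "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n" + b"constructed screenshot bytes")
        log = os.path.join(evid, "custody.jsonl")
        record_evidence(log, shot, "http://LEAK-SITE-PLACEHOLDER.onion/post/0", "ir-lead",
                        "leak post, URL bar visible")
        intact = verify_evidence(log, evid)      # [] while the artefact is untouched
        with open(shot, "ab") as f:
            f.write(b"!")                         # simulate later tampering or corruption
        tampered = verify_evidence(log, evid)    # ['leak_post.png']
        return verdicts, intact, tampered

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the three verdicts and the before/after custody check. The partial-match threshold is an assumption to tune for your corpus; exact hashing alone would miss a file the operator opened and re-saved, which is what the line-overlap score is there to catch. Keep the custody log itself off the corporate share, for the same reason as the screenshot.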

The triage checklist (printable)

☐  Screenshot leak page (full URL bar visible)
☐  Listed on Darkfield? → /tools  → confirm operator, date, status
☐  Sample files match real internal docs? (verify by content)
☐  Capture operator contact channel (Tox ID, email, qTox handle)
☐  Single decision-maker named, IR log started
☐  Counsel notified (regulatory clock starts at executive awareness)
☐  Cyber-insurance broker notified (most policies: 24–48h notice)
☐  External IR firm engaged (not negotiating ourselves)
☐  Operator's history pulled from /groups/<slug>
☐  Forensic snapshots taken (do NOT delete intruder tooling)
☐  Holding statement drafted (publish later, but write it now)
☐  Regulator + key-partner notification list assembled
Save this — print and keep in the incident-response binder

Reading the operator's history

Once you know which operator listed you, their dossier on Groups tells you what kind of negotiation you're in. The behavioural patterns cluster: knowing whether the operator typically follows through on threats, re-lists paid victims, or accepts partial settlements changes the playbook materially.

Archetype                            | Follow-through on leak threat                  | Re-lists paid victims                                 | Negotiation flexibility
High-volume RaaS (e.g. qilin, akira) | ~95% — they need the reputational credibility  | Rare under the same brand, occasional after a rebrand | Will discount 30–50% for fast payment
Specialist (sector-focused)          | ~85% — but late publication is common          | Almost never (small affiliate pool)                   | Less flexible; negotiation often ends in full publication
One-shot / unknown                   | ~50% — frequently abandon the leak post        | N/A                                                   | Unpredictable; treat the threat as serious anyway

Operator behaviour archetypes — pull the specific operator's history before deciding

What the operator's leverage actually looks like

Confirmed: files visible in the leak post that you can authenticate. Assume publication.

Claimed: the operator's volume, record-count or source-code claims. Routinely inflated.

Evidenced: what your own logs show was exfiltrated. The only count regulators will accept.
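
The evidenced tier is the one you have to compute yourself. As an added example written for this page (not Darkfield's code), the Python below reduces egress flow logs to the figure your own records support: it drops internal destinations and known business destinations, sums outbound bytes per source/destination pair, keeps the pairs above a triage threshold, and reports the total with the time window of each. The log format, hostnames, address ranges, allowlist and threshold are all constructed assumptions; a real run would parse the firewall or proxy export for the relevant window instead of the embedded sample.

```python
"""Added example, not Darkfield's code: turning your own egress logs into an 'evidenced'
exfiltration figure. Log format, hosts, IP ranges and thresholds are all constructed assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records (time src dst dst_port bytes_out). IPs are RFC 5737 documentation
# addresses standing in for external hosts; nothing here comes from a real incident.
SAMPLE_LOG = """\
2024-05-02T01:12:03Z fs01.corp 203.0.113.45 443 734003200
2024-05-02T01:15:40Z fs01.corp 203.0.113.45 443 812345678
2024-05-02T01:20:11Z wks-117.corp 203.0.113.45 443 157286400
2024-05-02T02:05:00Z fs01.corp 10.20.0.9 445 4294967296
2024-05-02T09:30:00Z wks-042.corp 198.51.100.7 443 1048576
2024-05-02T09:31:00Z wks-042.corp 192.0.2.10 443 3145728
"""

# Assumed: the organisation's own address space, and the external destinations it legitimately
# pushes bulk data to (backup, SaaS). Both lists are constructed for the example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GOOD_DST = {"198.51.100.7"}
MIN_SUSPECT_BYTES = 100 * 1024 * 1024   # assumed triage threshold per (source, destination) pair


def parse_egress(text):
    """Parse the constructed log format into flow dicts; real parsers are firewall-specific."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evidenced_exfil(flows, known_good=KNOWN_GOOD_DST, min_bytes=MIN_SUSPECT_BYTES):
    """Sum outbound bytes per (src, dst) to external, non-allowlisted destinations and keep the
    pairs above the threshold. The total is the figure your logs actually support."""
    per_pair, first, last = defaultdict(int), {}, {}
    for f in flows:
        if is_internal(f["dst"]) or f["dst"] in known_good:
            continue    # lateral copies and known business destinations are not exfil evidence
        key = (f["src"], f["dst"])
        per_pair[key] += f["bytes"]
        first[key] = min(first.get(key, f["ts"]), f["ts"])
        last[key] = max(last.get(key, f["ts"]), f["ts"])
    candidates = [{"src": s, "dst": d, "bytes": b, "first": first[(s, d)].isoformat(),
                   "last": last[(s, d)].isoformat()}
                  for (s, d), b in sorted(per_pair.items(), key=lambda kv: -kv[1]) if b >= min_bytes]
    total = sum(c["bytes"] for c in candidates)
    return {"evidenced_bytes": total, "evidenced_gib": round(total / 2**30, 2),
            "sources": sorted({c["src"] for c in candidates}),
            "destinations": sorted({c["dst"] for c in candidates}),
            "candidates": candidates}


if __name__ == "__main__":
    import json
    print(json.dumps(evidenced_exfil(parse_egress(SAMPLE_LOG)), indent=2))
```

The evidenced_bytes figure is what goes to counsel and, eventually, the regulator; the operator's headline volume stays in the claimed bucket until flows like these back it up. The threshold is applied per pair, so a slow drip that stays under it for weeks will not show: if the first pass over the obvious window finds nothing, widen the window and lower the threshold before concluding the claim is a bluff.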

The first holding statement

You probably won't publish this in hour one. You should still write it in hour one: silence is defensible for 24 hours, but a lie at hour two is permanent. Keep it short, factual, and free of speculation:

We are aware that data claiming to belong to [COMPANY] has been
posted on a third-party site. We have engaged our incident-response
team and external specialists to investigate and verify the claims.
We are taking the matter seriously.

We will provide further information as soon as we have validated
facts to share. We will not be commenting on the substance of the
posted material while the investigation is ongoing.

Customers and partners with specific concerns can reach us at
[INCIDENT-RESPONSE EMAIL].

[NAME OF SENIOR EXEC]
[DATE]
Template — adapt to your facts, run by counsel before publishing

Things not to do

  • Do not pay in the first hour. The operator gains leverage from urgency. Time is on your side once you've verified and contained.
  • Do not visit the leak page repeatedly from your office IP. Operators correlate visits.
  • Do not delete anything. Not chat logs, not intruder tooling left behind, not even files you wish weren't there. You're destroying evidence.
  • Do not tell employees publicly yet. Insider-trading windows exist on this stuff at public companies; ad-hoc Slack messages have triggered SEC inquiries.
  • Do not check OFAC blocklists only at payment time. That's the worst moment to learn the operator's wallet is sanctioned. Run the check during the first 25 minutes.

Where to keep watching

Bookmark the operator's page on Groups — Darkfield re-checks every active leak site multiple times a day. Status changes (countdown expiry, data_published, new sample drops) propagate to the dossier in close to real time. The daily Pulse brief covers movement across the whole ecosystem.

By Orizon Research. Compiled with AI assistance, reviewed before publication. Findings are evidence pointers, not legal verdicts.