Someone — your SOC, a vendor, a journalist, an alert from a monitoring service — tells you your company name has just appeared on a ransomware leak site. You have approximately one hour before the news cycle and your customers start asking.
This is the playbook we recommend for the first 60 minutes. It is not a substitute for a written incident-response plan (you should have one), an in-house lawyer (you should have one), and an external IR firm on retainer (you should have one). It is the bridge between the moment you find out and the moment those parties take over.
The 60-minute timeline
1. 0–10 min · Verify the claim and capture evidence. Screenshot the leak page (full URL), search the name on Darkfield /tools, confirm sample files match real internal documents, capture the operator's contact channel.
2. 10–25 min · Convene the response. Activate the IR plan, name a single decision-maker, loop in counsel + cyber-insurance broker. Do not negotiate yourself — bring in a specialised firm that knows OFAC exposure for that operator.
3. 25–45 min · Assess actual leverage. Classify what the operator has: confirmed, claimed-but-unverified, operationally-evidenced. Pull the operator's behaviour history from /groups/<slug>.
4. 45–60 min · Decide the next 24 hours. Containment scope, forensic preservation, external comms posture, regulator + partner notifications. Counsel aligns the clocks.
0–10 min · Verify the claim
- Take a screenshot of the leak post page, full-resolution, including the URL bar. Save it to a personal device or a printout — not to a corporate share that the intruder may still control.
- Cross-reference on Darkfield: search your company name on /tools. If we've already indexed the post you'll see the permanent URL, the operator name, and the listing date. If the post is older than ~6 hours and you didn't know, that is itself a finding.
- Confirm it's really you. Ransomware operators recycle stolen branding to bluff. Compare sample files (if any) against unique internal documents you can identify by content, not just by filename.
- Capture the operator's contact channel (Tox ID, qTox handle, email) — even if you have no intention of paying. Your forensic team will want it.
The triage checklist (printable)
☐ Screenshot leak page (full URL bar visible)
☐ Listed on Darkfield? → /tools → confirm operator, date, status
☐ Sample files match real internal docs? (verify by content)
☐ Capture operator contact channel (Tox ID, email, qTox handle)
☐ Single decision-maker named, IR log started
☐ Counsel notified (regulatory clock starts at executive awareness)
☐ Cyber-insurance broker notified (most policies: 24–48h notice)
☐ External IR firm engaged (not negotiating ourselves)
☐ Operator's history pulled from /groups/<slug>
☐ Forensic snapshots taken (do NOT delete intruder tooling)
☐ Holding statement drafted (publish later, but write it now)
☐ Regulator + key-partner notification list assembled
Reading the operator's history
Once you know which operator listed you, their dossier on Groups tells you what kind of negotiation you're in. The behavioural patterns cluster — knowing whether the operator typically follows through on threats, re-lists paid victims, or accepts partial settlements changes the playbook materially.
| Archetype | Follow-through on leak threat | Re-list paid victims | Negotiation flexibility |
|---|---|---|---|
| High-volume RaaS (e.g. qilin, akira) | ~95% — they need the reputational credibility | Rare under same brand, occasional after rebrand | Will discount 30–50% for fast payment |
| Specialist (sector-focused) | ~85% — but late publication is common | Almost never (small affiliate pool) | Less flexible; negotiation often ends in full publication |
| One-shot / unknown | ~50% — frequently abandon the leak post | N/A | Unpredictable; treat the threat as serious anyway |
What the operator's leverage actually looks like
- Confirmed: files visible in the leak post that you can authenticate — assume publication.
- Claimed: the operator's volume / record-count / source-code claims (routinely inflated).
- Evidenced: what your own logs show was exfiltrated — the only count regulators will accept.
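The two verification steps above that can be done in code are authenticating sample files by content rather than filename (the Confirmed bucket) and deriving the exfiltrated volume from your own egress logs (the Evidenced bucket). The script below is an added example, not Darkfield's code or part of its tooling; the internal inventory, the leak-post samples, the egress log lines, the allow-listed destination and the suspected exfiltration window are all constructed for the illustration, and the log line format is an assumption. A hash mismatch only means a sample is unverified, not that it is not yours (the operator may have re-saved or truncated it), so unmatched samples stay in the Claimed bucket.

```python
"""Added example (not Darkfield's own code): sort a leak post's claims into
the Confirmed / Claimed / Evidenced buckets from data you control.
All file contents, hosts and log lines below are constructed."""
import hashlib
import re
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed internal inventory: content hash -> internal path. In practice
# this comes from a DLP index, backup catalogue or file-server hash sweep.
INTERNAL_INVENTORY = {
    sha256_bytes(b"Board minutes 2024-03 CONFIDENTIAL ..."): "finance/board-minutes-2024-03.docx",
    sha256_bytes(b"Customer list Q1 ..."): "sales/customers-q1.xlsx",
}

# Constructed samples pulled from the leak post: (filename as the operator labelled it, bytes)
LEAK_SAMPLES = [
    ("board_minutes.docx", b"Board minutes 2024-03 CONFIDENTIAL ..."),
    ("customers.xlsx", b"Customer list Q1 ..."),
    ("source.zip", b"not our data at all"),  # recycled from another victim, or bluff
]


def authenticate_samples(samples, inventory):
    """Match each leaked sample to internal documents by content hash.

    Returns {claimed_filename: ("confirmed", internal_path)} for hash matches and
    {claimed_filename: ("claimed", None)} for everything else. The filename the
    operator chose is ignored for matching: it is trivially forged.
    """
    result = {}
    for name, content in samples:
        digest = sha256_bytes(content)
        if digest in inventory:
            result[name] = ("confirmed", inventory[digest])
        else:
            result[name] = ("claimed", None)  # unverified, NOT "not ours"
    return result


# Constructed egress log (assumed format: ts src dst dport bytes_out). The first
# line goes to an allow-listed backup endpoint; the last is outside the window.
EGRESS_LOG = """\
2024-05-01T01:58:10Z src=10.0.4.21 dst=198.51.100.20 dport=443 bytes_out=1048576
2024-05-01T02:13:44Z src=10.0.4.21 dst=203.0.113.7 dport=443 bytes_out=734003200
2024-05-01T02:40:02Z src=10.0.4.21 dst=203.0.113.7 dport=443 bytes_out=512000000
2024-05-01T03:05:19Z src=10.0.7.3 dst=192.0.2.55 dport=22 bytes_out=96000000
2024-05-02T09:00:00Z src=10.0.4.21 dst=203.0.113.7 dport=443 bytes_out=2048
"""
KNOWN_DESTINATIONS = {"198.51.100.20"}  # constructed: our own off-site backup target
WINDOW_START = datetime(2024, 5, 1, 0, 0, 0, tzinfo=timezone.utc)  # constructed window
WINDOW_END = datetime(2024, 5, 1, 23, 59, 59, tzinfo=timezone.utc)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def evidenced_exfil_bytes(log_text, window_start, window_end, known_destinations):
    """Sum bytes_out per non-allow-listed destination inside the suspected window.

    Returns {dst: total_bytes}. Malformed lines are skipped rather than guessed at;
    a real run should count and report them so the total is defensible.
    """
    totals = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if not (window_start <= ts <= window_end):
            continue
        if m["dst"] in known_destinations:
            continue
        totals[m["dst"]] = totals.get(m["dst"], 0) + int(m["bytes"])
    return totals


def leverage_summary():
    """One record for the IR log: what is confirmed, what is merely claimed,
    and what your own telemetry evidences."""
    auth = authenticate_samples(LEAK_SAMPLES, INTERNAL_INVENTORY)
    exfil = evidenced_exfil_bytes(EGRESS_LOG, WINDOW_START, WINDOW_END, KNOWN_DESTINATIONS)
    return {
        "confirmed": sum(1 for status, _ in auth.values() if status == "confirmed"),
        "claimed": sum(1 for status, _ in auth.values() if status == "claimed"),
        "evidenced_bytes": sum(exfil.values()),
        "evidenced_destinations": sorted(exfil),
    }


if __name__ == "__main__":
    print(authenticate_samples(LEAK_SAMPLES, INTERNAL_INVENTORY))
    print(leverage_summary())
```

The per-destination totals are what you hand to counsel as the evidenced figure; the operator's own record counts stay labelled as claims until your telemetry or the matched samples corroborate them.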
The first holding statement
You probably won't publish this in hour one. You should still write it in hour one — silence is fine for 24 hours, a lie at hour two is permanent. Keep it short, factual, and free of speculation:
We are aware that data claiming to belong to [COMPANY] has been
posted on a third-party site. We have engaged our incident-response
team and external specialists to investigate and verify the claims.
We are taking the matter seriously.
We will provide further information as soon as we have validated
facts to share. We will not be commenting on the substance of the
posted material while the investigation is ongoing.
Customers and partners with specific concerns can reach us at
[INCIDENT-RESPONSE EMAIL].
[NAME OF SENIOR EXEC]
[DATE]
Things not to do
- Do not pay in the first hour. The operator gains leverage from urgency. Time is on your side once you've verified and contained.
- Do not visit the leak page repeatedly from your office IP. Operators correlate visits.
- Do not delete anything. Not chat logs, not intruder tooling left behind, not even files you wish weren't there. You're destroying evidence.
- Do not tell employees publicly yet. Insider-trading windows exist on this stuff at public companies; ad-hoc Slack messages have triggered SEC inquiries.
- Do not check OFAC blocklists only at payment time — that's the worst moment to learn the operator's wallet is sanctioned. Pull it during the first 25 minutes.
Where to keep watching
Bookmark the operator's page on Groups — Darkfield re-checks every active leak site multiple times a day. Status changes (countdown expiry, data_published, new sample drops) propagate to the dossier in close to real time. The daily Pulse brief covers movement across the whole ecosystem.