If you are reading this during a live incident
Stop reading. Activate your incident response plan. Call your IR retainer provider. Disconnect (do not power off) affected hosts from the network. Do not pay anything yet. Do not contact the threat actor yet. Bring the CEO and General Counsel into the war room within 60 minutes. Then come back here.
If you do not have an IR retainer, contact our 24/7 incident response team immediately. Time matters more than process at this stage.
Hour 0-1 — Detection and triage
First confirmation typically arrives via one of three signals: ransom note on a desktop, application/file unavailability across multiple users, or EDR/SIEM alert on encryption activity. Within 60 minutes:
- Confirm the encryption is real (not a hoax) — sample one or two files
- Identify the ransomware family from the note (LockBit, BlackCat/ALPHV, Cl0p, Akira, etc.) — drives playbook decisions
- Disconnect affected hosts from the network — do NOT power off (memory forensics will be needed)
- Convene the IR team — IT lead, security lead, communications, legal, executive sponsor
- Open a structured incident log (timestamped, source-of-truth, single owner)
- If you have an IR retainer — call your provider now, not in three hours
Hour 1-6 — Containment and scope
The window for limiting blast radius is narrow. Active encryption typically continues for hours after the initial ransom note appears as the malware finishes propagating.
- Network-segment containment — block lateral movement at firewall/EDR boundary
- Disable known compromised accounts (the ones used to pivot)
- Reset the KRBTGT account password if domain controllers are confirmed in scope (twice, allowing AD replication to complete between the two resets, since tickets signed with the previous password stay valid until the second reset)
- Identify backup status — are backups online (and therefore at risk of also being encrypted), offline, immutable?
- Identify scope — which systems are affected, which data is encrypted, which data is exfiltrated (modern ransomware almost always exfiltrates before encrypting)
- Engage external DFIR if not already — independent investigation is required for both regulatory reporting and any insurance claim
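One way to start answering the "which data is exfiltrated" scoping question from egress logs, as an added example that is not part of the original playbook: it totals outbound bytes per source host and destination over constructed firewall records and flags large transfers to destinations outside an assumed allowlist. The record format, hostnames, addresses and the 100 MiB threshold are all assumptions.

```python
"""Egress-volume triage for the 'which data was exfiltrated' scoping step.

Added example, not from the original page. Parses constructed, space-delimited
firewall egress records of the form
    <ISO timestamp> <src_host> <dst_ip> <dst_port> <bytes_out>
and reports per-host/destination totals that exceed a threshold and go to
destinations outside an (assumed) allowlist of known business endpoints.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: a workstation and a file server pushing bulk
# data to an unknown host (203.0.113.45) in the small hours.
SAMPLE_LOG = """\
2026-03-01T02:10:05Z WS-FIN-07 203.0.113.45 443 524288000
2026-03-01T02:14:40Z WS-FIN-07 203.0.113.45 443 734003200
2026-03-01T02:20:11Z WS-FIN-07 198.51.100.10 443 4096
2026-03-01T02:31:09Z SRV-FILE-01 203.0.113.45 22 2147483648
2026-03-01T03:00:00Z WS-HR-02 192.0.2.80 443 1048576
"""

# Assumed allowlist: destinations the business legitimately sends bulk data to.
KNOWN_DESTINATIONS = {"192.0.2.80"}

def parse_line(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def egress_totals(log_text):
    """Sum bytes_out per (src, dst) and track first/last seen timestamps."""
    totals = defaultdict(lambda: {"bytes": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        e = totals[(rec["src"], rec["dst"])]
        e["bytes"] += rec["bytes"]
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
    return totals

def suspicious_egress(log_text, threshold_bytes=100 * 1024 * 1024):
    """(src, dst, total_bytes, first_iso, last_iso) for flows needing a scoping answer."""
    findings = []
    for (src, dst), e in sorted(egress_totals(log_text).items()):
        if dst not in KNOWN_DESTINATIONS and e["bytes"] >= threshold_bytes:
            findings.append((src, dst, e["bytes"], e["first"].isoformat(), e["last"].isoformat()))
    return findings
```

The flagged (host, destination, volume, first, last) tuples are the questions to put to the data owners and to the DFIR team, not a conclusion about what was taken.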
Hour 6-24 — Regulatory notifications
Malaysian regulatory clocks now apply. Specific obligations depend on what kind of organisation you are.
NACSA — Cyber Security Act 2024 §22
National Critical Information Infrastructure (NCII) operators have explicit incident notification obligations under the Cyber Security Act 2024 (Act 854), with sectoral lead agencies and NACSA as central authority. Section 22 and surrounding provisions of the Act establish the notification framework. Specific timelines and form requirements are set in subsidiary regulations and sectoral lead agency directives — confirm against the current published regulations before submitting. Where any doubt exists, notify early — late notification is harder to explain than slightly premature notification.
BNM — 1-hour notification for financial institutions
Bank Negara Malaysia's RMiT Policy Document requires licensed financial institutions to notify BNM within 1 hour of discovery of any cyber security incident with material impact on operations, customers or data. The notification is initial — a full incident report follows within the timelines set in the Policy Document. The Policy Document's own clauses take precedence over this summary; confirm against the current RMiT Policy Document at bnm.gov.my.
For BNM-regulated FIs, the 1-hour clock starts at the moment of discovery — not at the moment of containment. Call BNM as soon as you have minimum viable facts; do not wait for the investigation to mature.
PDPA 2024 — personal data breach
The 2024 amendments to the Personal Data Protection Act introduced personal data breach notification obligations for data controllers. If exfiltrated data includes personal data of Malaysian individuals, the PDPA notification regime applies in parallel to NACSA / BNM notifications. Confirm the current operative timelines against the published regulations.
Sectoral regulators
Securities Commission (capital markets), Ministry of Health (healthcare PHI), Ministry of Education, MCMC (telecommunications) — all have parallel sectoral notification expectations. Map them in advance so the IR playbook lists the right call for the right kind of organisation.
Hour 24-48 — The payment decision
This is the hardest decision in incident response. The honest answer: do not pay. The longer answer follows.
Why companies do pay anyway. Backups have also been encrypted (or were never offline). Recovery time exceeds business survival horizon. Exfiltrated data publication would be catastrophic. Customer contracts have crippling SLA penalties. Cyber insurance policy covers the payment. Decryption is faster than restore. Each of these is a real, often legitimate driver — and each is also a known threat-actor leverage point that has been deliberately built into the modern ransomware extortion model.
Why you should not pay. Payment funds the next attack on the next victim — including, often, you again within 12 months. Decryption keys frequently fail or are partial. Threat actors routinely re-extort after initial payment, demanding more for the “deletion” of exfiltrated data they retain anyway. Sanctions exposure: paying certain threat-actor groups (those linked to OFAC-sanctioned entities) is itself an offence in several of the jurisdictions Malaysian organisations deal with. And payment establishes a legal and reputational paper trail that compounds future exposure.
If you are seriously considering payment, do these first: formal General Counsel sign-off (in writing); cyber insurance carrier consultation (failure to consult can void cover); sanctions screening of threat actor against OFAC, EU and UK lists; engagement of a professional ransom negotiation firm (DIY negotiation invariably increases the demand); and a written board minute capturing the decision, the alternatives considered, and the legal-and-reputational risk acceptance.
Hour 24-72 — DFIR engagement workflow
Independent digital forensics and incident response is mandatory in 2026 for any material ransomware incident. Insurance, regulator and (often) customer contracts all require independent investigation. Standard DFIR workflow:
- Forensic image of representative affected hosts (not all — just enough for root cause)
- Memory capture from any live host where containment timeline allows
- Log preservation — SIEM, EDR, firewall, AD, application logs — exported and chain-of-custody logged
- Initial-access vector identification — phish, vendor compromise, exposed remote service, exploited vulnerability
- Lateral-movement reconstruction — account abuse, credential theft, scheduled tasks, persistence mechanisms
- Exfiltration detection — what data left, when, to where, in what volume
- Persistence eradication — rebuild, not clean, where uncertainty exists about adversary backdoors
- Final report — narrative, evidence pack, timeline, root cause, remediation plan
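A hash-chained custody manifest for the log-preservation step above, as an added example that is not the page's or any provider's tooling: each entry records custodian, timestamp, size and SHA-256 of an exported artefact and commits to the previous entry's hash, so a later edit, reorder or deletion of entries fails verification. The artefacts and incident id are constructed.

```python
"""Hash-chained chain-of-custody log for preserved evidence exports.

Added example, not from the original page. Each entry records who collected
what, when, and the SHA-256 of the artefact, and commits to the previous
entry's hash. Artefacts here are constructed bytes; real use reads the files.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor value for the first entry's prev_hash

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Digest over canonical JSON of every field except entry_hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, item, data: bytes, custodian, note, when=None) -> dict:
        """Append one custody entry for artefact `item` held by `custodian`."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"seq": len(self.entries), "incident": self.incident_id,
                 "ts": ts, "custodian": custodian, "item": item,
                 "size": len(data), "sha256": sha256_hex(data),
                 "note": note, "prev_hash": prev}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

def verify_chain(entries: list) -> bool:
    """True only if every digest and every prev_hash link is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or entry_digest(e) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def verify_artefact(entry: dict, data: bytes) -> bool:
    """Re-hash an artefact at hand-over and compare with the logged digest."""
    return sha256_hex(data) == entry["sha256"]
```

Run `verify_artefact` at every hand-over (to the DFIR provider, to counsel, to the insurer) and `verify_chain` before the manifest goes into the evidence pack.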
See our digital forensics service for the full DFIR methodology.
Recovery cost ranges
Total cost of a ransomware incident is rarely just the ransom. Direct cost components:
- DFIR investigation: RM 80,000 - RM 600,000+ depending on scope and duration
- External communications and PR: RM 30,000 - RM 200,000
- Legal counsel (specialist cyber): RM 50,000 - RM 400,000
- Recovery infrastructure (replacement hardware, cloud burst capacity, surge engineering): RM 100,000 - RM 1,500,000
- Customer notification and credit monitoring (if regulated PII exfiltrated): variable, often RM 10-30 per affected individual
- Regulatory enforcement exposure (PDPA 2024 penalty regime, BNM enforcement): variable, can reach seven figures
- Business interruption — typically the largest line, varies entirely by sector and outage duration
- Ransom payment (if paid): six to seven-figure ringgit equivalent for mid-market, can exceed RM 10M for large enterprise targets
Indicative total cost for a mid-market Malaysian organisation experiencing a material ransomware incident: typically RM 1M - RM 10M+ depending on data exfiltration, regulatory exposure and business interruption.
Pre-incident — what to put in place this quarter
The single highest-leverage pre-incident investment is an Incident Response Retainer with a credible DFIR provider. The second is offline (or immutable cloud) backups with quarterly restore testing. The third is a tabletop exercise stressing the regulatory notification clock.
- IR retainer with defined response SLA and pre-negotiated scope
- Offline / immutable backups for Tier-0 data with monthly restore validation
- Documented IR playbook with named call list, regulator templates pre-populated
- Annual tabletop exercise stressing 1-hour BNM clock and NACSA notification flow
- Cyber insurance with current policy review (sanctions exclusions, ransomware sub-limits, breach response panel)
- EDR and immutable logging in place across the full fleet
- Tier-0 admin model with phishing-resistant MFA
For execution: see our 24/7 incident response service, incident response retainer, digital forensics, and our tabletop exercise service.