"Timely" is relative, right?
If I build a house in a week, that was done in a timely fashion, as it was done faster than average,
If i build a house of cards in a week, that took way longer than the average house of cards, and it would not be fair to call it "timely".
In a world where most companies report breaches months after the fact, yes, I think "last week we found out about it and we're now confirming it" is fair. You need to work with Law Enforcement, you need to confirm the validity of the data and the hacker's claims, and that they data they are ransoming is all they actually took. You need to check the severity of the data they took. Was it user/passes? Was there any trademarked processes, IP, sensitive info? You need to ensure the threat actor is removed from your environment, and the hole they got in with is closed.
If you choose to pay the ransom, you may need to work even closer with LE to ensure you don't get flagged for aiding and funding criminals.
With them choosing not to pay, I'm sure they need to clear that with legal still. Finance needs to be on board. Can you actually call it a charitable donation for a tax write-off if its under this sort of duress? (And I'd assume there's other sort's of questions a SysAdmin can't be expected to come up with examples for)
While ALL of this is happening, you can't announce your actions. You can't put our a PR until you know for sure you were compromised, what the scope was, and that any persistence has been removed.
If i build a house of cards in a week, that took way longer than the average house of cards, and it would not be fair to call it "timely".
In a world where most companies report breaches months after the fact, yes, I think "last week we found out about it and we're now confirming it" is fair. You need to work with Law Enforcement, you need to confirm the validity of the data and the hacker's claims, and that they data they are ransoming is all they actually took. You need to check the severity of the data they took. Was it user/passes? Was there any trademarked processes, IP, sensitive info? You need to ensure the threat actor is removed from your environment, and the hole they got in with is closed.
If you choose to pay the ransom, you may need to work even closer with LE to ensure you don't get flagged for aiding and funding criminals.
With them choosing not to pay, I'm sure they need to clear that with legal still. Finance needs to be on board. Can you actually call it a charitable donation for a tax write-off if its under this sort of duress? (And I'd assume there's other sort's of questions a SysAdmin can't be expected to come up with examples for)
While ALL of this is happening, you can't announce your actions. You can't put our a PR until you know for sure you were compromised, what the scope was, and that any persistence has been removed.