ClearBreach

This guide is for use during an active breach.

Applies to: PIPEDA, AB PIPA, all sectors

Ransomware Attack — Quick Reference Guide

Immediate steps, checklists, and reporting deadlines for Canadian organizations responding to a ransomware attack under PIPEDA and Alberta PIPA.

Typical verdict: HIGH to CRITICAL

Reporting deadline: as soon as feasible after RROSH is determined — regulators expect days, not weeks

Documents you will need

  • Internal Incident Record (always required)
  • OPC PIPEDA Breach Report (if PIPEDA RROSH triggered)
  • OIPC Alberta Notification Form (if AB PIPA applies)
  • Individual Notification Letter
  • AB PIPA Individual Notice s.19.1 (if AB PIPA individual notification required)

Do not

  • Pay the ransom before obtaining legal advice — sanctions risk
  • Wipe affected systems before forensic review is complete
  • Wait for full forensic confirmation before filing — act on available information
  • Use the encryption event date as your breach start date — use the date the attacker first gained access (the start of the dwell time)

First 30 minutes

  • Isolate affected systems from the network — do not shut them down unless instructed by your incident response firm, since powering off destroys volatile memory evidence
  • Disable compromised accounts and revoke active sessions
  • Call your cyber insurer — most policies require notification before remediation begins
  • Preserve all available logs (firewall, endpoint, and authentication) covering the period before the encryption event — these are what establish when the attacker first entered
  • Designate one person as incident lead — all communications route through them
  • Do not communicate the breach details over systems that may still be compromised

Within 24 hours

  • Engage an incident response firm if you do not have internal forensic capability
  • Identify dwell time — when did the attacker first enter the environment? This is your breach start date
  • Identify what personal information was on affected systems:
    • Health or medical records
    • Financial or banking information
    • SINs or government-issued ID
    • Passwords or credentials
    • Contact information
    • Employee records
  • Determine whether data was encrypted at rest before the attack — this affects your RROSH score
  • Confirm whether a third-party vendor was involved (entry point or data processor)
  • Run your ClearBreach assessment — do not wait for full forensic results to begin assessing
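One way to derive the breach start date and retention deadline from the preserved logs, as an added example that is not ClearBreach's code or part of the original guide. It assumes the incident response firm has attributed specific indicators (the IP address and log lines below are constructed) to the intruder, takes the earliest attacker-attributed event before the encryption event as the dwell-time start, and, where no such evidence exists yet, falls back to the encryption date flagged as provisional so the RROSH assessment is revisited when new facts arrive.

```python
from dataclasses import dataclass
from datetime import datetime
from calendar import monthrange
# Constructed sample log lines (not from a real incident), normalized to
# "<ISO timestamp> <source> <message>" from the preserved firewall/endpoint/auth logs.
SAMPLE_LOGS = """\
2024-03-01T08:12:44Z auth login ok user=jsmith src=10.0.5.23
2024-03-02T22:41:09Z auth login ok user=jsmith src=203.0.113.77
2024-03-03T01:15:30Z firewall allow dst=203.0.113.77 dport=443 bytes=48211000
2024-03-04T09:02:11Z auth login ok user=svc-backup src=203.0.113.77
2024-03-09T03:30:00Z endpoint ransom_note_created host=FS01
2024-03-09T03:31:12Z endpoint files_encrypted host=FS01 count=184212
"""
ENCRYPTION_MARKERS = ("ransom_note_created", "files_encrypted")

@dataclass
class Timeline:
    breach_start: datetime      # dwell-time start: first attacker activity
    encryption_event: datetime  # first observed encryption on any host
    provisional: bool           # True when no pre-encryption evidence exists yet

def build_timeline(logs, attacker_indicators):
    """attacker_indicators: IPs/accounts the IR firm has attributed to the intruder."""
    attacker_events, encryption_events = [], []
    for line in logs.strip().splitlines():
        ts, source, message = line.split(" ", 2)
        ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if source == "endpoint" and message.split()[0] in ENCRYPTION_MARKERS:
            encryption_events.append(ts)
        elif any(ind in message for ind in attacker_indicators):
            attacker_events.append(ts)
    if not encryption_events:
        raise ValueError("no encryption event found in preserved logs")
    encryption = min(encryption_events)
    earlier = [t for t in attacker_events if t < encryption]
    if earlier:
        return Timeline(min(earlier), encryption, provisional=False)
    # No earlier evidence yet: start at the encryption event and flag it for reassessment.
    return Timeline(encryption, encryption, provisional=True)

def dwell_days(tl):
    return (tl.encryption_event - tl.breach_start).days

def retention_until(tl, months=24):
    """Minimum record retention: 24 months from the breach start date."""
    m = tl.breach_start.month - 1 + months
    year, month = tl.breach_start.year + m // 12, m % 12 + 1
    day = min(tl.breach_start.day, monthrange(year, month)[1])
    return tl.breach_start.replace(year=year, month=month, day=day)
```

Re-run `build_timeline` with the updated indicator set whenever the forensic review attributes new activity, and carry the resulting breach start date into the Internal Incident Record rather than the encryption date.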

Within 72 hours

  • Complete your RROSH assessment in ClearBreach and review your verdict
  • If PIPEDA RROSH threshold is met: file OPC Breach Report — do not delay for further investigation
  • If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
  • Send individual notifications directly — do not substitute a website notice for direct notification under Alberta PIPA
  • Begin populating your Internal Incident Record — include all actions taken with timestamps
  • Obtain legal advice specifically on sanctions risk before any ransom payment decision

Ongoing — until resolution

  • Update your Internal Incident Record as new information becomes available
  • Track vendor communications in writing — if a vendor was involved, document every exchange
  • Reassess RROSH if new facts materially change the breach scope
  • Retain all records for 24 months minimum from breach start date

Alberta PIPA — specific steps

  • Notify OIPC Alberta and affected individuals simultaneously — this triggers the streamlined review process and a private closing letter
  • Complete the official OIPC Alberta Notification Form — do not submit an informal letter
  • Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
  • Submit by email to breachnotice@oipc.ab.ca

MSPs — if managing this for a client

  • Confirm your service agreement before acting on the client's behalf — who leads regulatory notification?
  • If ransomware entered through your systems or tools, you are a direct party to the breach
  • Document all client communications with timestamps
  • Run a ClearBreach assessment under your MSP account for the affected client organization

This guide is not legal advice. It provides practical guidance on Canadian privacy breach response. Consult a qualified privacy lawyer before submitting reports to regulators.
