@blamejs/exceptd-skills 0.12.26 → 0.12.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/AGENTS.md +3 -0
  2. package/CHANGELOG.md +60 -0
  3. package/bin/exceptd.js +73 -1
  4. package/data/_indexes/_meta.json +22 -19
  5. package/data/_indexes/activity-feed.json +26 -5
  6. package/data/_indexes/catalog-summaries.json +3 -3
  7. package/data/_indexes/chains.json +994 -64
  8. package/data/_indexes/currency.json +28 -1
  9. package/data/_indexes/frequency.json +428 -124
  10. package/data/_indexes/handoff-dag.json +70 -19
  11. package/data/_indexes/jurisdiction-map.json +37 -12
  12. package/data/_indexes/section-offsets.json +282 -0
  13. package/data/_indexes/stale-content.json +2 -2
  14. package/data/_indexes/summary-cards.json +198 -0
  15. package/data/_indexes/token-budget.json +168 -3
  16. package/data/_indexes/trigger-table.json +190 -0
  17. package/data/_indexes/xref.json +145 -2
  18. package/data/attack-techniques.json +104 -19
  19. package/data/framework-control-gaps.json +498 -11
  20. package/data/playbooks/cloud-iam-incident.json +1351 -0
  21. package/data/playbooks/idp-incident.json +1259 -0
  22. package/data/playbooks/ransomware.json +1407 -0
  23. package/data/rfc-references.json +44 -0
  24. package/lib/flag-suggest.js +4 -0
  25. package/lib/playbook-runner.js +117 -10
  26. package/manifest-snapshot.json +227 -3
  27. package/manifest-snapshot.sha256 +1 -1
  28. package/manifest.json +282 -41
  29. package/package.json +1 -1
  30. package/sbom.cdx.json +7 -7
  31. package/skills/cloud-iam-incident/skill.md +419 -0
  32. package/skills/idp-incident-response/skill.md +352 -0
  33. package/skills/ransomware-response/skill.md +374 -0
package/data/playbooks/ransomware.json ADDED
@@ -0,0 +1,1407 @@
1
+ {
2
+ "_meta": {
3
+ "id": "ransomware",
4
+ "version": "1.0.0",
5
+ "last_threat_review": "2026-05-15",
6
+ "threat_currency_score": 95,
7
+ "changelog": [
8
+ {
9
+ "version": "1.0.0",
10
+ "date": "2026-05-15",
11
+ "summary": "Initial ransomware incident-response playbook. Extends incident-response-playbook with ransomware-specific phases: OFAC SDN sanctions screening as blocking gate on payment posture, EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF cross-jurisdiction sanctions lookups, cyber-insurance carrier 24h notification, decryptor availability lookup (No More Ransom + vendor-specific), negotiator engagement decision under legal sanctions posture, immutable-backup viability test, PHI-exfil-before-encrypt as distinct breach class, healthcare/financial sector clock parallelization (NIS2 24h / DORA 4h / GDPR 72h / SEC 8-K 4 business days / HIPAA 60d / CIRCIA 72h / NYDFS 500.17 24h ransom-payment).",
12
+ "framework_gaps_updated": [
13
+ "OFAC-SDN-Payment-Block",
14
+ "Insurance-Carrier-24h-Notification",
15
+ "EU-Sanctions-Reg-2014-833-Cyber",
16
+ "Immutable-Backup-Recovery",
17
+ "Decryptor-Availability-Pre-Decision",
18
+ "PHI-Exfil-Before-Encrypt-Breach-Class"
19
+ ]
20
+ }
21
+ ],
22
+ "owner": "@blamejs/ir",
23
+ "air_gap_mode": false,
24
+ "scope": "system",
25
+ "preconditions": [
26
+ {
27
+ "id": "filesystem-read",
28
+ "description": "Investigator has read access to at least one host with confirmed encryption signal (mass file rename, ransom note present, EDR encryption alert).",
29
+ "check": "agent_has_filesystem_read == true",
30
+ "on_fail": "halt"
31
+ },
32
+ {
33
+ "id": "backup-snapshot-available",
34
+ "description": "A recent backup snapshot (within the org's documented RPO) is identifiable and reachable, even if its restorability has not yet been validated.",
35
+ "check": "backup_snapshot_identifiable == true",
36
+ "on_fail": "warn"
37
+ },
38
+ {
39
+ "id": "operator-confirmed-encryption",
40
+ "description": "Operator has confirmed an encryption event (not merely suspected). Distinguishes ransomware-response from generic IR triage.",
41
+ "check": "encryption_event_confirmed == true",
42
+ "on_fail": "halt"
43
+ }
44
+ ],
45
+ "mutex": [],
46
+ "feeds_into": [
47
+ {
48
+ "playbook_id": "framework",
49
+ "condition": "analyze.compliance_theater_check.verdict == 'theater'"
50
+ },
51
+ {
52
+ "playbook_id": "cred-stores",
53
+ "condition": "lateral_movement_via_credentials == true"
54
+ }
55
+ ]
56
+ },
57
+ "domain": {
58
+ "name": "Ransomware incident response — sanctions-screened, insurance-aware, decryptor-checked",
59
+ "attack_class": "identity-abuse",
60
+ "atlas_refs": [],
61
+ "attack_refs": [
62
+ "T1486",
63
+ "T1567",
64
+ "T1078",
65
+ "T1059"
66
+ ],
67
+ "cve_refs": [
68
+ "CVE-2024-1709",
69
+ "CVE-2023-3519",
70
+ "CVE-2024-3094",
71
+ "CVE-2024-21626"
72
+ ],
73
+ "cwe_refs": [
74
+ "CWE-287",
75
+ "CWE-798"
76
+ ],
77
+ "d3fend_refs": [
78
+ "D3-RPA",
79
+ "D3-NTA",
80
+ "D3-IOPR",
81
+ "D3-CSPP"
82
+ ],
83
+ "frameworks_in_scope": [
84
+ "nist-800-53",
85
+ "iso-27001-2022",
86
+ "soc2",
87
+ "nis2",
88
+ "dora",
89
+ "uk-caf",
90
+ "au-ism",
91
+ "au-essential-8",
92
+ "hipaa",
93
+ "nerc-cip"
94
+ ]
95
+ },
96
+ "phases": {
97
+ "govern": {
98
+ "jurisdiction_obligations": [
99
+ {
100
+ "jurisdiction": "US",
101
+ "regulation": "OFAC SDN — 31 CFR 501 + OFAC Ransomware Advisory (2021, updated)",
102
+ "obligation": "sanctions_screen_before_payment",
103
+ "window_hours": 0,
104
+ "clock_starts": "detect_confirmed",
105
+ "evidence_required": [
106
+ "threat_actor_attribution_evidence",
107
+ "ofac_sdn_search_result",
108
+ "secondary_sanctions_list_check"
109
+ ]
110
+ },
111
+ {
112
+ "jurisdiction": "EU",
113
+ "regulation": "EU Reg 2014/833 — Cyber Sanctions",
114
+ "obligation": "sanctions_screen_before_payment",
115
+ "window_hours": 0,
116
+ "clock_starts": "detect_confirmed",
117
+ "evidence_required": [
118
+ "threat_actor_attribution_evidence",
119
+ "eu_consolidated_sanctions_list_check"
120
+ ]
121
+ },
122
+ {
123
+ "jurisdiction": "UK",
124
+ "regulation": "UK OFSI Consolidated List + Sanctions and Anti-Money Laundering Act 2018",
125
+ "obligation": "sanctions_screen_before_payment",
126
+ "window_hours": 0,
127
+ "clock_starts": "detect_confirmed",
128
+ "evidence_required": [
129
+ "threat_actor_attribution_evidence",
130
+ "ofsi_consolidated_list_check"
131
+ ]
132
+ },
133
+ {
134
+ "jurisdiction": "AU",
135
+ "regulation": "DFAT Autonomous Sanctions — Cyber",
136
+ "obligation": "sanctions_screen_before_payment",
137
+ "window_hours": 0,
138
+ "clock_starts": "detect_confirmed",
139
+ "evidence_required": [
140
+ "threat_actor_attribution_evidence",
141
+ "dfat_consolidated_list_check"
142
+ ]
143
+ },
144
+ {
145
+ "jurisdiction": "JP",
146
+ "regulation": "MOF Foreign Exchange and Foreign Trade Act sanctions",
147
+ "obligation": "sanctions_screen_before_payment",
148
+ "window_hours": 0,
149
+ "clock_starts": "detect_confirmed",
150
+ "evidence_required": [
151
+ "threat_actor_attribution_evidence",
152
+ "mof_sanctions_list_check"
153
+ ]
154
+ },
155
+ {
156
+ "jurisdiction": "GLOBAL",
157
+ "regulation": "Cyber insurance carrier policy — typical 24h notice clause",
158
+ "obligation": "notify_insurance_carrier",
159
+ "window_hours": 24,
160
+ "clock_starts": "detect_confirmed",
161
+ "evidence_required": [
162
+ "policy_number",
163
+ "loss_notice_form",
164
+ "preliminary_scope_estimate"
165
+ ]
166
+ },
167
+ {
168
+ "jurisdiction": "EU",
169
+ "regulation": "NIS2 Art.23 — Significant Incident",
170
+ "obligation": "notify_regulator",
171
+ "window_hours": 24,
172
+ "clock_starts": "detect_confirmed",
173
+ "evidence_required": [
174
+ "encrypted_host_count",
175
+ "service_impact_scope",
176
+ "preliminary_attribution"
177
+ ]
178
+ },
179
+ {
180
+ "jurisdiction": "EU",
181
+ "regulation": "DORA Art.19 — Major ICT-related Incident (financial entities)",
182
+ "obligation": "notify_regulator",
183
+ "window_hours": 4,
184
+ "clock_starts": "detect_confirmed",
185
+ "evidence_required": [
186
+ "encrypted_host_count",
187
+ "service_impact_scope",
188
+ "financial_impact_preliminary"
189
+ ]
190
+ },
191
+ {
192
+ "jurisdiction": "EU",
193
+ "regulation": "GDPR Art.33 / Art.34 — Personal Data Breach",
194
+ "obligation": "notify_regulator",
195
+ "window_hours": 72,
196
+ "clock_starts": "analyze_complete",
197
+ "evidence_required": [
198
+ "phi_or_personal_data_exfil_evidence",
199
+ "data_subject_categories_affected",
200
+ "containment_record"
201
+ ]
202
+ },
203
+ {
204
+ "jurisdiction": "US-SEC",
205
+ "regulation": "SEC 17 CFR 229.106(b) Form 8-K Item 1.05 — Material Cybersecurity Incident",
206
+ "obligation": "notify_regulator",
207
+ "window_hours": 96,
208
+ "clock_starts": "analyze_complete",
209
+ "evidence_required": [
210
+ "materiality_determination",
211
+ "incident_scope_summary",
212
+ "containment_record"
213
+ ]
214
+ },
215
+ {
216
+ "jurisdiction": "US-HIPAA",
217
+ "regulation": "HHS Breach Notification Rule — 45 CFR 164.400-414",
218
+ "obligation": "notify_affected_individuals",
219
+ "window_hours": 1440,
220
+ "clock_starts": "analyze_complete",
221
+ "evidence_required": [
222
+ "phi_records_affected_count",
223
+ "containment_record",
224
+ "risk_assessment_per_164_402"
225
+ ]
226
+ },
227
+ {
228
+ "jurisdiction": "US-CA",
229
+ "regulation": "CCPA / CPRA Sec.1798.82",
230
+ "obligation": "notify_affected_individuals",
231
+ "window_hours": 1440,
232
+ "clock_starts": "analyze_complete",
233
+ "evidence_required": [
234
+ "california_resident_records_affected",
235
+ "containment_record"
236
+ ]
237
+ },
238
+ {
239
+ "jurisdiction": "UK",
240
+ "regulation": "UK GDPR Art.33 — ICO Notification",
241
+ "obligation": "notify_regulator",
242
+ "window_hours": 72,
243
+ "clock_starts": "analyze_complete",
244
+ "evidence_required": [
245
+ "personal_data_breach_summary",
246
+ "affected_individuals_count"
247
+ ]
248
+ },
249
+ {
250
+ "jurisdiction": "AU",
251
+ "regulation": "Privacy Act 1988 — Notifiable Data Breaches scheme",
252
+ "obligation": "notify_regulator",
253
+ "window_hours": 720,
254
+ "clock_starts": "analyze_complete",
255
+ "evidence_required": [
256
+ "eligible_data_breach_assessment",
257
+ "australian_resident_records_affected"
258
+ ]
259
+ },
260
+ {
261
+ "jurisdiction": "US-NY",
262
+ "regulation": "NYDFS 23 NYCRR 500.17 — Ransom Payment",
263
+ "obligation": "notify_regulator",
264
+ "window_hours": 24,
265
+ "clock_starts": "validate_complete",
266
+ "evidence_required": [
267
+ "ransom_payment_record",
268
+ "ofac_screening_attestation",
269
+ "incident_summary"
270
+ ]
271
+ },
272
+ {
273
+ "jurisdiction": "US-FEDERAL",
274
+ "regulation": "CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act",
275
+ "obligation": "notify_regulator",
276
+ "window_hours": 72,
277
+ "clock_starts": "detect_confirmed",
278
+ "evidence_required": [
279
+ "covered_cyber_incident_assessment",
280
+ "encrypted_host_count",
281
+ "containment_record"
282
+ ]
283
+ }
284
+ ],
285
+ "theater_fingerprints": [
286
+ {
287
+ "pattern_id": "immutable-backup-claim",
288
+ "claim": "We have immutable backups — restore is guaranteed.",
289
+ "fast_detection_test": "Test the actual immutability property end-to-end: (1) pick the most recent backup snapshot, (2) attempt to delete or modify it from a system that holds the same admin credentials used in production (not from the dedicated backup-admin identity), (3) confirm the delete/modify is refused at the storage layer. Replication and versioning are NOT immutability. S3 Object Lock with governance-retention is bypassable by admin; only compliance-retention with no root override is immutable. Restic / Borg / Veeam 'immutable' modes vary — confirm the cryptographic + storage-policy layer, not the marketing label.",
290
+ "implicated_controls": [
291
+ "nist-800-53-CP-9",
292
+ "iso-27001-2022-A.8.13",
293
+ "au-essential-8-backup"
294
+ ]
295
+ },
296
+ {
297
+ "pattern_id": "decryptor-will-work",
298
+ "claim": "We will pay; the threat actor's decryptor will restore everything.",
299
+ "fast_detection_test": "Historical evidence: ransomware-victim decryptor reliability across 2023-2026 (Coveware quarterly reports) shows ~65% of paid victims recovered all data; ~35% experienced partial decryption, corrupt files, or no working decryptor. For specific families: Conti / LockBit / ALPHV decryptors have public failure-mode documentation. The decryptor-as-recovery posture is not a backup substitute and the framework treats it as such only by absence of guidance.",
300
+ "implicated_controls": [
301
+ "nist-800-53-CP-10",
302
+ "iso-27001-2022-A.5.30"
303
+ ]
304
+ },
305
+ {
306
+ "pattern_id": "cyber-insurance-covers-ransom",
307
+ "claim": "Our cyber insurance policy covers ransom payment — economic exposure is bounded.",
308
+ "fast_detection_test": "Read the policy: (1) does it exclude payments to OFAC-sanctioned threat actors (most policies post-2021 do), (2) does it require pre-payment carrier approval, (3) does it cap ransom payouts separately from total policy limit, (4) does it require named IR firms from a panel, (5) does it require 24h notification with non-compliance voiding cover. Most policies fail (1) for any sanctioned-actor scenario AND require (2)-(5) procedurally; carrier denial post-incident is the dominant failure mode rather than insufficient limits.",
309
+ "implicated_controls": [
310
+ "iso-27001-2022-A.5.7",
311
+ "soc2-cc9.2"
312
+ ]
313
+ },
314
+ {
315
+ "pattern_id": "read-only-volumes-cannot-be-encrypted",
316
+ "claim": "Production data lives on read-only-by-design volumes — ransomware cannot encrypt it.",
317
+ "fast_detection_test": "Enumerate the privileged identity surface that can flip read-only to read-write or that can manage the snapshot lifecycle. If any production account or service identity can do either, the read-only property is operationally defeated by credential compromise (the typical ransomware kill chain). Test: with a compromised privileged credential, can a single API call (storage account key rotation, snapshot policy modification, replication-target change) make the volume writable? If yes, the control is paper.",
318
+ "implicated_controls": [
319
+ "nist-800-53-AC-3",
320
+ "iso-27001-2022-A.5.15"
321
+ ]
322
+ }
323
+ ],
324
+ "framework_context": {
325
+ "gap_summary": "Ransomware incident response touches four control families that no single framework operationalizes coherently: (1) backup integrity (NIST CP-9, ISO A.8.13, AU E8 Backup all require backups but treat 'backup' as a single class — immutability is a sub-property absent from the control text); (2) incident response (NIST IR-4, ISO A.5.26, SOC 2 CC7 specify capability without naming the sanctions-screening gate or decryptor-availability decision); (3) sanctions compliance (OFAC, EU Reg 2014/833, UK OFSI, AU DFAT, JP MOF live in their own regulatory tree — no security framework cross-walks them as a payment-block prerequisite); (4) insurance-policy interaction (no security framework treats carrier-notification timing or pre-approval requirements as a control). Ransomware also expands the breach-notification surface in jurisdictions where PII exfiltration before encryption is a distinct event from the encryption itself (GDPR Art.33/34, HIPAA Breach Notification Rule, state breach laws); frameworks generally treat the encryption event as the trigger and miss the exfil-before-encrypt class which is now the dominant 2024-2026 attack pattern (Coveware reports >80% of named-ransomware attacks include exfiltration).",
326
+ "lag_score": 45,
327
+ "per_framework_gaps": [
328
+ {
329
+ "framework": "nist-800-53",
330
+ "control_id": "IR-4 (Incident Handling)",
331
+ "designed_for": "Method-neutral incident response capability with preparation, detection and analysis, containment, eradication, recovery, and post-incident activity.",
332
+ "insufficient_because": "Does not enumerate ransomware-specific decision points: OFAC sanctions screening as a blocker on payment posture, decryptor availability lookup as a precondition to the pay/restore decision, insurance-carrier engagement timing, negotiator-engagement legal posture under sanctions, immutable-backup vs replication distinction."
333
+ },
334
+ {
335
+ "framework": "iso-27001-2022",
336
+ "control_id": "A.5.26 (Response to information security incidents)",
337
+ "designed_for": "Process-shaped requirement for incident response.",
338
+ "insufficient_because": "Process-level only; auditor accepts an incident-response procedure document without testing whether ransomware-specific sub-flows (sanctions screening, decryptor lookup, insurance-policy compliance, negotiator engagement) are present and exercised."
339
+ },
340
+ {
341
+ "framework": "soc2",
342
+ "control_id": "CC7.4 (Security incident response)",
343
+ "designed_for": "Trust services criterion for the entity to respond to identified security incidents.",
344
+ "insufficient_because": "Names the response capability without requiring evidence that ransomware-specific decisions (sanctions, decryptor, negotiator) are made under documented criteria. Auditors test for an incident log entry, not for the decision-tree the entity followed."
345
+ },
346
+ {
347
+ "framework": "uk-caf",
348
+ "control_id": "D1 (Response and Recovery Planning)",
349
+ "designed_for": "NCSC CAF outcome that the organisation has plans for responding to and recovering from cyber incidents.",
350
+ "insufficient_because": "Outcome-shaped; D1 evidence at IGP/IGP+ level is plan existence and tabletop exercise. Does not test whether plans address ransomware sub-class with immutable-backup viability check, sanctions screening, or decryptor-availability decision."
351
+ },
352
+ {
353
+ "framework": "au-ism",
354
+ "control_id": "ISM-1554 (Incident response plan is exercised)",
355
+ "designed_for": "Tabletop / live exercise of the incident response plan.",
356
+ "insufficient_because": "Exercise frequency is named; exercise content is not. A generic IR tabletop satisfies ISM-1554 without ever rehearsing the sanctions-screening blocker on a ransom decision."
357
+ },
358
+ {
359
+ "framework": "hipaa",
360
+ "control_id": "164.308(a)(7) (Contingency Plan)",
361
+ "designed_for": "Establishment of policies and procedures for responding to an emergency that damages systems containing ePHI.",
362
+ "insufficient_because": "Contingency planning is recovery-shaped; treats the encryption event as the trigger. The dominant 2024-2026 ransomware pattern includes PHI exfiltration before encryption, which is a separate Breach Notification Rule trigger 45 CFR 164.402 — the contingency plan does not naturally surface this as a parallel obligation."
363
+ },
364
+ {
365
+ "framework": "au-essential-8",
366
+ "control_id": "Strategy 8 — Regular Backups",
367
+ "designed_for": "Daily backups of important data, software, and configuration settings with off-network retention.",
368
+ "insufficient_because": "'Off-network' is the maturity gate; immutability is not. ASD ML2 evidence is backup existence and retention; auditors accept tape-vault offsite as compliant. Replication targets accessible via the same compromised admin credential as production fail the ransomware blast-radius test without failing E8 Backup compliance."
369
+ }
370
+ ]
371
+ },
372
+ "skill_preload": [
373
+ "ransomware-response",
374
+ "incident-response-playbook",
375
+ "sector-healthcare",
376
+ "sector-financial",
377
+ "framework-gap-analysis",
378
+ "compliance-theater"
379
+ ]
380
+ },
381
+ "direct": {
382
+ "threat_context": "Ransomware in mid-2026 is dominated by exfiltration-before-encryption: Coveware Q1 2026 reports >82% of named-ransomware incidents include a data-theft component, making the encryption event a secondary leverage rather than the primary blast radius. Active families and clusters mid-2026: Akira (healthcare cluster, 2026 sustained), Hunters International (post-Hive successor, broad-sector), RansomHub (2025-2026 affiliate growth post-ALPHV exit-scam), LockBit splinter brands (post-Operation Cronos February 2024 takedown), Cuba (FSB-adjacent, sanctions-flagged), BlackSuit/Royal continuation. Operational exemplars: Change Healthcare (UnitedHealth Group, ALPHV/BlackCat, February 2024, ~$1.5B financial impact, 6-week pre-encryption dwell, PHI exfiltration affecting ~190M individuals); MGM Resorts (Scattered Spider initial access → ALPHV affiliate ransomware, September 2023, vishing-driven IT helpdesk credential reset); Synnovis / NHS (Qilin, June 2024, pathology service disruption); Ascension Health (Black Basta, May 2024). Initial-access vector distribution 2024-2026: ~45% phishing-derived (including vishing/MFA-fatigue chains a la Scattered Spider), ~25% exposed-VPN-appliance exploitation (Citrix CVE-2023-3519 class, Fortinet CVE-2024-21762 class, ScreenConnect CVE-2024-1709), ~20% credential reuse from infostealer markets, ~10% supply-chain/vendor compromise. Living-off-the-land via legitimate admin tools (PsExec, WMI, PowerShell, AnyDesk, ScreenConnect, Cobalt Strike Beacon, Sliver, Brute Ratel) is universal across families. Shadow Copy deletion (T1490 not in catalog but documented widely) precedes encryption in ~95% of Windows attacks.",
383
+ "rwep_threshold": {
384
+ "escalate": 90,
385
+ "monitor": 75,
386
+ "close": 45
387
+ },
388
+ "framework_lag_declaration": "No security framework operationalizes the four ransomware-specific decision points as controls: (1) OFAC SDN screening as a payment-posture blocker — sanctions compliance lives in Treasury / Finance regulatory tree, not in NIST/ISO/SOC 2 incident-response controls, and the cross-walk is the operator's responsibility; (2) decryptor availability lookup (No More Ransom Project + vendor-specific decryptors) — frameworks do not require this lookup before payment decision and most policies make the pay/restore decision without it; (3) insurance-carrier 24h notification with carrier-pre-approval requirements — no security framework names carrier-policy interaction, yet carrier denial post-incident is the dominant economic-exposure failure mode; (4) PHI / personal-data exfil-before-encrypt as a distinct breach class — HIPAA Breach Notification Rule (45 CFR 164.402) and GDPR Art.33/34 trigger on the exfiltration event independently of the encryption event, but frameworks treat ransomware as a single 'availability' incident and miss the parallel-clock obligation. NIS2 Art.23 (24h) and DORA Art.19 (4h) clocks run from awareness regardless of which sub-event drove awareness, so even a pure-encryption-without-exfil incident triggers the same notification clock as a confirmed-exfil event — but the breach-notification scope differs materially, and the IR team must classify both within hours.",
389
+ "skill_chain": [
390
+ {
391
+ "skill": "ransomware-response",
392
+ "purpose": "Ransomware-specific decision tree: encryption-confirmation, sanctions-screening gate, decryptor availability lookup, immutable-backup viability test, negotiator-engagement legal posture.",
393
+ "required": true
394
+ },
395
+ {
396
+ "skill": "incident-response-playbook",
397
+ "purpose": "Parent IR playbook for PICERL phases, jurisdiction matrix, evidence preservation, post-incident review template.",
398
+ "required": true
399
+ },
400
+ {
401
+ "skill": "sector-healthcare",
402
+ "purpose": "When PHI is in scope, HIPAA Breach Notification Rule sequencing, state AG notification, business-associate cascade.",
403
+ "skip_if": "phi_in_scope == false",
404
+ "required": false
405
+ },
406
+ {
407
+ "skill": "sector-financial",
408
+ "purpose": "When the entity is a financial entity in DORA scope, 4h initial notification chain to competent authority + ECB/EIOPA/ESMA; also NYDFS 500.17 24h ransom-payment notification for NY-licensed entities.",
409
+ "skip_if": "financial_entity_in_scope == false",
410
+ "required": false
411
+ },
412
+ {
413
+ "skill": "framework-gap-analysis",
414
+ "purpose": "Map findings to the four ransomware-specific framework gaps (sanctions screening, decryptor availability, insurance-policy interaction, exfil-before-encrypt breach class).",
415
+ "required": true
416
+ },
417
+ {
418
+ "skill": "compliance-theater",
419
+ "purpose": "Run the four theater tests (immutable-backup claim, decryptor-will-work claim, insurance-covers-ransom claim, read-only-volumes claim) against the org's pre-incident posture.",
420
+ "required": true
421
+ }
422
+ ],
423
+ "token_budget": {
424
+ "estimated_total": 22000,
425
+ "breakdown": {
426
+ "govern": 3200,
427
+ "direct": 2200,
428
+ "look": 3000,
429
+ "detect": 3400,
430
+ "analyze": 4400,
431
+ "validate": 3200,
432
+ "close": 2600
433
+ }
434
+ }
435
+ },
436
+ "look": {
437
+ "artifacts": [
438
+ {
439
+ "id": "encrypted-file-extension-inventory",
440
+ "type": "file",
441
+ "source": "Walk affected hosts for files with ransomware-family-fingerprinted extensions (.akira, .lockbit, .cuba, .royal, .blacksuit, .hunters, .ransomhub, plus randomized extensions matching family-specific patterns)",
442
+ "description": "Encrypted-file extension distribution. Family fingerprinting drives sanctions-screening and decryptor-availability lookup.",
443
+ "required": true,
444
+ "air_gap_alternative": "Local filesystem walk only; no network. Pair extension list against an air-gapped copy of the No More Ransom family-extension index shipped with the playbook context."
445
+ },
446
+ {
447
+ "id": "ransom-note-content",
448
+ "type": "file",
449
+ "source": "Walk affected hosts for filenames matching readme*.txt, decrypt*.txt, how_to_recover*, restore_files*, !README*, recover_*.html; capture text content + Tor URL + contact email/Tox/Session IDs",
450
+ "description": "Ransom note IoCs. Attribution evidence for OFAC screening and No More Ransom lookup.",
451
+ "required": true,
452
+ "air_gap_alternative": "Local read of files; transcribe Tor/email/Tox/Session identifiers to a sealed evidence record."
453
+ },
454
+ {
455
+ "id": "active-directory-privilege-chain",
456
+ "type": "audit_trail",
457
+ "source": "AD audit logs + BloodHound-style attack-path enumeration: Domain Admin / Enterprise Admin / built-in administrator session locations, recent kerberos ticket activity, service-account password-age + delegation flags",
458
+ "description": "AD privilege-escalation chain at incident time. Drives lateral-movement scope determination and credential-rotation priority.",
459
+ "required": true,
460
+ "air_gap_alternative": "Read AD audit log dumps from a controller backup if live AD is suspect-compromised."
461
+ },
462
+ {
463
+ "id": "backup-snapshot-immutability-state",
464
+ "type": "config_file",
465
+ "source": "Backup-system config: snapshot retention policy, object-lock mode (governance vs compliance for S3, immutability flag for Azure, write-protect for Veeam/Rubrik/Cohesity), replication topology, admin-identity separation between production and backup",
466
+ "description": "Backup immutability posture. Distinguishes immutable (compliance-lock, no root override) from replicated (deletable with admin credential) from write-protected (storage-side enforced).",
467
+ "required": true,
468
+ "air_gap_alternative": "Read backup-system config from local copy + verify storage-side policy via console or API call from a known-clean admin workstation."
469
+ },
470
+ {
471
+ "id": "shadow-copy-deletion-events",
472
+ "type": "log",
473
+ "source": "Windows event log channels Microsoft-Windows-VolumeShadowCopyService + Security 4663 + Application 8224, syscall trace for vssadmin.exe / wmic.exe / wbadmin.exe delete invocations, kernel-level VSS-API call traces from EDR",
474
+ "description": "Shadow Copy deletion events. Precedes encryption in ~95% of Windows ransomware incidents; absence + encrypted-files-present indicates non-Windows or atypical kill chain.",
475
+ "required": true,
476
+ "air_gap_alternative": "Read locally-cached Windows event logs from affected hosts."
477
+ },
478
+ {
479
+ "id": "c2-beacon-traffic",
480
+ "type": "network_capture",
481
+ "source": "Egress NetFlow / firewall logs / EDR network telemetry filtered to known C2 framework signatures: Cobalt Strike Beacon JA3, Sliver implant traffic, Brute Ratel C4 staging URLs, AnyDesk + ScreenConnect anomalous-context sessions, Tor exit-node connections",
482
+ "description": "Active or historical C2 beacons. Identifies still-resident adversary infrastructure for containment scope.",
483
+ "required": true,
484
+ "air_gap_alternative": "Use pre-incident network-flow capture from immutable telemetry store; do not attempt new captures while containment is incomplete."
485
+ },
486
+ {
487
+ "id": "lateral-movement-iocs",
488
+ "type": "log",
489
+ "source": "PsExec / WMI / WinRM / SMB authentication events, Pass-the-Hash signatures (event 4624 type 9 with NTLM), RDP brute-force patterns, scheduled-task and service-installation events across affected hosts",
490
+ "description": "Lateral movement evidence. Bounds the blast radius and credential-rotation scope.",
491
+ "required": true,
492
+ "air_gap_alternative": "Read locally-cached event logs from each affected host."
493
+ },
494
+ {
495
+ "id": "initial-access-vector",
496
+ "type": "audit_trail",
497
+ "source": "Phishing email retrieval (mail-server quarantine + inbox forensics), VPN appliance authentication logs (Citrix Gateway, FortiGate SSL VPN, Pulse Connect Secure), exposed-management-plane authentication logs (RDP, SSH, ScreenConnect, AnyDesk), supply-chain compromise indicators (vendor-managed software push events)",
498
+ "description": "Initial access vector identification. Required for root-cause remediation and CVE matching.",
499
+ "required": true,
500
+ "air_gap_alternative": "Read mail and VPN logs from local immutable copies."
501
+ },
502
+ {
503
+ "id": "exfil-before-encrypt-evidence",
504
+ "type": "network_capture",
505
+ "source": "Outbound bandwidth profile 24-72h before the encryption event from NetFlow / firewall data: large transfers (> 1 GB cumulative per destination) to consumer cloud-storage domains (MEGA, anonfiles, transfer.sh, file.io, rclone-target endpoints), Tor exit-node bytes-out, custom protocol egress to non-CDN IPs",
506
+ "description": "Exfiltration-before-encryption evidence. Drives PHI-exfil breach classification independent of the encryption event.",
507
+ "required": true,
508
+ "air_gap_alternative": "Use pre-incident NetFlow capture from immutable telemetry store; live egress capture during incident is contamination risk."
509
+ },
510
+ {
511
+ "id": "cyber-insurance-policy-state",
512
+ "type": "config_file",
513
+ "source": "Cyber insurance policy document + carrier panel of approved IR firms + carrier-pre-approval requirements + ransom-payment carve-outs + sanctions exclusions + 24h notification clause text",
514
+ "description": "Insurance posture at incident time. Drives 24h carrier-notification clock and pay/no-pay decision constraints.",
515
+ "required": true,
516
+ "air_gap_alternative": "Read locally-stored policy document; defer carrier-portal interaction to a known-clean workstation."
517
+ },
518
+ {
519
+ "id": "ofac-sdn-attribution-evidence",
520
+ "type": "api_response",
521
+ "source": "Threat-actor attribution package: ransom note IoCs + leak-site URL + crypto-wallet addresses + JA3 / JA4 fingerprints + reused-tooling signatures + family-fingerprint match; cross-checked against OFAC SDN list, EU Reg 2014/833 consolidated list, UK OFSI Consolidated List, AU DFAT Consolidated List, JP MOF sanctions list",
522
+ "description": "Attribution-and-sanctions-screen package. BLOCKING evidence for payment posture.",
523
+ "required": true,
524
+ "air_gap_alternative": "Use the air-gapped sanctions-list snapshot shipped with the playbook context; flag the snapshot date and require operator confirmation that live-list lookup is performed before payment decision is finalized."
525
+ },
526
+ {
527
+ "id": "negotiator-engagement-state",
528
+ "type": "audit_trail",
529
+ "source": "Communication log with retained IR-firm negotiator if any; engagement-letter scope; carrier-approved-firm verification; communications-channel hash (Signal / Wickr / carrier-channel) capture",
530
+ "description": "Negotiator engagement state. Records whether negotiator is engaged, when, and under whose authority.",
531
+ "required": false,
532
+ "air_gap_alternative": "Read locally-stored engagement letter; document state in sealed evidence record."
533
+ },
534
+ {
535
+ "id": "decryptor-availability",
536
+ "type": "api_response",
537
+ "source": "No More Ransom Project Crypto Sheriff family-match query + vendor-specific decryptor inventories (Emsisoft, Kaspersky NoMoreCry, Bitdefender, Avast); match against the encrypted-file-extension-inventory and ransom-note fingerprint",
538
+ "description": "Decryptor availability lookup result. Affirmative match changes pay/restore posture materially.",
539
+ "required": true,
540
+ "air_gap_alternative": "Use the air-gapped No More Ransom family-decryptor index shipped with the playbook context; live lookup deferred to a known-clean workstation; absence in snapshot does not equal absence live."
541
+ },
542
+ {
543
+ "id": "recovery-rto-estimate",
544
+ "type": "config_file",
545
+ "source": "Restore-from-backup time estimate based on backup size + restore-network throughput + sequencing dependencies (AD restored before application servers, DB restored before app tier); RTO target vs estimated actual",
546
+ "description": "Recovery time estimate. Drives business-decision input on pay/restore tradeoff.",
547
+ "required": true,
548
+ "air_gap_alternative": "Compute from backup catalog size + documented restore-throughput benchmark."
549
+ },
550
+ {
551
+ "id": "forensic-preservation-state",
552
+ "type": "memory_dump",
553
+ "source": "Memory dumps from at least one affected host preserved BEFORE remediation, disk images from primary affected hosts, audit-log copies shipped to immutable store, AD ntds.dit copy if AD is compromise scope, hypervisor-level VM snapshot of one affected guest",
554
+ "description": "Forensic preservation state. Required for post-incident root-cause + insurance-claim + law-enforcement engagement.",
555
+ "required": true,
556
+ "air_gap_alternative": "Local acquisition only; chain-of-custody log maintained on offline media."
557
+ }
558
+ ],
559
+ "collection_scope": {
560
+ "time_window": "since_encryption_event - 30d",
561
+ "asset_scope": "all_affected_hosts_plus_lateral_movement_scope",
562
+ "depth": "deep",
563
+ "sampling": "complete on confirmed-affected hosts; spot-sample on adjacent hosts to bound lateral-movement scope"
564
+ },
565
+ "environment_assumptions": [
566
+ {
567
+ "assumption": "At least one affected host's filesystem is readable (not fully encrypted or destroyed)",
568
+ "if_false": "All affected hosts fully unreadable post-encryption — pivot to backup-side and network-flow evidence; mark forensic-preservation-state inconclusive."
569
+ },
570
+ {
571
+ "assumption": "Backup snapshots exist within the documented RPO",
572
+ "if_false": "No restorable backup — pay/no-pay decision is forced; sanctions-screening + decryptor-availability becomes the only path. Document the backup-control failure as a Section 10 action item."
573
+ },
574
+ {
575
+ "assumption": "AD or equivalent identity store is queryable (not fully compromised)",
576
+ "if_false": "AD fully compromised — assume domain-admin-level adversary persistence; rebuild posture rather than rotate-in-place; engage AD recovery specialists."
577
+ },
578
+ {
579
+ "assumption": "EDR / XDR telemetry was live before the encryption event",
580
+ "if_false": "No pre-incident EDR telemetry — exfil-before-encrypt scope cannot be confirmed by host-side evidence; rely on network-flow and external-DLP signals; widen the breach-notification scope to all PII held on affected hosts."
581
+ }
582
+ ],
583
+ "fallback_if_unavailable": [
584
+ {
585
+ "artifact_id": "encrypted-file-extension-inventory",
586
+ "fallback_action": "escalate_to_human",
587
+ "confidence_impact": "high"
588
+ },
589
+ {
590
+ "artifact_id": "ransom-note-content",
591
+ "fallback_action": "mark_inconclusive",
592
+ "confidence_impact": "high"
593
+ },
594
+ {
595
+ "artifact_id": "active-directory-privilege-chain",
596
+ "fallback_action": "mark_inconclusive",
597
+ "confidence_impact": "high"
598
+ },
599
+ {
600
+ "artifact_id": "backup-snapshot-immutability-state",
601
+ "fallback_action": "escalate_to_human",
602
+ "confidence_impact": "high"
603
+ },
604
+ {
605
+ "artifact_id": "shadow-copy-deletion-events",
606
+ "fallback_action": "mark_inconclusive",
607
+ "confidence_impact": "medium"
608
+ },
609
+ {
610
+ "artifact_id": "c2-beacon-traffic",
611
+ "fallback_action": "mark_inconclusive",
612
+ "confidence_impact": "medium"
613
+ },
614
+ {
615
+ "artifact_id": "lateral-movement-iocs",
616
+ "fallback_action": "mark_inconclusive",
617
+ "confidence_impact": "high"
618
+ },
619
+ {
620
+ "artifact_id": "initial-access-vector",
621
+ "fallback_action": "escalate_to_human",
622
+ "confidence_impact": "high"
623
+ },
624
+ {
625
+ "artifact_id": "exfil-before-encrypt-evidence",
626
+ "fallback_action": "escalate_to_human",
627
+ "confidence_impact": "high"
628
+ },
629
+ {
630
+ "artifact_id": "cyber-insurance-policy-state",
631
+ "fallback_action": "escalate_to_human",
632
+ "confidence_impact": "medium"
633
+ },
634
+ {
635
+ "artifact_id": "ofac-sdn-attribution-evidence",
636
+ "fallback_action": "escalate_to_human",
637
+ "confidence_impact": "high"
638
+ },
639
+ {
640
+ "artifact_id": "negotiator-engagement-state",
641
+ "fallback_action": "mark_inconclusive",
642
+ "confidence_impact": "low"
643
+ },
644
+ {
645
+ "artifact_id": "decryptor-availability",
646
+ "fallback_action": "mark_inconclusive",
647
+ "confidence_impact": "medium"
648
+ },
649
+ {
650
+ "artifact_id": "recovery-rto-estimate",
651
+ "fallback_action": "mark_inconclusive",
652
+ "confidence_impact": "medium"
653
+ },
654
+ {
655
+ "artifact_id": "forensic-preservation-state",
656
+ "fallback_action": "escalate_to_human",
657
+ "confidence_impact": "high"
658
+ }
659
+ ]
660
+ },
661
+ "detect": {
662
+ "indicators": [
663
+ {
664
+ "id": "mass-file-extension-change-event",
665
+ "type": "behavioral_signal",
666
+ "value": "Within the encrypted-file-extension-inventory artifact: > 500 files on a single host renamed within < 60 minutes to a single non-original extension matching a ransomware-family fingerprint OR a randomized 5-10 char extension pattern repeated across hosts",
667
+ "description": "Mass file-extension change event consistent with ransomware encryption.",
668
+ "confidence": "deterministic",
669
+ "deterministic": true,
670
+ "attack_ref": "T1486",
671
+ "false_positive_checks_required": [
672
+ "Rule out documented media-conversion batch job: check change-management ticket queue for any approved batch operation in the same window touching the same file set.",
673
+ "Rule out archive-creation operation: confirm the new extension is not a documented archive format (.zip, .7z, .tar.gz) AND the original files are not preserved beside the new ones.",
674
+ "Rule out documented backup-software encryption (Veeam/Commvault encrypt-on-write modes): verify the affected paths are not under documented backup-staging directories."
675
+ ]
676
+ },
677
+ {
678
+ "id": "shadow-copy-deletion-no-iac-ticket",
679
+ "type": "log_pattern",
680
+ "value": "Within the shadow-copy-deletion-events artifact: vssadmin delete shadows /all OR wmic shadowcopy delete OR wbadmin delete catalog event observed within 4h preceding the mass-file-extension-change-event AND no change-management ticket authorizes the operation",
681
+ "description": "Shadow Copy deletion without operational authorization. Near-deterministic ransomware kill-chain step on Windows.",
682
+ "confidence": "deterministic",
683
+ "deterministic": true,
684
+ "attack_ref": "T1486",
685
+ "false_positive_checks_required": [
686
+ "Confirm no documented maintenance window covering the time of the vssadmin/wmic/wbadmin invocation.",
687
+ "Verify the invoking process identity is not a documented backup-administration scheduled task; if it is, confirm the schedule entry was not recently modified by an unauthorized account."
688
+ ]
689
+ },
690
+ {
691
+ "id": "encrypted-file-extension-growth-rate",
692
+ "type": "behavioral_signal",
693
+ "value": "Within the encrypted-file-extension-inventory artifact: encrypted-extension count grows > 100 files per minute sustained for > 5 minutes on at least one host",
694
+ "description": "Sustained high-rate encryption pattern. Distinguishes active encryption-in-progress from post-encryption discovery.",
695
+ "confidence": "high",
696
+ "deterministic": false,
697
+ "attack_ref": "T1486",
698
+ "false_positive_checks_required": [
699
+ "Rule out backup-software full-backup encryption operation: confirm the writing process is not a documented backup agent (Veeam VBR, Commvault Simpana, Rubrik agent) AND the destination is not the documented backup staging volume.",
700
+ "Rule out user-initiated bulk-encryption (BitLocker volume conversion, Boxcryptor migration, large rsync to encrypted remote): confirm no documented user-driven operation matches the window."
701
+ ]
702
+ },
703
+ {
704
+ "id": "bloodhound-class-ad-recon",
705
+ "type": "log_pattern",
706
+ "value": "Within the active-directory-privilege-chain + lateral-movement-iocs artifacts: high-volume LDAP queries from a non-administrator endpoint matching BloodHound / SharpHound / Adalanche query patterns (Domain Admins membership, AdminSDHolder, GPO links, ACL enumeration) within 30d preceding the encryption event",
707
+ "description": "BloodHound-class AD reconnaissance. Pre-encryption privilege mapping is a standard ransomware staging step.",
708
+ "confidence": "high",
709
+ "deterministic": false,
710
+ "attack_ref": "T1078",
711
+ "false_positive_checks_required": [
712
+ "Rule out documented penetration test: check authorized-testing register for any engagement with AD enumeration in scope during the observed window.",
713
+ "Rule out documented internal AD audit (Purple Knight, PingCastle, BloodHound-CE used by internal blue team): confirm the source endpoint is not a documented audit workstation."
714
+ ]
715
+ },
716
+ {
717
+ "id": "cobaltstrike-beacon-signature",
718
+ "type": "network_pattern",
719
+ "value": "Within the c2-beacon-traffic artifact: JA3 fingerprint match to known Cobalt Strike Beacon TLS profile OR Sliver implant signature OR Brute Ratel staging URL pattern OR named-pipe pattern matching default Cobalt Strike pipe naming scheme",
720
+ "description": "C2 framework beacon signature.",
721
+ "confidence": "deterministic",
722
+ "deterministic": true,
723
+ "attack_ref": "T1059",
724
+ "false_positive_checks_required": [
725
+ "Rule out vendor security-tool legitimate C2 traffic: confirm the destination is not a documented vendor SaaS endpoint (some EDR products use C2-like patterns); verify against vendor IOC list.",
726
+ "Rule out documented red-team engagement: check authorized-testing register for any C2-framework deployment in the observed window."
727
+ ]
728
+ },
729
+ {
730
+ "id": "large-outbound-transfer-pre-encryption",
731
+ "type": "network_pattern",
732
+ "value": "Within the exfil-before-encrypt-evidence artifact: cumulative outbound transfer > 1 GB to a single non-corporate destination in the 24-72h window preceding the mass-file-extension-change-event, destination not on the documented egress allowlist, transfer pattern consistent with rclone / MEGAcmd / anon-upload tooling",
733
+ "description": "Pre-encryption exfiltration pattern. Triggers PHI / personal-data exfil-breach classification independent of the encryption event.",
734
+ "confidence": "high",
735
+ "deterministic": false,
736
+ "attack_ref": "T1567",
737
+ "false_positive_checks_required": [
738
+ "Rule out documented backup-to-cloud operation: confirm the destination is not a documented backup-target endpoint (S3 backup bucket, Azure backup vault, Wasabi/Backblaze backup destination).",
739
+ "Rule out documented analytics or ML training data export: confirm the destination is not a documented data-pipeline endpoint with a current export schedule.",
740
+ "Rule out documented vendor-data-sync: confirm the destination is not on the vendor-integration allowlist with an approved transfer profile."
741
+ ]
742
+ },
743
+ {
744
+ "id": "ad-admin-count-modification-event",
745
+ "type": "log_pattern",
746
+ "value": "Within the active-directory-privilege-chain artifact: Domain Admins / Enterprise Admins / Schema Admins / built-in Administrators group membership added within 30d preceding the encryption event, source account is not on the documented privileged-account-management workflow",
747
+ "description": "AD admin group expansion. Standard ransomware operator persistence step.",
748
+ "confidence": "high",
749
+ "deterministic": false,
750
+ "attack_ref": "T1078",
751
+ "false_positive_checks_required": [
752
+ "Rule out documented RBAC review or named-admin onboarding: confirm the addition is not in the PAM workflow ticket queue with a current approval record.",
753
+ "Rule out documented break-glass account use: confirm the added account is not a documented break-glass identity with logged retrieval and post-use rotation."
754
+ ]
755
+ }
756
+ ],
757
+ "false_positive_profile": [
758
+ {
759
+ "indicator_id": "mass-file-extension-change-event",
760
+ "benign_pattern": "Scheduled media-conversion batch job, archive-creation operation, backup-software encrypt-on-write mode.",
761
+ "distinguishing_test": "Cross-reference the writing-process identity against documented batch / archive / backup-agent processes. If the writing process is unrecognized OR the new extension does not match any documented operational extension OR the original files are deleted (not preserved beside the new files), hold deterministic."
762
+ },
763
+ {
764
+ "indicator_id": "encrypted-file-extension-growth-rate",
765
+ "benign_pattern": "Backup-software full-backup encryption, user-initiated BitLocker conversion.",
766
+ "distinguishing_test": "Backup agents write to staging volumes with documented destinations; BitLocker conversion targets the OS volume only. Ransomware encryption targets user-data volumes broadly. If the affected path set spans multiple user-data shares AND no backup-agent process is the writer, hold high confidence."
767
+ },
768
+ {
769
+ "indicator_id": "bloodhound-class-ad-recon",
770
+ "benign_pattern": "Authorized internal blue-team audit using SharpHound / Purple Knight / PingCastle.",
771
+ "distinguishing_test": "Authorized audits run from documented workstations with named operator accounts. Adversary-driven enumeration runs from compromised user endpoints with non-audit identities. If the source identity is not on the documented audit-operator list, hold high."
772
+ },
773
+ {
774
+ "indicator_id": "cobaltstrike-beacon-signature",
775
+ "benign_pattern": "Authorized red-team Cobalt Strike deployment, vendor EDR product using C2-like traffic patterns.",
776
+ "distinguishing_test": "Authorized red-team engagements have a documented entry in the testing register; vendor EDR endpoints are on the vendor-allowlist. If neither matches, hold deterministic."
777
+ },
778
+ {
779
+ "indicator_id": "large-outbound-transfer-pre-encryption",
780
+ "benign_pattern": "Documented backup-to-cloud, analytics export, vendor-integration data sync.",
781
+ "distinguishing_test": "Documented transfers go to allowlisted destinations on an approved schedule. Adversary exfiltration goes to non-allowlisted destinations and the volume profile is atypical for the documented schedule. Hold high when destination is unrecognized AND volume exceeds the largest documented daily transfer."
782
+ }
783
+ ],
784
+ "minimum_signal": {
785
+ "detected": "Either (a) mass-file-extension-change-event OR encrypted-file-extension-growth-rate fires deterministic AND ransom-note-content is present AND at least one false-positive distinguishing test does not clear the indicator, OR (b) operator-confirmed encryption signal (precondition encryption_event_confirmed) regardless of indicator state.",
786
+ "inconclusive": "Some indicators fire but the encryption-event precondition is not confirmed AND ransom-note-content is absent — this is suspected encryption-in-progress; preserve evidence, do not declare ransomware until precondition is met.",
787
+ "not_detected": "Mass-file-extension-change-event does not fire AND encrypted-file-extension-growth-rate does not fire AND ransom-note-content is absent AND operator does not confirm encryption."
788
+ }
789
+ },
790
+ "analyze": {
791
+ "rwep_inputs": [
792
+ {
793
+ "signal_id": "mass-file-extension-change-event",
794
+ "rwep_factor": "active_exploitation",
795
+ "weight": 30,
796
+ "notes": "Encryption event is realized harm — active exploitation is definitionally present."
797
+ },
798
+ {
799
+ "signal_id": "mass-file-extension-change-event",
800
+ "rwep_factor": "blast_radius",
801
+ "weight": 25,
802
+ "notes": "Each additional affected host increases blast radius. >100 hosts is org-wide."
803
+ },
804
+ {
805
+ "signal_id": "large-outbound-transfer-pre-encryption",
806
+ "rwep_factor": "blast_radius",
807
+ "weight": 25,
808
+ "notes": "Exfil-before-encrypt extends blast radius from availability to confidentiality. PHI / financial / IP exfiltration changes the breach-notification scope materially."
809
+ },
810
+ {
811
+ "signal_id": "shadow-copy-deletion-no-iac-ticket",
812
+ "rwep_factor": "active_exploitation",
813
+ "weight": 15,
814
+ "notes": "Recovery-inhibition step. Increases recovery cost and pay-pressure."
815
+ },
816
+ {
817
+ "signal_id": "bloodhound-class-ad-recon",
818
+ "rwep_factor": "blast_radius",
819
+ "weight": 15,
820
+ "notes": "Indicates AD-wide compromise potential. Drives rebuild-vs-rotate decision."
821
+ },
822
+ {
823
+ "signal_id": "cobaltstrike-beacon-signature",
824
+ "rwep_factor": "active_exploitation",
825
+ "weight": 15,
826
+ "notes": "Established C2 means persistence may survive containment of encrypted hosts."
827
+ },
828
+ {
829
+ "signal_id": "ad-admin-count-modification-event",
830
+ "rwep_factor": "blast_radius",
831
+ "weight": 15,
832
+ "notes": "Adversary persistence at admin layer. AD rebuild may be required."
833
+ }
834
+ ],
835
+ "blast_radius_model": {
836
+ "scope_question": "Given the encryption event + exfil evidence + lateral-movement scope + AD compromise state, what is the blast radius if the playbook does not contain the incident within the next 24-72h?",
837
+ "scoring_rubric": [
838
+ {
839
+ "condition": "Single host encrypted, no lateral movement evidence, no exfil evidence, immutable backup viable, decryptor or restore path clear",
840
+ "blast_radius_score": 1,
841
+ "description": "Bounded single-host incident. Restore from immutable backup; full recovery within hours."
842
+ },
843
+ {
844
+ "condition": "Multiple hosts within a single network segment encrypted, no exfil evidence, immutable backup viable, AD not compromised",
845
+ "blast_radius_score": 2,
846
+ "description": "Segment-bounded incident. Restore from immutable backup; recovery within 24-48h; no breach-notification trigger."
847
+ },
848
+ {
849
+ "condition": "Multi-segment encryption OR confirmed exfil < 1GB OR partial AD recon evidence",
850
+ "blast_radius_score": 3,
851
+ "description": "Cross-segment incident. Breach-notification clocks engaged if exfil includes personal data. Multi-day recovery."
852
+ },
853
+ {
854
+ "condition": "Domain-wide encryption OR confirmed exfil > 1GB OR AD admin-group modifications OR PHI exfil-before-encrypt confirmed",
855
+ "blast_radius_score": 4,
856
+ "description": "Domain-wide incident with breach-notification scope. PHI / financial / personal-data notification clocks engaged in parallel with availability clocks. Recovery > 1 week."
857
+ },
858
+ {
859
+ "condition": "Sanctioned threat actor attributed AND large-scale exfil-before-encrypt AND backup viability compromised — forced payment-or-rebuild decision under sanctions block",
860
+ "blast_radius_score": 5,
861
+ "description": "Worst-case ransomware blast radius. Payment forbidden under sanctions law; rebuild required; multi-week to multi-month recovery; full regulatory + customer notification scope. Treat as confirmed business-continuity incident."
862
+ }
863
+ ]
864
+ },
865
+ "compliance_theater_check": {
866
+ "claim": "Org has tested ransomware recovery via immutable backups + cyber insurance + documented incident response — economic and operational exposure is bounded.",
867
+ "audit_evidence": "Backup procedure document; cyber insurance policy on file; incident response procedure document; annual tabletop exercise record.",
868
+ "reality_test": "Test the four ransomware-specific control properties on the live posture at incident time: (1) backup immutability — can the production-admin identity (the one the adversary controls) delete or modify the most recent backup snapshot? If yes, the backup property is replication, not immutability. (2) insurance-pre-approval — does the policy require pre-payment carrier approval AND is the carrier reachable within the 24h notice window AND is the IR firm in use on the carrier panel? If any answer is no, carrier denial is the dominant economic-exposure failure mode. (3) decryptor availability — was a decryptor lookup performed against No More Ransom + vendor-specific decryptors for the identified family before the payment decision? If no, the pay/restore decision lacked a key input. (4) sanctions screening — was the threat-actor attribution evidence cross-checked against OFAC SDN + EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF before the payment decision? If no, the payment posture risks federal-law violation in at least one applicable jurisdiction.",
869
+ "theater_verdict_if_gap": "Ransomware-recovery posture treated as a single control class without operationalizing the four ransomware-specific decision properties. Recommendation: (a) test the backup-immutability property end-to-end pre-incident, (b) drill the carrier-notification + pre-approval workflow with the insurance broker, (c) integrate No More Ransom lookup into the IR playbook as a precondition to payment decision, (d) integrate sanctions-list screening into the IR playbook as a blocking gate on payment posture, with named legal-counsel sign-off required before any negotiator engagement."
870
+ },
871
+ "framework_gap_mapping": [
872
+ {
873
+ "finding_id": "ransomware-incident",
874
+ "framework": "nist-800-53",
875
+ "claimed_control": "IR-4 (Incident Handling)",
876
+ "actual_gap": "Method-neutral incident response. Does not name sanctions screening, decryptor availability, insurance-policy interaction, or negotiator engagement as required sub-flows.",
877
+ "required_control": "Ransomware-specific extension of IR-4 with named decision gates: pre-payment sanctions screening (OFAC + EU + UK + AU + JP), decryptor availability lookup, carrier-pre-approval, negotiator legal posture, immutable-backup viability test as a Layer-1 control."
878
+ },
879
+ {
880
+ "finding_id": "ransomware-incident",
881
+ "framework": "iso-27001-2022",
882
+ "claimed_control": "A.5.26 (Response to information security incidents) + A.8.13 (Information backup)",
883
+ "actual_gap": "Process-shaped response and outcome-shaped backup. Treats 'backup' as a single class; does not distinguish immutability from replication.",
884
+ "required_control": "Sub-control distinguishing immutable backup (compliance-lock, no root override) from replicated / write-protected / off-network classes; ransomware-recovery sub-flow integrated with A.5.26."
885
+ },
886
+ {
887
+ "finding_id": "ransomware-incident",
888
+ "framework": "soc2",
889
+ "claimed_control": "CC7.4 (Security incident response) + CC9.2 (Vendor / business partner risk)",
890
+ "actual_gap": "Incident response criterion is response-capability-shaped. Vendor criterion does not surface cyber insurance carrier-policy interaction as a control.",
891
+ "required_control": "CC7 sub-criterion requiring documented ransomware-specific decision tree including sanctions, decryptor, insurance, negotiator. CC9 sub-criterion requiring carrier-pre-approval workflow tested annually."
892
+ },
893
+ {
894
+ "finding_id": "ransomware-incident",
895
+ "framework": "hipaa",
896
+ "claimed_control": "164.308(a)(7) (Contingency Plan) + 164.402 (Breach Notification Rule)",
897
+ "actual_gap": "Contingency plan is recovery-shaped, treats encryption event as trigger; misses exfil-before-encrypt as a distinct breach trigger that engages independent of the encryption event.",
898
+ "required_control": "Contingency plan extended to enumerate PHI exfil-before-encrypt as a parallel breach trigger; 164.402 risk assessment scoped to determine whether exfiltration constitutes a breach when encryption renders evidence ambiguous."
899
+ },
900
+ {
901
+ "finding_id": "ransomware-incident",
902
+ "framework": "au-essential-8",
903
+ "claimed_control": "Strategy 8 — Regular Backups",
904
+ "actual_gap": "Off-network is the maturity gate; immutability is not addressed.",
905
+ "required_control": "Maturity-level criterion distinguishing immutable backup from replicated / off-network classes; ML3 requires end-to-end immutability test using a production-admin-credential adversary simulation."
906
+ },
907
+ {
908
+ "finding_id": "ransomware-incident",
909
+ "framework": "uk-caf",
910
+ "claimed_control": "D1 (Response and Recovery Planning)",
911
+ "actual_gap": "Outcome-shaped at IGP/IGP+; tabletop exercise is plan-existence proof.",
912
+ "required_control": "D1 sub-outcome requiring ransomware-specific tabletop exercise that exercises sanctions screening + decryptor lookup + carrier notification within scenario time-pressure."
913
+ }
914
+ ],
915
+ "escalation_criteria": [
916
+ {
917
+ "condition": "ofac_sanctions_match == true",
918
+ "action": "notify_legal"
919
+ },
920
+ {
921
+ "condition": "rwep >= 90 AND backup_immutability_compromised == true",
922
+ "action": "page_on_call"
923
+ },
924
+ {
925
+ "condition": "phi_exfil_before_encrypt == true",
926
+ "action": "raise_severity"
927
+ },
928
+ {
929
+ "condition": "lateral_movement_via_credentials == true",
930
+ "action": "trigger_playbook",
931
+ "target_playbook": "cred-stores"
932
+ },
933
+ {
934
+ "condition": "compliance_theater_check.verdict == 'theater'",
935
+ "action": "trigger_playbook",
936
+ "target_playbook": "framework"
937
+ }
938
+ ]
939
+ },
940
+ "validate": {
941
+ "remediation_paths": [
942
+ {
943
+ "id": "priority-1-immediate-containment",
944
+ "description": "(1) Isolate confirmed-affected hosts from the network at the EDR or network-segment layer; (2) preserve forensic state (memory, disk, audit logs) BEFORE any further remediation per NIST 800-86; (3) execute OFAC SDN + EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF screening against threat-actor attribution evidence; (4) notify cyber insurance carrier within the 24h policy window; (5) engage retained IR firm from carrier panel; (6) test immutable-backup viability by attempting a restore on an isolated network with a known-clean admin identity.",
945
+ "preconditions": [
946
+ "edr_network_isolation_capability == true",
947
+ "forensic_acquisition_tooling_available == true"
948
+ ],
949
+ "priority": 1,
950
+ "compensating_controls": [
951
+ "out-of-band-comms-on-signal-or-wickr",
952
+ "incident-commander-named",
953
+ "executive-briefing-cadence-2h"
954
+ ],
955
+ "estimated_time_hours": 4
956
+ },
957
+ {
958
+ "id": "priority-2-decision-tree",
959
+ "description": "(1) Execute decryptor availability lookup against No More Ransom Project + vendor-specific decryptors for the identified family; (2) make the negotiator-engagement decision under documented legal criteria — if sanctions match, negotiator engagement is FORBIDDEN and any communication that could be construed as payment-facilitation is legally prohibited; if no sanctions match, evaluate risk-benefit under counsel guidance; (3) draft regulator notifications per jurisdiction matrix; (4) execute restore-from-backup test on isolated network to confirm backup viability; (5) determine PHI / personal-data exfil scope for breach-notification scope.",
960
+ "preconditions": [
961
+ "ofac_sanctions_screen_complete == true",
962
+ "decryptor_lookup_complete == true",
963
+ "legal_counsel_engaged == true"
964
+ ],
965
+ "priority": 2,
966
+ "compensating_controls": [
967
+ "named-legal-counsel-on-call",
968
+ "regulator-notification-drafts-pre-prepared",
969
+ "backup-restore-test-in-isolated-network"
970
+ ],
971
+ "estimated_time_hours": 24
972
+ },
973
+ {
974
+ "id": "priority-3-recovery",
975
+ "description": "(1) Execute full restore from validated immutable backup; (2) confirm lateral-movement scope and rotate all credentials in the determined blast-radius; (3) remediate the initial-access vector (patch the exploited CVE, revoke the compromised credentials, harden the VPN appliance / management plane); (4) determine PHI exfil-before-encrypt scope and execute breach-notification per applicable jurisdiction obligations; (5) schedule tabletop debrief within 14 days.",
976
+ "preconditions": [
977
+ "immutable_backup_validated == true",
978
+ "initial_access_vector_identified == true"
979
+ ],
980
+ "priority": 3,
981
+ "compensating_controls": [
982
+ "phased-service-restoration",
983
+ "enhanced-monitoring-post-restore",
984
+ "credential-rotation-at-blast-radius"
985
+ ],
986
+ "estimated_time_hours": 72
987
+ },
988
+ {
989
+ "id": "policy-exception-pay-blocked",
990
+ "description": "If sanctions match blocks payment AND backup viability is compromised AND decryptor is unavailable AND business continuity requires service restoration faster than rebuild allows: generate a policy-exception documenting the residual-risk acceptance for a partial-recovery posture (rebuild from clean media + accept data loss back to last clean backup) with executive + board acceptance recorded.",
991
+ "preconditions": [
992
+ "sanctions_match == true",
993
+ "backup_viability_compromised == true",
994
+ "decryptor_unavailable == true"
995
+ ],
996
+ "priority": 4,
997
+ "compensating_controls": [
998
+ "executive-residual-risk-acceptance",
999
+ "board-notification-of-data-loss-scope",
1000
+ "customer-notification-of-service-impact"
1001
+ ],
1002
+ "estimated_time_hours": 168
1003
+ }
1004
+ ],
1005
+ "validation_tests": [
1006
+ {
1007
+ "id": "backup-restore-clean-isolated-network",
1008
+ "test": "Restore one critical workload from the most recent immutable backup snapshot onto an isolated network; verify integrity hash matches a pre-incident reference hash; verify service behavior matches pre-incident baseline.",
1009
+ "expected_result": "Integrity hash matches; service behavior matches baseline; no encrypted-extension files present.",
1010
+ "test_type": "functional"
1011
+ },
1012
+ {
1013
+ "id": "ofac-sanctions-attestation-recorded",
1014
+ "test": "Confirm OFAC SDN + EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF screening was executed against the documented threat-actor attribution evidence AND result is signed by named legal counsel AND timestamp precedes any negotiator engagement.",
1015
+ "expected_result": "Attestation present, signed, time-ordered before negotiator engagement.",
1016
+ "test_type": "negative"
1017
+ },
1018
+ {
1019
+ "id": "decryptor-lookup-attestation",
1020
+ "test": "Confirm No More Ransom Crypto Sheriff + Emsisoft + Kaspersky + Bitdefender + Avast decryptor lookups were executed for the identified family AND result is recorded with timestamp.",
1021
+ "expected_result": "Decryptor-availability attestation present with timestamp before pay/restore decision.",
1022
+ "test_type": "negative"
1023
+ },
1024
+ {
1025
+ "id": "insurance-carrier-24h-notification",
1026
+ "test": "Confirm cyber insurance carrier received loss notice within 24h of detect_confirmed AND carrier acknowledgment is recorded AND retained IR firm is on the carrier-approved panel.",
1027
+ "expected_result": "Carrier acknowledgment timestamped within 24h; IR firm on panel; pre-approval status documented.",
1028
+ "test_type": "functional"
1029
+ },
1030
+ {
1031
+ "id": "credential-rotation-at-blast-radius",
1032
+ "test": "All identities in the determined blast radius (domain admin, enterprise admin, privileged service accounts, VPN-appliance admin, ScreenConnect/AnyDesk admin, SSO break-glass, AD krbtgt twice) are rotated AND old credentials are revoked at the IdP.",
1033
+ "expected_result": "All identities show new credential timestamps post-incident; old credentials are revoked or disabled.",
1034
+ "test_type": "functional"
1035
+ },
1036
+ {
1037
+ "id": "initial-access-vector-remediated",
1038
+ "test": "The identified initial-access vector (e.g. exposed Citrix CVE-2023-3519, ScreenConnect CVE-2024-1709) is patched or removed; supply-chain compromise vectors (CVE-2024-3094 xz-utils class, CVE-2024-21626 runc class) are mitigated; the credential reuse path (if infostealer-derived) has had affected accounts rotated and infostealer-marketplace monitoring engaged.",
1039
+ "expected_result": "Vector closed; patch version verified; equivalent compensating control in place if patch is not yet available.",
1040
+ "test_type": "functional"
1041
+ },
1042
+ {
1043
+ "id": "phi-exfil-scope-determined",
1044
+ "test": "Determine whether PHI / personal-data exfil-before-encrypt occurred; if yes, scope the affected records and trigger HIPAA Breach Notification Rule 164.402 risk assessment + GDPR Art.33/34 + applicable state breach laws.",
1045
+ "expected_result": "Scope determination recorded with evidence; notification clocks running per matrix.",
1046
+ "test_type": "functional"
1047
+ },
1048
+ {
1049
+ "id": "regression-tabletop-scheduled",
1050
+ "test": "Confirm a ransomware-specific tabletop exercise is scheduled within 90 days of recovery, with sanctions-screening + decryptor-lookup + carrier-notification + immutable-backup viability as exercise injects.",
1051
+ "expected_result": "Tabletop scheduled; injects documented.",
1052
+ "test_type": "regression"
1053
+ }
1054
+ ],
1055
+ "residual_risk_statement": {
1056
+ "risk": "Even after full recovery, the data exfiltrated in the pre-encryption window cannot be recovered or recalled. The adversary retains a copy of any data exfiltrated before encryption. Where PHI / personal data / IP was exfiltrated, downstream harm (identity theft, regulator action, customer churn, IP exploitation) persists beyond the IR cycle and may surface months or years later.",
1057
+ "why_remains": "Exfiltrated data is, by definition, outside the org's control after the incident. Decryption / payment does not recall exfiltrated copies. Sanctions-blocked payment does not change exfiltration scope. The only mitigations are forward-looking: enhanced monitoring of dark-web leak sites, credit monitoring for affected individuals (where applicable), regulatory engagement.",
1058
+ "acceptance_level": "board",
1059
+ "compensating_controls_in_place": [
1060
+ "credentials-rotated-at-blast-radius",
1061
+ "initial-access-vector-remediated",
1062
+ "immutable-backup-validated-and-restored",
1063
+ "regulator-notifications-filed-per-jurisdiction",
1064
+ "dark-web-leak-site-monitoring-engaged",
1065
+ "post-incident-tabletop-scheduled-90d"
1066
+ ]
1067
+ },
1068
+ "evidence_requirements": [
1069
+ {
1070
+ "evidence_type": "scan_report",
1071
+ "description": "Encrypted-file-extension inventory + ransom-note content + AD privilege-chain snapshot + shadow-copy-deletion event records + C2 beacon traffic + lateral-movement IoCs + exfil-before-encrypt network-flow record.",
1072
+ "retention_period": "7_years",
1073
+ "framework_satisfied": [
1074
+ "nist-800-53-IR-5",
1075
+ "iso-27001-2022-A.5.26",
1076
+ "soc2-cc7.4",
1077
+ "hipaa-164-308-a-7"
1078
+ ]
1079
+ },
1080
+ {
1081
+ "evidence_type": "attestation",
1082
+ "description": "Signed OFAC SDN + EU + UK + AU + JP sanctions-screening attestation, with named legal-counsel signature and timestamp ordered before any negotiator engagement.",
1083
+ "retention_period": "7_years",
1084
+ "framework_satisfied": [
1085
+ "ofac-31-cfr-501",
1086
+ "eu-reg-2014-833",
1087
+ "uk-ofsi"
1088
+ ]
1089
+ },
1090
+ {
1091
+ "evidence_type": "attestation",
1092
+ "description": "Decryptor-availability lookup attestation against No More Ransom Project + vendor-specific decryptors, with timestamp ordered before pay/restore decision.",
1093
+ "retention_period": "7_years",
1094
+ "framework_satisfied": [
1095
+ "nist-800-53-IR-4"
1096
+ ]
1097
+ },
1098
+ {
1099
+ "evidence_type": "ticket_reference",
1100
+ "description": "Cyber insurance carrier loss-notice with timestamped acknowledgment, IR-firm panel verification, and any carrier-pre-approval correspondence.",
1101
+ "retention_period": "7_years",
1102
+ "framework_satisfied": [
1103
+ "soc2-cc9.2"
1104
+ ]
1105
+ },
1106
+ {
1107
+ "evidence_type": "patch_record",
1108
+ "description": "Patch records or compensating-control records for the identified initial-access vector (Citrix / Fortinet / ScreenConnect / xz-utils / runc class as applicable).",
1109
+ "retention_period": "7_years",
1110
+ "framework_satisfied": [
1111
+ "nist-800-53-SI-2",
1112
+ "iso-27001-2022-A.8.8"
1113
+ ]
1114
+ },
1115
+ {
1116
+ "evidence_type": "log_excerpt",
1117
+ "description": "Audit log excerpts establishing the exfil-before-encrypt window, the lateral-movement scope, and the credential-rotation completion timestamps.",
1118
+ "retention_period": "7_years",
1119
+ "framework_satisfied": [
1120
+ "gdpr-art-33",
1121
+ "nis2-art-23",
1122
+ "hipaa-164-402"
1123
+ ]
1124
+ },
1125
+ {
1126
+ "evidence_type": "attestation",
1127
+ "description": "Signed exceptd attestation: encrypted-host count, exfil-scope determination, sanctions-screening verdict, decryptor-lookup verdict, immutable-backup viability verdict, restore-completion timestamp, residual-risk acceptance signature.",
1128
+ "retention_period": "7_years",
1129
+ "framework_satisfied": [
1130
+ "nist-800-53-CA-7",
1131
+ "iso-27001-2022-A.5.36"
1132
+ ]
1133
+ }
1134
+ ],
1135
+ "regression_trigger": [
1136
+ {
1137
+ "condition": "new_ransomware_family_in_threat_intel",
1138
+ "interval": "on_event"
1139
+ },
1140
+ {
1141
+ "condition": "post_recovery_30d",
1142
+ "interval": "30d"
1143
+ },
1144
+ {
1145
+ "condition": "post_recovery_90d_tabletop",
1146
+ "interval": "90d"
1147
+ },
1148
+ {
1149
+ "condition": "carrier_policy_renewal",
1150
+ "interval": "on_event"
1151
+ }
1152
+ ]
1153
+ },
1154
+ "close": {
1155
+ "evidence_package": {
1156
+ "bundle_format": "csaf-2.0",
1157
+ "contents": [
1158
+ "scan_report",
1159
+ "attestation",
1160
+ "ticket_reference",
1161
+ "patch_record",
1162
+ "log_excerpt",
1163
+ "ofac_sanctions_attestation",
1164
+ "decryptor_lookup_attestation",
1165
+ "immutable_backup_viability_record",
1166
+ "exfil_scope_determination",
1167
+ "regulator_notification_drafts",
1168
+ "residual_risk_statement",
1169
+ "post_incident_tabletop_schedule"
1170
+ ],
1171
+ "destination": "local_only",
1172
+ "signed": true
1173
+ },
1174
+ "learning_loop": {
1175
+ "enabled": true,
1176
+ "lesson_template": {
1177
+ "attack_vector": "Ransomware via $initial_access_vector (phishing / VPN-appliance CVE / infostealer credential / supply-chain) → $lateral_movement → exfiltration ($exfil_volume to $exfil_destination) → Shadow Copy deletion → mass encryption with $family fingerprint. Threat actor: $attribution; sanctions match: $sanctions_match.",
1178
+ "control_gap": "$control_gap — typically: backup immutability was replication not compliance-lock; sanctions screening was not pre-rehearsed; insurance carrier notification was not in the 24h-clock IR playbook; decryptor lookup was not part of the decision tree; PHI exfil-before-encrypt was not separately classified.",
1179
+ "framework_gap": "No security framework operationalizes the four ransomware-specific decision properties (sanctions / decryptor / insurance / exfil-before-encrypt) as controls. NIST IR-4, ISO A.5.26, SOC 2 CC7.4, HIPAA 164.308(a)(7), AU E8 Backup, UK CAF D1 are all method-neutral or single-class.",
1180
+ "new_control_requirement": "Ransomware-specific sub-control set: (a) immutable-backup viability test using production-admin-credential adversary simulation, (b) pre-rehearsed sanctions-screening workflow with named legal counsel, (c) insurance carrier pre-approval workflow tested annually, (d) decryptor-availability lookup integrated as a decision-tree precondition, (e) PHI / personal-data exfil-before-encrypt classified as a distinct breach trigger."
1181
+ },
1182
+ "feeds_back_to_skills": [
1183
+ "ransomware-response",
1184
+ "incident-response-playbook",
1185
+ "sector-healthcare",
1186
+ "sector-financial",
1187
+ "framework-gap-analysis"
1188
+ ]
1189
+ },
1190
+ "notification_actions": [
1191
+ {
1192
+ "obligation_ref": "US/OFAC SDN — 31 CFR 501 + OFAC Ransomware Advisory (2021, updated) 0h",
1193
+ "deadline": "computed_at_runtime",
1194
+ "recipient": "internal_legal",
1195
+ "evidence_attached": [
1196
+ "threat_actor_attribution_evidence",
1197
+ "ofac_sdn_search_result",
1198
+ "secondary_sanctions_list_check"
1199
+ ],
1200
+ "draft_notification": "OFAC sanctions screening: Threat actor attribution evidence (ransom note IoCs, leak-site URL, crypto-wallet addresses, family fingerprint: ${family}) cross-checked against OFAC SDN list on ${screen_timestamp}. Match status: ${match_status}. If match: payment posture is FORBIDDEN under 31 CFR 501; any negotiator engagement that could be construed as payment-facilitation is legally prohibited. Legal counsel sign-off: ${counsel_name}."
1201
+ },
1202
+ {
1203
+ "obligation_ref": "EU/EU Reg 2014/833 — Cyber Sanctions 0h",
1204
+ "deadline": "computed_at_runtime",
1205
+ "recipient": "internal_legal",
1206
+ "evidence_attached": [
1207
+ "threat_actor_attribution_evidence",
1208
+ "eu_consolidated_sanctions_list_check"
1209
+ ],
1210
+ "draft_notification": "EU Reg 2014/833 cyber sanctions screening: Threat actor attribution cross-checked against EU consolidated sanctions list on ${screen_timestamp}. Match status: ${match_status}. EU-jurisdiction payment posture: ${posture}."
1211
+ },
1212
+ {
1213
+ "obligation_ref": "GLOBAL/Cyber insurance carrier policy — typical 24h notice clause 24h",
1214
+ "deadline": "computed_at_runtime",
1215
+ "recipient": "internal_legal",
1216
+ "evidence_attached": [
1217
+ "policy_number",
1218
+ "loss_notice_form",
1219
+ "preliminary_scope_estimate"
1220
+ ],
1221
+ "draft_notification": "Cyber insurance loss notice: Policy ${policy_number}, incident detected ${detect_timestamp}, encrypted-host count ${host_count}, suspected exfil scope ${exfil_scope}, preliminary attribution ${attribution}. Retained IR firm: ${ir_firm}. Confirm carrier-pre-approval status for ${proposed_remediation_path}."
1222
+ },
1223
+ {
1224
+ "obligation_ref": "EU/NIS2 Art.23 — Significant Incident 24h",
1225
+ "deadline": "computed_at_runtime",
1226
+ "recipient": "internal_legal",
1227
+ "evidence_attached": [
1228
+ "encrypted_host_count",
1229
+ "service_impact_scope",
1230
+ "preliminary_attribution"
1231
+ ],
1232
+ "draft_notification": "NIS2 Art.23 early warning: Significant incident detected ${detect_timestamp}; encrypted hosts ${host_count}; service impact ${service_impact}; preliminary attribution ${attribution}. Full incident assessment within 72h per Art.23(4)."
1233
+ },
1234
+ {
1235
+ "obligation_ref": "EU/DORA Art.19 — Major ICT-related Incident (financial entities) 4h",
1236
+ "deadline": "computed_at_runtime",
1237
+ "recipient": "internal_legal",
1238
+ "evidence_attached": [
1239
+ "encrypted_host_count",
1240
+ "service_impact_scope",
1241
+ "financial_impact_preliminary"
1242
+ ],
1243
+ "draft_notification": "DORA Art.19 initial notification: Major ICT-related incident detected ${detect_timestamp}; financial-service impact ${service_impact}; preliminary financial impact ${financial_impact}; classification per RTS: ${classification}."
1244
+ },
1245
+ {
1246
+ "obligation_ref": "EU/GDPR Art.33 / Art.34 — Personal Data Breach 72h",
1247
+ "deadline": "computed_at_runtime",
1248
+ "recipient": "internal_legal",
1249
+ "evidence_attached": [
1250
+ "phi_or_personal_data_exfil_evidence",
1251
+ "data_subject_categories_affected",
1252
+ "containment_record"
1253
+ ],
1254
+ "draft_notification": "GDPR Art.33 72-hour notification: Personal data breach via ransomware exfil-before-encrypt. Categories of data subjects affected: ${data_subject_categories}. Number affected: ${affected_count}. Containment: credentials rotated, immutable backup restored, initial-access vector remediated. Risk to data subjects: ${risk_level}."
1255
+ },
1256
+ {
1257
+ "obligation_ref": "US-SEC/SEC 17 CFR 229.106(b) Form 8-K Item 1.05 — Material Cybersecurity Incident 96h",
1258
+ "deadline": "computed_at_runtime",
1259
+ "recipient": "internal_legal",
1260
+ "evidence_attached": [
1261
+ "materiality_determination",
1262
+ "incident_scope_summary",
1263
+ "containment_record"
1264
+ ],
1265
+ "draft_notification": "Form 8-K Item 1.05 disclosure (draft for legal review): Material cybersecurity incident determined material on ${materiality_timestamp}. Nature: ransomware with exfil-before-encrypt. Scope: ${scope}. Material impact: ${material_impact}. Status: ${status}."
1266
+ },
1267
+ {
1268
+ "obligation_ref": "US-HIPAA/HHS Breach Notification Rule — 45 CFR 164.400-414 1440h",
1269
+ "deadline": "computed_at_runtime",
1270
+ "recipient": "data_subjects",
1271
+ "evidence_attached": [
1272
+ "phi_records_affected_count",
1273
+ "containment_record",
1274
+ "risk_assessment_per_164_402"
1275
+ ],
1276
+ "draft_notification": "HIPAA Breach Notification: We are writing to inform you of a security incident that may have affected your protected health information. ${incident_description}. PHI categories: ${phi_categories}. Affected individuals: ${affected_count}. Steps taken: ${steps_taken}. Steps you can take: ${steps_individuals_can_take}."
1277
+ },
1278
+ {
1279
+ "obligation_ref": "US-NY/NYDFS 23 NYCRR 500.17 — Ransom Payment 24h",
1280
+ "deadline": "computed_at_runtime",
1281
+ "recipient": "internal_legal",
1282
+ "evidence_attached": [
1283
+ "ransom_payment_record",
1284
+ "ofac_screening_attestation",
1285
+ "incident_summary"
1286
+ ],
1287
+ "draft_notification": "NYDFS 500.17 ransom-payment notification (only if payment is made and sanctions screening is clear): Payment of ${amount} made on ${payment_timestamp}. OFAC screening cleared on ${screen_timestamp}. Reasoning: ${reasoning}. Compensating controls: ${controls}."
1288
+ },
1289
+ {
1290
+ "obligation_ref": "US-FEDERAL/CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act 72h",
1291
+ "deadline": "computed_at_runtime",
1292
+ "recipient": "internal_legal",
1293
+ "evidence_attached": [
1294
+ "covered_cyber_incident_assessment",
1295
+ "encrypted_host_count",
1296
+ "containment_record"
1297
+ ],
1298
+ "draft_notification": "CIRCIA covered cyber incident report: Incident detected ${detect_timestamp}; covered-entity status ${entity_status}; nature ransomware with exfil-before-encrypt; encrypted hosts ${host_count}; containment status ${containment_status}."
1299
+ },
1300
+ {
1301
+ "obligation_ref": "UK/UK GDPR Art.33 — ICO Notification 72h",
1302
+ "deadline": "computed_at_runtime",
1303
+ "recipient": "internal_legal",
1304
+ "evidence_attached": [
1305
+ "personal_data_breach_summary",
1306
+ "affected_individuals_count"
1307
+ ],
1308
+ "draft_notification": "UK GDPR Art.33 notification to ICO: Mirror of GDPR Art.33 body addressed to ICO casework."
1309
+ },
1310
+ {
1311
+ "obligation_ref": "AU/Privacy Act 1988 — Notifiable Data Breaches scheme 720h",
1312
+ "deadline": "computed_at_runtime",
1313
+ "recipient": "internal_legal",
1314
+ "evidence_attached": [
1315
+ "eligible_data_breach_assessment",
1316
+ "australian_resident_records_affected"
1317
+ ],
1318
+ "draft_notification": "Australian NDB scheme notification: Eligible data breach assessment confirmed on ${assessment_timestamp}; affected Australian residents: ${affected_count}; remediation completed: ${remediation_summary}."
1319
+ },
1320
+ {
1321
+ "obligation_ref": "US-CA/CCPA / CPRA Sec.1798.82 1440h",
1322
+ "deadline": "computed_at_runtime",
1323
+ "recipient": "data_subjects",
1324
+ "evidence_attached": [
1325
+ "california_resident_records_affected",
1326
+ "containment_record"
1327
+ ],
1328
+ "draft_notification": "California breach notification: ${incident_description}; ${types_of_information_affected}; ${steps_taken}; ${steps_individuals_can_take}; ${contact_information}."
1329
+ },
1330
+ {
1331
+ "obligation_ref": "UK/UK OFSI Consolidated List + Sanctions and Anti-Money Laundering Act 2018 0h",
1332
+ "deadline": "computed_at_runtime",
1333
+ "recipient": "internal_legal",
1334
+ "evidence_attached": [
1335
+ "threat_actor_attribution_evidence",
1336
+ "ofsi_consolidated_list_check"
1337
+ ],
1338
+ "draft_notification": "UK OFSI Consolidated List screening: Threat actor attribution cross-checked on ${screen_timestamp}. Match status: ${match_status}. UK-jurisdiction payment posture: ${posture}."
1339
+ },
1340
+ {
1341
+ "obligation_ref": "AU/DFAT Autonomous Sanctions — Cyber 0h",
1342
+ "deadline": "computed_at_runtime",
1343
+ "recipient": "internal_legal",
1344
+ "evidence_attached": [
1345
+ "threat_actor_attribution_evidence",
1346
+ "dfat_consolidated_list_check"
1347
+ ],
1348
+ "draft_notification": "AU DFAT Autonomous Sanctions screening: Threat actor attribution cross-checked on ${screen_timestamp}. Match status: ${match_status}."
1349
+ },
1350
+ {
1351
+ "obligation_ref": "JP/MOF Foreign Exchange and Foreign Trade Act sanctions 0h",
1352
+ "deadline": "computed_at_runtime",
1353
+ "recipient": "internal_legal",
1354
+ "evidence_attached": [
1355
+ "threat_actor_attribution_evidence",
1356
+ "mof_sanctions_list_check"
1357
+ ],
1358
+ "draft_notification": "JP MOF Foreign Exchange and Foreign Trade Act sanctions screening: Threat actor attribution cross-checked on ${screen_timestamp}. Match status: ${match_status}."
1359
+ }
1360
+ ],
1361
+ "exception_generation": {
1362
+ "trigger_condition": "sanctions_match == true AND backup_viability_compromised == true AND decryptor_unavailable == true",
1363
+ "exception_template": {
1364
+ "scope": "Ransomware incident ${incident_id} — payment blocked by sanctions match against ${sanctions_list}, backup viability compromised because ${backup_failure_reason}, decryptor unavailable per No More Ransom + vendor-specific decryptor lookup on ${decryptor_lookup_timestamp}. Recovery posture is rebuild-from-clean-media with data loss back to last clean backup at ${last_clean_backup_timestamp}.",
1365
+ "duration": "until_recovery_complete",
1366
+ "compensating_controls": [
1367
+ "executive-residual-risk-acceptance",
1368
+ "board-notification-of-data-loss-scope",
1369
+ "customer-notification-of-service-impact",
1370
+ "regulator-notification-per-jurisdiction-matrix",
1371
+ "dark-web-leak-site-monitoring-engaged"
1372
+ ],
1373
+ "risk_acceptance_owner": "board",
1374
+ "auditor_ready_language": "Pursuant to NIST 800-53 IR-4 + ISO 27001 A.5.26 + SOC 2 CC7.4 + HIPAA 164.308(a)(7), the organization documents a time-bound risk acceptance for partial-recovery posture in ransomware incident ${incident_id}. Payment is forbidden under OFAC SDN (31 CFR 501) / EU Reg 2014/833 / UK OFSI / AU DFAT / JP MOF (whichever applies; see attached screening attestation). Backup-immutability failure mode: ${backup_failure_reason}. Decryptor unavailable per cross-vendor lookup on ${decryptor_lookup_timestamp}. Recovery posture: rebuild from clean media with data loss back to ${last_clean_backup_timestamp}. Compensating controls: ${compensating_controls}. Residual risk: data exfiltrated in the pre-encryption window remains in the adversary's possession; downstream harm (identity theft, regulator action, customer churn) may surface in the months following. Risk accepted by board on ${acceptance_date}. The exception will be re-evaluated on (a) recovery completion, (b) any sanctions-list update affecting the attributed threat actor, (c) any newly published decryptor for the identified family — whichever is first. Detection coverage post-recovery is provided by ${detection_controls} including enhanced-monitoring-post-restore, dark-web-leak-site-monitoring, and credential-rotation regression testing."
1375
+ }
1376
+ },
1377
+ "regression_schedule": {
1378
+ "next_run": "computed_at_runtime",
1379
+ "trigger": "both",
1380
+ "notify_on_skip": true
1381
+ }
1382
+ }
1383
+ },
1384
+ "directives": [
1385
+ {
1386
+ "id": "bitlocker-class-encryption-active",
1387
+ "title": "Active ransomware encryption in progress on one or more hosts — immediate containment + forensic preservation",
1388
+ "applies_to": {
1389
+ "always": true
1390
+ }
1391
+ },
1392
+ {
1393
+ "id": "phi-exfil-before-encrypt",
1394
+ "title": "PHI / personal-data exfiltration confirmed in the 24-72h window before encryption — parallel breach-notification scope",
1395
+ "applies_to": {
1396
+ "attack_technique": "T1567"
1397
+ }
1398
+ },
1399
+ {
1400
+ "id": "ad-domain-compromise-via-credential-dump",
1401
+ "title": "Active Directory domain compromise via credential-dump-and-replay — rebuild posture decision",
1402
+ "applies_to": {
1403
+ "attack_technique": "T1078"
1404
+ }
1405
+ }
1406
+ ]
1407
+ }