Digital Forensics & IR · Playbook

The first 72 hours of a ransomware response.

Hour-by-hour runbook covering containment, evidence, communications and regulator notification.

Author: IR Practice · Published: Apr 2026 · Read time: 6 min · Format: Playbook
Tags: Digital Forensics & IR, Playbook, Cybersecurity, Audit, Regulatory
MAST Consulting Group · Digital Forensics & IR practice

This playbook captures the sequence MAST Consulting Group uses on Digital Forensics & IR engagements when a programme owner has roughly 72 hours to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.

Definition

The first 72 hours of a ransomware response is the critical window for containing the attack, preserving forensic evidence, communicating with internal and external stakeholders, and filing regulatory notifications before dwell time expands the blast radius. The response follows a structured hour-by-hour runbook covering network isolation, threat-actor communication decisions, backup integrity verification, and mandatory regulator reporting under CBUAE, SAMA, and data-protection obligations.

Why it matters

The pressure on Digital Forensics & IR programmes is shifting in specific, observable ways:

  • CBUAE Incident Reporting Guidelines require notification within 2 hours of discovery of a material cyber incident; SAMA CSF 3.4.2 requires a post-incident report within 72 hours; both timelines must be managed simultaneously from Hour 0.
  • UAE PDPL Article 23 and KSA PDPL Article 30 require notification to regulators within 72 hours of discovering a personal-data breach; ransomware encrypting PII-containing systems triggers this obligation from the moment of discovery.
  • Industry data shows that organisations without a pre-tested ransomware runbook take an average of 4.2× longer to contain an incident, resulting in AED 8M–25M in additional recovery costs for mid-size Gulf enterprises.
  • Threat-actor negotiation decisions made in the first 24 hours — whether to engage, which channel to use, and whether to involve law enforcement — directly affect legal liability under UAE Federal Decree-Law No. 34/2021 anti-ransom provisions.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • EDR containment log (CrowdStrike Falcon or SentinelOne) — isolated host list, containment timestamp, sensor coverage at time of detection
  • Network flow logs (Cisco NetFlow or Zeek) — east-west traffic patterns showing lateral movement before isolation
  • Backup integrity test record — last verified backup timestamp, hash verification, restore test result, data currency assessment
  • Ransom note and encryption artefact samples — collected with write-blocker; submitted to ID Ransomware and Europol No More Ransom for strain identification
  • Regulator notification records — CBUAE incident report reference, SAMA CSF notification ticket, PDPL DPA notification timestamp
  • Crisis communications log — internal all-staff message, customer notification draft, board briefing timestamp, PR statement approval

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Hour 0–4: IR Lead activates retainer; SOC isolates affected hosts via EDR (CrowdStrike Falcon isolate or SentinelOne Disconnect); Legal files CBUAE 2-hour notification; Compliance files PDPL breach notification if PII confirmed encrypted.
  • Hour 4–24: Forensic team acquires memory dumps and disk images from patient-zero host with write-blocker; identifies ransomware strain via ID Ransomware; assesses backup integrity and data-currency gap.
  • Hour 24–48: Threat-intelligence team identifies actor group, TTPs, and any known decryptor availability; Legal advises on ransom-payment legality under UAE Federal Decree-Law 34/2021; Communications drafts customer notification.
  • Hour 48–72: Recovery team begins clean-room rebuild of Tier-1 systems from verified backups; submits SAMA 72-hour post-incident report; conducts executive briefing with incident timeline and containment status.
  • Day 4–30 (Post-acute): Root-cause analysis identifies initial access vector; Security Manager implements control improvements; lessons-learned report distributed to board Risk Committee within 30 days of containment.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • CBUAE 2-hour notification compliance: target 100% of qualifying incidents
  • Mean time to isolate (MTTI) affected hosts after ransomware detection: target ≤1 hour with EDR
  • Backup restore success rate from last verified backup: target 100% for Tier-1 systems (RPO ≤24 hours)
  • Ransomware recovery time objective (RTO) for critical banking systems: target ≤72 hours
  • Percentage of affected systems rebuilt from clean image vs. restored from encrypted state: target 100% clean rebuild
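The two timing metrics above (mean time to isolate, CBUAE 2-hour notification compliance) are easiest to defend at audit when they are computed from the same EDR containment log and notification records listed under "Evidence sources to capture", not typed into a slide. The following is an added example, not MAST's instrumentation and not any EDR vendor's export format: the log lines and notification records are constructed, the simplified `timestamp event host incident` layout is an assumption, and the host and incident identifiers are placeholders. It also flags hosts that were detected but never isolated, which a plain average would silently hide.

```python
"""Compute MTTI and regulator-notification compliance from constructed
EDR containment log lines and notification records.
Added example; the log format is a constructed simplification, not
CrowdStrike's or SentinelOne's, and all identifiers are placeholders."""
from datetime import datetime, timedelta, timezone

# Constructed EDR containment log: "<timestamp> <event> <host> <incident>"
EDR_LOG = """\
2026-04-02T01:05:00Z detection WS-0417 INC-1
2026-04-02T01:40:00Z isolation WS-0417 INC-1
2026-04-02T01:12:00Z detection FS-02 INC-1
2026-04-02T03:30:00Z isolation FS-02 INC-1
2026-04-05T09:00:00Z detection WS-0199 INC-2
2026-04-05T09:20:00Z isolation WS-0199 INC-2
2026-04-05T09:05:00Z detection DB-01 INC-2
"""

# Constructed regulator notification records: incident -> (discovered, filed)
NOTIFICATIONS = {
    "INC-1": ("2026-04-02T01:05:00Z", "2026-04-02T02:50:00Z"),
    "INC-2": ("2026-04-05T09:00:00Z", "2026-04-05T11:30:00Z"),
}

CBUAE_DEADLINE = timedelta(hours=2)   # from the playbook: notify within 2 hours
MTTI_TARGET_MINUTES = 60              # from the playbook: MTTI <= 1 hour with EDR


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps as UTC-aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_edr(text):
    """Return {(incident, host): {"detection": dt, "isolation": dt}}."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, host, inc = line.split()
        events.setdefault((inc, host), {})[event] = parse_ts(ts)
    return events


def mtti_minutes(events):
    """Mean detection-to-isolation time per incident, in minutes.

    Hosts with a detection but no isolation event are returned separately
    rather than dropped, because a missing isolation is a finding, not noise.
    """
    per_incident = {}
    never_isolated = []
    for (inc, host), ev in events.items():
        if "isolation" not in ev:
            never_isolated.append((inc, host))
            continue
        minutes = (ev["isolation"] - ev["detection"]).total_seconds() / 60
        per_incident.setdefault(inc, []).append(minutes)
    means = {inc: sum(v) / len(v) for inc, v in per_incident.items()}
    return means, never_isolated


def notification_compliance(records, deadline=CBUAE_DEADLINE):
    """Percentage of incidents filed within the deadline, plus the late ones."""
    late = [inc for inc, (disc, filed) in records.items()
            if parse_ts(filed) - parse_ts(disc) > deadline]
    pct = 100.0 * (len(records) - len(late)) / len(records) if records else 100.0
    return pct, late


def report():
    """Monthly-style summary against the playbook targets."""
    means, never_isolated = mtti_minutes(parse_edr(EDR_LOG))
    pct, late = notification_compliance(NOTIFICATIONS)
    return {
        "mtti_minutes": means,
        "mtti_over_target": [i for i, m in means.items() if m > MTTI_TARGET_MINUTES],
        "never_isolated": never_isolated,
        "cbuae_2h_compliance_pct": pct,
        "late_notifications": late,
    }


if __name__ == "__main__":
    print(report())
```

With the constructed data, INC-1 averages 86.5 minutes to isolate (35 and 138 minutes across two hosts) and misses the one-hour target, DB-01 is surfaced as never isolated, and INC-2's notification at 150 minutes is the single late filing, giving 50% compliance.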

A 72-hour working plan

MAST Consulting Group runs this Digital Forensics & IR work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.

  • Frame (week 1). Confirm scope, regulators in play, and the decisions the work has to enable — referenced against the IR retainer SLA. Without that framing, the rest becomes a documentation exercise the audit committee will not read.
  • Diagnose (weeks 2–4). Walk through regulator and customer notification drafts and IR retainer agreement as they exist today. Capture not just gaps but the design decisions behind every existing control — those are usually where audit findings hide.
  • Design (weeks 5–8). Make the contested choices early and pre-clear them with law enforcement (Dubai Police e-Crime, FBI/Interpol). Document the rationale; Digital Forensics & IR reviewers care more about reasoned decisions than perfect ones.
  • Operate (weeks 9–12). Move evidence collection into AWS CloudTrail + S3 lifecycle locks (cloud) and Slack/Teams channel templates for war rooms. A control that depends on a separate GRC tool nobody opens will fail within two cycles.

Pitfalls we keep seeing

Across MAST Consulting Group's Digital Forensics & IR portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

What good looks like in every case: the same control evidenced inside the workflow it governs, not separately for the audit.

  • Pattern: no legal-hold trigger in the IR runbook.
  • Pattern: acquisition not write-blocked or not hashed at source.
  • Pattern: cloud forensics started after log retention had expired.
  • Pattern: investigation report mixes opinion with fact.
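The "not hashed at source" pattern above and the ransom-note, memory-image and backup hash-verification entries under "Evidence sources to capture" come down to one mechanism: hash each artefact the moment it is acquired, record the custody metadata beside the hash, and re-verify before anyone relies on it. The following is an added example, not MAST's tooling and not EnCase, FTK, AXIOM or Velociraptor output; the artefact names, host names and custodian are constructed, and the files live in a temporary directory so it runs offline. It shows all three outcomes a reviewer wants distinguished: intact, modified after acquisition, and lost.

```python
"""Evidence manifest: hash each artefact at acquisition, record custody metadata,
and re-verify later so any post-acquisition change or loss is detectable.
Added example, not MAST's tooling; names, hosts and custodian are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never load into memory


def sha256_file(path):
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path, custodian, source_host, note=""):
    """Custody entry taken at the moment of acquisition (hash at source)."""
    return {
        "artefact": os.path.basename(path),
        "path": os.path.abspath(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "source_host": source_host,
        "note": note,
    }


def write_manifest(entries, manifest_path):
    """Persist the manifest; return its own hash for the IR log / legal hold."""
    with open(manifest_path, "w") as f:
        json.dump(entries, f, indent=2)
    return sha256_file(manifest_path)


def verify(manifest_path):
    """Re-hash every artefact; map artefact -> OK / MODIFIED / MISSING."""
    with open(manifest_path) as f:
        entries = json.load(f)
    results = {}
    for e in entries:
        if not os.path.exists(e["path"]):
            results[e["artefact"]] = "MISSING"
        elif sha256_file(e["path"]) == e["sha256"]:
            results[e["artefact"]] = "OK"
        else:
            results[e["artefact"]] = "MODIFIED"
    return results


def demo():
    """Constructed walk-through: three artefacts; one altered, one lost after acquisition."""
    d = tempfile.mkdtemp()
    note = os.path.join(d, "README_TO_RESTORE.txt")  # constructed ransom-note sample
    mem = os.path.join(d, "patient-zero.mem")         # constructed memory image
    flows = os.path.join(d, "eastwest.pcap")          # constructed flow capture
    with open(note, "wb") as f:
        f.write(b"constructed ransom note text\n")
    with open(mem, "wb") as f:
        f.write(os.urandom(4096))
    with open(flows, "wb") as f:
        f.write(b"constructed pcap bytes")
    entries = [
        acquire(note, "J. Doe (IR)", "WS-0417", "write-blocked copy"),
        acquire(mem, "J. Doe (IR)", "WS-0417", "live memory acquisition"),
        acquire(flows, "J. Doe (IR)", "SENSOR-1", "Zeek/NetFlow export"),
    ]
    manifest = os.path.join(d, "manifest.json")
    write_manifest(entries, manifest)
    with open(note, "ab") as f:           # simulate a post-acquisition change
        f.write(b"tampered\n")
    os.remove(flows)                       # simulate evidence lost before review
    return verify(manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest's own hash is what goes into the IR log or legal-hold record; anyone later presented with the manifest and the artefacts can re-run `verify` and obtain the same OK / MODIFIED / MISSING verdicts without trusting the person who hands them over.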

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Digital Forensics & IR engagements because the integrations are cheap and the evidence is defensible:

  • EnCase / FTK / Magnet AXIOM (host)
  • Velociraptor / GRR (live response)
  • AWS CloudTrail + S3 lifecycle locks (cloud)

Each is on the list not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Digital Forensics & IR programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Digital Forensics & IR programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

Talk to a practice lead

Turn this briefing into a working plan for your team.

Tell us where you are today and we'll come back within one business day with a scoped, fixed-fee proposal — or an honest opinion if you should run the work in-house.

  • 30-minute working session with a Lead Auditor
  • Specific to your regulators, scope and timeline
  • No-obligation written next-step plan

Prefer email? info@mastcgroup.com
