
Ransomware Incident Response in Belgium: A 7-Step Forensic Playbook

Updated April 2026 · ~7 min read · For incident response leads, internal counsel, and CISOs in Belgian mid-market organizations

Belgium handled 105 ransomware incidents nationally in 2025, and the AZ Monica disruption in January 2026 made clear that healthcare and adjacent sectors remain primary targets. The hardest part of a real ransomware event isn't the encryption — it's making decisions under pressure that hold up later in front of regulators, insurers, and clients.

Every action in the first 4 hours either preserves evidence or destroys it. Plan accordingly.

Step 1 — Activate, don't improvise

Within 30 minutes of confirmation, declare the incident and activate the IR plan. Notify executive sponsor, legal counsel, and the cyber insurer. Open a single, timestamped incident log — every decision goes here.

Step 2 — Contain without contaminating evidence

Isolate affected hosts at the network layer (disable switch port, revoke VPN cert) rather than powering them off — memory-resident artefacts and encryption keys can be lost on shutdown. Preserve volatile data first (RAM, network connections, running processes) before any clean-up.

Step 3 — Preserve evidence with chain of custody

Image affected systems to write-once or air-gapped storage. Record hashes (SHA-256) for every artefact. Maintain a chain-of-custody log identifying who handled which evidence, when, and why. This is the difference between a defensible investigation and an inadmissible one.

Step 4 — Identify scope and dwell time

Reconstruct attacker behavior: initial access vector, persistence mechanisms, lateral movement, privilege escalation, exfiltration paths. Determine dwell time — most Belgian mid-market intrusions show 9–28 days of attacker presence before encryption.

Step 5 — Notify the CCB and affected parties

Under NIS2, significant incidents require an early warning to the Centre for Cybersecurity Belgium within 24 hours of awareness, an incident notification within 72 hours, and a final report within one month. If personal data is involved, the GDPR 72-hour notification to the DPA also applies. Coordinate the two timelines from a single facts log to avoid contradictions.

Step 6 — Negotiate or refuse — but don't decide alone

The decision to engage with a double-extortion threat actor is legal, financial, and reputational. It should never be made by IT alone. Loop in legal counsel, the insurer, and (where applicable) law enforcement. Belgian organizations should also consult the CCB's guidance on ransom payments — paying may have sanctions implications depending on the actor.

Step 7 — Recover, then learn

Recover from clean, verified backups. Rotate all credentials, certificates, and tokens that may have been exposed. After service restoration, conduct a structured post-incident review within 30 days and feed the findings back into the risk register, IR plan, and technical controls.
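As an added example, not code from the original playbook, the following Python keeps the single timestamped log that Steps 1, 3 and 5 call for: it records SHA-256 chain-of-custody entries for artefacts, re-verifies them later, and derives the NIS2 and GDPR notification deadlines from one awareness timestamp. The incident id, artefact name and artefact bytes are constructed, and modelling "one month" as 30 days is an assumption.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artefact's bytes (hash a disk image in chunks the same way)."""
    return hashlib.sha256(data).hexdigest()

class IncidentLog:
    """One timestamped facts log: custody entries plus NIS2/GDPR clocks from a single awareness time."""

    def __init__(self, incident_id: str, awareness: datetime):
        if awareness.tzinfo is None:
            raise ValueError("awareness time must be timezone-aware")
        self.incident_id = incident_id
        self.awareness = awareness
        self.custody = []  # who handled which artefact, when, and why

    def deadlines(self) -> dict:
        t = self.awareness
        return {
            "nis2_early_warning": t + timedelta(hours=24),
            "nis2_incident_notification": t + timedelta(hours=72),
            "nis2_final_report": t + timedelta(days=30),  # "one month" taken as 30 days (assumption)
            "gdpr_dpa_notification": t + timedelta(hours=72),
        }

    def overdue(self, now: datetime) -> list:
        # Obligations whose deadline has already passed at `now`
        return sorted(name for name, due in self.deadlines().items() if now > due)

    def record(self, artefact: str, data: bytes, handler: str, reason: str, when: datetime) -> dict:
        entry = {"artefact": artefact, "sha256": sha256_hex(data), "handler": handler,
                 "reason": reason, "time": when.isoformat()}
        self.custody.append(entry)
        return entry

    def verify(self, current: dict) -> list:
        # Re-hash artefacts as held now (name -> bytes); return those that no longer match
        return [e["artefact"] for e in self.custody if sha256_hex(current.get(e["artefact"], b"")) != e["sha256"]]

# Constructed sample data, not real evidence.
AWARENESS = datetime(2026, 1, 15, 9, 30, tzinfo=timezone.utc)
MEM_IMAGE = b"constructed RAM capture of srv01"

def demo():
    log = IncidentLog("IR-EXAMPLE-001", AWARENESS)
    log.record("srv01-memory.raw", MEM_IMAGE, "analyst A", "volatile capture before isolation", AWARENESS + timedelta(minutes=40))
    intact = log.verify({"srv01-memory.raw": MEM_IMAGE})             # []
    altered = log.verify({"srv01-memory.raw": MEM_IMAGE + b"\x00"})  # ["srv01-memory.raw"]
    return intact, altered, log.overdue(AWARENESS + timedelta(hours=30))  # overdue: ["nis2_early_warning"]
```

A mismatch from `verify` means the stored copy no longer matches what was hashed at collection time, which is exactly the question a regulator or court will ask about the chain of custody.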
