Handling ransomware incidents is different from handling other types of incidents. What do you need to know and/or verify as you scope the incident? Have you established both an Incident Response Team team AND a Business Incident Response Team (BIRT)? Did you identify the threat actor pre-encryption or post-encryption? If pre, what steps do you take to avoid encryption? What steps do you take NOW to avoid further damage? Do you use a wait-and-see approach, or do you kick the actor out of your environment immediately? Join SANS FOR528: Ransomware for Incident Responders (sans.org/FOR528) course author Ryan Chapman in this conversational-style talk to discuss the how, what, and when when it comes to handling ransomware incidents.